Statement on Information Assurance
March 2013
CONTENTS
1. Introduction
2. Policy
3. Organisation
4. Information Risk Management and Information Assurance structure
5. Risk Assessment and Documentation
6. Accreditation
7. Access Control and Asset Management
8. HR Security / User Education
9. Physical Security
10. Incident Management
11. Business Continuity Planning
12. Compliance
1. Introduction
Information about each of us is held on various databases by organisations and businesses, including many Government agencies. As more data are collected and stored electronically, legitimate concerns about protecting the privacy of the individual have been and continue to be raised.
Rules about what information can be held, for how long and what it can be used for have been drawn up, legislation has been passed and organisations have been set up to help enforce this.
The Data Protection Act 1998 (Information Commissioner’s Office) and the Freedom of Information (Scotland) Act 2002 (Office of the Scottish Information Commissioner) deal with these issues, and their rules and guidance have been adopted throughout all data sharing/linking processes carried out by National Records of Scotland (NRS).
2. Policy
NRS has a well-established overarching Information Security policy in place with which all staff are required to comply. This policy is approved by the Registrar General and Keeper of the Records of Scotland and is reviewed on an annual basis.
3. Organisation
Information Security and Information Assurance in NRS is organised in line with the guidance and requirements in the HMG Standards; namely the Security Policy Framework, the CESG IA Standards and Good Practice Guides. All these standards are closely aligned to the International Security standard, ISO 27001.
Key roles in Information Assurance (IA) have been identified and the governance structure involves individuals who fill the following positions: Accounting Officer (AO), the Senior Information Risk Owner (SIRO), the Information Asset Owner (IAO), the Departmental Security Officer (DSO) and the Accreditor.
4. Information Risk Management and Information Assurance structure
NRS has an information assurance structure which ensures that access to data is controlled and granted only to those who need it. The Senior Information Risk Owner is the focus for the management of information risk at board level and reports to the Accounting Officer. Information Asset Owners are senior individuals involved in running each project which requires the use of data. Their role is to understand what information is held for their own business area, how that information is used, who has access to it and why. As a result they are able to understand and address risks to the information, ensure that information is used appropriately, and provide input to the SIRO on the security and use of their information asset[1], whether in paper or electronic format.
5. Risk Assessment and Documentation
In line with HMG Information Assurance Standards 1 and 2 (Information Risk Management), NRS produces a Risk Management Accreditation Document Set (RMADS) for each system that handles protectively marked information. This document takes confidentiality, integrity and availability into account and provides a detailed understanding of the risks associated with each system, so that individuals within the NRS information assurance structure can make informed decisions on whether it is suitable for storing data.
6. Accreditation
Accreditation is the formal risk assessment of an information system against its IA requirements, resulting in the acceptance of residual risks in the context of the business requirements.
With this in mind, NRS has an Accreditor who carries out the Accreditation function, provides a degree of impartiality over decisions taken by business areas and conducts the process outlined in the above paragraph. It is NRS policy that all systems that handle protectively marked information are subject to the Accreditation process. The Accreditor is responsible for advising the SIRO on information risk and formally accrediting systems on behalf of the board.
7. Access Control and Asset Management
To control the access to information, stringent access controls are applied to any area or system where sensitive or protectively marked data is stored. Asset and configuration management controls are also in place and access to IT equipment and systems is strictly controlled.
NRS removable media, such as laptops and USB memory devices, have HMG-approved encryption applied.
NRS takes particular care during the life cycle of an information asset. Controls are in place when the data is stored (e.g. secure server rooms), when data is in transit (e.g. use of encryption) and when disposal is required (NRS follows the guidance contained in the CESG IS Standard number 5).
8. HR Security / User Education
All staff employed in NRS are required to undergo pre-employment checks. The minimum checks carried out are to the Baseline Personnel Security Standard (BPSS) which is outlined in the HMG Security Policy Framework.
After taking up duty, all new staff attend a new entrant security/data handling seminar. Existing staff receive quarterly security bulletins, and all staff receive a face-to-face seminar every two years to keep their knowledge up to date. Staff also have to complete the Government online Data Handling training package. NRS keeps statistics of all seminars conducted. The last face-to-face seminars for all staff took place in 2010, with plans well underway to repeat this exercise in 2013.
All staff are subject to the Census Act 1920, while staff who use information processing facilities are also subject to the conditions of the IT Code of Conduct.
9. Physical Security
To prevent unauthorised physical access, damage or interference to NRS premises and information, all NRS Buildings are secured in accordance with the guidance in the Security Policy Framework.
10. Incident Management
To ensure that information security events and weaknesses associated with any NRS assets are captured, NRS has a well-established Incident Management and Vulnerability policy in place. This policy is highlighted to staff in all Induction seminars, and all staff are reminded in quarterly bulletins of the importance of reporting. All reports are documented, followed up and reported to Senior Management.
11. Business Continuity Planning
To counteract interruptions to business activities and to protect critical business processes from the effects of major failures of information systems or disasters, NRS has defined business continuity plans, procedures, roles and responsibilities.
Critical business function maps are produced which define how each function operates, what resources are required, what dependencies exist and other information in support of recovery time objectives. This approach is designed to ensure there are appropriate arrangements for each significant service or product, allowing us to continue to operate selected services during and following a disruption.
12. Compliance
As part of compliance with the Data Protection Act, NRS is registered with the Information Commissioner’s Office Data Protection Public Register under registration number Z2886501.
All civil servants are bound by the Civil Service Code, and an individual copy was given to each member of staff; full guidance on data protection issues can be found on the internal Intranet.
NRS staff also comply with the Computer Misuse Act, the Freedom of Information (Scotland) Act and the Copyright, Design and Patents Act.
NRS has a number of security policies and procedures in place. To ensure compliance, frequent audits of systems and processes are carried out. NRS also has a Protective Monitoring policy statement in place and checks are carried out on a monthly basis. All policies are available on the NRS Intranet and can be easily accessed by all staff using the Security and Data Handling quick links page.
Last saved date: 2012-05-11, Version 1.0
[1] An information asset is a body of information, defined and managed as a single unit so it can be understood, shared, protected and exploited effectively. Information assets have recognisable and manageable value, risk, content and lifecycles.