ACPO/ACPOS National Information Risk Appetite Statement


Document Name: ACPO/ACPOS Information Risk Appetite Statement
File Name: ACPO_ACPOS Information Risk Appetite v1_3.doc
Authors: Adam Clark and James McLelland
Reviewer: James McLelland (15/05/2012)
Authorisation: ACPO PIAB, ACPO IMBA, ACPOS IM
Signed version held by: NPIA Information Assurance Capability Team

NPIA ( Policing Improvement Agency) 2012. All rights reserved. No part of this publication may be reproduced, modified, amended, stored in any retrieval system or transmitted, in any form or by any means, without the prior written permission of the Policing Improvement Agency or its representative.

For additional copies, or to enquire about the content of the document, please contact the Information Assurance team at the following e-mail address: information.assurance@npia.pnn.police.uk

For copyright specific enquiries, please telephone the NPIA Police Library on 01256 602650.

Page 1 of 6

Information Risk Appetite Statement

Purpose of Document

The purpose of this document is to inform force/agency s, Information Asset Owners, force/agency Accreditors/Projects/Programmes and other interested parties of the Information Risk Appetite and its implications. This document should be read in conjunction with the BRG on Risk Appetite and, for further detail, the ACPO/ACPOS Information Risk Appetite and Risk Escalation Case Guidance document.

It has two distinct foci:
1. Information Systems risk management and governance.
2. Force/agency risk management and governance, involving Information Systems.

Requirement

It provides a baseline for managing information risks for Information Systems (for example PND, PNC, ViSOR, Holmes, Ident1, etc.) and Police Infrastructures (e.g. CJX and xcjx), based on the need to protect information that is shared by various police forces, law enforcement agencies, government and voluntary bodies. When addressing risk it is important that the controls applied are pragmatic, appropriate and cost effective (PACE), and the Information Risk Appetite will assist forces/agencies, Projects/Programmes and others to manage information risks by setting out delegation authority for accepting or escalating identified information risks regarding Information Systems and the data they hold, regardless of its business impact level or protective marking.

The Information Risk Appetite forms part of the overall national IA governance for information risk management in the Police Service and is owned by the (see the ACPO/ACPOS IA Governance guidance for further information).

The Information Risk Appetite

The Information Risk Appetite has been set at Cautious for Information Systems. This has been agreed and endorsed by the, ACPO PIAB, ACPOS IARC, and ACPO IMBA. The Information Risk Appetite is reviewed on an annual basis or as required.

The Information Risk Appetite reflects the need for the police service to protect and risk manage the information it handles, as compromise of its confidentiality, integrity and availability could impact police, personal or sensitive information and increases risks to the compliance or legal standing of the organisation. In agreeing the Information Risk Appetite the, ACPO PIAB, ACPOS IARC and ACPO IMBA considered a number of categories of risk, assessing the risk appetite for each (see Appendix A) in light of their understanding of the Police Threat Model, based on threat assessments promulgated by the CPNI, the CESG and SOCA.

The Information Risk Appetite applies to all Information Systems. It also applies to local force/agency systems which are connected directly or indirectly to Information Systems (for example, force/agency e-mail services and force/agency networks that are connected to the CJX or xcjx), or which use data from Information Systems (for example, through an interface that updates or retrieves information from Information Systems to local force/agency systems, such as PNC Phoenix or locally developed systems/applications).

The must be informed of any residual risks which affect Information Systems and is the final arbiter on those residual risks, as set out in the delegation matrix at Appendix B.

Implications

The level of the Information Risk Appetite provides specific guidance for and force/agency Accreditors, project owners and senior information risk owners.

It indicates to and force/agency Project Owners the extent to which they need to mitigate risks to information that are inherent in new systems.

It informs and force/agency Accreditors and force/agency Information Asset Owners (System Owners) when they are able to sign off a risk as being acceptable to the business, by virtue of it being within the risk appetite. If a risk is outside of the risk appetite then it will be escalated to the or force/agency Senior Information Risk Owner (), depending on the level of the residual risk, for a decision on whether to accept it, invest in mitigating it, or avoid the risk.

It guides the force/agency Senior Information Risk Owner () in the organisation, to whom the information risks are escalated, on the types and levels of information risk they can accept on behalf of their organisation.

It informs the force/agency and Systems IAO when they are required to escalate residual risks (using the Risk Escalation Case process) to the (see Delegation Matrix at Appendix B).

Where a force/agency network or system connects directly or indirectly to the CJX or xcjx, it potentially offers a route which could enable unauthorised or malicious access to, or attacks on, Information Systems or the data they hold. The implication of this is that those force/agency networks and systems are expected to adopt the Information Risk Appetite when assessing risks and setting out delegation authority in their respective force/agency, and this will form part of the approval to connect to those Information Systems.

This statement does not restrict forces/agencies from taking decisions that may involve risks to the security of information. Rather, it ensures that such decisions are properly assessed and have accountability at the appropriate level.

Where residual risks [1] are identified through accreditation of local systems (e.g. if the force/agency system connects to or uses data from a Information System), the residual risk would need to be escalated to the force/agency (as determined by the appropriate delegation matrices; see Section 3.9.6 of the ACPO/ACPOS Information Risk Appetite and Risk Escalation Case Guidance document). If the residual risk is outside the delegated authority of the force/agency, as at Appendix B, then the force/agency would need to escalate those risks to the for a decision using a Risk Escalation Case. Further detail on this can be found in Section 4.3.5 of the ACPO/ACPOS Information Risk Appetite and Risk Escalation Case Guidance document.

Some individual force/agency systems which connect directly or indirectly to Information Systems may, with the approval of the, qualify for Tolerance levels which vary from the Information Risk Appetite. For example, systems that are delivering political or operational imperatives, or that have become directly critical to police, may need a more Open tolerance to risk. Conversely, information systems which handle politically sensitive information, or which pass sensitive information to parties with questionable handling procedures, may have a more Minimalist tolerance of risk. Section 3.10 of the ACPO/ACPOS Information Risk Appetite and Risk Escalation Case Guidance document deals with Tolerance for individual information systems.

Force/agency s should set and endorse a risk appetite for their force or agency. This can be viewed as an up-front decision on what level of risk is acceptable and, conversely, what level of risk demands a balancing of risk and reward at a more senior level than the Accreditor. Guidance on how to set risk appetite can be found in Section 3.9 of the ACPO/ACPOS Information Risk Appetite and Risk Escalation Case Guidance document.

[1] The term residual risk implies that some countermeasures are in place, so that inherent risks may be mitigated in part or in full.

Appendix A Information Risk Appetite Assessment Table

The following table was used to assess the Information Risk Appetite, following the process in Appendix C of the ACPO/ACPOS Information Risk Appetite and Risk Escalation Case Guidance document. The organisation's attitude to the different categories of risk was assessed in the political and operational context. The pervasiveness of the risk through the organisation was also assessed. The Risk Appetite column uses the Categories of Risk Appetite definitions. The Overall Appetite is a simple aggregation of the Risk Appetite column and could be considered the Information Risk Appetite for the whole organisation.

Table columns: Category | Sub-Category | Risk Appetite* | Justification

Category: Police Service Operations, covering Public Order, Public Safety and Law Enforcement (taken from HMG IS 1 (Part 1) Appendix A Business Impact Level Table A2)

Sub-Category: Impact on Life and Safety. Protection of life and property: is there a risk to the life and property of individual/individuals?

Sub-Category: Impact on provision of Emergency Services. Disruption to the emergency services.

Sub-Category: Impact on fighting Crime. Hindrance to the ability to fight (prevent and detect) crime, e.g. if critical data to an investigation is lost, either in real time or in slow time; if forensic data is modified, rendering it uncertain or useless; if operational data is disclosed, giving advance warning to criminals.

Risk Appetite*: MINIMALIST

Justification: The police are there to protect the lives of the public, and any injury or loss of life, or loss of or damage to property, as a result of police actions or inactions would attract criticism. Therefore there is a low appetite for risks to the safety of the public, and indeed to police officers and criminals. The emergency service is a core service of the police and is subject to a level of expectation by the public. Disruption to emergency services, particularly as a result of failures by the police itself, would be severe enough to attract criticism. Breach or compromise of is to be avoided, particularly when time and effort has been invested in the operation. Tactical risks to may be weighed up with strategic benefits.

How is this Risk in the business?

Sub-Category: Impact on Judicial Proceedings. Compromise of judicial proceedings, e.g. if evidence was tampered with; if evidence is lost; if evidence is disclosed at the wrong time.

Risk Appetite*: MINIMALIST

Justification: By the time judicial proceedings are launched there is a known suspect in mind, and therefore failure to prosecute successfully could represent a failure of police, both to police staff and to the public. Hindrance or failure of judicial proceedings resulting from a security breach by police is to be avoided.

Damage to police/agency reputation and credibility

Justification: The police are high profile in the national media and in the public eye. Mistakes and information security breaches could result in high profile scandals and criticism, which damages the relationship with the public and with government, and effectively increases the scrutiny and potentially the bureaucracy of police work.

Undermined confidence in the government

Risk Appetite*: MINIMALIST

Justification: As the police are seen as a high profile arm of national government, mistakes and breaches by police have the ability to undermine the government of the day, as government is essentially accountable. This is a similar, but heightened, effect to that described above in terms of the scrutiny and bureaucracy that it would attract.

How is this Risk in the business?

Financial losses and penalties

Justification: Budgets are tight and value for money is required by the public. Financial losses could cause embarrassment as well as put other parts of the police service under strain. Well-informed risks can be taken, but financial losses are to be minimised.

Legal and Compliance Obligations

Risk Appetite*: /OPEN

Justification: It is important for the police to maintain its compliance and legal standing, to avoid criticism and to ensure that the effects of any mistakes can be minimised. A business or operational benefit may justify a breach in compliance, but it should be justified.

Loss of private or personal data

Justification: Loss of private data could place individuals at risk and therefore create more work to protect them after a breach. Police keep information about individuals who may be targeted for violence or persecution. Should an individual be harmed as a result of such a breach, then this would attract criticism. Furthermore, this is politically sensitive and there is increased scrutiny on such breaches.

OVERALL RISK APPETITE

*Categories of Risk Appetite. The descriptions of the behaviours are as follows:

Averse (Risk Avoidance): Avoidance of risk and uncertainty is a key objective. Exceptional circumstances are required for any acceptance of risk.

Minimalist: Preference for ultra safe options that have a low degree of inherent risk and only have a potential for limited business benefit.

Cautious: Preference for safe options that have a low degree of residual risk and may only have limited potential for business benefit.

Open: Willing to consider all options and choose the one that is most likely to result in successful delivery, minimising residual risk as far as possible while also providing an acceptable level of business benefit.

Hungry (High Risk, High Reward): Eager to realise business benefits and to choose options to achieve this despite greater residual risk.

Appendix B Information Risk Appetite Systems Delegation Matrix

[Delegation matrix: rows are residual risk levels (Very Low, Low, Medium, Medium-High, High, Very High); columns are risk appetite (Averse, Minimalist, Cautious, Open, Hungry); each cell names the authority that may accept the residual risk (Accreditor, IAO/Force*, or /Force*). The cell layout of the matrix did not survive extraction; the Cautious column is described in points 1 and 2 below.]

* Where force is mentioned it includes agencies who are signatories to the ACPO/ACPOS Community Security Policy.

This delegation matrix is to be used where residual risks are in relation to Information Systems. It illustrates that:

1. A force/agency Accreditor can accept residual risks relating to Information Systems that are Very Low, but must escalate to the force/agency any residual risks at Low. Residual risks at Medium or above cannot be accepted by the Force, but must be escalated to the. (The may delegate the handling of the risk to the IAO while retaining accountability for it.)

2. A Accreditor can accept residual risks relating to Information Systems that are Very Low, but must escalate to the System IAO any residual risks at Low. Residual risks at Medium or above cannot be accepted by the System IAO, but must be escalated to the. (The may delegate the handling of the risk to the IAO while retaining accountability for it.)