NOT PROTECTIVELY MARKED

Policy: / Information Security, Accreditation, and Risk Management Policy v9.00
Approved date: / 27th Nov 2015
Owner: / This document is owned by the Director of Professional Standard Department (PSD), on behalf of the SIRO, with the endorsement of the Constabulary’s Information Security Board
For release under Freedom of Information? / Yes
Supporting procedures also in policy library: / Information Security, Accreditation and Risk Management Policy Supporting Procedures
Contact for advice: / Records & Information Security Manager, PSD.
E-mail
Telephone 0300 124 0113 x58523

Equality Analysis

This policy has been assessed as having no identified potential impact in relation to protected groups with regards to:

·  Age

·  Disability

·  Sex

·  Sexual Orientation

·  Gender reassignment

·  Marriage and Civil Partnership

·  Pregnancy and Maternity

·  Race or Religion

1.  Aim

The overall aim of this policy is to provide the broad framework for information assurance throughout Cumbria Constabulary (‘the Constabulary’) and ensure that the information and information systems of the Constabulary meet the requirements of UK legislation and the NPIRMT[1] National Policing Community Security Policy (‘CSP’).

It has been written to ensure that security guidance is in place to maintain the confidentiality, integrity and availability of information held within the Constabulary, and to:

·  give confidence that all new information systems meet the requirements of the national security standards for police information.

·  provide guidance for the information of all personnel ensuring awareness of their responsibilities and accountability for information security.

·  help the Constabulary fulfil its legal and regulatory obligations, and support compliance with relevant NPCC and NPIRMT guidance and the HMG Security Policy Framework.

·  help drive improvement of organisational processes so that their integrity and quality can be trusted and are fit for purpose in supporting business objectives, whilst providing assurance that the associated information risks are being managed effectively.

2.  Scope

The policy applies to all personnel working for Cumbria Constabulary and the Office of the Police and Crime Commissioner for Cumbria (OPCC) including Police Officers, Special Constables, Police Staff, OPCC Staff, volunteers, temporary personnel and trusted employees from agencies and partner organisations who by the nature of their role receive access to Cumbria Constabulary information and information systems.

The policy is owned by the Director of PSD on behalf of the Deputy Chief Constable as Senior Information Risk Owner and will be administered by the Records & Information Security Manager (RISM).

3.  Terms and Definitions

Information security – provides the assurance that risks to the confidentiality, availability or integrity of information, and of the systems that handle it, are assessed and managed.

Information assurance - the confidence that the information held by the Constabulary is reliable and secure.

Accreditation – a structured assessment of the protective need. The risk assessment methodology of ‘HMG Information Security Standard Numbers 1&2 Supplement - Technical Risk Assessment and Risk Treatment’ (Apr 2012) describes such a structured assessment. All results from this assessment must be documented in the form of the Risk Managed Accreditation Document Set (RMADS). Once the Accreditor accepts the RMADS, the system concerned can be implemented. Re-accreditation must be conducted every two years, or sooner when major changes to the system are implemented. Where the Accreditor considers that any residual risk does not fall within acceptable parameters, the matter will be referred to the Senior Information Risk Owner (SIRO).

4.  The Policy

Cumbria Constabulary operates using the Intelligence Led Policing model and is therefore dependent upon information and consequently upon the systems on which that information is processed. Because almost all organisations now depend on information and communications technology (ICT), the content of this document relates largely to ICT information systems; however, the security of manually held information is equally important.

At a national level the National Police Chiefs’ Council (NPCC) acknowledges the necessity for a strategy for the security of information processes throughout the criminal justice community. Its agreement to support compliance with BS/ISO 17799 is set out in the National Policing Community Security Policy (CSP), which details the strategy for the security of information processes throughout the community and forms a framework for other subordinate policies and procedures.

Failure to implement and comply with the requirements of the CSP will jeopardise the Constabulary’s ability to connect to the Criminal Justice Extranet or Public Sector Network, and consequently to the national systems delivered over them and to other national communications services including Airwave.

This Policy provides baseline security requirements in order to ensure that the information held within the Constabulary is reliable, secure and private. The purpose of this Policy is to enable the information processes of Cumbria Constabulary, and help achieve compliance with CSP.

The loss, damage, wrongful destruction or wrongful disclosure of information could result in substantial costs to the Constabulary as well as embarrassment or loss of public confidence.

Policy Statement

Cumbria Constabulary recognises the importance of its information assets and the need for proper and effective management of information processes. In support of this, it is important that there are sufficient and adequate information security safeguards and countermeasures in place to provide the continued security of Constabulary information and information systems. In this context information security is characterised as the preservation of:

a)  Confidentiality – ensuring that information is accessible only to those authorised to have access and protecting sensitive information from unauthorised disclosure or intelligible interception.

b)  Integrity – safeguarding the accuracy and completeness of information and processing methods.

c)  Availability – ensuring that authorised users have access to information and associated assets when required.

The ‘Cumbria Constabulary Information Security, Accreditation and Risk Management Policy Supporting Procedures’ v9.00 provides additional information about the delivery of this Policy including Roles and Responsibilities and other detailed guidance.

Further information and a copy of the ACPO Information Systems Community Security Policy (CSP) is available from the RISM, PSD.

5.  Implementation

Implementation will be based on the Policy being available to those personnel who have a specific role/responsibility in relation to it, whilst informing all other members of staff about their general responsibilities in relation to information management.

Communication of the Policy will make use of existing channels in addition to targeted communication to key personnel.

6.  Monitoring & Review

In accordance with the Constabulary’s respective Race, Disability and Gender equality schemes and with reference to the Cumbria Constabulary Equality and Diversity Strategy 2012 - 2016, this Policy will be monitored by the Policy Owner on an on-going basis for implementation issues, consistency of application and the potential for discrimination.

Relevant statistics will be recorded by the Director PSD in relation to all reports of any breach of, or complaint about, this policy. The policy will be amended as appropriate where a concern is identified, and will also be formally reviewed at each revision.

This Policy will be reviewed in line with the published review schedule, normally annually. It will also be reviewed whenever new legislation/guidance which may have an impact is introduced.

The monitoring of this policy will be done by:

·  Reviewing the Policy and associated documentation to ensure the policy is still relevant.

·  Reviewing the implementation of the policy by consultation with key personnel responsible for implementation of and adherence to it.

·  Reviewing records of any equality or diversity issues noted by the Director PSD.

·  Reviewing the relevant data in relation to any related matters pursued in accordance with the Fairness at Work (Grievance Resolution) Policy.

·  Consideration of any changes in legislation that need to be accommodated.

·  Consideration of any other feedback that has been received.

Monitoring of the processes and systems outlined in the accompanying ‘Supporting Procedures’ to this document will be the same as for the Policy itself.

In the event that an individual feels disadvantaged by the requirements of any policy or procedure or where they perceive there to be an impact which is intentionally or unintentionally unfair, the matter should be dealt with in accordance with the Policy and Procedure Review Process / Selection Processes Appeals Procedure contained within the Fairness At Work (Grievance Resolution) Policy and Procedure. This information will also be monitored and considered when reviewing the policy.


[1] NPIRMT is the National Policing Information Risk Management Team