Information Risk Policy

From Glitchdata

A useful policy document for communication to the organisation. Updated at a particular date.

Scope and Purpose

  • The Information Risk Policy and Policy Standards specify the requirements for information risk management for "the organisation".
  • For the purpose of this Policy:
    • The term "information" covers both information and data, irrespective of whether these are physical or electronic formats.
    • Information security refers to the confidentiality, integrity, and availability of Information and Information Systems (including Networks).
  • The Policy and related Policy Standards are designed to enable the Organisation to:
    • Maintain the security, privacy and quality of its information and that of customers and stakeholders.
    • Maintain records of business activities.
    • Make well-informed / timely decisions by having the right access to the right information of the right quality.



Roles and Responsibilities

In line with the Risk Management Strategy, and Risk Management Accountabilities:

  • All personnel must be responsible for identifying, understanding and using the information and information systems required to perform their business activities appropriately. This includes:
    • Following defined processes to:
      • Protect the security and privacy of information
  • The Board must be ultimately accountable for the effectiveness of the Organisation's information risk management.
  • All Business Leaders are accountable for:
    • xxxx
    • xxxx
    • xxx

Policy Requirements

All Personnel must:


Policy Exemptions

An exemption is required where a business is unable to comply with the mandatory requirements of this Policy for a defined period of time no greater than 12 months and immediate action cannot be taken to achieve compliance.

  • The Approval Authority delegates the approval of exemptions to the Policy Owner.
  • Exemption Requests must be submitted to the Policy Owner and will be granted at their discretion. Refer to the Exemption Procedure Guide for further detail.


Policy Exceptions

  • An exception is required where a business is unable to comply with the mandatory requirements of this Policy for a defined transaction and immediate action cannot be taken to achieve compliance.
  • The Policy Owner delegates the approval of exceptions to the Senior Executive of CISO.


Policy Breaches

Policy Change

  • Administrative changes to this policy must be submitted to the Policy Owner and will be approved at their discretion.
  • All other changes to this policy must be submitted to the Approval Authority and will be approved at their discretion.

Related Documents