Information Risk Policy

A useful policy document for communication to the organisation. Updated at a particulate Date.

Scope and Purpose

• The Information Risk Policy and Policy Standards specify the requirements for information risk management for "the organisation"
• For the purpose of this Policy:
  • The term "information" covers both information and data, irrespective of whether these are physical or electronic formats.
  • Information security refers to the confidentiality, integrity, and availability of Information and Information Systems (including Networks).
• The policy related Policy Standards are designed to enable the Organisation to:
  • Maintain the security, privacy and quality of its information and that of customers and stakeholders.
  • Maintain records of business activities
  • Make well-informed / timely decisions by having the right access to the right information of the right quality.

Roles and Responsibilities

In line with the Risk Management Strategy, and Risk Management Accountabilities:

• All personnel must be responsible for identifying, understasnding and using the information and information systems required to perform their business activities appropriately. This includes:
  • Following defined processes to:
    • Protect the security and privacy of information
• The Board must be ultimately accountable for the effectiveness of the Organisation's information risk management
• All Business Leaders are accountable for:
  • xxxx
  • xxxx
  • xxx

Policy Requirements

All Personnel must:

• Protect the confidentiality, integrity, availability and quality of Organisation Information (including our customers' information) and Information Systems. See Use of Information and Information Systems
• Business Leader Accountabilities:
  • All business leaders must:
    • Identify, assess, monitor and report, accept and take action on Information Risk. See Operational Risk Profiling
    • Manage Information Risk when developing, acquiring, changing and decommissioning information systems and processes. Refer Systems and Process Development Lifecycle Policy Standard
    • Embed information risk management in the employment lifecycle, and make all personnel aware of their responsibilities for managing Information Risk. See Personnel Management Policy Standard
    • Identify, classify, and handle information securely. See Information Classification and Handling Policy Standard
    • Keep complete and accurate business records. See Record Management Policy Standard, Record Retention Schedule.
    • Understand and govern data quality by identifying and managing Critical Data Elements (CDEs), understanding information flows (e.g. data lineage), and ensuring appropriate tagging (e.g. metadata). See Data Management Policy Standard
    • Only grant access to Information to Personnel who have a business "need to know". Identify and manage Segregation of Duty conflicts. See Access Control Policy Standard
    • Only provide information to external parties (including cloud-hosted services) who have been approved, and are controlled and monitored. See Third party and Cloud Engagement Policy Standard

Policy Exemptions

An exemption is required where a business is unable to comply with the mandatory requirements of this Policy for a defined period of time no greater than 12 months and immediate action cannot be taken to achieve compliance.

• The Approval Authority delegates the approval of exemptions to the Policy Owner.
• Exemption Requests must be submitted to the Policy Owner and will be granted at their discretion. Refer to the Exemption Procedure Guide for further detail.

==Policy Exceptions

• An exception is required where a business is unable to comply with the mandatory requirements of this Policy for a defined transaction and immediate action cannot be taken to achieve compliance.
• The Policy Owner delegates the approve of exception to the Senior Executive of CISO.

Policy Breaches

Policy Change

• Administrative change to this policy must be submitted to the Policy Owner and will be approved at their discretion
• All other changes to this policy must be submitted to the Approval Authority and will be approved at their discretion.

Related Documents

• Operational Risk Management Framework
• Operational Risk Management Policy
• Model Risk Policy
• Physical Security Policy