Information Risk Policy
A useful policy document for communication to the organisation. Updated on a particular date.
Scope and Purpose
- The Information Risk Policy and its Policy Standards specify the requirements for information risk management for "the organisation".
- For the purpose of this Policy:
  - The term "information" covers both information and data, irrespective of whether these are in physical or electronic formats.
  - Information security refers to the confidentiality, integrity, and availability of Information and Information Systems (including Networks).
- The Policy and its related Policy Standards are designed to enable the Organisation to:
  - Maintain the security, privacy and quality of its information and that of customers and stakeholders.
  - Maintain records of business activities.
  - Make well-informed and timely decisions by having the right access to the right information of the right quality.
Roles and Responsibilities
In line with the Risk Management Strategy, and Risk Management Accountabilities:
- All personnel must be responsible for identifying, understanding and using the information and information systems required to perform their business activities appropriately. This includes:
  - Following defined processes to:
    - Protect the security and privacy of information
- The Board must be ultimately accountable for the effectiveness of the Organisation's information risk management
- All Business Leaders are accountable for:
  - xxxx
  - xxxx
  - xxx
Policy Requirements
All Personnel must:
- Protect the confidentiality, integrity, availability and quality of Organisation Information (including our customers' information) and Information Systems. See Use of Information and Information Systems.
- Business Leader Accountabilities:
  - All business leaders must:
    - Identify, assess, monitor, report, accept and take action on Information Risk. See Operational Risk Profiling.
    - Manage Information Risk when developing, acquiring, changing and decommissioning information systems and processes. See Systems and Process Development Lifecycle Policy Standard.
    - Embed information risk management in the employment lifecycle, and make all personnel aware of their responsibilities for managing Information Risk. See Personnel Management Policy Standard.
    - Identify, classify, and handle information securely. See Information Classification and Handling Policy Standard.
    - Keep complete and accurate business records. See Record Management Policy Standard and Record Retention Schedule.
    - Understand and govern data quality by identifying and managing Critical Data Elements (CDEs), understanding information flows (e.g. data lineage), and ensuring appropriate tagging (e.g. metadata). See Data Management Policy Standard.
    - Only grant access to Information to Personnel who have a business "need to know". Identify and manage Segregation of Duty conflicts. See Access Control Policy Standard.
    - Only provide information to external parties (including cloud-hosted services) who have been approved, and are controlled and monitored. See Third Party and Cloud Engagement Policy Standard.
Policy Exemptions
An exemption is required where a business is unable to comply with the mandatory requirements of this Policy for a defined period of time no greater than 12 months and immediate action cannot be taken to achieve compliance.
- The Approval Authority delegates the approval of exemptions to the Policy Owner.
- Exemption Requests must be submitted to the Policy Owner and will be granted at their discretion. Refer to the Exemption Procedure Guide for further detail.
Policy Exceptions
- An exception is required where a business is unable to comply with the mandatory requirements of this Policy for a defined transaction and immediate action cannot be taken to achieve compliance.
- The Policy Owner delegates the approval of exceptions to the Senior Executive of CISO.
Policy Breaches
Policy Change
- Administrative changes to this policy must be submitted to the Policy Owner and will be approved at their discretion.
- All other changes to this policy must be submitted to the Approval Authority and will be approved at their discretion.