Information risk management policy

Introduction and scope

Aim

This policy aims to set out our approach to information risk management. 

The purpose of information risk management (IRM)

IRM is a key element of information assurance and of an organisation's corporate governance. Its purpose is to:

  • ensure risks are weighed against the benefits to the organisation
  • assist in exploiting information opportunities while maintaining confidence that the associated risks are appropriately managed

Information risk management roles

We have in place the following roles to support IRM:

  • Senior Information Risk Owner (SIRO) - the owner of information risk management at Director level. The SIRO has overall responsibility for:
    • information risk ownership within the council
    • shared risks with delivery partners and third-party suppliers 
  • Information Asset Owners (IAO) - an IAO is an individual appointed to ensure that specific information assets are handled and managed appropriately.  IAOs are the key risk decision makers for the assets they own.
  • Head of Information Assurance, responsible for:
    • the development and implementation of information assurance policy
    • the identification, management and review of information risks
    • supporting the implementation of controls designed to mitigate risk 
  • Information Governance Manager – responsible for providing information governance guidance and support to the council.  This includes supporting service areas that are sharing information.  The role assists in the identification of information risk.
  • Information Security Officer – provides support to the Head of Information Assurance in developing and implementing information security policy and compliance.  The Information Security Officer:
    • manages risk balance cases on a day-to-day basis
    • assists in the identification and mitigation of information risk
  • Data Protection Officer – a statutory role that provides advice to the council on data protection legislation.  This includes guidance on the identification and mitigation of privacy risks.

Managing risks

Identifying risk

We use various internal and external sources to identify information risks including:

  • local threat assessments
  • monitoring compliance with the information security management system
  • national advice and guidance
  • security incident reporting
  • technical and procedural failures
  • change management
  • information technology health checks and penetration testing
  • external statutory and regulatory obligations
  • policy exceptions
  • Data Protection Impact Assessments (DPIAs)

Recording risk

Identified risks are recorded in the register appropriate to their type:

  • information assurance risk register - records a summary of general information assurance risks
  • cyber security risk register - records risks relating to the protection of information systems, and the data that resides on them, from cyber-attacks
  • information security management system risk register - records risks specific to the management of the information security management system and related controls
  • Data Protection risk register - records risks relating to the processing of personal data and its associated legal obligations
  • records management risk register - records risks relating to our records management approach
  • Data Protection Impact Assessments (DPIA) - a DPIA is mandatory for certain types of processing involving personal data.  It is used to identify and remediate privacy risks

Assessing risk

We use a qualitative risk assessment, based on our corporate risk approach, to assess risk.  The assessment considers the likelihood of an event happening together with its business impact.

The impact on the confidentiality, integrity and availability of the affected assets forms part of the assessment.

Likelihood and impact are each scored on a scale of 1 to 4, in line with the corporate risk model.

Treatment of risk

We will address information risk using one or more of the four risk treatment options (the 'four Ts'):

  • tolerate - the decision to retain the risk without further action.
  • treat - the decision to introduce, remove or alter controls so that the residual risk can be reassessed as acceptable. This is achieved through one or more of the following types of control:
    • preventative – stop undesirable events from happening, for example restricting an action to authorised persons
    • corrective – restore normality after an undesirable event has occurred, for example incident management
    • directive – encourage desired behaviour or outcomes, for example training staff
    • detective – detect the occurrence of undesirable events, for example audit and monitoring
  • transfer – the decision to transfer the risk to another party in order to manage it more effectively. Reputational risk cannot be transferred
  • terminate – the decision to avoid the risk completely by withdrawing from a planned or existing activity or set of activities

Monitoring risk

We will monitor and review risks and the factors that influence them:

  • context – identifying changes to underlying assumptions or new factors
  • controls – ensuring the controls for risks do not become less effective or irrelevant
  • treatments – ensuring risk treatments are appropriately implemented and maintained

Shared risk

We recognise that ownership of information risk can be shared, and that the impact of a risk can therefore fall outside the council, for example through partnership working.  We will work with our partners to manage shared risk so that each organisation can discharge its responsibilities appropriately.

Risk appetite

Risk appetite is an expression of the type and amount of risk we are prepared to take in delivering our services. It recognises that the resources available to manage risk are finite, so the aim is to adopt an approach that is proportionate.

Information risk is unavoidable. We must adopt an approach to managing risk which is reasonable and pragmatic. The amount of risk which is judged to be tolerable and justifiable is the risk appetite.

To determine our information risk appetite several internal and external factors have been considered:

  • the type and amount of information we process
  • the internal and external threats posed to our information and information systems
  • the harm and/or distress that could be caused to individuals
  • the negative impact on the delivery of our services
  • our legal obligations, for example the Data Protection Act 2018 and UK GDPR
  • the financial loss that we could face
  • the reputational damage that could be caused and the subsequent undermining of public confidence in how we manage and protect information
  • opportunities which may enhance the effective delivery of services

Considering the above factors the risk appetite for information risks is Cautious.

The following table presents the corporate risk appetite levels:

Appetite level: Averse

  • safe delivery options
  • not willing to accept risk in most circumstances
  • reluctant to take action given uncertainty
  • highly likely to be influenced by experience

Appetite level: Cautious

  • willing to accept some risk – but prefer safe options
  • minimising risk exposure with tight corporate controls over change

Appetite level: Creative and aware

  • creative and open to considering all potential delivery options
  • well measured risk taking whilst being aware of the impact of its key decisions
  • 'no surprises' risk culture

Appetite level: Opportunist

  • collaborative approach to recognise and drive the opportunities that lead to the development of economic and business sustainability and improvement
  • not taking the tried and tested route
  • looking for upside risk

Appetite level: Hungry

  • willing to accept opportunities and delivery options with high inherent risk
  • recognise that not all risks will be known

Further Information

For further information email IA@lincolnshire.gov.uk