By Elaine Berry,2014-11-13 13:01
15 views 0
ISO 27001

    CAB(09-10)13 CABINET

    Information Security of Personal Data within the Welsh

    Assembly Government


1. This paper highlights the results of the Welsh Assembly Government’s self 1assessment facilitated by CESG against the Security Policy Framework and

    Information Risk Return that was submitted to the Cabinet Office in June

    2009. The paper outlines activities and plans taken in the areas of

    information security and management of personal data by the Welsh

    Assembly Government. It is recommended the Cabinet note the action taken.

    The Issues

    2. The Welsh Assembly Government continues, as it has always done, to take data

    protection seriously and has measures in place to ensure that the personal data

    held within the Assembly Government and through the delivery chain is

    safeguarded and privacy rights are respected.

    3. The Assembly Government not only seeks to comply with the Data Protection Act,

    but also to deliver the commitment to always respect privacy as contained within

    our Code of Practice on Public Access to Information and Information Assurance


    4. The Assembly Government is also certified to the Information Security standard

    ISO 27001 and was successfully re-accredited to this standard in March 2009. The

    standard covers all aspects of information security, from controlling access to

    information to training and awareness of staff.

    Security Policy Framework and Information Risk Return

    5. At the end of 2008, the Cabinet Office replaced its security guidance with the

    mandatory Security Policy Framework (SPF). The SPF contains the primary

    protective security policy and guidance on security and risk management for HM

    Government Departments and associated bodies. It sets out 70 mandatory

    requirements. The SPF introduced an annual reporting requirement to Cabinet

    Office which covered the 70 mandatory requirements and a specific section

    relating to information risk. Whilst aspects of Information Security are devolved to

    the Assembly Government, the SPF requirements mostly remain a reserved

    matter for central government.

     1 CESG is the National Technical Authority for Information Assurance


    CAB(09-10)13 CABINET

    6. As a devolved administration, the Assembly Government is not mandated to report information risks to Cabinet Office but voluntarily completed the full return to demonstrate good practice and establish common standards for protective security. Assembly Government Sponsored Bodies compliance information was not

    included in the 2008/09 return after consultation with Cabinet Office. This is being reviewed for 09/10.

    7. The Assembly Government completed the Security Policy Framework (SPF) and Information Risk Report (IRR) for the Cabinet Office in June 2009. The report contained a comprehensive and objective report on the actions that the Welsh Assembly Government has taken during the year to manage information risks, along with any outstanding issues that need to be addressed.

    8. The Assembly Government return showed that we met all 70 mandatory measures set out in the SPF and has a high compliance scoring against performance and progress made in implementing Information Assurance measures across the Assembly Government. In particular, we scored highly on the leadership, governance and communication aspects of the return.

    The activities below have contributed to the outcome of the assessment: ; the Information Assurance Strategy was endorsed by the Strategic Delivery and

    Performance Board. The strategy provides a framework to ensure that

    information is protected, accurate and resilient and the accompanying action

    plan ensures the Assembly Government continues to drive forward actions in

    this area;

    ; the Information Asset Owner (IAO) role is starting to be embedded across the

    Assembly Government. The aim of these key senior officials is provide

    assurance that information risks are understood and managed and protection is

    given at the right level across all Departments;

    ; IAOs wrote to all major party delivery partners and analysed the returns to

    provide the organisation with assurance that delivery partners are securely