Information Security of Personal Data within the Welsh
1. This paper highlights the results of the Welsh Assembly Government’s self-assessment¹ facilitated by CESG against the Security Policy Framework and
Information Risk Return that was submitted to the Cabinet Office in June
2009. The paper outlines activities and plans taken in the areas of
information security and management of personal data by the Welsh
Assembly Government. It is recommended the Cabinet note the action taken.
2. The Welsh Assembly Government continues, as it has always done, to take data
protection seriously and has measures in place to ensure that the personal data
held within the Assembly Government and through the delivery chain is
safeguarded and privacy rights are respected.
3. The Assembly Government not only seeks to comply with the Data Protection Act,
but also to deliver the commitment to always respect privacy as contained within
our Code of Practice on Public Access to Information and Information Assurance
4. The Assembly Government is also certified to the Information Security standard
ISO 27001 and was successfully re-accredited to this standard in March 2009. The
standard covers all aspects of information security, from controlling access to
information to training and awareness of staff.
Security Policy Framework and Information Risk Return
5. At the end of 2008, the Cabinet Office replaced its security guidance with the
mandatory Security Policy Framework (SPF). The SPF contains the primary
protective security policy and guidance on security and risk management for HM
Government Departments and associated bodies. It sets out 70 mandatory
requirements. The SPF introduced an annual reporting requirement to Cabinet
Office which covered the 70 mandatory requirements and a specific section
relating to information risk. Whilst aspects of Information Security are devolved to
the Assembly Government, the SPF requirements mostly remain a reserved
matter for central government.
¹ CESG is the National Technical Authority for Information Assurance.
6. As a devolved administration, the Assembly Government is not mandated to report information risks to Cabinet Office but voluntarily completed the full return to demonstrate good practice and establish common standards for protective security. Assembly Government Sponsored Bodies’ compliance information was not
included in the 2008/09 return after consultation with Cabinet Office. This is being reviewed for 09/10.
7. The Assembly Government completed the Security Policy Framework (SPF) and Information Risk Report (IRR) for the Cabinet Office in June 2009. The report contained a comprehensive and objective report on the actions that the Welsh Assembly Government has taken during the year to manage information risks, along with any outstanding issues that need to be addressed.
8. The Assembly Government return showed that we met all 70 mandatory measures set out in the SPF and had a high compliance score against performance and progress made in implementing Information Assurance measures across the Assembly Government. In particular, we scored highly on the leadership, governance and communication aspects of the return.
The activities below have contributed to the outcome of the assessment:
- the Information Assurance Strategy was endorsed by the Strategic Delivery and Performance Board. The strategy provides a framework to ensure that information is protected, accurate and resilient, and the accompanying action plan ensures the Assembly Government continues to drive forward actions in
- the Information Asset Owner (IAO) role is starting to be embedded across the Assembly Government. The aim of these key senior officials is to provide assurance that information risks are understood and managed and that protection is given at the right level across all Departments;
- IAOs wrote to all major party delivery partners and analysed the returns to provide the organisation with assurance that delivery partners are securely