By Elaine Berry,2014-11-13 13:01
ISO 27001

    CAB(09-10)13 CABINET

    Information Security of Personal Data within the Welsh Assembly Government


    1. This paper highlights the results of the Welsh Assembly Government’s self-assessment facilitated by CESG [1] against the Security Policy Framework and

    Information Risk Return that was submitted to the Cabinet Office in June

    2009. The paper outlines activities and plans taken in the areas of

    information security and management of personal data by the Welsh

    Assembly Government. It is recommended the Cabinet note the action taken.

    The Issues

    2. The Welsh Assembly Government continues, as it has always done, to take data

    protection seriously and has measures in place to ensure that the personal data

    held within the Assembly Government and through the delivery chain is

    safeguarded and privacy rights are respected.

    3. The Assembly Government not only seeks to comply with the Data Protection Act,

    but also to deliver the commitment to always respect privacy as contained within

    our Code of Practice on Public Access to Information and Information Assurance


    4. The Assembly Government is also certified to the Information Security standard

    ISO 27001 and was successfully re-accredited to this standard in March 2009. The

    standard covers all aspects of information security, from controlling access to

    information to training and awareness of staff.

    Security Policy Framework and Information Risk Return

    5. At the end of 2008, the Cabinet Office replaced its security guidance with the

    mandatory Security Policy Framework (SPF). The SPF contains the primary

    protective security policy and guidance on security and risk management for HM

    Government Departments and associated bodies. It sets out 70 mandatory

    requirements. The SPF introduced an annual reporting requirement to Cabinet

    Office which covered the 70 mandatory requirements and a specific section

    relating to information risk. Whilst aspects of Information Security are devolved to

    the Assembly Government, the SPF requirements mostly remain a reserved

    matter for central government.

     [1] CESG is the National Technical Authority for Information Assurance



    6. As a devolved administration, the Assembly Government is not mandated to report information risks to Cabinet Office but voluntarily completed the full return to demonstrate good practice and establish common standards for protective security. Assembly Government Sponsored Bodies' compliance information was not included in the 2008/09 return after consultation with Cabinet Office. This is being reviewed for 09/10.

    7. The Assembly Government completed the Security Policy Framework (SPF) and Information Risk Report (IRR) for the Cabinet Office in June 2009. The report gave a comprehensive and objective account of the actions that the Welsh Assembly Government has taken during the year to manage information risks, along with any outstanding issues that need to be addressed.

    8. The Assembly Government return showed that we met all 70 mandatory measures set out in the SPF and have a high compliance score against performance and progress made in implementing Information Assurance measures across the Assembly Government. In particular, we scored highly on the leadership, governance and communication aspects of the return.

    The activities below have contributed to the outcome of the assessment:

    - the Information Assurance Strategy was endorsed by the Strategic Delivery and Performance Board. The strategy provides a framework to ensure that information is protected, accurate and resilient and the accompanying action plan ensures the Assembly Government continues to drive forward actions in this area;

    - the Information Asset Owner (IAO) role is starting to be embedded across the Assembly Government. The aim of these key senior officials is to provide assurance that information risks are understood and managed and protection is given at the right level across all Departments;

    - IAOs wrote to all major party delivery partners and analysed the returns to provide the organisation with assurance that delivery partners are securely processing and storing the personal data they hold on our behalf. Whilst the level of assurance is still not complete, the level of assurance has increased throughout the year and the process is on-going;

    - the Level 1 “Protecting Information” e-learning training course has been rolled out as mandatory to all staff. To date 86% of staff have registered for the course;

    - completion of a security compliance questionnaire across all high and medium risk systems enabled system owners to identify risks and put in place appropriate remedial measures. IAOs have also been involved in the process to ensure that all risks are known and managed appropriately;

    - introduction of a monthly Security Bulletin to Director Generals, Directors and IAOs has ensured awareness across the organisation of security incidents and provided a greater understanding and ownership of security risks and issues;

    - development of a number of policies and procedures to mitigate information risk such as a strict policy governing the use of mobile devices i.e. laptops and removal of personal data from site is now in place.



    9. In order to continue to build on the results of our assessment, Information Management Division continues to drive forward a number of activities to ensure that information is stored securely and that staff are provided with the knowledge and awareness needed to handle data in an appropriate way. These include:

    - development of a Code of Practice for Sharing Personal Data. The Information Commissioner’s Office will be invited to endorse it;

    - further development of guidance for staff handling personal information;

    - further embed the IAO role across all Departments and provide specific IAO

    - consider the implications of embedding Privacy Impact Assessments across the Assembly Government and how they can be applied to our processes;

    - consider extending the principles of ISO 27001 (the International Standard for Information Security Management) to new developments in the Assembly

    - consider the options on Assembly Government Sponsored Bodies compliance to the mandatory requirements in the Security Policy Framework;

    - roll out the Level 2 “Protecting Information” e-learning training course to all relevant staff;

    - ongoing audit and spot check programme to provide assurance that policies and procedures are followed;

    - roll out security compliance questionnaire to all low risk systems.

    10. The Cabinet Office will use our return for analysis, along with those from

    Whitehall Departments, to report to Parliament in the Autumn on progress made

    in information risk. Briefing to Assembly Government Ministers will be provided

    once it is known what information will be contained in the final report to


Finance Requirements and Governance Implications

    11. There are no additional financial implications as a result of this paper, as the costs of delivering the actions set out in the Information Assurance Strategy Action Plan can be accommodated within existing and planned administration costs budgets; for example, encryption is being met as part of the ICT Transformation Project, and ERDMS is included within the Knowledge Programme. FP clearance BP3508. Business Unit clearance PPCS/JJ/28-09-09


    12. A security communication plan is in place and both the Information Security and

    the Access to Information teams work with the PPCS and Internal

    Communications teams to ensure awareness of security and data issues.




    13. That you note actions being taken and future briefings will be provided when Cabinet Office determine what information will go to Parliament.

14. That you note that the Head of Information Security and the Departmental

    Security Officer can provide specific advice and information in relation to

    any issues raised by the above and advise on general threats and

    challenges, and can provide one-to-one security briefings for Ministers and

    their Private Offices.

15. That you note updates on information security and data protection matters to

    Cabinet are on an annual basis.

    Joined Up Working

    16. Whilst there has been no direct consultation in producing this paper other than between the Access to Information Unit and the PPCS Resilience branch, the Departmental Security Officer and Information Security branch work regularly with all Departments across the Welsh Assembly Government, supporting them to comply with legislation and ensure the interests of those whose information we hold are appropriately protected. Forums and a Community of Practice are regularly held to ensure engagement in the key issues.

    Rt Hon Rhodri Morgan AM

    First Minister

    October 2009

