Building the right mindset for information assurance

by Ian Dyson, commissioner, City of London Police

Information management, security and assurance within the cyber debate are often focused on technical challenges and threats. But the key to protecting a business against loss or compromise of its data and information is a much more comprehensive information assurance programme.

Very often, responsibility for this sits within an IT department or with those who have technical expertise. Those experts are needed to deliver the more complex or technical aspects, but the most important thing is for any organisation to have a framework against which it can assess its entire business for vulnerability to the loss of information.

There are now a number of models that can be used to do this. There is the ISO/IEC 27001:2013 standard (the 27000 series); from the Government there is the Information Assurance Maturity Model (IAMM) and 10 Steps to Cyber Security; and there are other products on the market from the private sector that provide a holistic framework. These look at the security of information across people, process and technology within a number of dimensions such as governance, procurement and training.

In order for this to be effective, it requires leadership from the top of the organisation. In the City of London Police, I have chaired a regular information management board with leadership at the senior level of the organisation. Technical experts from information management and IT are attendees and contributors at the meeting but do not lead it.

We have used the information assurance maturity model to self-assess our performance against all of its dimensions: the model has six core elements, each assessed against five tiers of maturity.

Time to mature

It will take any organisation a significant period of time to reach maturity. Investment has to be made in governance, IT infrastructure, training, health checks, maintenance, patching, and clear and auditable policies around the management of information. As part of our continuous improvement approach to information assurance we are also assessing our compliance with the ISO/IEC 27001:2013 standard, and will be enhancing our information security management system with its additional controls.

But once achieved, it creates a culture that treats information security as part of day-to-day business.

It cannot be done by a few people in a department; it has to be across the organisation. The first step we took was to create an information asset register listing every information asset, including the services in which information is held, across my police force. I can guarantee that every organisation that does this will find it has more assets than it first thought.

Once this inventory was drawn up, an information asset owner (IAO) was assigned to each asset. This needs to be somebody in the business who operates and uses the system on a regular basis and therefore understands what purpose the information is stored for, who is entitled to use it, who should have access and how that access is audited.

Strategic risk manager

We recognised a need to create a two-tier system of asset ownership. So we also have a senior information asset owner (SIAO). They have clear authority to manage the strategic risks for the system and can allocate resources to support the IAO in the operation of their asset. We have established six SIAOs and ensured clear reporting lines to myself as the senior information risk owner.

The National Archives provides training for information asset owners, which I use across my organisation. I found it to be extremely beneficial in developing a mindset and a culture of good information management within the organisation.

So, 18 months on, I now have a robust and accurate information asset register; I have IAOs who understand their business; and I have regular monthly red, amber, green assessments, made by my information security officer, of the vulnerabilities or otherwise of the information stored within any system. I have found that by using the IAMM (though it could be any model that looks across all dimensions) one can change the culture of an organisation to one where the biggest vulnerability to information loss, your people, actually have the right mindset.

This article was first published in Local Leadership in a Cyber Society: Being Resilient, by the DCLG-led National Cyber Security Programme - Local and iNetwork.