HMG Information Assurance requires the nomination of a number of very specific roles:-
Senior Information Risk Owner
The nomination of a Senior Information Risk Owner (SIRO) is a Mandatory Requirement of the Security Policy Framework.
Mandatory Requirement 35a describes the role of a SIRO as:- “a Board level individual responsible for managing departmental information risks, including maintaining and reviewing an information risk register (the SIRO role may be combined with other security or information management board level roles)”.
The SIRO is the representative at board level who understands the strategic business goals of their organisation and how these may be impacted by failure of information assets. The SIRO is responsible for ensuring that the management of information risks is weighed alongside the management of other risks facing the organisation, such as financial, legal and operational risks.
Information Asset Owner
The nomination of an Information Asset Owner (IAO) is a Mandatory Requirement of the Security Policy Framework.
Mandatory Requirement 35e describes the role of an IAO as:- “senior named individuals responsible for each identified information asset”.
The IAO needs to understand what information is held, what is added and what is removed, how information is moved, and who has access and why. As a result, they are able to understand and address risks to the information, ensure that the information they are responsible for is fully used within the law for the public good, and provide written input to the SIRO annually on the security and use of their asset.
Departmental Security Officer
The nomination of a Departmental Security Officer (DSO) is a Mandatory Requirement of the Security Policy Framework.
Mandatory Requirement 4 describes the role of a DSO as:- “responsible for all aspects of Protective Security (including physical, personnel and information security)”.
Central Government Departments and Agencies must appoint a Departmental Security Officer who is responsible for all aspects of protective security, including physical, personnel and information security.
The SIRO may choose to delegate the day-to-day responsibility for information risk management to the IT Security Officer and / or the DSO; however, the SIRO will retain overall accountability.
The role of the DSO is critical in the IA governance chain, as they are responsible for bringing all aspects of protective security together. Where the escalation of an information risk management.
Lead Accreditor
The nomination of a Lead Accreditor (LA) is a Mandatory Requirement of the Security Policy Framework.
Mandatory Requirement 35b describes the role of an LA as:- “… responsible for ensuring the accreditation process meets HMG IA Standards Nos 1 and 2”.
The role of the Accreditor is to act as an impartial assessor of the risks that an ICT system or service may be exposed to throughout its lifecycle in meeting the business requirement and to formally accredit that system or service on behalf of the SIRO.
Accreditors are fully accountable for their decisions to the SIRO. They can be called to account for their actions in a legal proceeding but are not liable in law.
IT Security Officer
The nomination of an IT Security Officer (ITSO) is a Mandatory Requirement of the Security Policy Framework.
Mandatory Requirement 35c describes the role of an ITSO as:- “responsible for the security of information in electronic form”.
The ITSO is responsible for the security of information held in an electronic form.
Communications Security Officer
The nomination of a Communications Security Officer (CommSO) is a Mandatory Requirement of the Security Policy Framework.
Mandatory Requirement 35d describes the role of a CommSO as:- “responsible for handling cryptographic material”.
The CommSO (also known as a Crypto Custodian in some circles) is responsible for handling and managing CESG cryptographic material including key material.