CPS Approach to Security and Information Management

Introduction

The information landscape continues to change within the CPS and wider criminal justice. Key to maintaining public confidence and delivering successful objectives and deliverables is high quality Information Risk Management, taking a business proportionate response to risk management whilst looking to reduce risk to CPS reputation and cooperation from the public and other stakeholders. The intent of this document is to set out the CPS strategic approach to enable success, underpinned by a revised governance structure.

Managing and securing our information better is a vital element of delivering the vision described in The Public Prosecution Service: setting the standard, and is a key enabler of business transformation. Delivering high quality standards in the management and security of our information reflects the ethos of the CPS Core Quality Standards enabled through continuous engagement with the Information Commissioner's Office, CESG and The National Archive. It is set within the context of other strategic influences including: the HMG Data Handling Report 2008 and the HMG Information Matters Strategy. The CPS also has to comply with legislation including the Public Records Act (1958, 1967), Data Protection Act (1998) and Freedom of Information Act (2000).

In delivering improvements and the above aims, we need to embrace a holistic approach to Security and Information Management. This will enable the CPS to provide the right information securely, processed by suitably vetted staff. It will also provide information accessibility in the right circumstance i.e. at the right place, at the right time, to facilitate the right decision, in order to deliver the right effect and achieve the right outcomes.

CPS technology investments, through the Transforming Through Technology (T3) Programme, in a single infrastructure and new software tools and capabilities will enable excellence in Information security, assurance, management and exploitation within CPS and beyond. However, during the transitional period of technological innovation we need to continue to monitor standards of management and protection for paper-based information systems.

A vital component needed to underpin information transformation activity is skilled, competent and well motivated staff in security, information management and protection, to extract the maximum from our information capability. This will be driven by the wider government's information management and information assurance professionalism, and staff training, underpinned by security and information policies, procedures and protocols.

The Security and Information Management Group (SIMG) will support the Senior Information Risk Owner (SIRO) in discharging his responsibilities, with advice and assurance from a range of sources. The SIRO reports to the CPS Board.

In developing this approach, the programme has been split into five Tiers and two distinct areas of activity - Security and Information Management. These are described in Annex A. The Approach also takes account of existing forums, building on these to enhance the governance arrangements at Annex B.

Bill Fullerton
Head of Information Management Division

Annex A: Security and Information Management Programme

1. Strategy

Security

  • Protective Security, including physical, personnel (including vetting and training) and information security, is an essential enabler to make CPS work better. Security risks will be managed effectively, collectively and proportionately, to achieve a secure and confident working environment

Information Management

  • CPS meets obligations under Public Records, Freedom of Information and Data Protection Acts

2. Policy

Security

  • Ultimate responsibility for CPS security policy lies with the Chief Executive, who must manage security risk within the parameters of the Security Policy Framework (SPF)
  • All CPS employees, including delivery partners and 3rd party suppliers have a collective responsibility to ensure that assets (information, property and staff) are protected in a proportionate manner from terrorist attack, and other illegal or malicious activity
  • CPS and criminal justice system (CJS) agencies must be able to share information (including personal data) confidently knowing it is reliable, accessible and protected to agreed standards
  • CPS and CJS agencies must employ staff (and contractors) in whom they can have confidence and whose identities are assured
  • CPS business needs to be resilient in the face of major disruptive events, with plans in place to minimise damage and rapidly recover capabilities
  • For buildings, staff and general information security, CPS uses the ISO 27001 compliance toolkit designed by the Departmental SU
  • For Information Management Systems that are IT based, CPS uses the Information Assurance Maturity Model as a measure of compliance
  • For Business Continuity Management, CPS uses BS 25999.

Information Management

  • CPS records are kept consistent with the Public Records Act and DPA principles
  • Information providing evidence of the functions, policies, procedures, decisions, actions and other key activities in HQ and the Areas, is recorded
  • Recorded information can be retrieved promptly to aid decision-making and increase CPS effectiveness and efficiency
  • Records created or received in the course of business are retained in accordance with retention schedules
  • Records worth preserving permanently, due to their administrative, research or historical value, are identified and safeguarded
  • CPS records are stored economically, retrieved readily, reviewed regularly and disposed of in accordance with retention schedules
  • Effective policies on Data Protection, Data Sharing and Freedom of Information procedures are in place
  • An effective Publications Scheme is maintained.

3. Legislative and Mandatory Measures

Security

  • Security Policy Framework – 70 Mandatory Measures
  • Information Assurance Maturity Model and Information Assurance Assessment Framework
  • Third Party business critical suppliers

Information Management

  • Public Records Act compliance
  • FOI response - 20 working days
  • DPA response - 40 calendar days
  • Publications Scheme
  • Information Management Assessment
  • Privacy Impact Assessments for Information Systems
  • Data Sharing Protocols

4. Delivery through

Security

  • DSO and Departmental Security Unit
  • Incident Management
  • Information Asset Owners
  • Information Management Advisers
  • Security operational guidance that underpins mandatory measures
  • Training and development
  • Awareness raising activity
  • Protocols
  • Contractor performance
  • Facilities Management performance
  • HQ physical security
  • Effective Risk and Issue management

Information Management

  • DRO and Information Management Unit
  • Information Asset Owners
  • Information Management Advisers
  • Information Management operational guidance that underpins statutory requirements
  • Training and development
  • Awareness raising activity
  • Protocols
  • Contractor performance - Iron Mountain
  • Effective Risk and Issue management

5. Compliance

Security

  • Certificate of Assurance
  • ISO 27001 compliance toolkit
  • BS 25999
  • Cabinet Office reporting – SPF and Information Assurance Maturity Model (as at Tier 3 above)
  • Audit

Information Management

  • The National Archive
  • Ministry of Justice (MOJ) performance reporting
  • Criminal Case Review Commission
  • Information Commissioner
  • Audit

Annex B: Governance and Terms of Reference – Security and Information Management Group

Background

Information is a key asset within Government, but it can also become a key liability. The CPS Departmental Accounting Officer (AO), through the Senior Information Risk Owner (SIRO) and the Information Asset Owners (IAOs), is accountable for the adequate security, management and protection of information which is collected, processed and stored within the CPS. To do so, the CPS must put in place effective Information Management (IM) and Information Risk Management (IRM) processes and procedures. The CPS Board will also need to be assured that these arrangements are sufficient to reveal what impact the range of programmes will have on CPS information management and risk.

The growing need for departments to share information in response to the Information Matters Strategy and Transformational Government means that common standards need to be applied across government. This is to ensure that those accountable and responsible for IM and IRM can have confidence that the information will be handled appropriately when it is passed to others. As well as legislative standards, the HMG Security Policy Framework lays down mandatory standards to be applied by departments. However, in addition to these standards there is a body of tools, frameworks and best practice measures that will assist CPS in discharging its obligations to enact effective IM and IRM.

Aim

It is a Cabinet Office requirement that the SIRO report directly to the Board on Information Risk. The creation of the CPS Security and Information Management Group (SIMG) will provide the governance to assist the CPS SIRO put in place an effective change programme to improve IM and IRM. The SIMG will oversee the programmes of work required to enable the CPS SIRO and CPS Board to be assured that IM and IRM is being embedded within the Department. CPS Board members will be assured that the CPS complies with the statutory requirements embodied in the Public Records Act, Data Protection Act, Freedom of Information Act, Human Rights Act and other similar legislation, as well as mandated policy requirements within CPS and third party suppliers.

Objectives

The objectives of the SIMG are to set the conditions and environment that will enable the CPS to:

  • Embed a high quality IM and IRM culture in the CPS
  • Ensure implementation of policies and best practice procedures
  • Ensure compliance through effective assurance measures

Responsibilities

The SIMG is responsible for supporting the CPS SIRO and the CPS Board by:

  • Advising on issues of corporate liability and developments
  • Developing CPS Security and Information Management strategies for approval
  • Developing and approving CPS Security and Information Management policies
  • Overseeing an effective change programme to improve CPS Security and Information Management, Information Risk Management and Assurance compliance
  • Setting the conditions that enable the CPS to embed a cultural change and development programme
  • Establishing a compliance regime to assure the CPS Board that the strategic approach is achieving legislative and mandatory requirements, and the desired outcomes in the business
  • Setting the conditions to ensure Performance

Key Roles

The SIMG will sit at least twice per annum, and include the following key roles:

  • Chair – will be the CPS SIRO, who is also a member of the CPS Board. The SIRO will ensure that the direction of the Security and Information Management Programme is aligned with the business.
  • CPS CIO - will ensure that development of Information Systems and their Interfaces enable information to get to the right place under the right circumstance, whilst meeting legislative, statutory and mandatory requirements
  • Director HR - will ensure all cultural change aspects are met, that all personnel vetting processes run by the vetting unit in Liverpool are efficient and effective, and that training and development activity meets Cabinet Office requirements
  • Senior Area Business Manager - will ensure the security and information management strategy, policies and programme delivers against front-line business requirements
  • Head of Information Management Division - on behalf of the SIMG, develop strategy, policies and a programme of work to deliver legislative and mandated requirements, and advise as appropriate. Will lead the development and delivery of the SIM Programme, as approved by the SIMG. Will provide appropriate briefings on progress and draft CPS Board briefings for SIMG approval. Will ensure secretarial support for the SIMG

Assurance and Compliance

The Assurance and Compliance regime will include the following:

  • Areas will report through the use of toolkits and Certificate of Assurance
  • Information Management Division will report to Cabinet Office through the Security Policy Framework and Information Assurance Maturity Model
  • Information Management Division will report to the Ministry of Justice for DPA and FOI Act statistics and issues, and to The National Archives on Public Records Act issues
  • Internal Audit will conduct performance checks
  • The Information Commissioner is the ultimate regulator on the use and integrity of information. From 2010 onwards the office will have the power to undertake inspections, both ad-hoc for incidents and under a more general inspection programme

Security and Information Management Governance

The diagram below shows the governance structure for Security and Information Management from the working groups up to the CPS Board.

[Governance diagram: Security and Information Management governance structure, from the working groups up to the CPS Board]

The DSO and DRO report directly to the Head of Information Management Division. Assurance reports will be provided to SIMG from Heads of IT Security, Vetting Unit, Procurement/Estates, and the Business Continuity Manager.

The SIMG will be supported by the under-mentioned who will report for each meeting, and attend on request:

  • Departmental Security Officer (DSO) - Responsible for policy on all security matters. Provides advice and guidance to Information Asset Owners (IAOs) and Information Management Assistants (IMAs). Ensures delivery of a departmental training and development programme including Protecting Information, for all staff and senior managers, IAOs including senior CPS staff, and IMAs. Manages security incidents and compliance. Will report on performance to Cabinet Office and the SIMG
  • Departmental Records Officer (DRO) and Data Protection Officer - Responsible for policy on FOI, DPA, Public Records Act and HRA (Article 8 - right to privacy). Provides advice and guidance to IAOs, IMAs and CPS staff. Provides input to training and development delivery. Will report on performance to MoJ, TNA and SIMG
  • IT Security Officer - Will ensure alignment of the SIMG and IT Security Working Group and escalate appropriate technology and infrastructure issues that impact the SIM Programme. Will report on performance
  • Vetting Unit Manager - Will report on personnel vetting issues and performance
  • Procurement/Estates Manager - Will report on estate issues and CPS contracts that are impacted by security and information management. Will provide reports on physical security of HQ buildings and in particular Rose Court via HQ Head of Facilities Management. Will report on performance
  • Business Continuity Manager - Will report on business continuity arrangements and performance
  • Corporate Risk Management Advisor - Will advise on the impact and effectiveness of managing wider corporate risks and the standards required for the Departmental Statement of Internal Control

Strategies and policies

Copies of CPS Information Management, Information Assurance and Security policies and strategies are available to download in Adobe Acrobat PDF format.

Information Management Policy - Executive Summary

Information Management Policy

Information Strategy - Executive Summary

Information Strategy

Information Assurance Strategy

Security Strategy and Policy

Information and Security Change Strategy