iQuda IT Information Risk Management Policy
Date of this version: 06/10/2016
This policy has been created to help to manage information risk at iQuda Ltd.
Information risk is managed within work areas; all staff take responsibility for information risk. Management are to be tasked with:
- ensuring that the information assets within their departments are managed and confidential information is safeguarded;
- reporting on breaches of information security.
iQuda Ltd places a high level of importance upon minimising information risk and safeguarding the interests of our clients, staff and iQuda Ltd itself.
Information risk is inherent in all administrative and business activities and everyone working for or on behalf of iQuda Ltd continuously manages information risk. The business owners recognise that the aim of information risk management is not to eliminate risk, but rather to provide the structural means to identify, prioritise and manage the risks involved in all of iQuda Ltd’s activities. It requires a balance between the cost of managing and treating information risks with the anticipated benefits that will be derived.
The business owners acknowledge that information risk management is an essential element of broader information governance and is an integral part of good management practice. The intent is to embed information risk management in a very practical way into business processes and functions. This is achieved through key approval and review processes / controls.
The Information Risk Policy has been created to:
- Protect iQuda Ltd, its staff, clients and stakeholders from information risks where the likelihood of occurrence and the consequences are significant;
- Provide a consistent risk management framework in which information risks will be identified, considered and addressed in approval, review and control processes;
- Encourage proactive rather than reactive risk management;
- Provide assistance to and improve the quality of decision making throughout iQuda Ltd;
- Meet legal or statutory requirements; and
- Assist in safeguarding iQuda Ltd’s information assets.
The iQuda Ltd Senior Information Risk Owner (SIRO) (Anthony Jones) is responsible for coordinating the development and maintenance of information risk management policies, procedures and standards for iQuda Ltd.
The SIRO is responsible for the ongoing development and day-to-day management of iQuda Ltd’s Risk Management Programme for information, privacy and security.
Information risk assessments will be performed at least once each year on all information assets. The risk assessments will include:
- A risk register specifically for information risk
- Agreed mitigation plans
- Details of any assumptions
- External dependencies for information management
- Specific actions required to control risk, with expected completion dates
The SIRO shall advise the business owners on information risk management strategies and provide periodic reports and briefings on Programme progress.
Risk Management Documentation
Risks are managed in accordance with ISO 27001 standards. To this end, we operate a risk management document through which regular risk assessments are conducted. Each risk that we identify has resolution or mitigation actions attached to it. This approach ensures that we continually reduce the amount of risk in our environment. Please refer to the QRA iQuda Risk Assessment Document.
This policy is applicable to all areas of iQuda Ltd and adherence must be included in all contracts for outsourced or shared services. There are no exclusions.
This policy is to be made available to all iQuda Ltd staff and observed by all members of staff.
There will be an ongoing professional development and educational strategy to accompany the implementation of this policy.
Key definitions are:
- Risk
The chance of something happening, which will have an impact upon objectives. It is measured in terms of impact and likelihood.
- Consequence
The outcome of an event or situation, expressed qualitatively or quantitatively, being a loss, injury, disadvantage or gain. There may be a range of possible outcomes associated with an event.
- Likelihood
A qualitative description or synonym for probability or frequency.
- Risk Assessment
The overall process of risk analysis and risk evaluation.
- Risk Management
The culture, processes and structures that are directed towards the effective management of potential opportunities and adverse effects.
- Risk Treatment
Selection and implementation of appropriate options for dealing with risk. Conceptually, treatment options will involve one or a combination of the following five strategies:
- Avoid the risk
- Reduce the likelihood of occurrence
- Reduce the consequences of occurrence
- Transfer the risk
- Retain/accept the risk
- Risk Management Process
The systematic application of management policies, procedures and practices to the tasks of establishing the context, identifying, analysing, evaluating, treating, monitoring and communicating risk.
Appendix 1: Information assets include
- Personal and other information, including
  - Databases and data files
  - Back up and archive data
  - Audit data
  - Paper records (client records, supplier records and staff records)
  - Paper reports
- System / process documentation
  - System information and documentation
  - Operations and support procedures
  - Contracts and agreements
- Applications and systems software
  - Data utilities
  - Development and maintenance tools
- External storage devices (USB sticks, external hard drives, etc.)
Priority must be given to information assets that comprise or contain personal information about clients or staff.