Information management

Information assurance

Policing is an information-led activity, and information assurance is fundamental to how the police service manages many of the challenges faced in policing today. It is vital for maintaining public confidence and for the efficient, effective, safe and secure conduct of operations and services. Without robust information assurance governance and processes, there is a significant risk of compromise, potentially leading to the facilitation of crime, public safety issues, hindrance to investigations, financial loss, damage to organisational reputation and, consequently, a reduction in confidence from the public and partners.

Information assurance provides the mechanism by which the police service identifies risk and satisfies itself, the public and partners that security arrangements are fit for purpose and that identified risks are managed effectively, collectively and proportionately. It underpins all areas of policing in support of the strategic policing requirement and other statutory responsibilities, for example the Data Protection Act 1998 (DPA).

Introduction

This APP applies to police information whether it is locally owned or part of a national system, for which chief officers are data controllers in common. A data controller in common is a person (either alone or jointly, or in common with other persons) who determines the purpose for which and the manner in which any personal data are, or are to be, processed.

A national police information system is:

  • one that is provided for the police community as a whole and managed centrally, and
  • used by at least 10 forces, and
  • one where the Home Office (HO) has a contractual relationship with the service provider and/or with the service management of the system.

National systems include those delivered:

  • by or on behalf of the HO, such as the police national database (PND), the police national computer (PNC), the violent offender and sex offender register (ViSOR) and the national identification system (IDENT1)
  • by other law enforcement agencies or through distributed components operated by forces, such as HOLMES
  • to provide interconnectivity between law enforcement and other agencies, for example, through the criminal justice extranet (CJX) or PSN
  • to facilitate law enforcement agencies’ information sharing with external communities and connectivity, such as criminal justice secure mail (CJSM).

Each national system must be accredited in accordance with the National Policing Accreditation Policy and have an assigned national accreditor. Accreditation ensures that risks are known, understood and managed in accordance with the risk appetite.

Information assurance (IA) provides the confidence that information systems will protect the information they handle and will function as they need to, when they need to, under the control of legitimate users.

A national approach aims to:

  • provide and promote IA advice to all police personnel
  • embed IA culture as a core business process/activity in the police service at national and local levels, that aligns across force/agency boundaries
  • be clear on ownership and management of IA
  • clearly define the information risk management framework and processes, so that individuals have a common understanding of the identification, assessment and treatment of risks
  • develop IA standards and procedures so that they remain current and relevant to policing objectives and approaches.

For further information see National Approach to Information Assurance 2014 – 2017.

Governance

Governance is provided by:

  • the national senior information risk owner (NSIRO) – the national policing lead for information management business area (IMBA)
  • the police information assurance board (PIAB)
  • national information asset owners (IAO)
  • national accreditors.

Structures at national level are governed by the following policies:

Information risk management structure

The governance structure for information assurance includes forces, national systems, national policing, government departments and delivery partners. Force/agency senior information risk owners (SIROs) are responsible for information risk within their organisation and the NSIRO is responsible for information risk associated with the national capability.

Information risk management is owned by the NSIRO on behalf of the chief constables’ council and forms part of the SIRO’s overall responsibility in the governance of risk.

The governance structure below identifies the ownership of IA issues at force/agency and national levels.

Information risk management structure

Functions and responsibilities

National senior information risk owner

The NSIRO ensures that information risk ownership for national systems is formally retained by IAOs. The NSIRO:

  • has responsibility for ensuring all national information systems are appropriately risk assessed and identified risks are managed in accordance with the national policing accreditation policy
  • ensures that a framework is in place to monitor and manage aggregated risks
  • considers information risk escalation cases (REC) relating to national police information systems
  • sets and endorses the national policing risk appetite statement
  • represents chief constables’ council for all matters in relation to information assurance and is the final arbiter for all related matters.

Senior information risk owner

The term SIRO is only used for the single individual within each organisation or collaborating organisation who has ownership of the corporate or collective information risks.

Each force/agency must have a SIRO. They are responsible for determining and setting their force risk appetite for their information assets that are not contained within or connected to national systems. SIROs must be aware of the need to act as a community of interest and of the need to manage risk collectively, considering the wider impact of any local decisions on national information, consulting the NSIRO when appropriate.

The SIRO:

  • should ensure the information risk appetite is recorded and incorporated in the risk management processes, and communicated to their organisation
  • is the final decision maker for accepting risks outside the level of acceptance, unless related to national information systems
  • reviews annually and submits the Code of Connection (CoCo) and supporting documents to the national police information risk management team (NPIRMT)
  • prepares and submits the protective security and risk management overview
  • ensures that local governance meets the requirements of the community security policy (CSP)
  • manages and implements national standards at a local level.

National police information risk management team

The NPIRMT provides a range of information assurance functions to the police community. This includes:

  • maintaining the National Approach to Information Assurance 2014 – 2017, associated policy and guidance
  • supporting the chief constables in their role as data controllers in common under the DPA
  • ensuring that risks to police information held on national systems are managed through an accreditation framework and meet the expectations of the NSIRO
  • ensuring that the security of connections (police service and non-police) to national information systems meets the national information risk appetite
  • providing a central resource for all police security incident reporting, and investigating incidents relating to national systems
  • auditing compliance with police service IA standards and policies by third-party suppliers and delivery partners to national policing
  • approving supplier/service providers' facilities to handle/process policing data.

Police information assurance board

The PIAB provides the strategic lead on the development, implementation and evaluation of IA within national policing. It is the authority under which the assessment and improvement of IA is undertaken and is custodian of the CSP on behalf of the community (CSP community of forces and agencies). It supports the framework for sharing information and promotes good practice in data management by forces/agencies and the wider community.

It is responsible for:

  • acting as the information risk management governing body for all national policing systems and the accreditation process that governs the management and connection to them
  • providing support to the police community on the use of new and existing information and communications technology (ICT) and data sharing without compromising its IA responsibilities
  • promoting a culture of responsible and compliant data sharing to ensure public safety and enhance operational effectiveness (jointly with the information sharing portfolio)
  • considering and approving changes and developments to the National Approach to Information Assurance 2014 – 2017 and national policing IA policies, guidance and procedures
  • proposing the National Policing Risk Appetite Statement
  • providing the authority for, and overseeing the delivery of, the annual Police Security Risk Management Overview
  • reviewing data loss and security incidents and providing guidance to reduce the impact of incidents.

Information asset owner

The term IAO is used for the corresponding function at project, programme or organisational unit level.

The NSIRO nominates an IAO for each national system, and force SIROs nominate an IAO for each local force system. The IAOs are accountable for the confidentiality, integrity and availability of their information asset and are responsible for identifying and managing risk.

The IAO:

  • identifies and assesses the information risks and decides whether they are acceptable, raising a REC when appropriate
  • monitors and reports on risks allocated to them on an ongoing basis
  • accepts information risks on behalf of the SIRO within agreed parameters
  • is responsible for ensuring that the information systems assigned to them have current accreditation.

Information security officer

The information security officer (ISO) is responsible for the development and implementation of information security policies and procedures within their force/agency in accordance with:

Additional responsibilities include:

  • assuring and accrediting local information systems
  • providing information security advice to the SIRO and the wider organisation
  • providing an incident reporting service on behalf of the force
  • facilitating information security awareness, education and training.

The role of the ISO and the accreditor may be combined. Should this occur, the impartiality of the accreditor function must be maintained.

Accreditor

The accreditor acts as an impartial assessor of the risks to information systems. Their function is to ensure that systems are sufficiently secure to be placed into, and continue to function in, operational service. They accredit systems on behalf of the SIRO.

Within the police community there are national accreditors and force accreditors.

National accreditors:

  • review the level of residual risk of national police systems
  • administer the CoCo for national police systems
  • approve force connections to national services to ensure that they meet national standards for connectivity.

Force accreditors:

  • review the level of residual risk within a force
  • accredit the local force network and request approval from a national accreditor for connection to national systems and networks
  • may accredit regional or shared systems which do not qualify as national systems.

The role of the accreditor and the ISO may be combined. Should this occur, the impartiality of the accreditor function must be maintained.

National policing community security policy

The overarching IA policy for the police service is embodied in the National Policing Community Security Policy. The CSP provides appropriate and consistent protection for the information assets of member organisations, whether national, collaborative or local assets. The IMBA and PIAB have ownership of the national policing CSP.

Aims of the community security policy

The aims of the CSP are to:

  • ensure compliance with statutory requirements and meet the expectations of the police service to manage information securely
  • assure the Cabinet Office that police service elements of the critical national infrastructure (CNI) and police service connections to government networks and services are appropriately protected.

Community security policy compliance

Forces and organisations are required to show compliance with the CSP. Compliance provides assurance that risks to shared information are managed to a level acceptable to the whole community.

The NPIRMT monitors and reviews national policing CSP requirements. Compliance is provided through:

For further information see organisations that are members of the CSP.

Protective security risk management overview

Forces/agencies are required annually to provide a completed protective security and risk management overview (PSRMO) to the NPIRMT. The content of the overview each year is decided by the PIAB. The NPIRMT reviews and collates the force/agency returns and presents them to the PIAB.

The community code of connection

Compliance with the CoCo provides a level of assurance to the police community that information shared between connected organisations, and accessed on national networks and systems, will be appropriately protected and no additional risks will be introduced into the wider policing community.

Organisations connecting to national police information systems must seek approval from the national accreditor for the police service on an annual basis, providing evidence of compliance with the CoCo. Significant changes to ICT infrastructure should be notified in the form of an updated CoCo at the time of change. This is in the form of a template developed by the NPIRMT.

For further information see:

  • The Community Code of Connection (CoCo)
  • Statement of Compliance to the National Policing Community Code of Connection (police)
  • Statement of Compliance to the National Policing Community Code of Connection (non-police).

Accreditation

National policing has mandated the accreditation of police ICT services to manage risks to police information held in national information systems. The accreditation service for national information systems is provided by the NPIRMT on behalf of the police service. National information systems require accreditation annually, or when there is a significant change to a system.

For further information see:

Management of information risk

Risk appetite

The SIRO must establish the risk appetite statement for the information assets under their control. This enables IAOs and accreditors to make effective risk management decisions and defines the extent to which risks must be mitigated or escalated.

Insufficient guidance on legitimate, acceptable levels of risk may foster an overly cautious (risk-averse) culture, which results in a failure to seize important opportunities that maximise performance. Conversely, excessive risk may be accepted without regard to the potential impact. Aligning risk exposure to risk appetite maximises business performance by taking acceptable risks when developing and delivering services.

An accreditor or an IAO can only deviate from the risk appetite with the authority of the SIRO following an information REC. In relation to national systems or nationally connected systems, this authority needs to come from the NSIRO.

The level of risk appetite and, therefore, the severity of subsequent risk controls will vary for different information asset types. National policing has categorised its information assets as:

  • Police marketing and communications – information generated, collected, stored and used for internal and external marketing and communications.
  • Personal data – personal data, as defined by the DPA, of all staff (permanent and contract).
  • Public/citizen – personal data, as defined by the DPA, of all citizens collected, stored and used by the police.
  • Commercial/procurement/supplier – information collected, stored and used throughout the procurement process.
  • Police corporate information – information generated, collected, stored and used by the corporate functions of forces. Includes policy, security metrics etc.
  • Sensitive personal data – sensitive personal data, as defined by the DPA, of all staff (permanent and contract) and citizens.
  • National security commercial/procurement/supplier – information collected, stored and used throughout the procurement process of systems and services related to national security.
  • Personal data – staff in sensitive posts – personal data, as defined by the DPA, that, for example, identifies officers in certain roles related to covert intelligence gathering.
  • National security corporate information – information generated, collected, stored and used by the corporate functions of forces and directly related to the management of national security. Includes policy, security metrics etc.
  • Covert intelligence – information generated, collected, stored and used in the course of covert intelligence operational processes.
  • Counter terrorism – information generated, collected, stored and used in the course of counter terrorism operational processes.

The national police information risk appetite applies to all national police information systems. It also applies to force/agency systems which are connected directly or indirectly to national police information systems.

For further information see:

Residual risk

Residual risk is the level of risk perceived to exist after security controls have been implemented to reduce the risk initially identified in the risk assessment. Residual risk is minimised through countermeasures.

Risk escalation case

A REC is raised by personnel involved in information risk management in an organisation to escalate information risks that are deemed to be outside the level of acceptance. These information risks are escalated to the SIRO, who decides how to manage the notified information risk. The NPIRMT manages cases where a REC must be raised for national information systems or nationally connected systems.

Detailed information on how to create a REC and the approval and consideration can be found in National Policing Information Risk Appetite Statement and National Policing Information Risk Appetite and Risk Escalation Case Guidance.

Information security incidents – reporting and monitoring

Forces/agencies are required under the National Policing CSP to provide the NPIRMT with quarterly statistical information on slow-time security incidents and to report fast-time incidents.

The slow-time quarterly reports are used to monitor and report on current threats/incidents faced by the policing community. The information is incorporated into the national policing information threat model. It includes the frequency, future likelihood of occurrence and any specific impacts this would have on national policing.

The PolWARP procedure requires forces/agencies to report fast-time security incidents to the NPIRMT that may affect other members of the policing community. Appropriate action can then be taken to prevent widespread confidentiality, integrity or availability issues occurring. This information is also used to monitor and report on current threats to the police service and feeds into the national policing information threat model (available from the NPIRMT on request).

In order for forces/agencies to support this process, they are required to have their own local security incident procedures.

Police warning, advice and reporting point

An information security incident is a single or a series of unwanted or unexpected information security events that have a significant probability of compromising business operations and threatening information security. PolWARP is supported by the Centre for the Protection of National Infrastructure (CPNI) and has been widely adopted by other government departments and local authorities throughout the country.

A security incident can also be described as any suspected failure in information security, namely:

  • accidental or deliberate unauthorised destruction of information
  • accidental or deliberate unauthorised modification of information
  • accidental or deliberate unauthorised disclosure of information
  • deliberate and unauthorised unavailability of the system
  • unauthorised access to the system
  • misuse of data and theft of assets containing information
  • any contravention of the information security policy or security operating procedures
  • any other event which affects security of information.

Forces/agencies are expected to have their own local security incident procedures that include deciding whether the incident is likely to have immediate or serious repercussions for the rest of the CJX/PSN communities.

Where they assess the incident as having only local impact, it should be dealt with following their local procedures, and then reported to PolWARP as part of the regular return of security incidents.

Forces are required to:

Page last accessed 26 March 2017