StudentShare
Contact Us
Sign In / Sign Up for FREE
Search
Go to advanced search...
Free

The General Plans of Information Risk Management - Assignment Example

Cite this document
Summary
The paper "The General Plans of Information Risk Management" presents the principles stated in the Company IRM Policy. are elaborated in this Company IRM Plan document. All Clayton Electronics businesses are required to implement this Plan but may extend requirements if appropriate…
Download full paper File format: .doc, available for editing
GRAB THE BEST PAPER94% of users find it useful
The General Plans of Information Risk Management
Read Text Preview

Extract of sample "The General Plans of Information Risk Management"

FLAYTON ELECTRONICS INFORMATION RISK MANAGEMENT PLAN Rationale Information is a valuable asset and essential to the business (Avison & Fitzgerald 1995). Flayton Electronics is committed to protecting the information throughout its Lifecycle in line with its value, sensitivity, the risks to which it is exposed and in a manner consistent with legal, regulatory and contractual arrangements. Flayton Electronics operates under a Key Risk framework supported by Risk and Control frameworks and Company Policies. The purpose of this plan is to detail the minimum level of controls to which business must adhere to ensure that the Flayton Electronics information is adequately protected. There are some information risk controls that are designed through other policies and plans. These controls apply to all information, whether in electronic, paper, portable devices or in other forms, to ensure the Flayton Electronics information related risk is managed appropriately. Scope This plan applies to: (a) Flayton Electronics and all its subsidiaries (including any consolidated entity acquired via a debt-for-equity swap or created through a joint venture); and (b) All employees of any entity within paragraph (a) above; for the purposes of this document, "employees" includes employees, agency workers, consultants and contractors, irrespective of their location, function, grade or standing. It does not apply to: (a) Any entity in which the Flayton Electronics has any interest and which is a non-consolidated entity, or to any employee of any such entity; or (b) Any entity which has been consolidated for IFRS accounting purposes*, provided Flayton Electronics has neither legal nor operational control. * such entities are likely to be property owning vehicles with a related Flayton Electronics loan which is in default and where Flayton Electronics has current and unilateral enforcement rights but does not have legal ownership/control. Controls The principles stated in the Company IRM Policy are elaborated in this Company IRM Plan document. Where the policy document states ‘what’ principles must be followed, this plan indicates ‘how’ the controls must be implemented. All Flayton Electronics businesses are required to implement this Plan, but may extend (add) requirements if appropriate. General Requirements This section covers the general plans of Information Risk Management. Controls The controls included in this section are: Compliance with the Company IRM Policy and Plan Conformance testing and assurance Consistent reporting of risk incidents Employee responsibilities and training Ref. Principle 3.1 Businesses must have adequate processes and procedures to comply with this policy and supporting IRM plans. Control statements 3.1.1 The business key risk owner must ensure that the control statements in this plan are implemented, maintained and operating effectively. Ref. Principle 3.2 Businesses must implement a conformance testing and assurance program (Kranacher, Riley & Wells, 2011). Control statements 3.2.1 The Business Head of IRM must define and agree an evidence-based conformance testing program with Company IRM and execute at least annually. Ref. Principle 3.3 Businesses must implement a consistent and effective approach to the reporting of information risk incidents. Control statements 3.3.1 Employees must report information risk incidents in accordance with the Company Internal Risk Event Policy. Ref. Principle 3.4 Businesses must maintain a record of employee training and attestations. Control statements 3.4.1 Businesses must maintain records on employee training and attestations. Ref. Principle 3.5 Employees must be aware of their information risk management responsibilities. Control statements 3.5.1 Businesses must implement the Company IRM minimum training requirements. Information Classification and Handling Objective Manage Flayton Electronics information effectively during its Lifecycle to reduce the risk of information loss, misuse, unauthorized change or disclosure (McNurlin, Sprague, & Bui, 2009) . Controls This section of the Company IRM plans, aims to set out the minimum baseline plans which apply to the classification and handling of information assets, in all formats or media, created or received by Flayton Electronics (or on its behalf) in the performance of business activities. Information Classification is the process of identifying and classifying information assets to ensure that they are handled, distributed, stored and disposed of in accordance with their criticality and sensitivity. A failure to classify and handle information assets correctly could lead to potential data leakage events and ultimately regulatory fines, reputational and financial damage (Wood-Harper and Avison, 1990). Ref. Principle 3.7 Businesses must educate employees on how to use the Flayton Electronics classification scheme to identify and handle information assets owned by the business in accordance with their criticality and sensitivity. Control statements 3.7.1 Businesses must publish the Company IRM plan information classification and handling plans including detail on how information assets should be handled and protected in accordance with their level of criticality and sensitivity. 3.7.2 Businesses must educate employees on information classification and handling standards in order to ensure employees are aware of how to identify and protect critical and sensitive information. 3.7.3 Businesses must ensure that information assets handled through any social media channel adhere to the control requirements documented in Company IRM control requirements for Social Media. Ref. Principle 3.8 Businesses must establish and implement a process to identify and protect the most critical and sensitive information assets using a risk based approach. Control statements 3.8.1 Businesses must identify and protect their critical and sensitive types of information asset using a risk based approach. 3.8.2 Businesses must assess, track, mitigate and report the external supplier information risk and control position on a regular basis. The frequency of information risk reporting to each Business Unit IRM function must be not less than quarterly. Records Management Objective Ensure Flayton Electronics records are appropriately identified, retained, retrieved and disposed of in accordance with timescales outlined by legal, regulatory and business requirements. Controls This section of the Company IRM plan aims to set out the minimum baseline controls which apply to the management of records, in all formats or media, created or received by Flayton Electronics (or on its behalf) in the performance of business activities. Records Management is the practice of identifying, categorising, archiving and maintaining information about a business in the form of records (Prentice,2010). Flayton Electronics is committed to protecting, retaining and disposing of its records in accordance with its relevance and the risks to which it is exposed, in a manner consistent with legal, regulatory and contractual requirements. The minimum requirements outlined in this section are intended to provide an end to end records management standard to ensure that Flayton Electronics records are identified, retained, retrieved and disposed of in accordance with legal, regulatory and business requirements, throughout its lifecycle. The aim of which is to: Meet mandatory legislative and regulatory requirements Reduce legal, regulatory and financial risks (and reputational impact) arising from an inability to retrieve records within prescribed timeframes, or to destroy them securely at an appropriate point Ensure effective management of records for the benefit of our customers, employees and other stakeholders Businesses must adhere to the Records Management Relevant Record storage minimum standards Ensure new systems handling Relevant Records incorporate Records Management requirements These plans must be implemented locally to manage Flayton Electronics Records Management related risk. Ref. Principle 3.9 Businesses must maintain a list of Relevant Records aligned with the retention schedules. These must be reviewed for accuracy and completeness on a periodic basis as determined by the business. Control statements 3.9.1 Records are either Relevant or Non-Relevant. Those that are Relevant (retained for legal, regulatory or business reasons) must be identified and documented on a Business List of Records. Ref. Principle 3.11 Records must be retrievable within required timescales as determined by legal, regulatory and business requirements. Control statements 3.11.1 All Relevant Records must be retrievable within the following timescales: Electronic records to be retrieved within 5 working days Archived electronic and physical records to be retrieved within 15 working days Ref. Principle 3.12 Records which have reached the end of their retention period must be destroyed securely using an approved procedure and within timescales as determined by the business. Control statements 3.12.1 Relevant Records must be destroyed securely within 6 months of the retention expiry date except where a Disposal Hold notice applies. Ref. Principle 3.13 Businesses must adhere to Disposal Hold notices. Control statements 3.13.1 Where there is a known or anticipated legal or regulatory enquiry, all records as defined by an individual Disposal Hold notice must be identified, located and withheld from destruction within 24 hours. 3.13.2 Following the lifting of a disposal hold and upon receipt of legal authorisation, business as usual retention periods must be reapplied within 6 months. Care must be taken to ensure that no other existing Disposal Hold notice applies. 3.13.3 Business Units should consider Company Disposal Hold guidance when implementing Disposal Hold notices. Access Management Objective Access to information assets is authorized, appropriate and attributable. Controls The overall scope of this section is all business applications that hold information assets that are protected through logical access management controls. These principles and controls will be applied to applications and/or information assets commensurate with the business risk. Ref. Principle 3.14 Businesses must ensure that there is individual accountability for user accounts. Control statements 3.14.1 Businesses must ensure that there is a documented process to assign and maintain ownership of all user accounts. This must be reviewed annually. 3.14.2 The accountability of non-personal accounts must be attributable to an individual or a company of individuals. Ref. Principle 3.15 Businesses must have a defined user management process to grant, modify and revoke access to information assets. (Joiner, Mover, Leaver or “JML” Process) Control statements 3.15.1 For each business application, application owners must ensure there is a documented JML process. At a minimum this must include: the authorisation model, detailing requestors, authorisers and those qualified to undertake the change in access management. This process must be reviewed by the business application owner annually. Ref. Principle 3.16 All business application access must be attributable to a Flayton Electronics unique HR identifier. Control statements 3.16.1 The process to grant and modify access to a business application must ensure that new user accounts are created using a unique identifier which can be linked to the employee’s Flayton Electronics Resource ID or equivalent HR record. Ref. Principle 3.17 Authorised users must only have the access rights they need to carry out their role effectively. Control statements 3.17.1 Businesses must ensure that the creation of a new user account must be based upon the concept of least privilege and requests for similar levels of access to other user accounts must not result in excessive privileges being granted. Ref. Principle 3.18 Businesses must ensure that granted user access permissions support any Segregation of Duties objectives. Control statements 3.18.1 Businesses must ensure that the documented access rights, privileges and permissions also include business rules relating to any segregation of duties. This must be reviewed by the business application owner at least annually. 3.18.2 Businesses must ensure that combinations of access permissions within a business application and between business applications consider any segregation of duty requirements. 3.18.3 Where the business application permits, businesses must ensure that an individual does not have access to more than one account per business application. Ref. Principle 3.19 User and access rights must be recertified periodically as determined by the business. Control statements 3.19.1 Businesses application owners must ensure that there is a documented process in place to periodically review user access to business applications. The frequency of review, at a minimum annually, and account coverage must be commensurate with the business risk. The access review process must ensure that: The access rights for all users are appropriate Users must not be able to recertify their own access Ownership and accountability of non-personal (i.e. generic and shared) accounts has been assigned appropriately Business roles, user types, companies and their associated rights are appropriate The review process produces documentary evidence of the recertification, together with the recording of issues arising and subsequent actions taken to address those issues (e.g., account removal, company modification), which is maintained in line with business requirements. Adherence Noncompliance with the Company Policy or Company IRM Minimum Standard must be raised using the Company Dispensations, Waivers and Breaches process and should be accompanied by legal, compliance or privacy opinion where appropriate. If a business plan is breached (but this, in itself, does not constitute a breach of this Company Plan) the business accountable executive must grant approval. This business approval must be documented and retained. It must be made available to Company IRM if requested. References Avison & Fitzgerald 1995, Information Systems Development: Methodologies, Techniques and Tools 2nd ed. McGraw Hill, Maidenhead. Wood-Harper, and Avison 1990 MultiView - an exploration in information systems development, McGraw Hill, Maidenhead Prentice, R., Clinton, D., Gillespie, J., Bizzell, H., & Stone, D. (2010), Business environment and concepts Sedona, Efficient Learning Systems, Inc. Wang, A. & Diesburg, S.M, (2010, November 3). A survey of confidential data storage and deletion methods, ACM computing surveys, 43(1) 2-37. Sprague, R., McNurlin, B. & Bui, T. (2009). Information systems management in practice (8th, ed.), Upper Saddle River, New Jersey: Prentice Hall Kranacher, M.-J., Riley, R. A. Jr., & Wells, J. T. (2011). Forensic accounting and fraud examination. Hoboken, NJ: John Wiley & Sons. Read More
Cite this document
  • APA
  • MLA
  • CHICAGO
(The General Plans of Information Risk Management Assignment Example | Topics and Well Written Essays - 2000 words, n.d.)
The General Plans of Information Risk Management Assignment Example | Topics and Well Written Essays - 2000 words. https://studentshare.org/management/1630495-risk-managment-plan-component
(The General Plans of Information Risk Management Assignment Example | Topics and Well Written Essays - 2000 Words)
The General Plans of Information Risk Management Assignment Example | Topics and Well Written Essays - 2000 Words. https://studentshare.org/management/1630495-risk-managment-plan-component.
“The General Plans of Information Risk Management Assignment Example | Topics and Well Written Essays - 2000 Words”. https://studentshare.org/management/1630495-risk-managment-plan-component.
  • Cited: 0 times

CHECK THESE SAMPLES OF The General Plans of Information Risk Management

Reducing the Risks of Petrochemical Companies

In order for petrochemical plants to operate with minimal risk, they should be properly planned and designed, and appropriate procedure and guidelines should be implemented in their operation and management.... Name Name of Professor Reducing the Risks of Petrochemical Companies Proposed Guidelines for Use in Industrial Applications Introduction It is generally known that it is impossible to live a life free of risk.... Hazardous wastes, on the other hand, are those which create a considerable risk or possible danger to the health of living beings for these are naturally deadly, constant, and non-degradable....
15 Pages (3750 words) Research Paper

Nuclear Power: Risk Perceptions and Reality

Though, as with any topic the level of information and insight the average person has on these often differs from that of the experts and can consequently lead to a difference in opinions.... Nuclear Power: risk perceptions and Reality Introduction: There are certain issues pertaining to the modern society and the way of life which rise up heated debates on both sides of the argument.... The public risk perception and assessment of the issues visibly colors these concerns- sometimes distorting the actual facts which are present and relying on the phenomena of self-serving bias to firmly entrench the arguments....
10 Pages (2500 words) Essay

General Public Lacks the Knowledge and Time to Contribute To Debates about New Technologies

This is mainly due the assumptions made by policy makers and experts on the level of information that people should access regarding new technology risks.... It is concluded that, the general public lacks the knowledge and time to contribute to debates about new technologies.... This is one way of ensuring that all is taken into account when formulating policies to do with disaster management.... The researcher analyzes the issue when public does lack conclusive knowledge about how these technologies work, and have to rely on the information disseminated by scientists and policy makers....
14 Pages (3500 words) Essay

General Motors Corporation

These would include corporate governance, organisational culture, leadership styles, operational risk management and financial risk management pertaining to the functioning of General Motors.... The underlying concepts pertaining to risk management, financial markets and products, and global perspectives on risk are important aspects.... tatement of Purpose: This Case Study on the general Motors Corporation is for the purpose of investigating the company's downward spiral into possible bankruptcy....
14 Pages (3500 words) Essay

Security & Risk Management

The need for the understanding of risk The studies of risk perception and risk management have resulted in the development of different psychological models of risk perception.... The paper begins with a brief discussion on security management as it is important to first understand the nature of the topic.... ecurity management is a broad term which is used to refer to securing different types of assets of an organization, including the security of the information of an organization....
9 Pages (2250 words) Essay

Security Plan- Human, Electronic Information

nbsp; A recent audit of the information security management system found it to be deficient in some key areas, notably incident response, disaster recovery, and business continuity.... This paper declares that with greater automation of business processes, the potential threats to the organization's physical, human and electronic information holdings have also increased multifold.... The issue of financial and information losses from these software programs have reached such proportion worldwide that computer security is a $30 billion industry now....
17 Pages (4250 words) Essay

Enterprise Risk Management in E-commerce

This report "Enterprise risk management in E-commerce" discusses risk management means assigning a priority to these risks and developing plans and exercises that can poise and alleviate them.... the unintentional cutting of information by a workerscientific breakdown, e.... ebsite despoilment - where the business figure or contents on the website are altered - and bug attacks can guide to marketable awkwardness and smash up to the way the business is considered by its business partners and the general public....
10 Pages (2500 words) Report

Romania Risk Assessment

The aim of this work is to assess and justify the priorities by the government of Romania with regard to risk management.... ntroduction Romania is exposed to a number of natural disasters and man-made risks that include floods, earthquakes, environmental pollution, mining accidents and landslides which cause human and economic losses as well as cause harmful effects on aquatic ecosystems and human health across the country (Information Resources management Association, 2016)....
27 Pages (6750 words) Assignment
sponsored ads
We use cookies to create the best experience for you. Keep on browsing if you are OK with that, or find out how to manage cookies.
Contact Us