The General Plans of Information Risk Management - Assignment Example

FLAYTON ELECTRONICS INFORMATION RISK MANAGEMENT PLAN Rationale Information is a valuable asset and essential to the business (Avison & Fitzgerald 1995). Flayton Electronics is committed to protecting the information throughout its Lifecycle in line with its value, sensitivity, the risks to which it is exposed and in a manner consistent with legal, regulatory and contractual arrangements. Flayton Electronics operates under a Key Risk framework supported by Risk and Control frameworks and Company Policies. The purpose of this plan is to detail the minimum level of controls to which business must adhere to ensure that the Flayton Electronics information is adequately protected. There are some information risk controls that are designed through other policies and plans. These controls apply to all information, whether in electronic, paper, portable devices or in other forms, to ensure the Flayton Electronics information related risk is managed appropriately. Scope This plan applies to: (a) Flayton Electronics and all its subsidiaries (including any consolidated entity acquired via a debt-for-equity swap or created through a joint venture); and (b) All employees of any entity within paragraph (a) above; for the purposes of this document, "employees" includes employees, agency workers, consultants and contractors, irrespective of their location, function, grade or standing. It does not apply to: (a) Any entity in which the Flayton Electronics has any interest and which is a non-consolidated entity, or to any employee of any such entity; or (b) Any entity which has been consolidated for IFRS accounting purposes*, provided Flayton Electronics has neither legal nor operational control. * such entities are likely to be property owning vehicles with a related Flayton Electronics loan which is in default and where Flayton Electronics has current and unilateral enforcement rights but does not have legal ownership/control. Controls The principles stated in the Company IRM Policy are elaborated in this Company IRM Plan document. Where the policy document states ‘what’ principles must be followed, this plan indicates ‘how’ the controls must be implemented. All Flayton Electronics businesses are required to implement this Plan, but may extend (add) requirements if appropriate. General Requirements This section covers the general plans of Information Risk Management. Controls The controls included in this section are: Compliance with the Company IRM Policy and Plan Conformance testing and assurance Consistent reporting of risk incidents Employee responsibilities and training Ref. Principle 3.1 Businesses must have adequate processes and procedures to comply with this policy and supporting IRM plans. Control statements 3.1.1 The business key risk owner must ensure that the control statements in this plan are implemented, maintained and operating effectively. Ref. Principle 3.2 Businesses must implement a conformance testing and assurance program (Kranacher, Riley & Wells, 2011). Control statements 3.2.1 The Business Head of IRM must define and agree an evidence-based conformance testing program with Company IRM and execute at least annually. Ref. Principle 3.3 Businesses must implement a consistent and effective approach to the reporting of information risk incidents. Control statements 3.3.1 Employees must report information risk incidents in accordance with the Company Internal Risk Event Policy. Ref. Principle 3.4 Businesses must maintain a record of employee training and attestations. Control statements 3.4.1 Businesses must maintain records on employee training and attestations. Ref. Principle 3.5 Employees must be aware of their information risk management responsibilities. Control statements 3.5.1 Businesses must implement the Company IRM minimum training requirements. Information Classification and Handling Objective Manage Flayton Electronics information effectively during its Lifecycle to reduce the risk of information loss, misuse, unauthorized change or disclosure (McNurlin, Sprague, & Bui, 2009) . Controls This section of the Company IRM plans, aims to set out the minimum baseline plans which apply to the classification and handling of information assets, in all formats or media, created or received by Flayton Electronics (or on its behalf) in the performance of business activities. Information Classification is the process of identifying and classifying information assets to ensure that they are handled, distributed, stored and disposed of in accordance with their criticality and sensitivity. A failure to classify and handle information assets correctly could lead to potential data leakage events and ultimately regulatory fines, reputational and financial damage (Wood-Harper and Avison, 1990). Ref. Principle 3.7 Businesses must educate employees on how to use the Flayton Electronics classification scheme to identify and handle information assets owned by the business in accordance with their criticality and sensitivity. Control statements 3.7.1 Businesses must publish the Company IRM plan information classification and handling plans including detail on how information assets should be handled and protected in accordance with their level of criticality and sensitivity. 3.7.2 Businesses must educate employees on information classification and handling standards in order to ensure employees are aware of how to identify and protect critical and sensitive information. 3.7.3 Businesses must ensure that information assets handled through any social media channel adhere to the control requirements documented in Company IRM control requirements for Social Media. Ref. Principle 3.8 Businesses must establish and implement a process to identify and protect the most critical and sensitive information assets using a risk based approach. Control statements 3.8.1 Businesses must identify and protect their critical and sensitive types of information asset using a risk based approach. 3.8.2 Businesses must assess, track, mitigate and report the external supplier information risk and control position on a regular basis. The frequency of information risk reporting to each Business Unit IRM function must be not less than quarterly. Records Management Objective Ensure Flayton Electronics records are appropriately identified, retained, retrieved and disposed of in accordance with timescales outlined by legal, regulatory and business requirements. Controls This section of the Company IRM plan aims to set out the minimum baseline controls which apply to the management of records, in all formats or media, created or received by Flayton Electronics (or on its behalf) in the performance of business activities. Records Management is the practice of identifying, categorising, archiving and maintaining information about a business in the form of records (Prentice,2010). Flayton Electronics is committed to protecting, retaining and disposing of its records in accordance with its relevance and the risks to which it is exposed, in a manner consistent with legal, regulatory and contractual requirements. The minimum requirements outlined in this section are intended to provide an end to end records management standard to ensure that Flayton Electronics records are identified, retained, retrieved and disposed of in accordance with legal, regulatory and business requirements, throughout its lifecycle. The aim of which is to: Meet mandatory legislative and regulatory requirements Reduce legal, regulatory and financial risks (and reputational impact) arising from an inability to retrieve records within prescribed timeframes, or to destroy them securely at an appropriate point Ensure effective management of records for the benefit of our customers, employees and other stakeholders Businesses must adhere to the Records Management Relevant Record storage minimum standards Ensure new systems handling Relevant Records incorporate Records Management requirements These plans must be implemented locally to manage Flayton Electronics Records Management related risk. Ref. Principle 3.9 Businesses must maintain a list of Relevant Records aligned with the retention schedules. These must be reviewed for accuracy and completeness on a periodic basis as determined by the business. Control statements 3.9.1 Records are either Relevant or Non-Relevant. Those that are Relevant (retained for legal, regulatory or business reasons) must be identified and documented on a Business List of Records. Ref. Principle 3.11 Records must be retrievable within required timescales as determined by legal, regulatory and business requirements. Control statements 3.11.1 All Relevant Records must be retrievable within the following timescales: Electronic records to be retrieved within 5 working days Archived electronic and physical records to be retrieved within 15 working days Ref. Principle 3.12 Records which have reached the end of their retention period must be destroyed securely using an approved procedure and within timescales as determined by the business. Control statements 3.12.1 Relevant Records must be destroyed securely within 6 months of the retention expiry date except where a Disposal Hold notice applies. Ref. Principle 3.13 Businesses must adhere to Disposal Hold notices. Control statements 3.13.1 Where there is a known or anticipated legal or regulatory enquiry, all records as defined by an individual Disposal Hold notice must be identified, located and withheld from destruction within 24 hours. 3.13.2 Following the lifting of a disposal hold and upon receipt of legal authorisation, business as usual retention periods must be reapplied within 6 months. Care must be taken to ensure that no other existing Disposal Hold notice applies. 3.13.3 Business Units should consider Company Disposal Hold guidance when implementing Disposal Hold notices. Access Management Objective Access to information assets is authorized, appropriate and attributable. Controls The overall scope of this section is all business applications that hold information assets that are protected through logical access management controls. These principles and controls will be applied to applications and/or information assets commensurate with the business risk. Ref. Principle 3.14 Businesses must ensure that there is individual accountability for user accounts. Control statements 3.14.1 Businesses must ensure that there is a documented process to assign and maintain ownership of all user accounts. This must be reviewed annually. 3.14.2 The accountability of non-personal accounts must be attributable to an individual or a company of individuals. Ref. Principle 3.15 Businesses must have a defined user management process to grant, modify and revoke access to information assets. (Joiner, Mover, Leaver or “JML” Process) Control statements 3.15.1 For each business application, application owners must ensure there is a documented JML process. At a minimum this must include: the authorisation model, detailing requestors, authorisers and those qualified to undertake the change in access management. This process must be reviewed by the business application owner annually. Ref. Principle 3.16 All business application access must be attributable to a Flayton Electronics unique HR identifier. Control statements 3.16.1 The process to grant and modify access to a business application must ensure that new user accounts are created using a unique identifier which can be linked to the employee’s Flayton Electronics Resource ID or equivalent HR record. Ref. Principle 3.17 Authorised users must only have the access rights they need to carry out their role effectively. Control statements 3.17.1 Businesses must ensure that the creation of a new user account must be based upon the concept of least privilege and requests for similar levels of access to other user accounts must not result in excessive privileges being granted. Ref. Principle 3.18 Businesses must ensure that granted user access permissions support any Segregation of Duties objectives. Control statements 3.18.1 Businesses must ensure that the documented access rights, privileges and permissions also include business rules relating to any segregation of duties. This must be reviewed by the business application owner at least annually. 3.18.2 Businesses must ensure that combinations of access permissions within a business application and between business applications consider any segregation of duty requirements. 3.18.3 Where the business application permits, businesses must ensure that an individual does not have access to more than one account per business application. Ref. Principle 3.19 User and access rights must be recertified periodically as determined by the business. Control statements 3.19.1 Businesses application owners must ensure that there is a documented process in place to periodically review user access to business applications. The frequency of review, at a minimum annually, and account coverage must be commensurate with the business risk. The access review process must ensure that: The access rights for all users are appropriate Users must not be able to recertify their own access Ownership and accountability of non-personal (i.e. generic and shared) accounts has been assigned appropriately Business roles, user types, companies and their associated rights are appropriate The review process produces documentary evidence of the recertification, together with the recording of issues arising and subsequent actions taken to address those issues (e.g., account removal, company modification), which is maintained in line with business requirements. Adherence Noncompliance with the Company Policy or Company IRM Minimum Standard must be raised using the Company Dispensations, Waivers and Breaches process and should be accompanied by legal, compliance or privacy opinion where appropriate. If a business plan is breached (but this, in itself, does not constitute a breach of this Company Plan) the business accountable executive must grant approval. This business approval must be documented and retained. It must be made available to Company IRM if requested. References Avison & Fitzgerald 1995, Information Systems Development: Methodologies, Techniques and Tools 2nd ed. McGraw Hill, Maidenhead. Wood-Harper, and Avison 1990 MultiView - an exploration in information systems development, McGraw Hill, Maidenhead Prentice, R., Clinton, D., Gillespie, J., Bizzell, H., & Stone, D. (2010), Business environment and concepts Sedona, Efficient Learning Systems, Inc. Wang, A. & Diesburg, S.M, (2010, November 3). A survey of confidential data storage and deletion methods, ACM computing surveys, 43(1) 2-37. Sprague, R., McNurlin, B. & Bui, T. (2009). Information systems management in practice (8th, ed.), Upper Saddle River, New Jersey: Prentice Hall Kranacher, M.-J., Riley, R. A. Jr., & Wells, J. T. (2011). Forensic accounting and fraud examination. Hoboken, NJ: John Wiley & Sons. Read More