You asked
Please could you tell me:
Does your organisation have a formal policy regarding the production of information and or cyber security risk assessments?
a. If yes, please can you provide a copy of the above policy?
Does your organisation hold a register of Information and/or cyber security risk (outside that of the corporate risk register), and if yes:
a. Please can you list the top ten Information and/or Cyber Security Risks?
b. How many risks are there in total on the register?
c. Please state how many risks would be categorised as the highest risk level (i.e. Critical)?
d. Please state how many risks would be categorised as the second highest risk level (i.e. Critical)?
e. Please state how many risks would be categorised as the third highest risk level (i.e. Critical)?
f. How many risk levels do you have in total (i.e. 5)?
Do any of the identified information and or cyber security risks also exist on the corporate risk register?
a. If yes, what are those risks?
When undertaking an information / cyber security risk assessment, does the authority follow a structured risk assessment process?
a. If so, what is that process?
Does your orgnisation follow ISO31000 when undertaking an information / cyber security risk assessment?
Does your orgnisation hold ISO27000 accreditation ?
Does your organisation have a policy of adhering to any information security standard or framework (i.e. ISO27000, NIST etc)?
a. If yes, please provide a copy of the above policy?
Does the authority have the following roles within the origination:
a. Chief Security Officer (CSO),
i. If yes, which role does the CSO report into?
b. Chief Information Security Officer (CISO)
i. If yes, which role does the CISO report into?
c. Head of Information Security (Hd InfoSec)
i. If yes, which role does the Hd InfoSec report into?
Who within your organisation who is accountable for undertaking information / cyber security risk assessments (i.e. Chief Information Security Officer, Head of Information Security, Head of Information Technology) ?
Who within the authority is responsible for undertaking information / cyber security risk assessments (i.e. Chief Information Security Officer, Head of Information Security, Head of Information Technology) ?
How many people within the organisation are responsible for undertaking information / cyber security risk assessments?
Does the person(s) responsible for undertaking information / cyber security risk assessment:
a. Have any formal training in this regard?
i. If so, what was it?
b. Have any industry qualifications/certification in this regard?
i. If so, what are they?
How many people (permanent and contractors) currently work for the authority?
How many people (permanent and contractors) currently work for the authority in information technology roles?
How many people (permanent and contractors) currently work for the authority in information / cyber security roles?
We said
Thank you for your request. Please find the answers to each of your questions here:
Does your organisation have a formal policy regarding the production of information and or cyber security risk assessments?
We have a corporate risk management policy that applies to all areas of the business including security. The policy describes our approach to managing risk and provides the practical steps to be taken to identify and manage risks within the Authority Risk Appetite. A security risk management policy is in place, which supports the corporate risk policy.
a. If yes, please can you provide a copy of the above policy?
Please see the document 'Security risk management policy'.
Contact details of members of staff are considered as personal data and will be withheld under s.40(2) of the Freedom of Information Act 2000.
Does your organisation hold a register of Information and/or cyber security risk (outside that of the corporate risk register), and if yes:
Yes
a. Please can you list the top ten Information and/or Cyber Security Risks?
The specific detail of each risk is withheld as this knowledge could provide insights into our level of IT protection and therefore aid anyone wishing to launch an attack on our IT systems. We therefore find S31(1)(a) to be engaged - the prevention or detection of crime. To use this exemption, we are required to consider the public interest test, and whilst we note there are public interest arguments in favour of transparency and disclosure, we have decided that these are outweighed by other public interest factors that are in favour of non-disclosure. Principally we consider that release of the information requested would prejudice our ability to maintain and run a secure and safe IT network. This is an essential function for all government departments and is particularly important for ONS which processes personal and economic information on its systems.
However, the key risk types that we consistently identify and mitigate against are: data breach, data loss and denial of service.
b. How many risks are there in total on the register?
The security risk register has 53 open risks.
c. Please state how many risks would be categorised as the highest risk level (i.e. Critical)?
Critical open risks = zero
d. Please state how many risks would be categorised as the second highest risk level (i.e. Critical)?
High open risks = four
e. Please state how many risks would be categorised as the third highest risk level (i.e. Critical)?
Medium open risks = thirty six
f. How many risk levels do you have in total (i.e. 5)?
Four. They are critical, high, medium and low.
Do any of the identified information and or cyber security risks also exist on the corporate risk register?
Yes
a. If yes, what are those risks?
The specific detail of each risk is withheld as this knowledge could provide insights into our level of IT protection and therefore aid anyone wishing to launch an attack on our IT systems. We therefore find S31(1)(a) to be engaged - the prevention or detection of crime. To use this exemption, we are required to consider the public interest test, and whilst we note there are public interest arguments in favour of transparency and disclosure, we have decided that these are outweighed by other public interest factors that are in favour of non-disclosure. Principally we consider that release of the information requested would prejudice our ability to maintain and run a secure and safe IT network. This is an essential function for all government departments and is particularly important for ONS which processes personal and economic information on its systems.
However, the key risk types that we consistently identify and mitigate against are: data breach, data loss and denial of service.
When undertaking an information / cyber security risk assessment, does the authority follow a structured risk assessment process?
Yes
a. If so, what is that process?
The risk process is a structured hybrid that follows a recognised information security model (ISO27001/Information Security Forum) with risk descriptions and scoring using the Authority risk model. This highlights inherent risk and residual risk levels so that security risks are considered equally alongside other business risks.
Does your orgnisation follow ISO31000 when undertaking an information / cyber security risk assessment?
No
Does your orgnisation hold ISO27000 accreditation ?
No
Does your organisation have a policy of adhering to any information security standard or framework (i.e. ISO27000, NIST etc)?
There is no explicit policy. We utilise the Information Security Forum's Standard of Good Practice which incorporates ISO27000 and NIST security approach and control statements.
a. If yes, please provide a copy of the above policy.
Not applicable
Does the authority have the following roles within the origination:
a. Chief Security Officer (CSO),
Yes
i. If yes, which role does the CSO report into?
National Statistician
b. Chief Information Security Officer (CISO)
No
i. If yes, which role does the CISO report into?
Not applicable
c. Head of Information Security (Hd InfoSec)
No. We have a Deputy Chief Security Officer who has a similar role profile to a CSO.
i. If yes, which role does the Hd InfoSec report into?
The Deputy CSO reports to the CSO.
Who within your organisation who is accountable for undertaking information / cyber security risk assessments (i.e. Chief Information Security Officer, Head of Information Security, Head of Information Technology) ?
The Chief Security Officer (CSO)
Who within the authority is responsible for undertaking information / cyber security risk assessments (i.e. Chief Information Security Officer, Head of Information Security, Head of Information Technology) ?
The Deputy Chief Security Officer and Security Risk Advisors.
How many people within the organisation are responsible for undertaking information / cyber security risk assessments?
Thirteen full time equivalents (FTE) are responsible for undertaking information / cyber security risk assessments.
Does the person(s) responsible for undertaking information / cyber security risk assessment:
a. Have any formal training in this regard?
Yes
i. If so, what was it?
All risk advisors have background experience and qualifications within one or more of the following - IT architecture, software development, security auditing and IT operations.
Relevant professional qualifications, memberships and training e.g. Senior Practitioner level within the NCSC Certified Professional scheme (CCP), SFIA, Institute of Information Security Professionals (IISP), British Computer Society (BCS), Cloud Security Certification (CCSP), ISO27001 Security Auditor.
It's important to have a blend of experience, knowledge and qualifications within a risk advisor team that provides a holistic balanced approach to risk management.
b. Have any industry qualifications/certification in this regard?
Yes
i. If so, what are they?
See the response to question 12.a
How many people (permanent and contractors) currently work for the authority?
We have 4014 permanent full time equivalents (FTE) and 200 contractor / temporary FTE.
How many people (permanent and contractors) currently work for the authority in information technology roles?
The IT department has 385 permanent full time equivalents (FTE) and 26 contractor / temporary FTE.
How many people (permanent and contractors) currently work for the authority in information / cyber security roles?
Our security and information management has 45 permanent/temporary FTEs and 6 contractor FTEs
Download associated with request
- Security risk management policy (59.3 kB pdf)