Information assurance policy

Policy overview

Information, and the systems used to process information, are important assets in the provision and effective management of our services.

We need to achieve a reasonable level of assurance to manage and protect information:

  • created by us
  • entrusted to us by:
    • members of the public
    • our strategic partners
    • other third-party organisations

Information assurance (IA) provides the mechanism by which we achieve this. It supports us:

  • to meet our statutory, regulatory, and third-party obligations
  • to help mitigate information risk
  • to deliver effective services

IA is a set of multi-disciplinary structures, policies, processes, and controls, which we implement at an organisational level.

This policy aims to outline our commitment and approach to implementing an IA framework.

This policy applies to:

  • all information that we process, regardless of format
  • all information systems that we operate or manage

Information assurance roles and responsibilities

We have the following in place:

  • Senior Information Risk Owner (SIRO) – has overall responsibility for information risk ownership at Director level.
  • Information Asset Owners – ensure that we handle and manage specific information assets appropriately. Information Asset Owners own information risk for their assets.
  • Head of Information Assurance – manages the IA team and is responsible for developing and implementing the aims of the IA policy.
  • Information Governance Manager and Officers – responsible for providing information governance guidance and support to us.
  • Records Manager and Officer – responsible for providing support and guidance across all aspects of records management.
  • Information Security Officer – responsible for the implementation of information security policy and compliance.
  • Data Protection Officer – a statutory role primarily responsible for ensuring the council meets its obligations under data protection law.

In addition to the IA specific roles outlined above:

  • Chief Information Officer – acts as the lead on the management and implementation of our technology 
  • Head of Cyber Security – acts as the technical lead for all strategic and operational cyber security matters
  • Council managers – responsible for ensuring that:
    • the requirements of the IA framework are integrated into service procedures
    • staff comply with all relevant IA policies in their area of responsibility
  • All staff – responsible for ensuring they meet the requirements of the IA framework. This includes complying with individual policy requirements and undertaking mandatory training.

Information assurance framework

We will develop an IA framework that aims to:

  • treat information and information systems as important assets by ensuring their confidentiality, integrity, and availability
  • embed an IA governance structure that sets out roles and responsibilities of key staff
  • apply appropriate information risk management to recognise and manage information risk
  • maintain compliance with relevant legislation, for example, the UK General Data Protection Regulation and Data Protection Act 2018
  • maintain compliance with third party information obligations placed upon us
  • ensure we collect, use, manage, and share information appropriately and legitimately
  • provide IA policies, procedures and controls which support staff in the delivery of our services
  • ensure that staff:
    • are appropriately trained
    • are aware of their responsibilities
    • have access to appropriate support and guidance

Training and awareness

We acknowledge that training and awareness play an important part in creating a culture that takes IA seriously. Therefore, we will ensure:

  • mandatory training is in place and accessible to every member of staff, including:
    • data protection
    • information security
    • records management
  • we communicate regularly with staff to encourage good practice and raise awareness
  • IA staff proactively engage at every level of the organisation to:
    • raise awareness
    • support all managers and staff
    • ensure a focal point is available to all staff for IA advice and support

Compliance

All our employees have a contractual responsibility to be aware of and conform to our:

  • values
  • rules
  • policies
  • procedures

Breaches of policy may lead to the employee going through our disciplinary procedure in accordance with:

  • the Code of Conduct
  • our disciplinary policy and procedure

We may revoke access to our information and information systems for individuals who are not our employees and who fail to comply with our policies.

Further information

For further information or guidance please contact IA@lincolnshire.gov.uk.