addresses the issues around the lack of an effective security accreditation process. This document forms the closure statement for the completion and
Accreditation process that includes the requirements that:
· Analysis takes place of e2e implementation on a per subsystem basis to validate that controls have been designed and implemented correctly.
· Security design assurance reviews take place before systems are implemented.
· Design assurance activities continue during the implementation phase to ensure designs are complied with (see Recommendation 6 above).
· A robust and reliable audit trail for Security Accreditation and in-built checks on compliance are in place.
· A ...view middle of the document...
An ISMS document and TOR to be produced reviewed and approved.
Finally, the ISMS is the description of a system not just a document. I would recommend that a review takes place in 6 – 9 months to conform all the elements of the ISMS are in place and working.
The roles and responsibilities are not consistent with ISMS – in particular who are the
Security Audit and Compliance Manager
Information Security Risk Manager
Security Incident Manager
Risk treatment plan – we are still at odds over this. It is still far too generic. How are these risks actually being managed? That is what treatment means | Add the following text to the risk treatment plan as further context: “The process for security risks are owned by the customer facing business unit (i.e. the information custodians are the Acute BU and the C&MH BU). They own the risk treatment plan and its resolution. They will allocate responsibility to the appropriate control owners (usually P&SD/GCSO in many cases) and will report on the progress of these plans into the ISMF and JSAG.” IAD: The response is missing the point. The distinguishing feature of an RTP over and above the risk assessment is the indication of how risks will be dealt with. Your own ISMS states this. The details of risk treatment are what have been lacking so far. The options for treatment are to: 1) Knowingly accept the risk as it falls within the organisation's "risk appetite", in other words management deem the risk acceptable, compared to the cost of improving controls to mitigate it. The risk appetite for information security is the contract, the BT Health SSP and the associated syops etc. so this is not an easy way of evading information security...