The organisation has appropriate management policies and processes in place to govern its approach to the security of network and information systems.
This means the board will lead the organisational security management of your network and information systems, with corresponding policies and processes that articulate the organisation’s risk appetite and tolerance. Organisational management of your network and information systems should be fully integrated with usual decision making structures, processes and working culture.
There should be clear governance structures with well-defined lines of responsibility and accountability for the security of network and information systems, enabling an effective decision making authority. Channels for communicating and escalating risks should be accessible and well-understood. Senior leadership should understand the direct impact which security risk can have on the core delivery of services and this should be reflected in wider decision making.
The following requirements are placed on government departments:
Government Organisations shall meet the CAF requirements of the relevant Government Profile under this principle.
The Government Functional Standard GovS 007: Security (Security Standard). The Security Standard sets out the requirement for government organisations to have a defined and established governance and management framework for security. This framework should account for the authority limits, roles and rules for making business decisions, degrees of autonomy, assurance needs, reporting structure, accountabilities and responsibilities, together with the appropriate management practices, processes and associated documentation needed to meet this standard. For devolved administrations, organisations should adhere to the security functional standard and policy owned by its principal executive or devolved government body.
HM Treasury and the Government Finance Function provides guidance on risk governance within the Orange Book. It sets out several roles, responsibilities and governance bodies which should be used to effectively report on, assess and treat broader risks across your organisation. It explicitly references the ‘three lines of defence’ risk model which articulates how risk bodies should fit together to provide risk resilience.
Governance of Cyber Risk forms part of NCSC’s Risk Management Guidance. It sets out the key components of good governance including the definition of governance structures, delegation of decision making to accountable individuals and the implementation of clear reporting structures.
The NCSC’s Board Toolkit provides resources designed to support essential cyber security discussions between the Board and their technical experts. As well as providing an introduction to cyber security for Board members, it deals with a number of important aspects of cyber security that the Board should engage with, explaining why it is important and providing recommendations on what Board members should be doing. It also includes an Annex summarising legal and regulatory aspects of cyber security.
The Audit Committee Handbook and the Audit and Risk Assurance Committee Handbook Annex J Cyber Security by HM Treasury provides specific guidance for Audit and Risk and Assurance Committees (ARACs). It details how to provide assurance to the Board that the organisation is properly managing its cyber risk including appropriate risk mitigation strategies. All ARACs should be made aware of this guidance and may wish to consider appointing a cyber security champion for the organisation.
Further information can be found on NCSC’s website.
OFFICIAL