The challenge
The “Houses of Parliament” comprise the House of Commons and the House of Lords. The nature of parliamentary business inevitably involves massive volumes of information, much of it sensitive in nature. Ensuring the security of this information is of paramount importance, whether it is stored on traditional media or electronically.
Information is increasingly being held in cloud environments. The Senior Information Risk Owners (SIROs) for both Houses recognised the need to create a new information assurance process to address this situation.
The solution
As the cloud information assurance process needed to be implemented from scratch, the client sought outside expertise. Ascentor was selected to provide a CCP Lead Accreditor experienced in assessing client needs and establishing pragmatic and proportionate solutions.
We quickly introduced a risk appetite statement for both Houses that reflected the concerns of the two SIROs and laid the groundwork for how information risks were to be treated.
All new projects using cloud-based solutions were then assessed based on information sensitivity and allocated one of three different assurance paths. The greater the sensitivity of the information, the greater the assurance level required.
As the assurance process became established and SIROs were able to make decisions based on informed risk, the process expanded to include information held on internal systems.
The result
The assurance process is now well established. The SIROs and other senior figures in Parliament receive regular updates on the residual risks associated with their information hosted in cloud-based solutions. Risks are regularly reappraised and managed to ensure they stay consistent with the risk appetite statement and continually improve.