Information Security Framework Review Policy
- Version 1.3
- Effective date: 18 December 2025
- Date of next review: December 2028
- Last updated:
1. Purpose and scope
1.1. The University’s Information Security Framework must remain fit for purpose. Accordingly, this policy establishes a requirement for an annual review of the Information Security Framework and defines the objectives and scope of that review and related responsibilities.
1.2. This policy covers the University’s Information Security Framework using the same scope as set out in the Information Security Policy.
2. Relationship with other policies
2.1. This policy forms part of the Information Security Framework. It should be read in conjunction with the Information Security Policy and all supporting policies.
3. Policy
3.1. The Information Security Framework shall be reviewed annually to:
3.1.1. ensure that the framework as a whole remains fit for purpose;
3.1.2. determine whether it has achieved its intended outcome(s) over the past year;
3.1.3. review the objectives going forward and identify opportunities for continual improvement.
3.2. The review shall include consideration of the status of agreed actions from previous reviews, changes in the external and internal environment that are relevant to the framework, outcomes from testing of the framework, and feedback on information security performance.
3.3. The review shall not prevent important and urgent corrective actions arising from information security incidents from being instigated in the interim, as per the Information Security Incident Management Policy.
3.4. The review shall provide:
3.4.1. an assessment of achievement of the information security objectives as set out in the Information Security Policy, which shall include an assessment of metrics gathered, the outcomes of the key information assets risk assessments, and any perceived barriers to implementing the recommended information security controls.
3.4.2. a review of progress from previous reviews' action plans, including any barriers to progression of agreed actions.
3.4.3. a review of the Information Security Policy with an assessment of the continued relevance of the information security objectives towards achievement of the University’s strategic objectives and any relevant changes in the external environment.
3.4.4. a review of opportunities for continual improvement, including identifying any new metrics to be gathered, modifying the information security controls in place, and identifying ways of further embedding information security into the University’s normal business processes.
3.5. The outcomes of the annual review shall be presented in a report submitted to the Professional Services Board.
3.6. The report shall be accompanied by:
3.6.1. an Action Plan with responsibility for each action being assigned to an identifiable individual and a timescale applied.
3.6.2. a proposed schedule of Information Security Framework testing.
3.7. Progress against actions shall be monitored within the year by the Information Security Operations Group.
4. Roles and responsibilities
4.1. The Chief Operating Officer and University Secretary, in their role as the Senior Information Risk Owner, is the sponsor for this policy and is responsible for approving the need to develop or substantively amend the policy, for presenting the final draft to the approving body, and for ensuring that their policy-making documents comply with, and are monitored and reviewed in line with, the Cardiff University Policy for the Development of Policy-making Documents.
4.2. The Senior Information Risk Owner is responsible for ensuring that an annual review of the Information Security Framework has been conducted in accordance with this policy.
Document control table
| Document title: | Information Security Framework Review Policy |
|---|---|
| Author(s): | Owen Hadall, Director of IT |
| Version number: | 1.3 |
| Date approved: | 18 December 2025 |
| Effective date: | 18 December 2025 |
| Date of next review: | December 2028 |
| Superseded version: | 1.2 |