Internal Controls

R9 addresses the issues around the lack of an effective security accreditation process. This document forms the closure statement for the completion and Accreditation process that includes the requirements that:
· Analysis of the end-to-end implementation takes place on a per-subsystem basis to validate that controls have been designed and implemented correctly.
· Security design assurance reviews take place before systems are implemented.
· Design assurance activities continue during the implementation phase to ensure designs are complied with (see Recommendation 6 above).
· A robust and reliable audit trail for Security Accreditation and in-built checks on compliance are in place.
· A check is carried out to verify that security operating processes have been defined and implemented.
Summarised output from the formal Security Accreditation process should form part of regular governance reporting.
implementing an effective security risk management governance framework.
· A RACI chart of roles and responsibilities at a senior level
· Principles for the ownership of security risks
· A security risk executive board
· A standardised risk management methodology that covers the identification of risks, assessment of their likelihood and impact and appropriate treatment
· Reporting procedures
To streamline security governance, the role of the security risk executive board could be discharged by the top level security governance forum proposed at
The Security Remediation Programme to fully implement an effective RACI chart of roles and responsibilities at a senior level.
Roles will be addressed through IT Security Governance activity #
Define the Principles for the ownership of security risks.
An ISMS document and TOR to be produced, reviewed and approved.

to implement a Security Risk Executive Board

A standardised risk management methodology that covers the identification of risks, assessment of their likelihood and impact and...