Centralisation of information security within the Government of Jersey (FOI)Centralisation of information security within the Government of Jersey (FOI)
Produced by the Freedom of Information officeAuthored by Government of Jersey and published on
24 June 2024.Prepared internally, no external costs.
Request
The latest annual report for the States of Jersey Group states that, by incorporating Health and Community Services (HCS), Children, Young People, Education and Skills (CYPES), and the States of Jersey Police (SoJP) into the Modernisation and Digital directorate, this has allowed a more thorough approach to cyber risk assessment and management.
The SoJP publish their senior structure online and this includes references to their Information Security Manager.
A
Please clarify the position; has the information (including cyber) security function been fully and wholly centralised within Modernisation and Digital or does the SoJP maintain independent responsibility for their information security?
B
In the absence of anything being published for the structures within HCS and CYPES, please confirm if their respective information security functions are independent or centralised under Modernisation and Digital?
Response
A
The States of Jersey Police (SoJP) maintain a dedicated Information (including cyber) security function under the control of the Chief Officer. The SoJP manage their information (including cyber) risk in accordance with the National Police Chiefs Council (NPCC) frameworks and standards and are accountable to the NPCC Police Information Assurance Board for compliance.
Given the highly sensitive nature of a risk register, the content is heavily restricted and routinely accessible only by SoJP personnel and Police Digital Service (PDS) Cyber Compliance teams. Where required, elements of risk assessments may be shared with the Modernisation and Digital team to ensure appropriate technical mitigation.
The SoJP work with key partners in reviewing and accessing information risks, this includes but is not restricted to the PDS National Management Centre, Government of Jersey, The National Cyber Security Centre and the Jersey Cyber Security Centre.
B
The Health & Community Services (HCS) and Children, Education, Young People and Skills (CYPES) departments are registered as data controllers. As such they are responsible for implementing appropriate technical and organisational security measures to ensure the security of personal data. They are supported by Modernisation & Digital, who develop corporate polices and standards for information security and ensure cybersecurity measures are in place across the core network.