Highways Agency Annual Report and Accounts 2011-2012
Governance statement: SECTION 6

gaps identified. In their opinion other than the fraud which occurred in the supply chain and was discussed under the Fraud Sub-Committee heading, there are no significant weaknesses that fall within the scope of issues that should be reported in the Governance Statement.

During the year the Agency continued to comply with the Cabinet Office guidance on information risk management. My Senior Information Risk Officer’s (SIRO) assessment of information risk performance is that the Agency’s information assets held on the Agency’s business and operational IT infrastructure are being managed effectively and appropriate risk controls are in place.

All existing staff including executive and non-executive Board members are required to sign up to an Acceptable Use Policy before gaining access to our business IT and have been trained in data handling. All new staff are required to complete this training and pass a test demonstrating their understanding in their first week of employment.

We continue to pursue a policy of continuous improvement in our controls and have no personal data related incidents to report. We are trialling end port control software which, once rolled out, will ensure that no unauthorised devices will be able to work on our business IT systems. This will ensure more proactive control of what goes onto our network and support data loss prevention and improve our system security in terms of virus attack. There have been a small number of cases of non-compliance with processes which have resulted in disciplinary action but no data loss.

The Information Commissioner’s Office (ICO), the independent body responsible for the regulation of the Data Protection Act 1998, recently undertook a follow up to their data protection audit of the Agency last year.

ICO has noted the following improvements:

• The Highways Agency has developed an Information Asset Management System. Eventually, all Information Asset Owners (IAO) and Information Asset Administrators (IAA) will have access to this system and will be able to update the risks associated with their assets.
• The Highways Agency has utilised The National School of Government’s (NSG) online DP training. NSG has now closed so the Highways Agency has rolled out an action plan to ensure all staff receive alternative refresher training and new starters are appropriately trained.
• A new email policy has been introduced which emphasises that emails required as corporate records must be saved in SHARE (a document and records management system) and declared as records.
• The Highways Agency has established a Security and Business Continuity Forum. This is chaired by the SIRO and members include the IT Security Officer and the IT Contracts Manager. The Forum will produce a coordinated risk register and issues can be reported directly to the Board via the SIRO.
• Data Protection Management Information, including Subject Access Request statistics, will be included with the Divisional Scorecard during this financial year.

We have maintained an open and close working relationship with the Major Projects Authority (MPA). Its confidence in our approach to Gateway Reviews and Government Major Projects Portfolio (GMPP) scrutiny appears to be strong and has resulted in the delegation of increased levels of responsibility to our Centre of Excellence. We now have the authority to manage high risk Gateway Reviews, in addition to the medium and low risk that we were already delegated. We are in discussion with the MPA regarding our two entries on the GMPP; the M25 design, build, finance and operate contract (DBFO) and the Managed Motorways programme. We are currently negotiating an early removal of the M25 DBFO from the portfolio, reflecting the good delivery confidence levels that have been observed from Gateway reviews.

Our Performance Audit Framework (PAF) is an assurance and process improvement function within the Network Delivery and Development Directorate that has replaced Integrated Audit & Assurance. PAF is independent of business activities and the team combines technical specialists with experienced auditors and