The agency head is accountable for information security within their agency.

]]> This section covers the role of an agency head with respect to information security.

]]> In some agencies and bodies, the person responsible for the agency or body may also be referred to as the CEO, Director General, Director or similar title specific to that agency.  In such cases the policy for the agency head is equally applicable.

]]> When the agency head’s authority in this area has been devolved to a board, committee or panel, the requirements of this section relate to the chair or head of that body.

]]> The Agency Head is also the Accreditation Authority for that agency. See Section 4.4 – Accreditation Framework.

]]> Smaller agencies may not be able to satisfy all segregation of duty requirements because of scalability and small personnel numbers.  In such cases, potential conflicts of interest should be clearly identified, declared and actively managed for the protection of both the individual and of the agency.

]]> Refer also to Compliance By Smaller Agencies in 1.2.8 for information on joint approaches and resource pooling.

]]> Where an agency head chooses to delegate their authority as the Agency’s Accreditation Authority they should do so with careful consideration of all the associated risks, as they remain responsible for the decisions made by their delegate.

]]> The most suitable choice for delegated authority is a senior executive who has an appropriate level of understanding of the security risks they are accepting on behalf of the agency.

]]> Where the agency head devolves their authority the delegate MUST be at least a member of the Senior Executive Team or an equivalent management position.

]]> When the agency head delegates their authority, the delegate SHOULD be a senior executive who understands the consequences and potential impact to the business of the acceptance of residual risk.

]]> Where the head of a smaller agency is not able to satisfy all segregation of duty requirements because of scalability and small personnel numbers, all potential conflicts of interest SHOULD be clearly identified, declared and actively managed.

]]> Without the full support of the agency head, security personnel are less likely to have access to sufficient resources and authority to successfully implement information security within their agency.

]]> If an incident, breach or disclosure of classified information occurs in preventable circumstances, the relevant agency head will ultimately be held accountable.

]]> The agency head MUST provide support for the development, implementation and ongoing maintenance of information security processes within their agency.

]]>