Information management
Case: One of the Bank's Management has 4 reports, of which one is a specialized area that provides key information for the Bank's Offers (scores). That area has designed, developed, validated, followed up and generated security protocols, and is responsible to any Audit (internal and external) and to the XXXXX Regulator for all of the Bank's scores, and has done this in this way for several years.
Recently the Management of this area decided, without consultation and unilaterally, based on its hierarchy, that the information of the specialized area should be shared with non-specialized areas (2 of its management) on the grounds that said Management is "owner" of the information and all kinds of information should be shared.
1 - Are Managements "owners" of the information produced by one of their specialized areas (the Management itself is not specialized), and can they distribute it at will or at their discretion?
Answer: Yes, managers can be considered "owners" of that information, because they are ultimately accountable for all information handled by their subordinate areas (top management is ultimately responsible for all of the organization's information). Now, regarding the distribution decision, you should verify what is defined in the procedures established by the area that provides the information (e.g., under which conditions information can be shared). Generally, this kind of decision is based on risk assessments that show the risks involved in such a decision.
2 - Is the hierarchy sufficient to dispose of the Bank's critical assets at its discretion?
Answer: Again, you should verify what is defined in the procedures established by the area that provides the information. Generally, depending on the sensitivity level of the information, more than one area or person should approve information sharing.
These articles will provide you further explanation about Information management:
- Information classification according to ISO 27001 https://advisera.com/27001academy/blog/2014/05/12/information-classification-according-to-iso-27001/
- How to handle Asset register (Asset inventory) according to ISO 27001 https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/
These materials will also help you regarding Information management:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
Thanks for your answer. But I have a doubt: in the case of the example, when you say: "... you should verify what is defined in the procedures established by the area that provides the information" ... what do you mean by "area"? The Management or the specialized area that reports to said Management? Also, another doubt: if the Management owns the information, why should it be subject to the procedures of the area that provides the information, which I understand is the specialized area? Finally: there is no formal risk analysis that has been raised to the Board. As I wrote, the security policies were defined by the specialized area because there are no such policies in the Management. And one of the security policies was not to share information with non-specialized areas.
What should the specialized area do?
1 - In the case of the example, when you say: “… you should verify what is defined in the procedures established by the area that provides the information” … what do you mean by “area”? The Management or the specialized area that reports to said Management?
Answer: I meant the specialized area that reports to management. In your text you mentioned that it was this specialized area that designed, developed, and is using the security protocols.
2 - If the Management owns the information, why should it be subject to the procedures of the area that provides the information, which I understand is the specialized area?
Answer: Because there are situations where, if the information owner's actions do not follow specific procedures, the responsible area (in this case, the specialized area) cannot ensure proper information protection. Changing the information classification level or the list of who can access it is one of them.
3 - Finally: there is no formal risk analysis that has been raised to the Board. As I wrote, the security policies were defined by the specialized area because there are no such policies in the Management. And one of the security policies was not to share information with non-specialized areas.
What should the specialized area do?
Answer: The specialized area should consider providing a brief risk analysis showing the risks related to sharing that information with non-specialized areas, for management evaluation. Based on this analysis, management can decide to assume the risks and share the information, or consider the risks unacceptable and decide on another course of action (e.g., do not share the information, change the content of the report sent to non-specialized areas to minimize the sharing of sensitive information, etc.). The important thing here is that management makes a decision with clear information about the risks involved at hand.
Additionally, the specialized area should consider reviewing its procedures and protocols to include the performing of regular risk assessments. This can help anticipate potential risks.
Jul 11, 2017