9.0 Information Risk Management Organization
Effective Information Technology (IT) risk management ensures that IT-related risks (IT Risk) are
appropriately governed and effectively addressed within the organization. It is enabled by establishing
a management framework that initiates and controls the deployment of IT and of risk management, both
internally and in conjunction with contracted Third Parties (where a business need for external services
exists).
Minimum Requirements:
9.1 Information Security & IT Risk Management
9.1.1 Accountability and responsibility for the management of IT Risk and the ACE IT
Risk Management Framework must be clearly assigned and documented.
9.1.2 There must be a clearly defined and documented IT Risk Management structure
in place globally which includes regional participation.
9.1.3 Compliance with the ACE IT Risk Management Framework must be reviewed by
the Global CISO on an annual basis.
9.1.4 Regular assessment of IT controls will be completed by regional IT resources and
the Global Security Team, with independent audits performed by ACE Internal
Audit.
9.1.5 IT Risk Management must be a standing agenda item at quarterly Global
Operations Risk Management meetings and must be reported annually (or more
frequently as required) to the ACE Enterprise Risk Management Board.
9.1.6 IT Risks facing the region and the enterprise must be reported periodically
to the Global CISO and to Regional CXO executives.
9.1.7 An IT Risk Management Framework must be defined, documented and reviewed
annually.
9.2 Policy and standards
9.2.1 Framework
9.2.1.1 The Policy and its supporting standards must be defined and reviewed by
the Global Security Team, must follow the framework set forth in this
Policy, and must be certified by the Global CISO.
9.2.1.2 The Policy must be reviewed annually. Draft policies and standards
must be referred to other stakeholders (as required, e.g. audit, human
resources, legal) for comment prior to certification.
9.2.1.3 The security architecture standards matrix will be reviewed annually by
the Global Security Team and made available on the ACE Intranet.
This document