Moving on from the 2007 data loss by HMRC
- SC Magazine, October 2010
The loss in 2007 by Her Majesty's Revenue and Customs of 25 million people's details was a major warning to the public sector. Rob Buckley says that the private sector should also take heed
This has meant that technical requirements that had once been glossed over were suddenly being complied with. KPMG's director of information protection and business resilience, Kerry Davies, says that mandates about encryption used to be “quite widely ignored. After the review, people went to town. Now you can't use iPhones, only BlackBerries – because they can be encrypted. All laptops are encrypted. They've gone from worrying about just material to realising that personal data loss can be just as damaging.”
In fact, as well as outlining the legalities of what could be shared and what couldn't, the various recommendations from the reports more or less amount to ISO 27001. “The HMRC incident, the reviews and recommendations that came out of that really stressed the importance of good governance,” says Peter Fischer, a consultant to CESG.
The combined reports have resulted in a sea change throughout government. Fischer, who has been running courses on information security for five years at the UK's National School of Government, hitherto mainly for MoD personnel, says MoD people are now in the minority. “We're having to create new courses to deal with the demand.”
Although each individual government department is still autonomous and can decide for itself how it is going to implement security, it has to report back annually with an audit of its security situation. Unlike the previous tick-box approach, the individual departments, through their senior information risk officer or ‘SIRO’, have to state annually how far along they are, on a scale of one to six, in achieving security objectives – an approach known as the ‘information assurance maturity model’ (IAMM). If a department falls below a certain standard, action can be taken; each year, the department has to improve on its previous year's score.
It is an approach that Davies calls the “standard of standards” – something so good the private sector would be advised to adopt it, too.
Pre-Poynter, agencies, subsidiary to the various ministries, had little reason to investigate their own security. “Before, agencies were arms-length bodies,” says Deloitte's Nunn-Price. “It was hard for the ministries to tell them what to do, since they could easily say, ‘No, we don't feel like it’. There's a new impetus now.” Even post-Poynter, it was easy for agencies to be masked by their governing ministries and departments, since the ministry filled in the IAMM questionnaire and submitted it on behalf of itself and its agencies, frequently weighting its scores in favour of its own results. This year, for the first time, individual agencies have to fill in their own questionnaires.
This individual approach by all the departments and agencies has both benefits and side-effects. The benefit is that the SIRO of each department can decide how best to tailor security and security budgets for the department's needs. While there is a risk of ‘silo-ing’, SIROs do try to share best practice. Peter Fischer says all the SIROs he comes into contact with are interested in mainstays of IT security, such as intrusion detection systems (IDS), technologies for parsing audit records and ways of ensuring ‘forensic readiness’ in case of a breach.
While some areas of the Poynter report were technologically prescriptive – much in the same way as PCI DSS mandates particular technologies – other aspects of IA are left to the SIRO's discretion. The Ministry of Defence may have to ensure security in Afghanistan and would rarely have to deal with an individual taxpayer's personal information, for instance, while the opposite is true for the Department for Work and Pensions. Nevertheless, says Sophos UK's head of public sector, Ollie Hart: “At present, it is not clear that the Government is demonstrating best practice. There is still too much reactionary and isolated procurement of data protection software by different areas of government, and IA specialists in individual departments do not have enough power to mandate what data protection strategy their associated agencies should follow. The fact remains that, although positive steps have been taken since the HMRC breach in 2007, these breaches are still happening, with over 1,000 taking place in the public sector since HMRC,” according to the Information Commissioner.
Hart adds that “strong guidance from the very top” is needed to ensure a cohesive approach to data protection across the entire government, including a consistent set of watertight processes and procedures covering all departments and agencies.
The individual approaches taken by departments also lead to duplication and problems for third-party suppliers of services. Individual agencies will go to suppliers to assess how well they comply with their own security needs. This might involve asking them to fill out a questionnaire or it might require a site visit. As a result, according to Davies, a small supplier can find as much as 20 per cent of its day taken up with answering questions from individual agencies – and the questions being asked will usually be the same.
