Rob Buckley – Freelance Journalist and Editor

Moving on from the 2007 data loss by HMRC

The loss in 2007 by Her Majesty's Revenue and Customs of 25 million people's details was a major warning to the public sector. Rob Buckley says that the private sector should also take heed

Page 1 | Page 2 | Page 3 | Page 4 | Page 5 | Page 6 | All 6 Pages

Davies is working with government agencies to develop a more centralised approach, where suppliers would pay to be accredited by a centralised body, according to various criteria. The agencies would go to this body to find out which suppliers are able to supply the services they need. The advantage of this system is that agencies wouldn't have to investigate suppliers for themselves and would no longer need to perform their own audits. Suppliers would pay for it – but would also save money, since they would no longer have to go through so many audits.

Another post-Poynter change was the conversion of CESG into an advisory agency. Previously, it provided information assurance and security knowledge and advice purely to the likes of the MoD in the ‘top-secret’ realm, but now it provides advice and more day-to-day information to other departments and agencies. It tends to be focused on more technical matters, rather than processes, however. In particular, it offers services such as Information Assurance and Consultancy Services (IACS), which test security products to see if they meet government requirements.

“CESG has gone through a lot,” says Deloitte's Nunn-Price. “It has changed quite a bit to improve security. There are more staff now. But they're very technical. They don't really ‘get’ people's behaviour or have a culture of risk management. They struggle on the people side and are just at the training and awareness stage.” Next year, CESG's main ‘to do’ will be around how to improve the risk culture in the civil service, Nunn-Price adds.

Vistorm's McAllister says: “CESG is small, but it does have some excellent people. For the next year or two, CESG is going to have to identify a number of partner suppliers to drive capability and to upscale in a way that wouldn't be sensible to do with civil servants.”

Government departments are also now more willing to bring in vendors and consultants, sometimes on secondment, to provide advice. “We have a presence in most of the major ministries,” says PricewaterhouseCoopers consultant Simon Doyle. “PwC staff and staff from the other big consultancies have been known to sit in on meetings with other suppliers, carrying civil service rather than PwC job titles, such is the degree of trust,” he says.

“Particularly for the past four years,” says McAllister, “there has been a transactional purchaser-supplier relationship. But more recently, partnership has been the way forward.”

Cyber-Ark's Mark Fullbrook agrees. “They're pushing in the right direction, but it's taking longer than it should. There's a multitude of relationships traditional in Whitehall, with many parties involved, sometimes with long-term relationships going back years. But it's infinitely easier than it ever has been. As more private-sector people are going in, they know each other, they're much more open to new technology, they're changing to more off-the-shelf technology. It's a breath of fresh air.”

How long will the interest in data security continue and how likely is another HMRC-type incident? The coalition government will probably maintain it as a priority in the comprehensive spending review. However, says Fischer, “the pendulum is swinging back past the midpoint. The current breed of SIROs has not lived through – or has forgotten – the problems of 2007. There are one or two indications that SIROs are becoming more and more open in their risk appetite than they were two or three years ago. More and more often, you will hear questions such as ‘Do we have to use CLAS (CESG Listed Adviser Scheme) consultants, or can we do it ourselves?’ ‘Do we have to use CESG assurance schemes, or other schemes that are cheaper?’” And as appetite for risk increases, the chances of another breach occurring are only going to increase, too.

We must hope that, with best practice followed and risks properly calculated rather than simply accepted, there will never be another breach as bad as HMRC's. Fingers crossed.

What is a ‘SIRO’?
One of the major recommendations of the 2008 Poynter Report on HMRC's security breaches was that HMRC's CFO should be designated as the department's SIRO (senior information risk owner), “in line with the requirement defined by the Cabinet Office that every department should identify a board member as its SIRO”.
