Moving on from the 2007 data loss by HMRC
- Article 23 of 33
- SC Magazine, October 2010
The loss in 2007 by Her Majesty's Revenue and Customs of 25 million people's details was a major warning to the public sector. Rob Buckley says that the private sector should also take heed
Page 1 | Page 2 | Page 3 | Page 4 | Page 5 | Page 6 | All 6 Pages
The Cabinet Office developed the idea of the SIRO (senior information risk owner) as early as 2004, but it wasn't until the HMRC incident and Poynter's data handling review that the measure took on its current importance.
Now present throughout the public sector, and particularly in the NHS, SIROs differ from CISOs: they are board-level executives who understand information risk and whose job is to manage it at board level. The idea is that someone who understands the value of data and the importance of not losing it sits on the board to advocate protective measures and to point out where departmental plans might lead to data loss.
SIROs have typically either come from an IT background within government or been recruited from industry. Martin Bellamy, the Cabinet Office's CIO and SIRO, came from the Department of Health and is a former KPMG partner, while Bill McCluggage, his deputy, was SIRO for the Northern Ireland Civil Service after being IT director for Harland and Wolff Heavy Industries.
James Nunn-Price, associate partner at Deloitte, says the post of SIRO has helped considerably with information assurance. “It is very good to have a mandated board member for risk.”
Peter McAllister, who leads the ‘Close in Government’ cyber security practice at HP's Vistorm, says: “The SIRO has had a dramatic effect. It is still bedding down, but now you have someone who is personally liable in the event of a breach, in a way there hasn't been before.” McAllister says it is not necessarily a very attractive post to have. “It is so vulnerable to mistakes,” he says.
However, SIROs may be becoming less effective as they become less hands-on. Nunn-Price says that the degree to which a SIRO is involved in day-to-day matters varies widely, and he is noticing that SIROs tend to be more occupied with board-level matters. “These days, we see more junior people in meetings, instead of SIROs. Last year, most of the SIROs would have gone, now we have IT managers and CSOs.” The risk, he says, is that SIROs end up as figureheads, with decisions in the hands of junior staff who lack senior knowledge. “If IA isn't represented on the board, how can it be kept on the agenda?” he wonders.
What HMRC did next
Following the 2007 incident and the 2008 Poynter Report, HMRC had to take a long look at its procedures. “HMRC was in the process of conducting an internal review of data security from a process view,” says Jeff Brooker, head of security and business continuity for HMRC. “The incident accelerated what we were doing and raised the profile of staff security awareness. Changes were driven by the acting chairman. Support at the highest levels of management really helped.”
HMRC created all the job roles specified by the Poynter Report and by the Cabinet Office. This included recruiting a CISO and a SIRO and appointing a ‘data guardian’ for every directorate. “The data guardians support their business director on security matters, champion security within their business unit and have been invaluable in helping coordinate change,” says Brooker.
Most of the processes and technologies HMRC implemented were driven by the Poynter Report, but some were generated internally in response to Cabinet Office recommendations and advice from external partners, including James Nunn-Price of Deloitte. “When we went into HMRC, it was like doing the whole of Sarbanes-Oxley again. We did what we did around Basel and SOX and reapplied that to the government space.” He says the risk-based approach was new to HMRC, which was used to “a compliance mentality. What we brought from the private sector was risk management.”
Some things were rapidly deployed, such as removing the ability to write data to USB devices or disks from standard desktop profiles. HMRC has also implemented network access control (NAC) and has created secure online channels for sending bulk information electronically, so there is no longer any need to courier removable media holding 25 million people's details. “In general, we have tried to reduce unnecessary movement of information, setting up a central service to track all of our data movements, helping to monitor where we are sending things and to verify their safe arrival,” says Brooker.
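To make the last point concrete, here is an added example of what a minimal data-movement register looks like in code. This is illustrative code written for this article, not HMRC's own service, and the department names, transfer references and payloads in it are constructed. Each bulk transfer is logged with a SHA-256 digest of the payload before it leaves; the recipient reports the digest of what actually arrived, and the register marks the transfer as received, flags a mismatch, or keeps it listed as outstanding until a confirmation comes in.

```python
"""Minimal data-movement register (added illustration, not HMRC's system).

A transfer is recorded at dispatch with a SHA-256 of the payload. The
recipient confirms receipt by supplying the bytes it received; the register
compares digests and records one of three outcomes:
  - "received":   digest of what arrived matches what was sent
  - "mismatch":   arrived bytes differ (corruption, truncation, tampering)
  - "in transit": no confirmation has been logged yet
"""
import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a payload; this is the fingerprint the register stores."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class Transfer:
    ref: str                 # register reference, e.g. TX000001 (constructed format)
    sender: str
    recipient: str
    size: int                # bytes dispatched
    digest: str              # SHA-256 at dispatch
    dispatched: str          # UTC timestamp, ISO 8601
    status: str = "in transit"
    received_digest: Optional[str] = None


class TransferRegister:
    """Central record of every outbound bulk data movement."""

    def __init__(self) -> None:
        self._transfers: Dict[str, Transfer] = {}
        self._seq = 0

    def dispatch(self, sender: str, recipient: str, payload: bytes) -> Transfer:
        """Log a transfer at the moment it leaves; the digest is fixed here."""
        self._seq += 1
        ref = f"TX{self._seq:06d}"
        t = Transfer(
            ref=ref, sender=sender, recipient=recipient, size=len(payload),
            digest=sha256_hex(payload),
            dispatched=datetime.now(timezone.utc).isoformat(),
        )
        self._transfers[ref] = t
        return t

    def confirm_receipt(self, ref: str, received_payload: bytes) -> str:
        """Recipient reports what arrived; returns the resulting status."""
        if ref not in self._transfers:
            raise KeyError(f"unknown transfer reference {ref}")
        t = self._transfers[ref]
        t.received_digest = sha256_hex(received_payload)
        t.status = "received" if t.received_digest == t.digest else "mismatch"
        return t.status

    def status_of(self, ref: str) -> str:
        return self._transfers[ref].status

    def outstanding(self) -> List[str]:
        """Transfers sent but never confirmed: the ones to chase."""
        return [r for r, t in self._transfers.items() if t.status == "in transit"]

    def mismatches(self) -> List[str]:
        """Transfers whose arrived bytes did not match what was dispatched."""
        return [r for r, t in self._transfers.items() if t.status == "mismatch"]


def demo() -> TransferRegister:
    """Three constructed transfers: one clean, one altered in transit, one unconfirmed."""
    reg = TransferRegister()
    # Constructed sample payloads; the identifiers are not real records.
    extract_a = b"id,surname,dob\nA000001,Smith,1970-01-01\n"
    extract_b = b"id,surname,award\nB000002,Jones,1200\n"
    extract_c = b"period,records\n2010-Q3,25000000\n"

    t1 = reg.dispatch("directorate-A", "partner-X", extract_a)
    t2 = reg.dispatch("directorate-A", "partner-Y", extract_b)
    reg.dispatch("directorate-B", "partner-X", extract_c)  # never confirmed

    reg.confirm_receipt(t1.ref, extract_a)                              # intact
    reg.confirm_receipt(t2.ref, extract_b.replace(b"1200", b"9999"))    # altered
    return reg


if __name__ == "__main__":
    r = demo()
    print("outstanding:", r.outstanding())
    print("mismatches: ", r.mismatches())
```

The point of fixing the digest at dispatch, rather than when the file is assembled, is that the register then describes exactly what left the building; any difference on arrival is detected regardless of which leg of the journey caused it. A real service would persist the register and have recipients confirm over an authenticated channel rather than calling a method, but the comparison logic is the same.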
