Moving on from the 2007 data loss by HMRC
- SC Magazine, October 2010
The loss in 2007 by Her Majesty's Revenue and Customs of 25 million people's details was a major warning to the public sector. Rob Buckley says that the private sector should also take heed.
A half-day training course is mandatory for all staff and recruits, followed by annual online refresher training. “We have put all of our security guidance in one site on our intranet so it is easy to find, but we also put the key things everyone needs to know in a handy pocketbook we gave to all staff.”
HMRC annually reviews its entire business, but individual processes are also reviewed more frequently. “Senior management is aware that there was not to be a single ‘fix’, so it has committed to change for the long term and set itself challenging, three-year targets to improve security,” says Brooker. If there is a security incident, he adds, “we will investigate the causes and seek to rectify the root cause. We specifically encourage people to report concerns or risks as soon as possible.”
It seems to be working. Kerry Davies, who heads KPMG's government sector information protection business, says Brooker has been able to alter HMRC's corporate culture. “Instead of using fear, uncertainty and doubt, he has put out the message that good security is good business – it's a business enabler rather than a road block.”
But of those two missing disks, although heads have rolled, including that of HMRC chairman Paul Gray, nothing has been heard: neither HMRC nor the police has been able to trace them.
Coalition policies
With a new coalition government in power – at a time of massive planned spending cuts – no one is sure exactly what is going to happen to information assurance. While the coalition has expressed a commitment to protecting Britain against cyber terrorism, it has no specific policies about IA and is unwilling to comment further until after the comprehensive spending review.
Security minister Baroness Pauline Neville-Jones has said that central government departments will need “understanding and confidence… to make the bold decisions demanded by our future strategy for ICT. Essential efficiency savings will not be realised if departments fail to protect personal data, resulting in a loss of public trust.” She has also announced the forthcoming merger of the Office of Cyber Security and the Cabinet Office's Central Sponsor of Information Assurance.
James Nunn-Price, associate partner at Deloitte, says he sees signs of low morale at CESG, with staff worried about the threat of redundancies. The government's IT policy is “wrapped up in the National Security Council cyber security agenda. The focus will be on crime, targets of terrorism.”
Vistorm's Peter McAllister says: “The fear of forthcoming cuts is causing infosec thinking to become more radical – but pragmatic, rather than ideological. It is turning out to be game-changing.
“Previously unaskable questions are being asked. The idea of outsourcing used to be very hard to get across, now we're getting signs of traction. It can generate large savings, so we can now have the conversation.” Cloud computing for government – the ‘g-cloud’, as it's known – is likely to become a high priority, because of the cost savings involved.
McAllister believes the general attitude of the coalition to business means the way industry engages with government is going to change. “There will be better access for SMEs,” he says.
