64293 Darmstadt, de
+44 (1707) 362729
Government and our informationDarmstadt, )
How information assurance policies and procedures needs placing at the heart of Government processes, in order to secure citizen data.
Three times in recent months, HMRC has lost sensitive data belonging to citizens. In both cases, it is claimed that HMRC employees did not follow established procedures, something that has been feared and predicted in open discussion in the media. It is hoped that the Government reviews currently being carried out will not be hampered by preconceived ideas or by its terms which prevent any suggestion of "systemic" failure – an obviously uncomfortable conclusion.
It is clear that pushing responsibility for data protection downwards to front-line level has not worked effectively. It is also clear that guidelines are needed at a systems level, so that front-line staff are not put in a position where these mistakes are likely to happen.
Even the best working procedures are useless unless staff are aware of them and they buy into the value they bring to their organisation. Unless both occur, they will not be adhered to.
Security awareness (http://www.vega-group.com/newsroom/infocusnew/informationassurance) training for staff is fundamental to any robust IA policy. Measures must be taken to ensure management oversee and staff recognise their responsibilities. After all, things do not seem that difficult when it comes to health and safety, with fire drills, fire marshals and evacuation procedures, being signed up to by staff and management, acknowledging that procedures are understood and complied with. An obvious difference is that health and safety is underpinned by heavyweight corporate and individual legislation. Staff Terms and Conditions should include commitment to protect ’customer’ information and put the onus on information keepers to identify and apply relevant policy and procedures.
These issues are at the heart of any good Information Security Management System (ISMS) (http://www.vega-group.com/services/informationsecurity/servicelines/index.asp?id=1421,574,4,575) such as ISO27001 (previously BS7799). An ISMS does not provide the solutions – it ensures you think about risk to inform the solutions you do adopt. A common criticism of an ISMS is that it can be a significant overhead on the organisation. Without careful and pragmatic adoption this can be the case, particularly if effort is spent on marginal and subsidiary concerns. However, it can be assumed that citizen data would be the major / highest-value asset in many government departments and must therefore, at a minimum, be dealt with within the ISMS.
Claims that policy was not followed are often cited as a cause for recent incidents. But without being specific to HMRC, what is government policy for handling citizen information? UK Government has information handling policies based on a protective marking scheme (i.e. classification in old parlance), which are to protect our National Security and were originated to keep our secrets secret, such as (at the highest level) location of nuclear weapons, identities of operational security services personnel, and specification of weapons.
Although policies have been updated to include aspects that have a more current relevance, such as availability and integrity, does that make them suitable for use in government departments dealing with ’customer’ information? A point to note is that labelling information does not in itself do anything; it is only an indicator to a set of appropriate procedures. So, unless they have been developed and staff are aware of and use them, the labelling is a waste of time.
A labelling scheme is certainly required – perhaps one based on the Government protective marking scheme – but whose set of hierarchical procedures are based on impact and risk relevant to their organisational operations and the information they handle. It should be widely applicable to government departments, with each defining locally how they are applied. Again, this works for health and safety – we know we have to be able to evacuate a building, but each building has a different layout.
A good example demonstrating the need for a specific labelling policy is regarding the impact of ‘brand damage’ or ’loss of reputation’. In the recent HMRC incidents, it is claimed that the potential risk to the citizen was minimal. The stolen laptop had the hard disk encrypted and a successful identity theft or removal of funds would need more information than that "lost in the post". The real damage to the HMRC and Government is loss of reputation leading to the resignation of what is understood to be a well regarded senior civil servant.
Additionally, under current policy, very highly classified information can be sent by courier (albeit approved ones and signed for), while restricted information can be sent in the external post and internal mail. It would be interesting to know how 25 million citizen records would be labelled and what the permitted transport mechanism is.
Within the current reviews, it is likely that technical architecture of government systems will come under scrutiny. There are many examples where major IT "primes" were paid very large sums of money by the Government to develop technical security solutions. Frequently, they didn’t work and when they did they got in the way of efficient business and were therefore switched off. Basic technical security should not be difficult and off-the-shelf functionality from Windows, Active Directory and Databases etc should suffice in most cases. This generally comes down to good configuration and management.
One aspect that can not be avoided by procedures or technology is trust in your staff, especially your system administrators and managers. As a result, references must be followed up, sound governance is required and audits should be checked, because unless you do, staff, either by accident or maliciously, will always be able to circumnavigate practical technical security.
Though the recent examples of serious Government lapses in information security around citizen data has not resulted in a loss to citizens’ bank accounts, it has certainly resulted in a loss of public confidence in the Government’s ability to handle sensitive information. Moving forward, therefore, information assurance (http://www.vega-group.com/newsroom/infocusnew/informationassurance) policies and procedures must be defined in a way that is relevant to current day operations, but just as importantly, communicated to all staff to enable them to become fully aware of and adhere to them, to ensure the integrity and security of highly sensitive ‘customer’ information.
Keywords: Information, assurance, security, governance, Government consulting, Defence consulting, consulting, consultancy, data protection, Information Security Management System, ISMS, national security, labelling, risk management.
Die Nutzung von hier veröffentlichten Informationen zur Eigeninformation und redaktionellen Weiterverarbeitung ist in der Regel kostenfrei. Bitte klären Sie vor einer Weiterverwendung urheberrechtliche Fragen mit dem angegebenen Herausgeber. Bei Veröffentlichung senden Sie bitte ein Belegexemplar an firstname.lastname@example.org.