WRITTEN ON November 26th, 2007 BY Chris Smith AND STORED IN Uncategorized

I feel quite strongly that:
– Protective marking (as in Gov protective marking) is not a solution
– The major risk is loss of public confidence in Gov and not to citizens’ bank accounts
– The root of the problem is not with technical solutions, though they will help if pragmatically applied
– The problem is with information-assurance policy and procedure not being defined in a way relevant to current-day operations
– And even if the procedures exist, staff are not aware of them or fail to apply them – i.e. a cultural issue…

It is clear that pushing responsibility for data protection downwards to front-line level has not worked effectively. It is also clear that guidelines are needed at a systems level so that front-line staff are not put in a position where these mistakes are likely to happen.

Even the best working procedures are useless unless staff are aware of them and “buy in” to the value they bring to their organisation. Unless both occur, they just will not be followed.

Security awareness training for staff is fundamental in any robust IA policy. Measures should be taken to ensure management oversight and staff recognition of their responsibilities. This does not seem so difficult when it comes to Health & Safety: fire drills, fire marshals, evacuation procedures, and staff and management signatures acknowledging that procedures are understood and working are commonplace. An obvious difference is that Health and Safety is underpinned by heavyweight corporate and individual legislation.

Staff Terms and Conditions should include commitment to protect “customer” information and put the onus on them to find out and apply relevant policy and procedures.

These issues are at the heart of any good Information Security Management System (ISMS), e.g. ISO27001 (previously BS7799). An ISMS does not provide the solutions – it ensures you think about risk to inform the solutions you do adopt. A common criticism of an ISMS is that it can be a significant overhead on the organisation. Without careful and pragmatic adoption this can be the case, particularly if effort is spent on marginal and subsidiary concerns. However, I suspect that citizen data would be the major / highest-value asset in many government departments, and therefore at a minimum this should be dealt with within the ISMS.

A frequent comment is that recent incidents were caused by policy not being followed. Without being specific to HMRC, what is government policy for handling citizen information? UK Government has information handling policies based on a protective marking scheme (i.e. classification in old parlance). These are to protect our “National Security” and originated to keep our secrets secret, for example at the highest level: location of nuclear weapons, identities of operational security services personnel, specification of weapons etc. Policies have been updated to include aspects that have a more current relevance, such as availability and integrity, but does that make them suitable for use in government departments dealing with “customer” information? A point to note is that labelling information does not in itself do anything; it is only an indicator to a set of appropriate procedures, so unless those procedures have been developed and staff are aware of and use them, the labelling is a waste of time.

A labelling scheme is certainly required, perhaps one based on the government protective marking scheme, but whose set of hierarchical procedures is based on impact and risk relevant to the organisation’s operations and the information it handles. It should be widely applicable to Government Departments, with each defining locally how the procedures are applied. Again this works for Health & Safety – we know we have to be able to evacuate a building, but each building has a different layout.

A good example demonstrating the need for a specific labelling policy is to do with the impact of “brand damage” or “loss of reputation”. In the recent HMRC incidents it is understood that the potential risk to the citizen was minimal. The stolen laptop had the hard disk encrypted and a successful identity theft or removal of funds would need more information than that “lost in the post”. The real damage to the HMRC and government is loss of reputation leading to the resignation of what is understood to be a well regarded senior civil servant.

Also under current policy very highly classified information can be sent by courier (albeit approved ones and signed for). Restricted information can be sent in the external post and internal mail. It is an interesting question to ask what would 25,000,000 citizen records be labelled as and what would be the permitted transport mechanism – internal mail?

A final point about security as part of technical solutions. I have worked for a number of major “primes” where very large sums of money have been paid by government to develop security solutions. Frequently they didn’t work, and when they did they often got in the way of efficient business and so were switched off. Basic technical security should not be difficult, and off-the-shelf functionality from Windows, Active Directory, databases etc. should suffice in most cases. This generally comes down to good configuration and management. But at the end of the day you still need to trust your staff – your system admins/managers most of all and others less so. So take up references, have good governance and check audits etc., because unless you do, staff, either by accident or maliciously, will always be able to circumvent practical technical security.

One Response to “ISO27001, protective marking, and lessons from HMRC”

Alan Calder wrote on January 22nd, 2008 8:24 pm :

ISO27001 certification should be a requirement of all central government departments and all executive agencies. Forcing these organizations to address information risk, and forcing them to put in place an ISMS that is externally audited, would significantly reduce the number of these types of incident. So would requiring the resignation of the permanent secretary and minister responsible for any department in which such a fiasco appeared. It’s what we call ‘accountability’.