4.10. Information Security and Assurance: the National IA Strategy

The Government ICT strategy will deliver a standardised environment in which converged services can evolve to meet public sector business needs in a cost-effective and business-enabling way. The environment has two key characteristics which will shape the Information Assurance (IA) elements of the strategy. These can be summarised as:

  • Complexity: the Government environment will comprise interconnecting services operating across multiple organisational boundaries within the public sector
  • Convergence: the convergence of voice and data services will support flexible working, minimising business dependence on location whilst providing access to data and IT functionality using fixed and mobile communications seamlessly

Against this complex environment, the use of information will remain central to the challenges facing the public sector – whether in improving health outcomes, tackling child poverty, or protecting the public from crime and terrorism. Information assurance – confidence in the security, integrity and availability of information systems – is essential to underpin the challenge of delivering personalised services via ICT, as well as making us more effective and efficient.

The National Information Assurance Strategy (NIAS) was published in 2003 and updated in 2007. The NIAS aims by 2011 to create “A UK environment where citizens, businesses and government use and enjoy the full benefits of information systems with confidence”. However, the management of information risk has not always enjoyed the high profile it now holds. A number of reviews of high profile data losses have highlighted significant issues. For example:

  • Accountability for information risk was not always clear
  • Policy was complex and did not always keep pace with business change
  • The necessary culture to comply with policy and protect information properly was not in place

The Cabinet Secretary’s Data Handling Review (DHR) was published in June 2008. The DHR set out significant changes in the way that Government departments address IA issues, with a strong focus on personal data. These changes can be divided into 4 main areas:

  • New mandatory policy measures: a series of mandatory minimum measures are now in place across government, including encryption of removable media and compulsory testing of the resilience of systems by independent experts
  • Cultural change: More than 300,000 civil servants dealing with personal data have undertaken mandatory annual training. Cabinet Office has also made Privacy Impact Assessments mandatory for new projects, as recommended by the Information Commissioner
  • Stronger accountability: data security roles within departments have been standardised and enhanced to ensure clear lines of responsibility
  • Increased scrutiny: Departments report annually on their performance in handling information risk, and the Information Commissioner has begun conducting spot checks of government departments

At the centre of Government, the governance of Information Assurance has been improved and strengthened with enhanced oversight now in place at Ministerial and senior official levels. Furthermore, CESG (the information assurance arm of GCHQ) have expanded their responsibilities in supporting the delivery of IA in government and have put in place a process of transformation to support their new role.

The vision for information security and assurance remains the realisation of a UK environment where citizens, businesses and Government use and enjoy the full benefits of information systems with confidence. Good progress has been made through improvements in the handling of personal data in the last year, but in the next decade this progress must be consolidated and embedded into the way Government delivers services through ICT. In the light of the complex, converged environment set out above, IA will be built into every public sector ICT system from requirements capture through design to implementation. This will deliver the technical and process controls that will enable citizens, public bodies and their delivery partners to match their risk appetite with their risk exposure, in the knowledge that systems have been designed with IA integrated from the outset.

Three principles will underpin and enable the delivery of the IA element of the Government ICT strategy: partnership, professionalism and pace.

  • Partnership: Public sector organisations will need to work together to deliver the right IA outcomes. In particular Cabinet Office will work closely with its key partner CESG (the National Technical Authority for IA) and CPNI, to drive implementation as well as to engage with the IA Industry that is vital to the success of this strategy
  • Professionalism: There will be recognised and widespread professionalism in IA encompassing those in risk ownership roles in the public sector, Industry partners, and government IA profession specialists
  • Pace and agility: will become the dominant characteristic of design-to-market delivery of IA capability, evaluation of products and services, response to incidents and management of risk impact

The changes and principles set out above will not, on their own, be sufficient. Information Assurance is a broad and cross-cutting area of Government business. The recent Digital Britain report, the Cyber Security initiative and the development of Knowledge and Information Management all have implications for the way that Government protects and handles information. This will be reflected in a refreshed National IA Strategy, which will incorporate the coordination and delivery of the cross-cutting IA elements of each of the ICT strategy work strands. Finally, the process of change begun by the Data Handling Review must be sustained and deepened. The culture of protecting information must be consolidated; policy must remain responsive, relevant, clear and accessible; and the new governance arrangements at the centre of Government must fully mature.

Comments

  1. James Rigby says:

    This is my profession. And sadly this proposal does nothing to address the real issue, which is privacy. The proposal covers lost discs and memory sticks but says nothing about how the privacy of the public’s personal data is to be protected from town-hall snoopers and others as they join their systems together. What’s needed is a proper information asset and classification scheme aligned with individual role descriptions in each public sector entity and full individual authentication for all systems. Otherwise mistakes are far too easy to make and we will face the nightmare scenario of the local planning clerk being able to see how many points are on your driving licence and the taxman knowing the ins and outs of your appendectomy.

  2. Prof. Marcus Xaesar says:

    Since when did governments do complexity? This is the reason ordinary people require professional politicians.

  3. 13thHouR says:

    I have to agree with James Rigby here; privacy is a major issue. Under current rules (or those proposed), a submission on your local council’s website, as an example, can be shared with any department they see fit to choose. The same applies right across the board where local Government and Central Government are involved. A system that allows open sharing of private information between departments, yet such strict access for private people’s access to their own information, is ridiculous.

  4. Robin Mayes says:

    So the Tories publicly leak a document and then ask us about information security, oh the irony! I like your little pictures at the top, by the way, of police and firefighters and schoolkids – I hope you got permission to publish the last ones! I’m surprised you didn’t opt for fluffy kittens, as they’re about as close to a government IT document as the others are. A picture of a PC and racks of servers would have been better, no?

  5. Mark says:

    “the Government environment will comprise interconnecting services operating across multiple organisational boundaries within the public sector”

    The best form of information security is separation; obviously this conflicts with accessibility, just like the lock on my front door conflicts with accessibility to my house.

    Sharing information across departments is bad for us. The easiest way for organised criminals to defraud the Tax Credits system is for them to buy data from HMRC civil servants.

    I’m not sure we should allow Civil Servants to keep so much data about us. Had the Stasi possessed as much data about the citizens of East Germany as HMG has about us, and the ability to link it all together, 20 years ago, do you think the Berlin Wall would have been demolished?

    Imagine you do something that might embarrass HMG, e.g. survive a rail crash and then start asking awkward questions: http://www.telegraph.co.uk/news/uknews/1396529/Outrage-over-Labour-dirty-tricks-email.html

  6. Commentator says:

    Yes, let’s not share information between Departments and just have more Victoria Climbie and Baby P cases… and on a more trivial basis have to inform every Department about changes of address details and forget things like on-line car tax renewal, which require information sharing. Such short-sighted comments on this site.

  7. I have tried to avoid talking directly about FLOSS, I’m not trying to sell-in.

    However the time has come to parody Churchill on democracy – it is the worst form of software apart from all the others.

    Whatever one thinks about any software, no information strategy should be trumped by a software company’s paranoia regarding piracy, including…

    http://www.theregister.co.uk/2009/12/14/office_2003_lock_out_bug/

    The government’s approach to data, software, ICT might make me foam at the mouth, but I can (pretend to) comfort myself that somewhere, somehow, the government will listen to democratically based reason.

    A software vendor (place of origin is not relevant, though I _suppose_ if it were UK based there might be more control) has no such oversight.