Username: Save?
Password:
Home Forum Links Search Login Register*
    News: Welcome to the TechnoWorldInc! Community!
Recent Updates
Three-year-olds groomed o...
by Saniya Abraham
[April 24, 2024, 11:48:22 AM]
How robots are taking ove...
by Saniya Abraham
[April 24, 2024, 11:48:22 AM]
Australia PM calls Elon M...
by Saniya Abraham
[April 24, 2024, 11:48:22 AM]
US Senate passes bill tha...
by Saniya Abraham
[April 24, 2024, 11:48:22 AM]
Google to delete records ...
by Saniya Abraham
[April 03, 2024, 06:11:00 PM]
UK and US sign landmark d...
by Saniya Abraham
[April 03, 2024, 06:11:00 PM]
Will Truth Social solve T...
by Saniya Abraham
[April 03, 2024, 06:11:00 PM]
Billie Eilish and Nicki M...
by Saniya Abraham
[April 03, 2024, 06:11:00 PM]
Musk attacks 'dumb eco-te...
by Saniya Abraham
[March 06, 2024, 02:45:27 PM]
Bitcoin price briefly top...
by Saniya Abraham
[March 06, 2024, 02:45:27 PM]
Facebook and Instagram re...
by Saniya Abraham
[March 06, 2024, 02:45:27 PM]
iPhone China sales slide ...
by Saniya Abraham
[March 06, 2024, 02:45:27 PM]
Three apologises again as...
by Saniya Abraham
[February 14, 2024, 02:00:39 PM]
Subscriptions
Get Latest Tech Updates For Free!
Resources
   Travelikers
   Funistan
   PrettyGalz
   Techlap
   FreeThemes
   Videsta
   Glamistan
   BachatMela
   GlamGalz
   Techzug
   Vidsage
   Funzug
   WorldHostInc
   Funfani
   FilmyMama
   Uploaded.Tech
   MegaPixelShop
   Netens
   Funotic
   FreeJobsInc
   FilesPark
Participate in the fastest growing Technical Encyclopedia! This website is 100% Free. Please register or login using the login box above if you have already registered. You will need to be logged in to reply, make new topics and to access all the areas. Registration is free! Click Here To Register.
+ Techno World Inc - The Best Technical Encyclopedia Online! » Forum » THE TECHNO CLUB [ TECHNOWORLDINC.COM ] » Techno News
 Government and our information
Pages: [1]   Go Down
  Print  
Author Topic: Government and our information  (Read 437 times)
webitpr
Elite Member
*****


Karma: 2
Offline Offline

Posts: 879


View Profile
Government and our information
« Posted: January 14, 2008, 10:10:35 PM »

Summary:
How information assurance policies and procedures needs placing at the heart of Government processes, in order to secure citizen data.

Body:
Three times in recent months, HMRC has lost sensitive data belonging to citizens. In both cases, it is claimed that HMRC employees did not follow established procedures, something that has been feared and predicted in open discussion in the media. It is hoped that the Government reviews currently being carried out will not be hampered by preconceived ideas or by its terms which prevent any suggestion of “systemic” failure – an obviously uncomfortable conclusion.

It is clear that pushing responsibility for data protection downwards to front-line level has not worked effectively. It is also clear that guidelines are needed at a systems level, so that front-line staff are not put in a position where these mistakes are likely to happen.

Even the best working procedures are useless unless staff are aware of them and they buy into the value they bring to their organisation. Unless both occur, they will not be adhered to.

Security awareness (http://www.vega-group.com/newsroom/infocusnew/informationassurance) training for staff is fundamental to any robust IA policy. Measures must be taken to ensure management oversee and staff recognise their responsibilities. After all, things do not seem that difficult when it comes to health and safety, with fire drills, fire marshals and evacuation procedures, being signed up to by staff and management, acknowledging that procedures are understood and complied with. An obvious difference is that health and safety is underpinned by heavyweight corporate and individual legislation.

Staff Terms and Conditions should include commitment to protect ’customer’ information and put the onus on information keepers to identify and apply relevant policy and procedures.

These issues are at the heart of any good Information Security Management System (ISMS) (http://www.vega-group.com/services/informationsecurity/servicelines/index.asp?id=1421,574,4,575) such as ISO27001 (previously BS7799). An ISMS does not provide the solutions – it ensures you think about risk to inform the solutions you do adopt.  A common criticism of an ISMS is that it can be a significant overhead on the organisation. Without careful and pragmatic adoption this can be the case, particularly if effort is spent on marginal and subsidiary concerns. However, it can be assumed that citizen data would be the major / highest-value asset in many government departments and must therefore, at a minimum, be dealt with within the ISMS.

Claims that policy was not followed are often cited as a cause for recent incidents. But without being specific to HMRC, what is government policy for handling citizen information? UK Government has information handling policies based on a protective marking scheme (i.e. classification in old parlance), which are to protect our National Security and were originated to keep our secrets secret, such as (at the highest level) location of nuclear weapons, identities of operational security services personnel, and specification of weapons.

Although policies have been updated to include aspects that have a more current relevance, such as availability and integrity, does that make them suitable for use in government departments dealing with ’customer’ information? A point to note is that labelling information does not in itself do anything; it is only an indicator to a set of appropriate procedures. So, unless they have been developed and staff are aware of and use them, the labelling is a waste of time.

A labelling scheme is certainly required – perhaps one based on the Government protective marking scheme – but whose set of hierarchical procedures are based on impact and risk relevant to their organisational operations and the information they handle. It should be widely applicable to government departments, with each defining locally how they are applied. Again, this works for health and safety – we know we have to be able to evacuate a building, but each building has a different layout.

A good example demonstrating the need for a specific labelling policy is regarding the impact of ‘brand damage’ or ’loss of reputation’. In the recent HMRC incidents, it is claimed that the potential risk to the citizen was minimal. The stolen laptop had the hard disk encrypted and a successful identity theft or removal of funds would need more information than that “lost in the post”. The real damage to the HMRC and Government is loss of reputation leading to the resignation of what is understood to be a well regarded senior civil servant.

Additionally, under current policy, very highly classified information can be sent by courier (albeit approved ones and signed for), while restricted information can be sent in the external post and internal mail. It would be interesting to know how 25 million citizen records would be labelled and what the permitted transport mechanism is.

Within the current reviews, it is likely that technical architecture of government systems will come under scrutiny. There are many examples where major IT “primes” were paid very large sums of money by the Government to develop technical security solutions. Frequently, they didn’t work and when they did they got in the way of efficient business and were therefore switched off. Basic technical security should not be difficult and off-the-shelf functionality from Windows, Active Directory and Databases etc should suffice in most cases. This generally comes down to good configuration and management.

One aspect that can not be avoided by procedures or technology is trust in your staff, especially your system administrators and managers. As a result, references must be followed up, sound governance is required and audits should be checked, because unless you do, staff, either by accident or maliciously, will always be able to circumnavigate practical technical security.

Though the recent examples of serious Government lapses in information security around citizen data has not resulted in a loss to citizens’ bank accounts, it has certainly resulted in a loss of public confidence in the Government’s ability to handle sensitive information. Moving forward, therefore, information assurance (http://www.vega-group.com/newsroom/infocusnew/informationassurance) policies and procedures must be defined in a way that is relevant to current day operations, but just as importantly, communicated to all staff to enable them to become fully aware of and adhere to them, to ensure the integrity and security of highly sensitive ‘customer’ information.

Keywords: Information, assurance, security, governance, Government consulting, Defence consulting, consulting, consultancy, data protection, Information Security Management System, ISMS, national security, labelling, risk management.
Logged
Pages: [1]   Go Up
  Print  
« previous next »
 
Jump to:  

Copyright © 2006-2023 TechnoWorldInc.com. All Rights Reserved. Privacy Policy | Disclaimer
Powered by SMF 1.1.4 | SMF © 2006-2007, Simple Machines LLC
Seo4Smf v0.2 © Webmaster's Talks
Page created in 0.086 seconds with 23 queries.