A new approach to information security in the public sector, an area of major concern following recent high-profile losses of citizen data and with the possibility of an ID card system on the horizon, was set out at this month’s Society of IT Management (Socitm) annual conference in Newport, Wales.
Harvey Mattinson, lead consultant on risk management and information assurance professionalism at the security services’ IT protection arm CESG (http://www.cesg.gov.uk/), told delegates that the traditional government document tags such as ‘confidential’ or ‘secret’, which simply indicated levels of privacy, had outlived their usefulness for most purposes.
For local government, a new system has replaced these tags with ‘business impact codes’ marked from 0 to 6, corresponding to the level of adverse impact on the organisation should the information be compromised. The codes for local government, drawn up in liaison with Socitm, assess issues such as the effect on business continuity, potential embarrassment to the organisation, or threat to the safety of staff or citizens.
Appropriate levels of action should then be taken by each authority to ensure the availability, integrity and confidentiality of each type of data, Mattinson said.
Action ranges from simply “being aware there are bad guys out there when you connect”, for level 1 information, to taking steps such as firewalls to deter skilled attackers (levels 2 and 3); taking more sophisticated steps to detect and resist attacks (level 4); and defending with all means possible (levels 5 and 6).
In the past CESG had placed an emphasis on product assurance, testing products and certifying them as appropriate for use in various security situations, but this approach too had been replaced by a recommendation that authorities assess each security set-up in a live environment.
One key to security is defence in depth, Mattinson said: councils should “build up layers” and not rely on a single system.
“We are not that interested any more in product assurance: I need to know that all my products in a line will deter, detect or defend.”
Neither should councils fall into the trap of thinking that IT security is purely a technical problem with technical solutions, Mattinson said.
“Don’t look for a purely technical solution: I’ve never been able to solve a risk management problem using technology alone.” In fact, there are four elements to any solution: physical, personal, procedural and technical, he said. It was also the case that the majority of security breaches are caused by someone inside the organisation, whether intentionally or unintentionally.
The strongest security systems will be expensive, Mattinson admitted: “the higher the rating, the more it will cost to protect”.
But ultimately, IT managers should not fear security as a complex area to tackle. “Keep it simple – security is common sense. You do it all the time – you just need to manage it.”
NOTE: For full reports from Socitm ’08 in Newport, written for the society by E-Government Bulletin editor Dan Jellinek, see: http://fastlink.headstar.com/lgdc1.