Identity Governance: Protect-Policy

Filed under: Governance,Policy,Risk,Security — lenand @ 9:48 am

The Cabinet Office has completed some DRAFT policy documents on an Identity Assurance Framework.  In June 2011 they were “Final Draft approved for external review”.  There is some very good work documented with significant implications if the recommendations are acted upon.  They have been circulated to a limited extent, but every page has been protectively marked as:



The marking indicates that there are risks in widely circulating the documents.  It is a clear warning to Quarkside not to publish them and contribute to open debate.   On inspection, the criteria for assessing PROTECT (Sub-national security marking) assets are:

  • cause distress to individuals;
  • breach proper undertakings to maintain the confidence of information provided by third parties;
  • breach statutory restrictions on the disclosure of information;
  • cause financial loss or loss of earning potential, or facilitate improper gain;
  • unfair advantage for individuals or companies;
  • prejudice the investigation or facilitate the commission of crime; 
  • disadvantage government in commercial or policy negotiations with others.

Surely “external review” should mean what it implies, and the Cabinet Office should obtain feedback from more experts before the policy is cast in bronze.  There are enormous implications for Local Authority and Voluntary sector service providers. Couldn’t the draft be published for consultation and made unrestricted less than six months after internal approval?



IG Assets: Data Quality and ISO 8000

Filed under: Assets,Governance,Standards — lenand @ 11:25 pm

“Without trusted information government would have to exist on hunch and guesswork.”

The quotation above came from the Eurim report on “Improving the Evidence Base”.  It’s another way of saying that data quality matters.  Quality is an attribute of information assets, a primary dimension in the 7 Dimensional Information Governance framework (7DIG).  The Audit Commission gives the dimensions of data quality as:

  • Accuracy – accurate enough for the intended purpose.
  • Validity – recorded and used in compliance with relevant requirements.
  • Reliability – reflects stable and consistent data collection processes across collection points and over time.
  • Timeliness – captured as quickly as possible after the event or activity and made available within a reasonable period of time.
  • Relevance – relevant to the purposes for which it is to be used.
  • Completeness – data requirements should be clearly specified based on the information needs of the body, and data collection processes matched to these requirements.

The now defunct Data Connects Forum also commissioned an excellent report on Data Quality Management. It has a framework which inspired the 7DIG framework.  A lot of work went into developing the detailed recommendations and supporting software tools.  However, as with the Eurim report, it is the work of a small group of professionals.  Neither refers to nor complies with any international standard.  ISO standards are produced by a wider body of people over a long consultation period, and they have to be rigorously tested.

ISO 8000 is the Emerging Standard for Data Quality.  It has been many years in gestation with ISO TC184/SC4, the ISO subcommittee that looks after industrial data. However, it has been recognised from the start that this standard could have a much wider usage.  Should the UK Public Sector be interested?  Perhaps the Cabinet Office and LeGSB should keep an eye on progress, in case it could help to improve the quality of shared data.


Liam Maxwell: One year later

It is more than a year since Liam Maxwell’s “Better for Less” was published.  What has been achieved from the 69 pages of ideas? It obviously made the right impression, because he is now working in the Cabinet Office in a one year appointment from September 2011.


“Our goal should be to deliver to the online population frontline public services with minimal, possibly zero, administrative cost, freeing up cash for more effective, intermediary-based, service delivery for those not online, and also as savings. This is already happening in some areas of local government and driving taxes down. It is happening in other countries, making service delivery better. It is time the biggest component of the British economy, its bloated state, started to learn these lessons.

How does it work?

5 principles underlining all IT in government

We base our approach on a small number of core principles:

1) Openness

a. Open Data – government data must be transparent
b. Open Source works – its concepts should be applied to processes as much as to IT
c. Open Standards will drive interoperability, save money and prevent vendor lock-in
d. Open Markets – competition creates efficient market-based solutions.

2) Localism – the centre may set the standards, but local deployment is best.

3) Ownership and Privacy

a. It’s our data, government can have access but not control over personal data.
b. Government should be accountable for data protection and proper use.

4) Outcomes matter more than targets.

5) Government must be in control of its programmes, not led by them.”

Let’s look to see how successfully the principles have been incorporated into the Government ICT Strategy.

1. Open data, open standards and open source are clearly stated objectives. And open markets are part of the procurement objective.

2. Localism does not get a mention, according to word search. This is a gaping hole, but perhaps Liam will explain this when he speaks at the SOCITM conference in November.

3. Alarmingly, neither privacy nor data protection are words within the strategy.  The objective for “Risk Management Regime” has implied elements of both, but the metrics concentrate on system security, not on anything based on citizen data protection.

4. Outcomes are potentially the most important gap in the strategy. There’s too much concentration on internal, central government processes. The four objectives for using ICT to enable and deliver change are not really focussed on citizen outcomes.

5. Governance of programmes is an implicit role for the “Public Expenditure (Efficiency and Reform) Cabinet sub-committee (PEX(ER))”. There are twelve senior people named, with representatives from MOD, MOJ, HMRC, HO, DoH, DWP and Cabinet Office.  That should be enough people. However, Quarkside thinks that UK plc should also have representation from departments with responsibility for improving the ICT skill base of the country. Shouldn’t DfE and BIS have something useful to contribute? And if localism is really important, why doesn’t DCLG have a place on the high table?

Quarkside gives “Better for Less” 40 marks out of a possible 100 for influencing the agenda. In the old days, this was a ‘Pass’ at A level. So not too bad. However, it would not have secured you a place in one of the top universities.


Low Confidence in Government ICT Strategy

We should be pleased that Government has published “Government ICT Strategy – Strategic Implementation Plan”.  It is evidence of a controllable top-down approach and provides an easily digestible 77 pages of prose that should give us all confidence that the full programme will be delivered.  There are 19 Objectives and 19 Programme Key Milestones in the document.  Looking deeper, each of the objectives has a project team and its own set of Key Milestones.  Hence there is a total of about 60 Key Milestones. So, bottom-up, people are working diligently.  However, there is a risk that they may be too constrained to look at the overall programme.  By observation, it’s the people at the bottom who know what is really going on, but they are rarely asked their opinion.  Quarkside recommends that a cross-section of staff are interviewed on their level of confidence that the overall programme objectives will be met.  The initial impression is that there are too many objectives with low confidence of success.


This is the list of Objectives from the table of contents.

Objective 1: Reducing Waste and Project Failure, and Stimulating Economic Growth

  1. Asset and services knowledgebase
  2. Open source
  3. Procurement
  4. Agile
  5. Capability
  6. Open standards for data
  7. Reference architecture
  8. Open technical standards
  9. Cloud computing and applications store

Objective 2: Creating a common ICT infrastructure

  10. Public services network (PSN)
  11. Data centre consolidation
  12. End user device strategy
  13. Green ICT
  14. Information strategy
  15. Risk management regime

Objective 3: Using ICT to enable and deliver change

  16. Channel shift
  17. Application Programme Interfaces (APIs)
  18. Online government consultation
  19. Social media


Quarkside has mapped the Key Milestones (M) with the Objectives (O):

| Objectives | Key Milestone | Date |
| | 100% of central departments have access to the ICT Asset and Services Knowledgebase and can input, discover and output data | September 2011 |
| | Cloud Computing Strategy published | October 2011 |
| | End User Device Strategy published and delivery programme commenced | October 2011 |
| | Green ICT Strategy published | October 2011 |
| | ICT Capability Strategy published | October 2011 |
| 2, 6, 8 | First release of a draft suite of mandatory Open Technical Standards published | December 2011 |
| | First draft of reference architecture published | December 2011 |
| | Publication of cross-government information strategy principles | December 2011 |
| | High level information risk management governance process designed and agreed | December 2011 |
| | Roll-out of ‘lean’ sourcing process | January 2012 |
| | Data Centre standards published | February 2012 |
| | Core PSN capabilities delivered and services available to allow sharing of information between customers regardless of whether they are on the new PSN or legacy environments | March 2012 |
| | A set of open standards for data adoption established and progressed by government departments, driven by the Open Standards Board | June 2012 |
| | 50 accredited products on the Government Application Store | December 2012 |
| | Full implementation of End User Device Strategy commences | January 2013 |
| | Agile techniques used in 50% of major ICT-enabled programmes | April 2013 |
| 9, 10 | 80%, by contract value, of government telecommunications will be PSN compliant | March 2014 |
| | 50% of central government departments’ new ICT spending will be transitioned to public cloud computing services | December 2015 |
| | Cost of data centres reduced by 35% from 2011 baseline | October 2016 |

It is pure coincidence that there are 19 items in the Objectives list and 19 Key Milestones.  That some Milestones support several objectives is fine, and not an issue.  However, none of the four Objectives for “Using ICT to enable and deliver change” seem to get a mention, namely:

  16. Channel shift
  17. Application Programme Interfaces (APIs)
  18. Online government consultation
  19. Social media

This is not mischievous arm-chair auditing.  It demonstrates one of the duties of a risk manager to check that ALL objectives are visibly targeted in projects. The Programme should either drop the objectives under change control, or revise the implementation plan.  The latter is obviously preferable, because they are the only ones that have impact on citizen services.  The first 15 objectives are largely internal and focus on efficiency, not effective service delivery.

Confidence in Outcomes

Chart: Confidence in ICT Strategy Implementation

Quarkside has used the Confidence Management method to review the Milestone Plan.  The Confidence Chart dramatically shows the impact of omitting four of the Strategy objectives. How is it possible to give any level of confidence that they will be achieved when they are not related to any Milestones? Admittedly, the results were obtained from a sample of one person; just think how much more useful this would be if more people were sampled at each level in the programme teams.  There would be some interesting results that would make immediate sense to Ministers, who are reliably expected to look at only one sheet of paper.  The average level of confidence in the overall programme is just 50%.  Surely this would be important to Ministers if it was a true reflection of what the Civil Servants think is likely to happen in the future. It is just like a doctor sticking a thermometer in a patient’s mouth: a reading, not a diagnosis.

The Governance structure includes a Director of ICT Futures, Liam Maxwell.  He has been appointed and has begun work to horizon scan and improve capability to identify risks and exploit new technologies (Action 28).  Liam Maxwell should be made aware of this innovative method devised by an SME.  Any objective with less than 50% confidence should surely have a prominent place on the risk log.  It is far more effective to sort out any issues at this early stage than to wait until it is too late to correct them.  The end results of all large programmes can be predicted during the first 30% of their planned time period. Liam Maxwell should try to ensure that each of the project implementation teams’ own risk logs can be compared objectively.  The current sets of top three risks in each sub-delivery area are purely qualitative. They cannot be compared to identify which are truly the biggest programme risks.  Educating project teams to use the Crilog Risk Index is one possible way of ranking every risk in the Programme.


Pan Government Arrogance

Filed under: Governance,Policy,Politics — lenand @ 7:42 am

The Local Government Delivery Council (LGDC) was established in 2007 to support its Chair in the role of one of two local government representatives on the Cabinet Office Delivery Council. The Delivery Council was the pan government body, chaired by Sir David Varney, set up to drive the transformation of public services so that these became ‘better for the citizen, better for staff and cheaper for the tax payer’.

We now learn that the Cabinet Office’s Delivery Council has ceased and there is no longer a pan government body which includes local government representation. Fortunately, an independent LGDC has become the recognised and established body for central government agencies to engage with when they are working with, or plan to work with, councils to redesign services. It provides one of the few (perhaps the only?) forums where central government departments get to see what other government departments might be planning in relation to local government. Recent meetings have had representatives from:

  • DfT – Blue Badge programme
  • Cabinet Office – Digital Britain, Id Assurance
  • DfE – Employee Authentication Services
  • BIS – UK Broadband programme, Post Office programme
  • DCLG – Central Local Digital Collaboration
  • DWP – Tell Us Once, Universal Credit
  • Home Office – Single Non-Emergency Number (101)

It is good that Local Government has the opportunity to provide feedback from the front-line about the realities of providing face to face services. A neat example is the assumption that broadband is ubiquitous and that claims for benefits could be ‘driven on-line’. It was pointed out that broadband is one of the luxuries that go when a household needs to claim benefits. Another example is a department representative having to apologise to irate Chief Executives about by-passing them in a survey of redundancy costs in a specific service.

The governance of central government projects needs much wider involvement of local government experts. They need to appreciate the diversity of requirements around the country and not assume that a token consultation with a couple of representatives is sufficient. Too much of the initial strategy and architectural work is done by World Class Enterprise Management Consultants; their experience of deprivation is as limited as the policy makers from Whitehall.


Breeder Battle at Id Gurus Gathering

Identity Management was the topic of Eurim’s latest gathering of gurus. The bad news is that three points came clear:

  • The UK lacks coordination of both policy and strategy. Each Government department and agency has its own vision and way of moving forward.
  • The advance of standards and software will have to be provided by the private sector, and they need a business model that will eventually show a profit. They will need a secure revenue stream for providing identity management services.
  • The world is moving forward quite happily without UK input. The UK’s position of leadership will change to that of followership at great cost to the economy. Global trade needs trusted identities with supporting agreements on liability and indemnity. The UK Government is not fully engaged in EU or international deliberations. An opportunity may be missed to become the headquarters of an identity governance industry.

There was only one organisation at the table with an eye on the commercial opportunity. Their national network could extend their services to provide identity registration for the public. 90% of the population are within 10 miles of their facilities.  Good for all of us.

Unfortunately, we were left with (at least) three unresolved questions:

  • Which third party credentials will be accepted by Central and Local Government agencies?
  • Who is responsible for governance of all UK identity schemes?  The National Archives as keeper of public records was suggested, but they may not be on the radar of five Cabinet Office working parties.
  • Is a ‘root identity’ necessary?  There were two strongly voiced divergent opinions on ‘breeder documents’. The Chatham House Rule prevents naming the parties. But Quarkside promotes the management of multiple identities (personae), which do not require a ‘root identity’ or ‘unique identifier’.

The good news is that everybody seemed to agree on a definition of identity assurance levels for electronic IDs that will make sense to our MPs.  This is all they have to remember:

  • Level 0: Anonymous – no personal data registered.
  • Level 1: Self-asserted – likely to be the same person returning.
  • Level 2: On the balance of probability – good enough for civil action.
  • Level 3: Beyond a reasonable doubt – good enough for a criminal conviction.

This may have the technical experts reeling, but it is more important to get our politicians moving in the right direction than to give lessons on the differences between the five As: Assertion, Assurance, Authentication, Authorisation and Accreditation.



Top Marks for Big Brother Watch

Only rarely does the blogosphere publish such a complete and balanced review of information assurance.  It was so difficult to challenge any point that Quarkside has only extracted some points for brevity.  Toby Stevens quoted in full an article that was originally published by Big Brother Watch in their book “The state of civil liberties in Modern Britain”.

It is prefaced with “The Department of ‘No’”:

  • NO central information assurance function in the Government.  It is thinly spread among many agencies.  For example the Cabinet Office is responsible for CESG, the Cabinet Office Security Policy Division (COSPD) and the Office of Cyber Security and Information Assurance (OCSIA).  The MOD and other departments do their own thing.
  • NO ‘Government Chief Information Security Officer’ or ‘Office for Government Information Assurance’. “… no one individual or organisation accepts accountability for the proper governance of data in the public sector”. “Each department and agency has to pay to support its own security infrastructure rather than drawing upon the economies of scale that might be achieved by a central security team working for the common good of government. The information assurance environment is far from cost-effective.”
  • NO rational Information Risk Management.  Security incidents will always occur, and the public sector culture is to look for someone to blame.  As a result, public authorities are unable to obtain cost-effective information security controls.
  • NO Secure Systems.  “Local authorities and arm’s length bodies very often fail to comply with government security standards simply because they don’t know that those standards even exist, and if they do, they can’t gain access to either the standards or cost-effective individuals who are able to assist them.”
  • NO Privacy by Design. “How else could designs such as the ill-fated Contactpoint, or the NHS Summary Care Record, be allowed to exist where hundreds of thousands of users can access millions of individuals’ sensitive private records?”
  • NO Open Source Software. “Without a vendor to pay for security testing the patches and updates under the current regime, open source software will remain largely inaccessible for government.”

However, the report is not entirely negative.  Seven recommendations are given which show great common sense.  Again, it is worth reading the full document and not just scanning the list below:

  1. Appoint a pan-government Chief Information Security Officer as a new focal point for information assurance.
  2. Create a government CISO Council.
  3. Consolidate existing duplicate information assurance services.
  4. Ease the administrative security regime for lower-value data.
  5. Sort out the existing mess of unaccredited Whitehall systems.
  6. Voluntarily accredit open source software where appropriate.
  7. Develop the information assurance profession.

“If we want an information assurance function that really supports public authorities, and that can deliver more for less, then these changes are cheap and easily done. We simply have to ask OCSIA to reform the information assurance function, give that office the power to do so, and support it when it encounters inevitable resistance from within the security establishment. All it takes is the will to say ‘YES’.”

Thanks are due to Robin Wilton for tweeting Toby Stevens’ blog entry.

Identity Icebergs to sink Universal Credits

Does the Cabinet Office talk to the Cabinet Office, or to any other Department for that matter?  Last week’s Local Government Delivery Council also had two related presentations: “Identity Assurance for Public Services” by the Cabinet Office and “Employee Authentication Services (EAS)” by DfE and DWP.

Put these into the context of “HMG CTO Council – Government Employees Strategy for management of Identities – Version 1.1 – 1 February 2011”. This noble document has some excellent content as far as it goes, but look at the juicy bits it deems out of scope:

  • “Access control of data within a single system or organisation
  • Entitlements of a validated identity within a single system
  • Authorisation services and other capabilities enabled by identity management
  • Citizen and Individual authentication even for access to government services or visitors to government sites
  • Identity Management of systems, devices and other entities
  • Audit and accounting requirements other than by reference to their need.”

Most, if not all, of these are required by real live systems, especially in Local Government.  They are probably the hard bit where most guidance is needed.  Federated identity management protocols do understand how to include these options.  For example, the use of Shibboleth 2 in the education sector can easily differentiate between children and teachers in Web based application systems.

EAS has been around for years in DWP.  It has been recently used for the “Tell Us Once” (TUO) project, authenticating for multiple agencies handling common citizen data.  They have discovered the need for, and have implemented, some employee attributes that allow differential access to application systems. This is out of the scope of the strategy above, but they found they had to do it.  Every Local Authority (LA), and there are hundreds of them, needs guidance on this because most do not have the internal skills and knowledge to interoperate with external identity providers (like EAS, but there are lots more). A common standard for federating identity, supported with standard software, is the only sensible way to proceed.

Finally, there was a bombshell from the Cabinet Office.  As part of the stakeholder engagement process, they presented “a federated approach through which a person is able to assert a trustworthy identity”.  Here are some of the enlightening aspects of a working federated system:

  • delivered for DWP Universal Credits in April 2012
  • provided ‘by the market’, presumably meaning non-funded
  • dependent on external verification of identity by third parties (such as banks) selected by the citizen
  • LAs will provide an Identity Hub which collects personal data and matches with the external credentials (this is a minefield, not just icebergs)
  • links with biographic, health, wealth and education data by attributes
  • links with DVLA
  • links with an ‘official’ address file
  • not dependent on a centralised identity register
  • Oh, and by the way, it will run on the GCloud. Trebles all round.

The aspirations are wonderful, straight out of the junior management consultant’s handbook, but three simple questions illustrate the risks involved:

  1. Does the Identity Management industry, working with hundreds of LAs, have the capacity to deliver in such a time scale?
  2. Does the Cabinet Office (or anybody else?) have a Technical Architecture that is fit for purpose and compliant with the CTO Council strategy?
  3. Identity management ignorance crippled the development of ContactPoint – why is it so much easier and simpler for Universal Credits?


SRP: Cabinet Office smoke screen

Filed under: Governance,Policy,Strategy,Technology — lenand @ 8:46 am

It’s good to see from the latest update that the Cabinet Office has taken responsibility for structural reform of ICT (Sections 1.9 to 1.13).  It was intriguing to see something which is entirely sensible:

1.9.i. Increase the Chief Information Officer’s power to integrate ICT across government. (Completed)

But it raises a few questions:

  • When was it completed?
  • What was the instrument for increasing that power in central and local government?
  • What tools have been provided to enable this integration?
  • Who is the CIO?

Research of earlier transparency website records shows that:

  • The July baseline only included 5 items in Section 1 (Civil Service Reform).
  • The October 2010 Progress reports can only be generated for months from November 2010 onwards.

There have obviously been a number of changes to the Cabinet Office SRP, but where are the documents?

There are lots more completed actions, but the results do not seem to have been published.  This is more like a smoke screen than a telescope for transparency.


SRP: DfE delays obscured

Filed under: Education,Governance,Policy,Politics — lenand @ 12:29 pm

Is DfE playing games with reporting on their Structural Reform Plan?  Just let somebody else compare the DfE Baseline from July with their Progress Reports from October and November.

Here are three Quarks:

1. Avoidance of finishing tasks

The baseline plan has 41 Actions and 14 milestones.  One can observe that 22 of the actions, more than half, have no end date.  How very convenient for bureaucrats: the job is done when they start, since there were no promises to finish.  Can you imagine this state of affairs in a private sector plan?  No.  It is a recipe for sucking up resources without control or scrutiny.  There are now 30 actions considered to be started and, presumably, ongoing.  Most of these don’t even have an end date.

Can you imagine a teacher starting a unit of the curriculum without some concern about when it is due to finish?  They’d be sacked.

2. Avoiding previous months’ delays

The October report had 3 missed deadlines.  They were sort of carried forward until November or ‘Autumn’.  They have melted from the list of things ongoing or items due to be completed in November.  When do we expect the White Paper now?

The November report said “the Department did not miss any deadlines”.  Isn’t this a tiny bit misleading, because there were 5 milestones due to be completed? What has happened to them?

3. Introducing new Actions

New actions seem to have crept into the To Do list.  This is known as ‘Scope Creep’ in the trade.  It is the first hint in predicting potential disaster. Uncontrolled change is the second most important cause of project failure. For the record, wrong initial scope is the primary cause of failure.  All changes need an impact assessment that is approved by the project sponsor, such as the PM, and made fully visible.

For comparison, look at how well SIF introduces changes to the specification for interoperability between systems, and how it has been treated by the DfE.  Professional versus amateur.

The risk is that the Implementation Unit might have cursorily scanned the DfE report for red lines, found none and assumed that all is well.  A hard nosed programme manager would immediately smell a rat.  Every complex programme has delays: no delays caused me to look deeper.  Quality Assurance reviews on all the other 13 plans are just as likely to reveal similar hidden changes.  We are still in the dark about when tasks may be completed.

This is not the way to run the country’s strategic reform policy.
