Only rarely does the blogosphere publish such a complete and balanced review of information assurance. It was so difficult to challenge any point that Quarkside has only extracted some points for brevity. Toby Stevens quoted in full an article that was originally published by Big Brother Watch in their book “The state of civil liberties in Modern Britain”.
It opens with a section headed “The Department of ‘No’”:
- NO central information assurance function in the Government. It is thinly spread among many agencies. For example the Cabinet Office is responsible for CESG, the Cabinet Office Security Policy Division (COSPD) and the Office of Cyber Security and Information Assurance (OCSIA). The MOD and other departments do their own thing.
- “NO ‘Government Chief Information Security Officer’ or ‘Office for Government Information Assurance’. … no one individual or organisation accepts accountability for the proper governance of data in the public sector“. “Each department and agency has to pay to support its own security infrastructure rather than drawing upon the economies of scale that might be achieved by a central security team working for the common good of government. The information assurance environment is far from cost-effective.”
- NO rational Information Risk Management. Security incidents will always occur, and the public sector culture is to look for someone to blame. As a result, public authorities are unable to obtain cost-effective information security controls.
- NO Secure Systems. “Local authorities and arm’s length bodies very often fail to comply with government security standards simply because they don’t know that those standards even exist, and if they do, they can’t gain access to either the standards or cost-effective individuals who are able to assist them.“
- NO Privacy by Design. “How else could designs such as the ill-fated ContactPoint, or the NHS Summary Care Record, be allowed to exist where hundreds of thousands of users can access millions of individuals’ sensitive private records?“
- NO Open Source Software. “Without a vendor to pay for security testing the patches and updates under the current regime, open source software will remain largely inaccessible for government.”
However, the report is not entirely negative. Seven recommendations are given which seem to show great common sense. Again, it is worth reading the full document rather than just scanning the list below:
- Appoint a pan-government Chief Information Security Officer as a new focal point for information assurance.
- Create a government CISO Council.
- Consolidate existing duplicate information assurance services.
- Ease the administrative security regime for lower-value data.
- Sort out the existing mess of unaccredited Whitehall systems.
- Voluntarily accredit open source software where appropriate.
- Develop the information assurance profession.
“If we want an information assurance function that really supports public authorities, and that can deliver more for less, then these changes are cheap and easily done. We simply have to ask OCSIA to reform the information assurance function, give that office the power to do so, and support it when it encounters inevitable resistance from within the security establishment. All it takes is the will to say ‘YES’.”
Thanks are due to Robin Wilton for tweeting Toby Stevens’ blog entry.