Where do the risks lie when it comes to information security in the public sector?
This was the theme of a one-day conference, organised by Kable, in London this week aimed at public sector professionals involved in safeguarding information security.
The chair of the conference, Gerry O'Neil, said that after the recent bad press surrounding data losses in the public sector - the HMRC disk debacle was cited often during the day - the emphasis is now on trying to restore public confidence in the way government manages our data.
O'Neil, who is also chief executive of the institute of Information Security Professionals, told delegates that new initiatives are being instigated by government with new standards, and the organisational structure of government departments is changing. But at the same time, he said, with new technology, mobile devices, business models, data migrating to new public cloud platforms and new partnerships with the private sector, the question being asked was where do the risks lie in this brave new world?
Clive Blackwell, a researcher on information security at Royal Holloway Univeristy of London, informed the conference that data leaks are getting worse and the problem for public sector is the enormous amount of data bases in use of varying quality - and worringly some still in operation from the 1970s.
The central theme of the conference, held at the Inmarsat Centre in central London, was all about restoring trust and the plain fact that government information security must improve if the public's trust in its data handling is to recover.
Cases and instances such as the Baby P scandal - where data was not used correctly - to the HMRC debacle and the more recent prisoner records coming into the public domain have all served to question the government's integrity on using our data responsibility.
The Audit Commission's report, Nothing but the Truth, said the mishandling of data can and does weaken frontline services (the Baby P case and its effect on social services). Delegates were told that trust is built on honesty and integrity ,it takes time to develop and seconds to destroy. The key is keeping open communications with everyone - and that includes 'data subjects' or service users.
With shared services, data is also shared across more departments, organisations and the waters are becoming muddied on where responsibility for information security lies. Then there is the issue 'clouds' where data such as email accounts are being offloaded by organisations to public and private clouds such as Google.
Cloud computing offers unlimiting scaling, lower costs and is not dependent on machines or physical servers stuck in the basement. But in such a system, who monitors or audits government data and is it segregated from other information floating around in the sky?
Other questions posed at the conference included what type of government data should be outsourced to private companies such as Google or Amazon; how citizens can physically access their data if their don't know where it is; and how to control privileged user and third-party access.
What can be done to improve information security?
It's all down to accountability, said John Colley, a director of ISC(2) a non-profit organisation for IT professionals and a former head of risk security at Barclays and Royal Bank of Scotland. There has to be recognition that security is paramount and the risk to reputational loss through data leakage is just as great as financial loss. He said responsibility should not solely be down to IT departments, but HR, through employee contracts, legal departments checking outsourcing contracts etc all play a part in the way a business functions, understands and is therefore able to manage risk.
Colley concluded that security skills should be built into business functions, with someone responsible for assessing and managing risks and delegating accountability. Organisations should create an environment where policy is followed not ignored, and creates an environment where people thrive rather than are hindered by it.
Of course, one of the main flaws involved around data leakage is the human element, whether it is the then housing minister Caroline Flint walking into Downing Street with policy papers in view of press cameras - or staff at the DVLA centre in Swansea walking out with data on external devices such as memory sticks.
The new information commissioner Christopher Graham said one of the main threats is human weakness or error - there is a huge demand from private investigators for data on individuals for all sorts of reasons and such informations is a valuable commodity, especially for relatively low-paid staff working in call centres or other sensitive areas.
Professor Sadie Creese, director of e-security at the University of Warwick, said proper training is crucial and detecting malicious staff is also important to protect data within an organisation.
Risk is tangible, she said, in the real world you close your front door, lock your car and so on, but in the virtual world most of us don't behave as responsible and data subjects are just as lax at protecting their own identity on social networking sites such as Facebook or Twitter.
O'Neill ended the day by putting the success of information security into a very simple ABC model, where all stakeholders are involved with data integrity. Administration (ie government) business (private partnerships) and the customer, consumer or citizen.