The Inland Revenue has made major changes to the way it manages the security of its outsourced IT operations after learning valuable lessons from its £300m-a-year outsourcing deal with EDS.

Security managers at the department, which employs more than 70,000 staff, faced a steep learning curve and had to battle with a string of potentially serious problems after signing the 10-year deal with EDS in 1994.

Dave Evans, head of security at the Inland Revenue, revealed this in a frank presentation to Gartner's security summit last week.

Lessons learned from the pioneering outsourcing deal were applied when the Revenue re-tendered its IT operations, with Capgemini taking over this summer. The knowledge gained will also inform the rest of government IT procurement, said Evans.

The deal, which involved the transfer of IT staff to EDS, left the department with little internal IT expertise to manage security, Evans said.

"One of the lessons we learned was that we did not know how to do it. We muddled our way through and ended up with a working system," he said.

The department found it difficult to secure budgets to fix security issues identified by EDS.

Evans also discovered he had no way of taking an overview of the Inland Revenue businesses and identifying what security issues there were. "We had no way of measuring security performance," he said.

Shortly after the contract was signed, Evans discovered that EDS and the Inland Revenue had plans to shut down one of the Revenue's datacentres and to host the data at EDS to save costs. But no one had considered the security or data privacy implications, he said.

"The lesson there was about governance: seeing the whole picture from above and controlling it all the way down."

Security managers also faced difficulties persuading time-pressed board members to deal with a complex list of security issues. The board repeatedly deferred decisions until security managers simplified their requests.

The Inland Revenue's contract with EDS had only one page devoted to security. It required EDS and its subcontractors to adhere to government security policies, to provide appropriate protection for staff, processes and assets, and to ensure business continuity.

Despite the lack of detail, the agreement worked because the Revenue and EDS worked closely to resolve the security issues when they arose, said Evans.

"The contract pretty much stayed in the drawer. The relationship was between managers of the Inland Revenue and EDS, working together as a team," he said.
Facing up to potential pitfalls

- Security managers created a register of 70 or 80 security issues for consideration by the Inland Revenue board. The board deferred discussion until presented with simplified choices.
- The Inland Revenue security team only discovered plans to close one of the Inland Revenue's datacentres and to shift the data to EDS when memos came around discussing the future of staff at the centre. The decision had to be quickly reversed when it emerged that the closure could put sensitive data at risk.
- A printing company subcontracted by EDS to print tax returns did not have the security procedures in place demanded by the Inland Revenue. Security had to be retrospectively installed.
- One supplier did not have proper back-up processes in place. Instead it took out insurance against penalty clauses from the Inland Revenue should service be disrupted.