The government's multi-billion pound plan to transform service delivery through joined-up computing is at risk, according to an independent assessment of its Information Assurance strategy.
Nick Coleman, former head of IBM's security services division in Europe, Middle East and Africa, said, "Adequate mechanisms are not yet in place to support (connecting to more environments and sharing data in increasingly hostile environments), which puts at risk the government's aspirations for service delivery enabled by technology."
Coleman's report comes a month after the central sponsor of Information Assurance launched a revised national strategy.
The Cabinet Office commissioned Coleman to report on whether the government's IA plans:
• Were adequate to instil stakeholder confidence in its information infrastructure
• Protected information and services in a timely and cost-effective way
• Supported shared services and the Transformational Government agenda
"Most departments are investing significant amounts of money and effort in information security," Coleman said. "However, these capabilities have developed in silos.
"IA is progressing within departments, but in a joined-up world, where data and services need to be connected and layers of trust need to be established, new thinking and mechanisms need to be put into place. The current mechanisms and approaches need to be sharpened," he said.
Coleman's key recommendations:
1. Create a government vision for Information Assurance and incorporate it into existing vision statements.
2. Provide a central facility for sharing risk information and a central information risk register based on the risks experienced by departments and their agencies. Have the centre invest in a core capability to understand the information assurance risks facing government.
3. Mandate board owners to report quarterly on information risks and performance, backed up by an annual audit of each department's capabilities. Within this, establish clear metrics for managing the performance of suppliers.
4. Provide the prime minister with a summary of information assurance across government and of the spending required to deliver cross-government security for information assurance.
5. Enable one central mechanism for developing coordinated joint working, sharing best practice and establishing priorities across government.
6. Create clear mandatory policy rules on security across government. Define minimum standards that departments sign up to. Enable independent monitoring of compliance.
7. Tackle identity management challenges by mandating the use of privacy impact assessments. Specify standards of protection for identity registration, management and use in government and the wider public sector.
8. Mandate professional certification for those working in information assurance in every government department across key defined roles. Ensure stakeholders are educated on information assurance and what is expected of them.
9. Measure security through audit and monitoring to a defined standard. Mandate the reporting of incidents to a central monitoring team responsible for capturing incidents and ensuring that investigations are conducted and lessons are learned.
10. Retain an independent oversight capability within government that can be called upon for independent oversight and advice on information assurance, giving stakeholders confidence. Provide this capability in addition to the formal regulatory roles that exist outside government.