
The government's latest plan for a National Information Assurance Strategy has come under fire from businesses and academics.
The government's revised National Information Assurance Strategy, launched in June, has three main goals:
• To make central and local government better able to deliver public services through the appropriate use of IT
• To strengthen the UK's national security by protecting information and information systems at risk of compromise
• To enhance the UK's economic and social well-being as government, businesses and citizens realise the full benefits of IT.
It updates the government's original National Information Assurance Strategy of 2003. The
aim now is to create "a UK environment where citizens, businesses
and government use and enjoy the full benefits of information
systems with confidence" by 2011.
But Andrea Simmons, manager of the British Computer Society's Security Forum, said that issues identified
in the updated strategy, such as senior level engagement,
partnerships, and integration of information assurance with the
business were old hat. "These have all been discussed ad nauseam
over the last five to 10 years," she said.
Nevertheless, she welcomed publication of the revised National
Information Assurance Strategy. "It is about time, but it is almost
too little too late," she said. "Sadly, it doesn't take us very far
forward because it appears to be rooted in about 2003."
Simmons said, "The government could have earned a lot more brownie points if it had taken on board all the advice and expertise previously offered by many experts.
"The Information Assurance Advisory Council [a public/private
sector think tank] wrote a more than passable IS strategy several
years ago - all the government had to do was accept it and adopt
it, rather than posture for the last three to five years, and then
determinedly build their own slightly second-rate wheel."
Ross Anderson, professor of security engineering at Cambridge
University's Computer Laboratory, said the National Information
Assurance Strategy harked back to the mid-1980s. "It is full of
consultant-speak, recycling tired old ideas. It is mind-candy."
Anderson said attempts to make individuals responsible for
information assurance and security recalled similar provisions for
patient health information. "All that did was make everyone run for
cover," Anderson said.
Grasp the nettle of implementation
Phillip Virgo, general secretary of Eurim, the
cross-parliamentary body on IT issues, welcomed the revised
strategy. But it was up to department heads to grasp the nettle of
implementation, he said.
David Porter, a consultant with Detica, a managed security
systems provider with close links to government, echoed Virgo. "A
neglected area [in the strategy] is how you get people to actually
take ownership of the data or the information they hold or
generate. This is a soft cultural change and nothing to do with
technology," he said.
Porter said, "Information assurance is a formal doctrine that
all organisations, public and private, must adopt if increased data
sharing is to work. No half measures."
Porter said most organisations collect information that is
irrelevant to their actual business decisions. This was likely to
worsen as departments start to share data, as the government hopes.
"We do not even categorise our e-mails, so what chance has data of
being properly filed, as things currently stand?" he said.
Asked how she expects the National Information Assurance
Strategy initiative to play out, Simmons said, "Slowly, and with
great difficulty for as long as there are too many groups operating
politically in the space."
She was referring to the wide range of groups from government,
the private sector and wider society, all of which have vested
interests in related policies, intelligence for criminal and
national security, privacy and business opportunities.
However, she said there are "more than enough" people with the
skills to make it happen. She noted that organisations such as the
Central Sponsor for Information Assurance (CSIA), the BCS itself
and the Information Assurance Advisory Council have ample
expertise.
The need for an information assurance strategy
The need for a government information assurance strategy was
highlighted when the Cabinet Office commissioned an
independent assessment of government departments' information
assurance practices from Nick Coleman, former head of IBM's
security services division in Europe, Middle East and Africa.
Coleman found them spending lots of money on information security,
but it was all taking place "in silos".
Coleman told the Cabinet Office, "Information assurance is
progressing within departments, but in a joined-up world, where
data and services need to be connected and layers of trust need to
be established, new thinking and mechanisms need to be put into
place. The current mechanisms and approaches need to be
sharpened."
Responding to the criticisms of the strategy, the Cabinet Office
said, "It has been four years since we produced the first National
Information Assurance Strategy - it is the right time to
re-evaluate how we approach this fast-changing environment."
The revised National Information Assurance Strategy stresses the importance of making information assurance a normal part of government business. "Information assurance is not a luxury or an add-on," a Cabinet Office spokesman said. "[It is] rather an indispensable part of everyday business management."
The spokesman added, "The strategy will be revised on a regular
basis (one to two years), taking into account policy and
technological changes as necessary.
"It is obvious that it is harder and harder to keep up with public expectations of how public services should be delivered. Meeting those complex needs involves complex information sharing and strong information protections. Robust information assurance is crucial.
"The Cabinet Office's information assurance project and
programme board will promote and establish metrics for determining
the success of and compliance with the strategy in consultation
with key stakeholders in government and more widely."
The Cabinet Office spokesman added, "There are many information
assurance forums and bodies, such as the government Central
Information Officers' Council and IT profession, which will allow
detailed discussions of the implications of the strategy."
Implications of the strategy for business
The government's revised National Information Assurance Strategy has important implications for the way that organisations, particularly within government, do business.
The government's first objective is to have clear and effective
information risk management by organisations. This entails clear
board-level ownership and accountability for information risks.
Where information is shared, there will be a single point of risk
ownership.
The second objective is to agree and comply with "approved and
appropriate information assurance standards". Organisations,
particularly those in, or linking to, government, will operate
within a national framework of information assurance common
standards. Trust and confidence in the use of information will be
maintained through an effective model of compliance with these
standards, the government said.
The third objective is to develop and make available appropriate information assurance capabilities. These include availability of the right products and services, co-ordinated and appropriate efforts on innovation and research, improved professionalism, and awareness and outreach.
The government plans to work with other sectors to train people
who will enable organisations to manage information risks.