Government departments must use independent security experts to
test the resilience of their IT systems under a government
framework designed to prevent a repeat of HMRC's high-profile data
breach.
The framework, published today by Cabinet Secretary Sir Gus
O'Donnell, follows the
loss of child benefit records by HMRC in November last
year.
O'Donnell admitted the government's data-loss problems were
caused not only by staff mistakes but the lack of technical
safeguards.
He said, "It should not have been possible to download the
entire database onto removable, unencrypted discs".
From now on departments must have their systems tested by
independent IT experts, to expose any security risks. Departments
holding personal data on more than 100,000 individuals must hire IT
experts to conduct penetration testing on their systems.
The framework requires civil servants who need access to
sensitive data outside the office to dial in on a home system or
through a secure remote channel, rather than transfer data on a
mobile device. All devices must be encrypted and the use of discs
will be phased out.
The government plans to minimise access rights to information
and will keep logs of electronically held information.
O'Donnell said, "There are technical systems answers to these
issues and where possible these are the ones we need to use".
Departments must also address the
culture surrounding data handling in government, he said.
They will be required to carry out Privacy Impact Assessments on
projects and systems to ensure privacy issues are factored in from
the start.
Information risk management will be incorporated into the
government's Gateway reviews that monitor the progress of the most
important projects. And staff will be given annual training on the
management of data.