Caerphilly County Borough Council has been selected as
one of the pilot sites for a secure network to link government
departments, after a three-month programme to step up its internal
security.
The Government
Connect Secure Extranet (GCSX) requires local authorites to
meet stringent security standards concerning storing data on
portable media, creating full audit trail of their use and ensuring
that the storage media is tamper proof.
But Caerphilly was able to meet the stringent security standards
needed to join the network in just over three months, after signing
up to the interational security code of practice.
ISO 27001
"Some local authorities struggle with GCSX compliance because it
requires input from many different areas of IT," said Vernon Coles,
IT security officer for Caerphilly CBC. "But compliance with ISO
27001 meant that we already had the answers to many of the
questions for GCSX compliance," he said.
The council's IT department realised it needed to improve
security around portable storage months ahead of the introduction
of the GCSX standard.
"Compliance with ISO 27001 requires regular risk assessments,
which led us to begin considering endpoint security about two years
ago," said Coles.
After searching for suitable technologies, Caerphilly rolled out
data leakage prevention technology from Safend system across its
desktop and laptop computers.
"This gave us a complete picture of all the removable devices in
use and the files written to them since the computers were
commissioned," said Turner.
The council followed the project with a programme to raise
awareness of staff on the safe use of removable storage
devices.
It ran a USB amnesty, offering to replacing unauthorised devices
with Caerphilly CBC-branded, Safend-encrypted USB sticks. And it
explained the importance of encryption on these devices to protect
users if the devices were lost or stolen.
"Users appreciate the importance of taking pre-emptive steps to
protect the authority and its employees from any damaging loss of
data," said Turner.
"With this system in place, no-one has to worry about being
named and shamed in the press for data breaches," he said
Coles.
Local authorities that failed to meet the
GCSX deadline of 31 March 2009 are expected to be ready for
connection to the network by the end of September.
| Securing Caerphilly CBC |
|---|
| Vernon Coles, IT security officer for Caerphilly CBC, shelved
a plan to beef-up the security of its portable storage devices for
a year, after being unable to find a solution which complied with
the government's criteria. |
| He was only able to find five suppliers that met the criteria
for the government's secure GCSX network. |
| Caerphilly chose an endpoint data leakage prevention system
from software supplier Safend following an independent penetration
testing report. |
| Wayne Turner, network development officer for Caerphilly CBC
said: "Both products met the criteria, but the testing report said
Safend had the edge." |
| "Penetration testing is routine part of our technology
procurement process," said Coles. |