Plans to introduce mandatory security improvements across government have become mired in contractual disputes with IT suppliers that do not want to carry the cost. Full story on ComputerWeekly.com homepage.
Government, understandably, wants improvements to IT security after the loss of two CDs at HM Revenue and Customs.
But IT suppliers, understandably, say it'll cost extra.
Several of the outsourcing suppliers have the government over a barrel: their contracts cannot, in practice, be terminated over a dispute related to extra costs of IT security; and third party companies cannot easily bolt on extra security to another supplier's systems.
Ross Cattell, head of enterprise risk at Deloitte, said suppliers felt unfairly criticised by the government. "Suppliers are saying, 'Gold standard is not what you asked for when you outsourced. If you want that, you have to pay more.'
"It is difficult for government departments which are trying to raise the information assurance standards," he said.
Sureyya Cansoy, associate director of suppliers' body Intellect, said suppliers are doing all they can to assist the government. "It should be done in such a way that it doesn't burden suppliers unnecessarily and that any changes to contracts are done under the commercial arrangements already agreed," she said.
"But we've not really tackled it yet."
Link:
Government data security hobbled by cost dispute - ComputerWeekly.com

There is nothing in the Data Handling Review which, from a security perspective, is not 'common sense' where sensitive information is concerned. What is surprising is that when the contracts were initially agreed and the types of data to be processed, transported and stored were specified, no one realised that such 'common sense' security measures would be necessary.
To be honest, 'no one realised' is a bit of a misnomer. At fault here are both the customer and the supplier: the customer for not doing the appropriate amount of due diligence in determining what security measures would need to be in place for the data they were responsible for, and the supplier (who are all, let's face it, "supposed" to be IT professionals acting in an advisory capacity) for not suggesting that such security measures might be warranted for the data.
It boils down largely to a lack of security professionals from both sides being involved on such projects from day one. All too often, the security guys are not consulted until the testing stage or worse still, after 'go-live'. And even after all the data losses and other security mistakes that have occurred in the last couple of years across both Government and private sectors, this *still* happens.
The solution could be relatively simple. Send both sides to an organisation akin to ACAS and thrash out an agreeable way of paying for the security improvements between themselves. After all, both sides are at fault and this would seem to be the most fair and equitable way to resolve the situation.
It might also mean some sort of progress finally being made!