Nick Coleman, former head of IBM's security services division in Europe, Middle East and Africa, said, "Adequate mechanisms are not yet in place to support (connecting to more environments and sharing data in increasingly hostile environments), which puts at risk the government's aspirations for service delivery enabled by technology."
Coleman's report comes a month after the Central Sponsor for Information Assurance launched a revised national strategy.
The Cabinet Office commissioned Coleman to report on:
• Whether the government's IA plans were adequate to instil stakeholder confidence in its information infrastructure
• Whether information and services are protected in a timely and cost-effective way
• The extent to which the plans support shared services and the Transformational Government agenda
"Most departments are investing significant amounts of money and effort in information security," Coleman said. "However, these capabilities have developed in silos.
"IA is progressing within departments, but in a joined-up world, where data and services need to be connected and layers of trust need to be established, new thinking and mechanisms need to be put into place. The current mechanisms and approaches need to be sharpened," he said.
Coleman's key recommendations:
1. Create a government-wide vision for Information Assurance and incorporate it into existing vision statements.
2. Provide a central facility for sharing risk information and a central information risk register based on risks experienced by departments and their agencies. Have the centre invest in a core capability to understand the information assurance risks facing government.
3. Mandate board owners to report quarterly on information risks and performance, backed up by an annual audit of departments' capabilities. Within this, establish clear metrics for managing the performance of suppliers.
4. Provide the prime minister with a summary of information assurance across government and the associated spending required to deliver cross-government security.
5. Enable one central mechanism for developing coordinated joint working for sharing best practice and establishing priorities across government.
6. Create clear mandatory policy rules on security across government. Define minimum standards that departments sign up to. Enable independent monitoring for compliance.
7. Tackle identity management challenges through mandating the use of privacy impact assessments. Specify standards of protection for identity registration, management and use in government and the wider public sector.
8. Mandate professional certification for those working in information assurance in every government department across key defined roles. Ensure stakeholders are educated on information assurance and what is expected of them.
9. Measure security through audit and monitoring to a defined standard. Mandate the reporting of incidents to a central monitoring team responsible for capturing incidents and ensuring investigations are conducted and lessons are learned.
10. Retain an independent oversight capability within government that can be called upon to give independent oversight and advice on information assurance, giving stakeholders confidence. Provide this capability in addition to the formal regulatory roles that exist outside government.