Comment – and does the Poynter report say anything about HMRC’s £8bn ASPIRE contract?
The Poynter report is the best thing that has happened to HMRC for decades. It highlights the institutional weaknesses the department has always denied existed. It should lead to changes in IT and culture that HMRC’s board of directors could not have brought about otherwise. One hopes among other things that the board will be humbled by the Poynter report and not continue to be obsessed with its public image.
Meanwhile the institutional weaknesses identified in the Poynter report raise worrying questions about how well the department is able to manage an £8bn “ASPIRE” outsourcing contract with Capgemini, which was worth about £3bn at its start date in 2004. There have been many changes and additions, but it’s uncertain whether the extras are, or will prove to be, value for money.
The Poynter report – some highlights. [Comments are taken directly from the report apart from the sub-headings and my explanations in brackets. When “my” or “I” is used, this refers to Kieran Poynter, the chairman of PricewaterhouseCoopers, who wrote the report.]
Institutional deficiencies at HMRC
The loss was entirely avoidable and the fact that it could happen points to serious institutional deficiencies at HMRC.
The two major institutional deficiencies from which many of the more detailed issues flow were:
– Information security simply wasn’t a management priority as it should have been, and
– HMRC had an organisational design which was unnecessarily complex and crucially, did not clearly focus on management accountability.
In my [Kieran Poynter’s] view, this represents a great opportunity. Modernising work practices and the systems which support them should lead to significant efficiency gains as well as the restoration of the reputation of HMRC.
Several HMRC staff expressed concerns about transferring large files to the NAO
During the course of events in both March and October 2007, several HMRC staff expressed concerns about the security implications of transferring large amounts of sensitive data to the NAO. Indeed, the NAO representatives also expressed a preference for receiving either a specific sample of the data or to have sensitive information removed from the records, albeit primarily to reduce the size of the data file. These concerns were not escalated to a suitably senior level within HMRC and the suggestion to remove sensitive information from the scan was thwarted by concerns over cost and resources.
Nobody owned the child benefit data
This also raises the question of who had “ownership” of the CBCS [Child Benefit Computer System] data and would therefore have been able to provide authority for its release. My review team has found that, though the issue of data ownership had been discussed previously by HMRC management, it had not been resolved at the time of the data loss incident and confusion among HMRC departments as to where this ownership lay was a contributory factor in that loss… One of the problems faced by the HMRC staff involved was that there was no clearly assigned data owner or guardian from which to seek this authorisation [to transfer data to the NAO].
Child benefit data was routinely downloaded onto CDs with limited security
The CBCS [Child Benefit Computer System] data in question was routinely downloaded by a third party mainframe operator on to two discs for the purposes of a compliance sampling exercise every six months.
HMRC had no policy on encrypting data on removable computer media
It was not stated HMRC policy or procedure to encrypt removable computer media, assign a higher protective marking to aggregates of sensitive records or to encourage the NAO to undertake its information review exercises on HMRC premises.
HMRC will have to publish reports on what it’s doing to comply with Data Protection Act
HMRC [will be required] to publish progress reports after 12, 24 and 36 months documenting in detail how the Recommendations [in the Poynter report] have been, or are being, implemented to achieve that compliance [with the Data Protection Act].
Services supplier EDS provides the systems and processing of child benefits data
The Information Management Solutions (IMS) is responsible for the management of the CBCS. Data processing is outsourced to Electronic Data Systems, a third party supplier. In simple terms, the Child Benefit data is the property of HMRC while the computer equipment on which it is stored and processed is owned by EDS. Requests for data from the CBO [Child Benefit Office] are directed to IMS, who manage the retrieval of that data from EDS. [EDS runs the Child Benefit mainframe.]
The cost of obtaining the child benefit data required by the NAO was a factor in events
At interview, Employee D explained that she had received an estimate of £15,000 to undertake an extract of the CBCS [Child Benefit Computer System] from EDS from Employee G, a Senior Executive Officer within the [HMRC] Information Management Solutions [IMS] Business Unit. However Employee F, also from the IMS Business Unit, commented in his interview that the cost of such a scan is closer to £5,000. Clearly, concern over the cost of responding to the NAO’s information needs was a key factor in determining the course of subsequent events …
An HMRC employee warned of child data going missing in an internal email
“Please see the previous email… I think the third paragraph is giving me a kind of hand slapping even though I have never said NAO cannot have the data. All we wanted was for NAO to realise exactly what they are asking for, i.e. “the scan data is the live records of seven million ChB [Child Benefit] customers” when they only want to look at a dozen cases from the scan. More importantly we needed to get the assurance of how they would securely handle the disc’s [sic] containing the data and how they would dispose of them once they had completed their checking. Obviously NAO should automatically realise this confidential information has to be protected and no doubt they would do so. However, we needed something more than a verbal request to ensure we had paperwork to back up the request. Things do get mislaid and imagine the uproar if the disc’s [sic] containing the ChB customer data went astray and turned up where they shouldn’t – the long knives would be out. At least we would be covering ourselves by getting the right assurance.”
NAO employee promises to guard the data with his life and bring it back safely
NAO Employee 2 will be back in WVP [Waterview Park, HMRC’s office in Washington, Tyne and Wear] next week and he has promised to guard the data with his life and bring them back safely with him next week. [This was in March 2007 when the CDs with Child Benefit data were given to the National Audit Office without going missing.]
EDS burned child benefit data onto two Memorex CD-R recordable 700MB 80 min discs
… in his witness statement EDS Employee 1 confirmed that the “100 files were available to be downloaded” on 2 October 2007, adding that he downloaded half of the files onto his D drive, in a process that “can take anything up to 24hrs”, and that the other 50 files were processed by EDS Employee 2. On 3 October 2007, EDS Employee 1 recalled he zipped the files and transferred them from the D drive to the network drive adding that “The reason for this process is so that the files are smaller and can be copied onto removable discs. They are also password protected”. The following day, on 4 October 2007, EDS Employee 1 reported that he burned the files that he and EDS Employee 2 had zipped onto two Memorex CD-R recordable 700MB 80 min discs and labelled as “TCO” amongst other markings (“CBCS Discs Set A”), TCO standing for “Tax Credit Office”. I conclude from this analysis that CBCS Discs Set A did indeed contain the full records of all child benefit claimants at that time.
The 100 child benefit files were zipped with WinZip 8.1 offering very low protection
… HMRC specified that the files should be “zipped”, i.e. that WinZip software should be used to compress the files, and password protected. My team notes from its computer forensic analysis work that the version of this software used to package the data on CBCS Discs Set A, WinZip 8.1, provides only low grade encryption. In addition, according to the testimony of various witnesses, each file was password protected with the same seven digit alphanumeric password. This low level of encryption was unsuitable for the transfer of large amounts of sensitive data on a removable medium such as a compact disc.
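As an added example, not from the report or from this post: a check that a transfer-approval step could run over an archive before it is burned to disc, reading the ZIP central directory and classifying each entry as plaintext, legacy ZIP 2.0 encryption (the only kind WinZip 8.1 offered, usually called “zipcrypto”) or WinZip AES. The sample archive, its entry names and the dummy payloads are constructed inline and are assumptions, not anything from the actual discs.

```python
import struct

ZIP_FLAG_ENCRYPTED = 0x0001  # general-purpose bit 0: entry is encrypted
WINZIP_AES_METHOD = 99       # compression method 99 marks WinZip AES (WinZip 9 onwards)

def build_zip(entries):
    """Assemble a minimal ZIP (local headers, central directory, end record) from
    (name, payload, flags, method, extra) tuples; used only to construct the sample."""
    local, central, offset = b"", b"", 0
    for name, payload, flags, method, extra in entries:
        n = name.encode()
        lh = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, method, 0, 0, 0,
                         len(payload), len(payload), len(n), len(extra)) + n + extra
        central += struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags, method,
                               0, 0, 0, len(payload), len(payload), len(n), len(extra),
                               0, 0, 0, 0, offset) + n + extra
        local += lh + payload
        offset += len(lh) + len(payload)
    return local + central + struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, len(entries),
                                          len(entries), len(central), len(local), 0)

def zip_entries(blob):
    """Walk the central directory, yielding (name, flags, method, extra) per entry."""
    eocd = blob.rfind(b"PK\x05\x06")
    if eocd < 0:
        raise ValueError("no end-of-central-directory record: not a ZIP archive")
    count, _size, pos = struct.unpack_from("<HII", blob, eocd + 10)
    for _ in range(count):
        flags, method = struct.unpack_from("<HH", blob, pos + 8)
        nlen, xlen, clen = struct.unpack_from("<HHH", blob, pos + 28)
        name = blob[pos + 46:pos + 46 + nlen].decode()
        yield name, flags, method, blob[pos + 46 + nlen:pos + 46 + nlen + xlen]
        pos += 46 + nlen + xlen + clen

def classify(flags, method):
    """'plaintext', 'aes', or 'zipcrypto' (the legacy ZIP 2.0 scheme, the only one
    WinZip 8.1 offered); a stricter check would also parse the 0x9901 AES extra field."""
    if not flags & ZIP_FLAG_ENCRYPTED:
        return "plaintext"
    return "aes" if method == WINZIP_AES_METHOD else "zipcrypto"

def audit(blob):
    """Map each entry to its protection level; anything but 'aes' should block transfer."""
    return {name: classify(flags, method) for name, flags, method, _ in zip_entries(blob)}

# Constructed sample archive: payload bytes are dummies, only the headers are inspected.
AES_EXTRA = struct.pack("<HHH2sBH", 0x9901, 7, 2, b"AE", 3, 8)  # WinZip AE-2, AES-256, deflate
SAMPLE = build_zip([("cbcs_001.txt", b"dummy", 0, 0, b""),
                    ("cbcs_002.txt", b"dummy", ZIP_FLAG_ENCRYPTED, 8, b""),
                    ("cbcs_003.txt", b"dummy", ZIP_FLAG_ENCRYPTED, WINZIP_AES_METHOD, AES_EXTRA)])
```

A shared password across all 100 files, as the report describes, is a separate weakness that no header check can see; the point here is that the archive format itself records which encryption scheme was used, so the weak case can be refused mechanically.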
After discs went missing, it took two weeks to raise the alarm
It is clear to me that the loss of the data in October and the method of its transfer prompted concern among a number of the parties involved. However, a security incident was not raised until 8 November, some 2 weeks later… One can only speculate about what might have happened if the failure of the discs to arrive as expected on 19 October had been raised immediately with senior officials. An immediate search may have had a greater prospect of success than a search started nearly three weeks later.
HMRC has struggled to make IT security changes in line with IT developments
Although HMRC’s operational procedures are frequently updated, it has struggled to make the IT security changes required to keep pace with IT developments. The speed with which IT has developed in recent years makes it imperative that security policies are regularly reviewed to ensure that they deal with all the types of IT processes undertaken within the organisation.
HMRC’s policies are based on common sense and past practice, not detailed procedures
… departmental “policy” is often based upon common sense and past practice rather than a formal, detailed procedure. The result is uncertainty and a lack of uniformity between Business Units in terms of procedure.
Large amounts of data were routinely transferred without enough regard for risks and security
Large amounts of data are transferred both within HMRC and to external government bodies with insufficient regard to risk and security. Interviewees have cited a number of such examples of data transfer:
(a) Transfer of data via unencrypted email and removable computer media. For instance, the results of analytical work performed by CC [Claimant Compliance, an HMRC department] are routinely saved onto USB flash drives or CDs, transferred onto team members’ computers and provided to the Benefits and Pensions team by unencrypted email. According to the interviewees, the amount of data transferred in this manner ranges from several records to several thousand records.
(b) Data scan creation similar to the CBCS [Child Benefit Computer System] scan. My team was informed that there is an exercise, similar to the creation of the CBCS scan, carried out for the Higher Education Funding Council for the purposes of statistical and trend analysis. EDS are reportedly requested to run the scan, zip the information and then return the information to HMRC. However the information is not as sensitive as the Child Benefit information and does not contain data such as bank details and addresses.
(c) Other instances of provision of large amounts of data on discs to HMRC. KAI [Knowledge and Intelligence, an HMRC department] is the main analytical service to HMRC but my team understands that it also provides this service, in some cases, to the Department for Work and Pensions (DWP). I have been made aware of at least one regular transfer of a large amount of DWP data on a CD to KAI for statistical analysis.
Loss of the data was symptomatic of wider HMRC problems
My [Poynter’s] findings can be summarised as follows:
• Information security, at the time of the incident, simply wasn’t a management priority;
• Even had it been a priority, HMRC’s organisational design and the governance and accountabilities underpinning it would have made it extremely difficult for it to be felt as such;
• Even with a more suitable organisational structure, the fragmentation and complexity that has accompanied the changes that HMRC has had to absorb makes information security difficult to control;
• HMRC’s information security policies were inadequate and those that they had were unduly complex and not adequately translated into guidance or training for the junior officials who needed them;
• HMRC continues to operate processes that hark back to a paper-based, rather than a digital, world; and
• Morale is low in HMRC and management needs to continue to focus on engaging with staff as the department embarks on a period of further change.
HMRC’s “hotch potch” IT
HMRC operates a hotch potch of systems some of which date back to the 1970s. These systems have been added incrementally with little attempt to integrate them and a host of workarounds, often involving data transfers, exist to keep them synchronised and to extract management information from them. This fragmentation is compounded by the highly distributed nature of HMRC. Work is also transferred, sometimes in hard copy, between these different locations, in order to manage workflow. Managing this legacy is a considerable challenge.
Some facts that bring this to life. HMRC:
• Operates some 650 different systems;
• Has a further 4500 Business Developed Applications (mostly Microsoft Excel & Access), of which 550 have been classified as business critical by Business Units;
• Operates from some 900 sites/offices;
• Sends out some 300 million items of mail a year.
Senior managers don’t always know what’s going on
Small wonder then, that when the Director of Data Security imposed a ban on non-encrypted bulk data transfers following the data loss incident, several data transfers were uncovered that senior management in HMRC was not aware were happening, including at least three regular downloads of the entire child benefit database – the same information that was reported lost in November 2007. These were regularly downloaded onto non-encrypted media and put into internal mail.
Some of the recommendations:
HMRC should appoint a Chief Risk Officer and Chief Information Security Officer at senior level, reporting to the CRO.
Information security guidance should be simplified, shortened and made more accessible.
HMRC should adopt a structured approach to assuring and auditing performance in relation to information security, based on the unambiguous accountability of Directors for information security within their areas of management control; assurance and audit activity carried out on behalf of Line of Business Directors-General; and corporate assurance and audit activity undertaken …
HMRC should initiate a programme of Third Party Assurance in respect of information security requirements.
[HMRC] should review the ASPIRE contract [with Capgemini] to determine whether it reflects adequate information security.