The Coleman Report - An Independent Review of Government Information Assurance

The Cabinet Office recently commissioned Nick Coleman, an independent reviewer of Information Assurance for the UK government, to report back on how well the Government is doing when it comes to protecting and handling information.

The result of that review, The Coleman Report, can be downloaded here:

Coleman Report.pdf.

It’s a succinct document, first describing the transformation to electronic-based services across the public sector (for example, in one week the NHS sends 1.4 million prescriptions electronically), and secondly highlighting the main features of the changing environment. The two stand-out items are the rapid pace of technological change and information sharing on an unprecedented scale.

The section on “Findings from the review: how well is government doing” does not make for particularly positive reading. For example, when talking about accountability Nick states that

“no role exists to provide Independent Oversight that the appropriate Governance;
Information Risk Management; Policy and Operations; and Monitoring and Controls around Information Assurance are in place across departments and agencies.”

On risk management, we also get a far from positive report:

“Risk assessment is patchy leaving many without a clear understanding of the risks they are facing or exposing their stakeholders to.”

The list of recommendations makes for equally gloomy reading. And here’s why. We’ve been talking for years, even decades, about the need for strong information security governance, accountability, and setting minimum standards. It’s nothing new. But here we are heading towards the end of the first decade of the 21st century and a report about and for the Government – the highest authority in the land – is highlighting a need to “Define minimum standards that (public sector) departments sign up to”

Good grief. What on earth have they been up to all these years? If there were a book entitled “Information Security for Dummies” then that would be on page 1. It shows just how far behind the public sector is, and goes a long way to explaining why it is subjected to so many data breach incidents.

There is a follow-up ministerial statement here. The range of measures being described is sensible enough, but even in a modest-sized commercial organisation such measures don’t get implemented overnight. It’s going to be a mammoth task in my opinion.

“The Government is determined to take the necessary steps to improve data security.”

I don’t doubt it.