The announcements this week of further data losses result from a flurry of overdue reviews across Whitehall. But attention is still focussed on “data protection” rather than “information risk management”. It therefore risks doing more harm than good.
The Interim Progress Report of the Cabinet Secretary’s review of “Data Handling Procedures in Government” should be read in the context of the overall review of Public Sector Information Assurance, announced before the summer but not taken seriously until the last few weeks. Indeed, I dropped out of the BCS Elite Gala Dinner on November 14th in order to attend a private dinner at which the guests were asked to help secure political support for that review. A week later the climate had been transformed.
At the Worshipful Company of Information Technologists Cybersecurity breakfast last week the impact on HMG was compared to that of the loss of the Veterans Administration laptop (also with over 20 million detailed records) on the US Federal Government. The speaker then showed the timeline of what the Americans had done since. But yesterday, at the Royal Holloway Colloquium, I heard that all that US progress was in danger of being undermined by the inherent insecurity of their CALEA-mandated surveillance systems (akin to RIPA in the UK). Many readers might approve of the plans described in the New York Times on 16th December – save for the refusal to install industry-strength security on the lines carrying the intercept material from the telco to the surveillance operations centre. This is akin to the practice of sending unencrypted master files through the post to the auditors, or of having all staff share the same password.
We must learn from our cousins and cannot afford to copy their mistakes.
We need to ensure that the Cabinet Secretary’s review is not dominated by “the usual suspects selling high-overhead security add-ons that merely encourage work-arounds”. It needs inputs from those with operational experience of running information risk management (i.e. not just data protection) policies across large organisations and along supply chains, without which the financial services, pharmaceuticals, petrochemical and aerospace industries would have ground to a halt a decade ago.
If you can help with such inputs, please send your contact details to firstname.lastname@example.org.
In the meantime, a few thoughts triggered by my meetings on 13th December:
1) Those at the top still think that information risk management is an add-on for techies and consultants to worry about. They have yet to see it as an inherent part of business strategy for any information-dependent operation (e.g. most of the 21st-century public and private sectors).
2) In very large organisations, hardly anyone, at any level, knows the policy, or what it means to them. Those who wrote the policy didn’t understand the business imperatives or the management, reporting and staff motivation structures. If they did, it’s been changed since.
3) Cost-cutting and outsourcing have undermined corporate loyalty, while lip-service to human rights and equal opportunities has precedence over hiring those who you think you can trust, monitoring their behaviour and firing those who you feel you can no longer trust.
A number of people have asked for the script and slides that I used at the ISSA UK Chapter Christmas meeting on “The Politics of Information Governance”. I was followed by Tony Sale, who reminded the audience that it was only operator error that enabled Bletchley Park to break Enigma. And today we still have those who expect us to believe in the credibility of security policies which depend on hundreds of thousands of end-users following procedure rather better than the radio operators of the Wehrmacht and Luftwaffe.
P.S. Additional to the IAAC material that I have mentioned in previous blogs I commend