Ministry of Defence security: IT information assurance in the MoD

The MoD should update its information assurance policy, argues Paul Shanes and Chez Ciechanowicz in this Royal Hollo2way MSc thesis article.

Information assurance is a top priority across the public sector these days. Well-publicised Ministry of Defence security breaches of recent years have forced a root-and–branch review of the way government departments handle information and have spawned new security frameworks and protocols to support a more disciplined approach in the future.

Departments have adopted various approaches to the problem according to their own needs, but as they begin to share and exchange more digitally stored information, could there be an argument for a common information assurance method across the public sector?

This is the question that MSc student Paul Shanes set out to answer in his recent thesis at Royal Holloway University of London.

Working in the Ministry of Defence, Shanes considered how well the risk management approach and accreditation process adopted by MoD could be applied in other departments.

In an article based on the thesis, co-authored with his course supervisor Chez Ciechanowicz, Shanes said that, although accreditation is widely accepted and has proven to be an effective method of managing information risk, public-sector organisations should agree upon a consistent framework of methodologies by which to quantify and manage information risk.

“With each department traditionally being held responsible for its own information assurance, it is no surprise that conflicting policies and standards have emerged throughout the sector,” Shanes said.

Although government-wide policy and standards exist, Shanes said they are often out of date and too complex. For instance, the government’s Manual of Protective Security, which specifies the impact of release and protection levels required for each level of classified information, was originally designed for the Cold War era and was last updated in 1994. Amendments that have been made to incorporate technical security measures have resulted in the document, growing to nearly 2,000 pages.

He argues that, in an increasingly inter-connected world, UK departments and governments around the globe need to co-operate more on developing standardised policies and processes, supporting joined-up shared services across governments.

But, this can only happen, Shanes said, by building on strong processes of accreditation within individual departments, such as the MoD, and enhancing the overall maturity of IT information assurance across the wider public sector.

The feature is one of five is publishing this year in collaboration with RHUL.

Read more on Security policy and user awareness