National Information Assurance Strategy is too little, too late, says industry

The government's latest plan for a National Information Assurance Strategy comes under fire from businesses and academics.

The government's revised National Information Assurance Strategy, launched in June, has three main goals:

• To make central and local government better able to deliver public services through the appropriate use of IT

• To strengthen the UK's national security by protecting information and information systems at risk of compromise

• To enhance the UK's economic and social well-being as government, businesses and citizens realise the full benefits of IT.

It updates the government's original National Information Assurance Strategy, published in 2003. The aim now is to create "a UK environment where citizens, businesses and government use and enjoy the full benefits of information systems with confidence" by 2011.

But Andrea Simmons, manager of the British Computer Society's Security Forum, said that issues identified in the updated strategy, such as senior level engagement, partnerships, and integration of information assurance with the business were old hat. "These have all been discussed ad nauseam over the last five to 10 years," she said.

Nevertheless, she welcomed publication of the revised National Information Assurance Strategy. "It is about time, but it is almost too little too late," she said. "Sadly, it doesn't take us very far forward because it appears to be rooted in about 2003."

Simmons said, "The government could have earned a lot more brownie points if it had taken on board all the advice and expertise previously offered by many experts.

"The Information Assurance Advisory Council [a public/private sector think tank] wrote a more than passable IS strategy several years ago - all the government had to do was accept it and adopt it, rather than posture for the last three to five years, and then determinedly build their own slightly second-rate wheel."

Ross Anderson, professor of security engineering at Cambridge University's Computer Laboratory, said the National Information Assurance Strategy harked back to the mid-1980s. "It is full of consultant-speak, recycling tired old ideas. It is mind-candy."

Anderson said attempts to make individuals responsible for information assurance and security recalled similar provisions for patient health information. "All that did was make everyone run for cover," Anderson said.


Grasp the nettle of implementation

Phillip Virgo, general secretary of Eurim, the cross-parliamentary body on IT issues, welcomed the revised strategy. But it was up to department heads to grasp the nettle of implementation, he said.

David Porter, a consultant with Detica, a managed security systems provider with close links to government, echoed Virgo. "A neglected area [in the strategy] is how you get people to actually take ownership of the data or the information they hold or generate. This is a soft cultural change and nothing to do with technology," he said.

Porter said, "Information assurance is a formal doctrine that all organisations, public and private, must adopt if increased data sharing is to work. No half measures."

Porter said most organisations collect information that is irrelevant to their actual business decisions. This was likely to worsen as departments start to share data, as the government hopes. "We do not even categorise our e-mails, so what chance has data of being properly filed, as things currently stand?" he said.

Asked how she expects the National Information Assurance Strategy initiative to play out, Simmons said, "Slowly, and with great difficulty for as long as there are too many groups operating politically in the space."

She was referring to the wide range of groups from government, the private sector and wider society, all of which have vested interests in related policies, intelligence for criminal and national security, privacy and business opportunities.

However, she said there are "more than enough" people with the skills to make it happen. She noted that organisations such as the Central Sponsor for Information Assurance (CSIA), the BCS itself and the Information Assurance Advisory Council have ample expertise.


The need for an information assurance strategy

The need for a government information assurance strategy was highlighted when the Cabinet Office commissioned an independent assessment of government departments' information assurance practices from Nick Coleman, former head of IBM's security services division in Europe, Middle East and Africa. Coleman found them spending lots of money on information security, but it was all taking place "in silos".

Coleman told the Cabinet Office, "Information assurance is progressing within departments, but in a joined-up world, where data and services need to be connected and layers of trust need to be established, new thinking and mechanisms need to be put into place. The current mechanisms and approaches need to be sharpened."

Responding to the criticisms of the strategy, the Cabinet Office said, "It has been four years since we produced the first National Information Assurance Strategy - it is the right time to re-evaluate how we approach this fast-changing environment."

The revised National Information Assurance Strategy stresses the importance of making information assurance a normal part of government business. "Information assurance is not a luxury or an add-on," a Cabinet Office spokesman said. "[It is] rather an indispensable part of everyday business management."

The spokesman added, "The strategy will be revised on a regular basis (one to two years), taking into account policy and technological changes as necessary.

"It is obvious that it is harder and harder to keep up with public expectations of how public services should be delivered. Meeting those complex needs involves complex information sharing and strong information protections. Robust information assurance is crucial.

"The Cabinet Office's information assurance project and programme board will promote and establish metrics for determining the success of and compliance with the strategy in consultation with key stakeholders in government and more widely."

The Cabinet Office spokesman added, "There are many information assurance forums and bodies, such as the government Central Information Officers' Council and IT profession, which will allow detailed discussions of the implications of the strategy."


Implications of the strategy for business

The government's revised National Information Assurance Strategy has important implications for the way that organisations, particularly within government, do business.

The government's first objective is to have clear and effective information risk management by organisations. This entails clear board-level ownership and accountability for information risks. Where information is shared, there will be a single point of risk ownership.

The second objective is to agree and comply with "approved and appropriate information assurance standards". Organisations, particularly those in, or linking to, government, will operate within a national framework of information assurance common standards. Trust and confidence in the use of information will be maintained through an effective model of compliance with these standards, the government said.

The third objective is to develop and make available appropriate information assurance capabilities. These include availability of the right products and services, co-ordinated and appropriate efforts on innovation and research, improved professionalism, and awareness and outreach.

The government plans to work with other sectors to train people who will enable organisations to manage information risks.