June 15 is the deadline for all agencies to file a report to the Cabinet Office showing how they process and store personal information and data from government departments. One expert involved in the procedure said he expects serious vulnerabilities to be exposed.
"Security in the public sector has stagnated over the years, and complacency has become endemic. There is a long way to go before we can say departments are managing their data in an appropriate manner," said Michael Gillespie, a consultant with Advent Information Management Ltd.
All departments will be measured against the government's new Information Assurance Standard No. 6 (IAS 6), which governs the handling of personal data and the management of information risk, and which was only published in February.
Gillespie is one of a handful of trained auditors for the standard, and he said few departments are likely to be able to comply by June.
IAS 6 is part of the government's drive to raise the profile of information security across all departments following the notorious loss of 25 million records by HMRC back in 2007. It aims to tighten processes and increase accountability for records handling, not only to improve security but also to rebuild public confidence in government.
Although IAS 6 is initially aimed at data from central government departments, it will also have a direct impact on any private sector companies providing services to government or managing government systems.
IAS 6 and its supporting methodology, Good Practice Guide 15, have been jointly developed by the Cabinet Office and CESG, the U.K. government's national technical authority for information assurance. The standard forms part of the government's Security Policy Framework (SPF), which was published in December 2008, and follows the recent Data Handling Review, which the government initiated in the wake of the HMRC data loss.
That many departments are likely to fail compliance in June, said Gillespie, points to some serious weaknesses. He added that IAS 6 outlines minimum requirements of good practice only, and that well-run organisations would have little trouble in meeting them.
"The significance of the HMRC data loss sent shockwaves through government and made them realise how badly they had been looking after the security until then, and how many government departments have been paying lip-service to security and security accreditation," he said. "The minimum mandatory rules for protecting data [in IAS 6] cover things they should all be doing anyway."
Gillespie said that if organisations adopted information security standards like ISO 27001 and applied their principles, "they would not find any of these other standards onerous, because they would be doing everything properly in the first place."