Inland Revenue learns security lessons

The Inland Revenue has made major changes to the way it manages the security of its outsourced IT operations after learning valuable lessons from its £300m-a-year outsourcing deal with EDS.

Security managers at the department, which employs more than 70,000 staff, faced a steep learning curve and had to battle with a string of potentially serious problems after signing the 10-year deal with EDS in 1994.

Dave Evans, head of security at the Inland Revenue, revealed this in a frank presentation to Gartner's security summit last week.

Lessons learned from the pioneering outsourcing deal were applied when the Revenue re-tendered its IT operations, with Capgemini taking over this summer. The knowledge gained will also inform the rest of government IT procurement, said Evans.

The deal, which involved the transfer of IT staff to EDS, left the department with little internal IT expertise to manage security, Evans said.

"One of the lessons we learned was that we did not know how to do it. We muddled our way through and ended up with a working system," he said.

The department found it difficult to secure budgets to fix security issues identified by EDS.

Evans also discovered he had no way of taking an overview of the Inland Revenue businesses and identifying what security issues there were. "We had no way of measuring security performance," he said.

Shortly after the contract was signed, Evans discovered that EDS and the Inland Revenue had plans to shut down one of the Revenue's datacentres and to host the data at EDS to save costs.

But no one had considered the security or data privacy implications, he said.

"The lesson there was about governance: seeing the whole picture from above and controlling it all the way down."

Security managers also faced difficulties persuading time-pressed board members to deal with a complex list of security issues. The board repeatedly deferred decisions until security managers simplified their requests.

The Inland Revenue's contract with EDS only had one page devoted to security. It required EDS and its subcontractors to adhere to government security policies, to provide appropriate protection for staff, processes and assets, and to ensure business continuity.

Despite the lack of detail, the agreement worked because the Revenue and EDS worked closely to resolve the security issues when they arose, said Evans.

"The contract pretty much stayed in the drawer. The relationship was between managers of the Inland Revenue and EDS, working together as a team," he said.

Facing up to potential pitfalls

  • Security managers created a register of 70 or 80 security issues for consideration by the Inland Revenue board. The board deferred discussion until presented with simplified choices.
  • The Inland Revenue security team only discovered plans to close one of the Inland Revenue's datacentres and to shift the data to EDS when memos came around discussing the future of staff at the centre. The decision had to be quickly reversed when it emerged that the closure could put sensitive data at risk.
  • A printing company subcontracted by EDS to print tax returns did not have the security procedures in place demanded by the Inland Revenue. Security had to be retrospectively installed.
  • One supplier did not have proper back-up processes in place. Instead it took out insurance against penalty clauses from the Inland Revenue should service be disrupted.
