When the final report, Data Handling Procedures in Government was released in June of this year, some security practitioners were disappointed that its recommendations didn't go further and, more specifically, mandate requirements for systems handling sensitive data. In this article, we'll briefly examine the Data Handling Review and what information security professionals can learn from it to improve security practices.
Data handling: A human problem
At face value, mandating more secure systems may seem like an obvious step to take. However, an examination of the various incidents of data loss that prompted this review suggests the common stumbling block is actually human failure. Security is often about managing people and preventing their mistakes; the review concentrates on the human side of the security problem.
The Data Handling Review mandates several measures aimed at improving information security practices and promoting a culture of information security. For example, civil servants who deal with personal data are to undergo annual training, and data security roles within departments are being standardised and enhanced to ensure clear lines of responsibility. Crucially, these initiatives are also backed up by stronger accountability and scrutiny with privacy impact assessments and spot checks undertaken by the Information Commissioner's Office, which has finally been granted power to enforce the requirements of the U.K. Data Protection Act.
Data handling: A system problem
These actions will certainly make data security a high priority and security policies more effective, but what does the Data Handling Review say about system security?
Departments are now obliged to have their networks pen tested on a regular basis. This measure is possibly a more effective way of validating the security of a system rather than trying to enforce a one-size-fits-all approach to system specification and design. Regular tests will also help promote better security life cycle management. Crucially they will have a positive impact on system design, specification requirements and maintenance.
The government, through CESG, the National Technical Authority for Information Assurance, has for a long time provided a directory of "infosec assured products" as part of what has been called the National Information Assurance Strategy. The directory is a top-level guide listing all IT security products approved by CESG and the context in which they should be used.
The Claims Tested Mark (CCTM) scheme, which is part of the portfolio of information assurance services provided by CESG, provides a government quality mark designed to assure the private and public sectors that a security product or service does "what it says on the box." Based on accredited independent testing, the scheme is designed to prove the validity of security functionality claims made by vendors. Products and services with the CCTM mark satisfy the minimum assurance requirements at Government Impact Levels 1 and 2 as set out in HMG Infosec Standard No. 1 -- Assurance Requirements for IT Systems.
As a result of the Data Handling Review, I can see more organisations specifying in their procurement framework that systems must use accredited products and services, particularly for those systems supporting the transformational government agenda, in order to demonstrate they are following best practices. This is an important aspect of restoring trust and confidence in the way government information systems are run.
Data sharing is crucial to any modern technology strategy and brings great benefits. Data loss incidents will inevitably occur, but the measures introduced in the Data Handling Review do have a great chance of forcing a culture change across the civil service in the way its workers view and handle sensitive data. A culture that properly values, protects and uses data, both in the planning and delivery of public services, will undoubtedly reduce the likelihood of large scale data loss in the future.