
Information Security: Recent UK experiences, Paul J Jackson (PowerPoint presentation)

  1. Information Security: Recent UK experiences. Paul J Jackson, Information Security and Legal Services Division, ONS

  2. Timeline 18 October 2007 • 25m records sent to National Audit Office • On 2 unencrypted CDs • Sent in standard internal mail

  3. Timeline 24 October 2007 (+6 days) • Audit Office reports the CDs have not arrived

  4. Timeline 8 November 2007 (+15 days) • HMRC senior management told about the missing CDs

  5. Timeline 10 November 2007 (+17 days) • Alistair Darling informed. • Immediate search and inquiry initiated. • Police called in.

  6. Timeline 14 November 2007 (+21 days) • Alistair Darling considers the search to have failed • Information Commissioner informed

  7. Timeline 20 November 2007 (+27 days) • Alistair Darling makes his statement to Parliament • Review of data handling in Government announced

  8. 20 November 2007 [picture]

  9. Timeline 20 November 2007 (+27 days) • Paul Gray resigns: “I am announcing today that I will be standing down as HMRC Chairman as a result of a substantial operational failure in the Department.”

  10. It could be you!

  11. Timeline – Office for National Statistics 20 November 2007 • Data Stewardship Group meeting in ONS • Internal review of data in transit commissioned

  12. Timeline ONS 26 November 2007 ONS figures for data in transit for 2007 to this date: • 706 transfers of confidential micro-data in Email or on CD • All transfers secure and accounted for through to recipient
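The "secure and accounted for through to recipient" assurance on this slide is a reconciliation control: every dispatch in a data-in-transit register must have a receipt, and unencrypted removable media should never appear in it. As an added example (not from the slides or ONS), the Python below runs that check over a constructed register; the register schema, the 5-day acknowledgement threshold and the media list are assumptions, and the first row only models the HMRC dispatch from the timeline.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass
class Transfer:
    """One row of a data-in-transit register (constructed schema, not ONS's)."""
    ref: str
    sent: date
    medium: str                     # e.g. "cd", "email", "sftp"
    encrypted: bool
    acknowledged: Optional[date]    # date the recipient confirmed receipt; None if not yet

# Assumed list of media that must never carry confidential micro-data in clear.
REMOVABLE_MEDIA = {"cd", "dvd", "usb"}


def check_transfer(t: Transfer, today: date, max_days: int = 5) -> List[str]:
    """Return the control failures for one transfer; an empty list means it is accounted for."""
    findings = []
    if t.medium in REMOVABLE_MEDIA and not t.encrypted:
        findings.append("unencrypted removable media")
    if t.acknowledged is None:
        outstanding = (today - t.sent).days
        if outstanding > max_days:          # overdue: chase the recipient, then escalate
            findings.append(f"no receipt after {outstanding} days")
    elif t.acknowledged < t.sent:
        findings.append("acknowledgement predates dispatch (register error)")
    return findings


def reconcile(register: List[Transfer], as_of: str, max_days: int = 5) -> Dict[str, List[str]]:
    """Run check_transfer over the whole register as of an ISO date; returns only failing refs."""
    today = date.fromisoformat(as_of)
    report = {}
    for t in register:
        findings = check_transfer(t, today, max_days)
        if findings:
            report[t.ref] = findings
    return report


# Constructed sample register. The first row models the HMRC dispatch from the timeline
# (two unencrypted CDs in internal mail, never acknowledged); the other rows are invented.
SAMPLE = [
    Transfer("HMRC-CB-01", date(2007, 10, 18), "cd", False, None),
    Transfer("ONS-0412", date(2007, 10, 20), "email", True, date(2007, 10, 21)),
    Transfer("ONS-0413", date(2007, 10, 22), "sftp", True, None),
]
```

Run as of 24 October 2007 (the day the CDs were reported missing), `reconcile(SAMPLE, "2007-10-24")` flags the HMRC row twice, once for the medium and once for the six days without a receipt.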

  13. Timeline 17 December - HMRC review Interim review of HMRC requires: • Complete ban on bulk data transfers on CD • All PCs and laptops have all peripherals disabled (i.e. shut down)

  14. Timeline 27 February 2007 - Data Handling Review • Data Handling Review issues 22 mandatory requirements to all departments. • With an implementation timetable • Introduced into an already complex background of policy, law and scrutiny.

  15. UK background - policy • UK National Information Assurance Strategy • Vision: A UK environment where citizens, businesses and government use and enjoy the full benefits of information systems with confidence • To be revised and reissued 2010 • http://www.cabinetoffice.gov.uk/media/cabinetoffice/csia/assets/nia_strategy.pdf

  16. UK background - policy Power of Information Report 2007 • “A three-year National Plan to improve Digital Participation” http://www.cabinetoffice.gov.uk/reports/power_of_information.aspx

  17. UK background - policy The Coleman Report 2008 “Government must do more to deliver confidence in its information infrastructure” [picture] http://www.computerweekly.com/blogs/stuart_king/Coleman%20Report.pdf

  18. UK background - policy • Digital Britain Report 2008 “a digital switchover for public services” http://www.culture.gov.uk/images/publications/digitalbritain-finalreport-jun09

  19. UK background - policy Government Chief Information Officer • Cloud computing • Open Source only on the cloud • Rationalisation to 6 data centres • Shared services across government

  20. UK background - policy Government Security Policy Framework 70+ mandatory requirements: 1. Governance, Risk Management and Compliance 2. Protective Marking and Asset Control 3. Personnel Security 4. Information Security and Assurance 5. Physical Security 6. Counter-Terrorism 7. Business Continuity http://www.cabinetoffice.gov.uk/spf.aspx

  21. UK background Statistics and Registration Service Act 2007 • Building trust in UK Official Statistics • Information sharing powers • Approved researcher access to data • Crime of wrongful disclosure

  22. UK background - legislation and rights Freedom of Information Act Data Protection Act Human Rights Act Common law of confidentiality Computer Misuse Act

  23. UK background - scrutiny Judicial Review of public administration The Information Commissioner The Financial Services Authority The Information Tribunal Select Committees of Parliament UK Statistics Authority

  24. Background summary • Threats are increasing • Public are concerned about privacy • Digital services revolution expected • Power of information recognised • Quite a set of challenges!

  25. The challenge “Effective, proportionate and secure data sharing must be based on a comprehensive and pragmatic understanding of the risks involved” “to Get it Right, first Understand the Risks.” Owen Pengelly, Head, Information Security & Assurance, Cabinet Office

  26. What are the key features? Information is an asset and a liability • Information exploitation • Information assurance • Requires a risk management, not risk avoidance, approach

  27. Risk categories UK Knowledge and Information Management Profession: 1. Governance and culture risks 2. Information integrity risks 3. Human dimension risks 4. Information availability and use risks

  28. DHR Mandatory role - SIRO Senior Information Risk Officer • Lead and foster a culture that values and protects information • Owns the overall information risk policy and risk assessment process • Advises the Accounting Officer on information risks in the statement of internal control.

  29. DHR Mandatory role - IAO Information Asset Owner • Knows what information is held, what enters, what leaves - and why • Knows who has access and why; monitors use • Understands and addresses risks to the asset, and provides assurance to SIRO • Ensures the asset is used for the public good

  30. DHR Mandatory role - DSO Departmental Security Officer • Carries out the day-to-day responsibilities of the SIRO • Sets business impact level markings • Conducts the annual maturity assessment • Coordinates accreditation to security policy framework

  31. DHR Mandatory role - ITSO Information Technology Security Officer • Responsible for digital data in information technology systems • Leads on technical vulnerabilities and threats • Provides access controls, encryption standards, etc. • Annual review of ICT Accreditation status

  32. DHR Mandatory requirements • Annual Security Policy Framework compliance report • 1/4ly risk reviews • Training for all staff and a test to pass • Incident reporting policy • Forensic readiness policy • Maturity Assessment • Privacy Impact Assessments • Accreditation of all new or changed systems …plus 65 others…

  33. DHR Mandatory procedures • Annual Security Policy Framework compliance report • 1/4ly risk reviews • Training for all staff and a test to pass • Incident reporting policy • Forensic readiness policy • Maturity Assessment • Privacy Impact Assessments • Accreditation of all new or changed systems …plus many others…

  34. Mandatory - Maturity Assessment [picture]

  35. ONS implementation Began on 20th November 2007… …and by definition will never end

  36. ONS structures
      • SIRO - DG ONS
      • Information Exploitation and Assurance Committee (Chair - SIRO; Members - IAOs and DSO; Meets 1/4ly)
      • Data Stewardship Group (Chair - HoP Statistics; Members - Senior business managers; Meets 1/4ly)
      • Security Committee (Chair - DSO; Members - corporate IS officers; Meets 1/4ly)
      • Data Sharing Committee (Chair - Head of Sources; Members - selected experts; Meets 1/4ly)
      • Micro-data Release Panel (Chair - HoP Statistics; Members - selected experts; Meets virtually)

  37. The questions ONS IAOs are asking: [picture]

  38. The 22 questions … [two pictures]

  39. 10 top tips - (thanks to SOCITM*) [picture] *Society of Information Technology Management

  40. Upside • A timely wake-up call • It should be easier to do the right thing than the wrong thing. • Innovation is essential: Web 2.0, data cubes, visualisations, API, creative commons licences, Internet data collection

  41. Downside • 365 data losses formally reported so far in 2009 (at least we know) • So far only costs; benefits down the line, we hope.

  42. More challenges… Do we as statisticians make demands on our information security providers? Or does information security determine what we do as statisticians?

  43. More challenges… Do your data flows look like this:

  44. …or more like this: etc. etc.

  45. …where are those disks?
