Information Security Recent UK experiences Paul J Jackson - - PowerPoint PPT Presentation


SLIDE 1

Information Security Recent UK experiences

Paul J Jackson Information Security and Legal Services Division ONS

SLIDE 2

SLIDE 3

Timeline

18 October 2007

  • 25m records sent to National Audit Office
  • On 2 unencrypted CDs
  • Sent in standard internal mail
SLIDE 4

Timeline

24 October 2007 (+6 days)

  • Audit Office reports the CDs have not arrived
SLIDE 5

Timeline

8 November 2007 (+15 days)

  • HMRC senior management told about the missing CDs

SLIDE 6

Timeline

10 November 2007 (+17 days)

  • Alistair Darling informed.
  • Immediate search and inquiry initiated.
  • Police called in.
SLIDE 7

Timeline

14 November 2007 (+21 days)

  • Alistair Darling considers the search to have failed
  • Information Commissioner informed
SLIDE 8

Timeline

20 November 2007 (+27 days)

  • Alistair Darling makes his statement to Parliament
  • Review of data handling in Government announced
SLIDE 9

20 November 2007

SLIDE 10

Timeline

20 November 2007 (+27 days)

  • Paul Gray resigns:

“I am announcing today that I will be standing down as HMRC Chairman as a result of a substantial operational failure in the Department.”

SLIDE 11

It could be you!

SLIDE 12

Timeline – Office for National Statistics

20 November 2007

  • Data Stewardship Group meeting in ONS
  • Internal review of data in transit commissioned

SLIDE 13

Timeline ONS

26 November 2007

ONS figures for data in transit for 2007 to this date:

  • 706 transfers of confidential micro-data in Email or on CD
  • All transfers secure and accounted for through to recipient

SLIDE 14

Timeline

17 December - HMRC review

Interim review of HMRC requires:

  • Complete ban on bulk data transfers on CD
  • All PCs and laptops have all peripherals disabled (i.e. shut down)

SLIDE 15

Timeline

27 February 2007 - Data Handling Review

  • Data Handling Review issues 22 mandatory requirements to all departments
  • With an implementation timetable
  • Introduced into an already complex background of policy, law and scrutiny

SLIDE 16

UK background - policy

  • UK National Information Assurance Strategy
  • Vision: A UK environment where citizens, businesses and government use and enjoy the full benefits of information systems with confidence
  • To be revised and reissued 2010
  • http://www.cabinetoffice.gov.uk/media/cabinetoffice/csia/assets/nia_strategy.pdf

SLIDE 17

UK background - policy

Power of Information Report 2007

  • “A three-year National Plan to improve Digital Participation”

http://www.cabinetoffice.gov.uk/reports/power_of_information.aspx

SLIDE 18

UK background - policy

The Coleman Report 2008

“Government must do more to deliver confidence in its information infrastructure”

http://www.computerweekly.com/blogs/stuart_king/Coleman%20Report.pdf

SLIDE 19

UK background - policy

  • Digital Britain Report 2008

“a digital switchover for public services”

http://www.culture.gov.uk/images/publications/digitalbritain-finalreport-jun09

SLIDE 20

UK background - policy

Government Chief Information Officer

  • Cloud computing
  • Open Source only on the cloud
  • Rationalisation to 6 data centres
  • Shared services across government
SLIDE 21

UK background - policy

Government Security Policy Framework, 70+ mandatory requirements:

1. Governance, Risk Management and Compliance
2. Protective Marking and Asset Control
3. Personnel Security
4. Information Security and Assurance
5. Physical Security
6. Counter-Terrorism
7. Business Continuity

http://www.cabinetoffice.gov.uk/spf.aspx

SLIDE 22

UK background

Statistics and Registration Service Act 2007

  • Building trust in UK Official Statistics
  • Information sharing powers
  • Approved researcher access to data

  • Crime of wrongful disclosure
SLIDE 23

UK background - legislation and rights

  • Freedom of Information Act
  • Data Protection Act
  • Human Rights Act
  • Common law of confidentiality
  • Computer Misuse Act

SLIDE 24

UK background - scrutiny

  • Judicial Review of public administration
  • The Information Commissioner
  • The Financial Services Authority
  • The Information Tribunal
  • Select Committees of Parliament
  • UK Statistics Authority

SLIDE 25

Background summary

  • Threats are increasing
  • Public are concerned about privacy
  • Digital services revolution expected
  • Power of information recognised
  • Quite a set of challenges!
SLIDE 26

The challenge

“Effective, proportionate and secure data sharing must be based on a comprehensive and pragmatic understanding of the risks involved”

“to Get it Right, first Understand the Risks.”

Owen Pengelly, Head, Information Security & Assurance, Cabinet Office

SLIDE 27

What are the key features?

Information is an asset and a liability

  • Information exploitation
  • Information assurance
  • Requires a risk management, not risk avoidance, approach

SLIDE 28

Risk categories

UK Knowledge and Information Management Profession:

  1. Governance and culture risks
  2. Information integrity risks
  3. Human dimension risks
  4. Information availability and use risks
SLIDE 29

DHR Mandatory role - SIRO

Senior Information Risk Officer

  • Leads and fosters a culture that values and protects information
  • Owns the overall information risk policy and risk assessment process
  • Advises the Accounting Officer on information risks in the statement of internal control

SLIDE 30

DHR Mandatory role - IAO

Information Asset Owner

  • Knows what information is held, what enters, what leaves - and why
  • Knows who has access and why; monitors use
  • Understands and addresses risks to the asset, and provides assurance to SIRO

  • Ensures the asset is used for the public good
SLIDE 31

DHR Mandatory role - DSO

Departmental Security Officer

  • Carries out the day to day responsibilities of the SIRO
  • Sets business impact level markings
  • Conducts the annual maturity assessment
  • Coordinates accreditation to the Security Policy Framework

SLIDE 32

DHR Mandatory role - ITSO

Information Technology Security Officer

  • Responsible for digital data in information technology systems
  • Leads on technical vulnerabilities and threats
  • Provides access controls, encryption standards etc.
  • Annual review of ICT Accreditation status
SLIDE 33

DHR Mandatory requirements

  • Annual Security Policy Framework compliance report
  • Quarterly risk reviews
  • Training for all staff and a test to pass
  • Incident reporting policy
  • Forensic readiness policy
  • Maturity Assessment
  • Privacy Impact Assessments
  • Accreditation of all new or changed systems

…plus 65 others…

SLIDE 34

DHR Mandatory procedures

  • Annual Security Policy Framework compliance report
  • Quarterly risk reviews
  • Training for all staff and a test to pass
  • Incident reporting policy
  • Forensic readiness policy
  • Maturity Assessment
  • Privacy Impact Assessments
  • Accreditation of all new or changed systems

…plus many others…

SLIDE 35

Mandatory - Maturity Assessment

SLIDE 36

ONS implementation

Began on 20th November 2007… …and by definition will never end

SLIDE 37

ONS structures

  • Data Sharing Committee: Chair - Head of Sources; Members - selected experts; Meets quarterly
  • Micro-data Release Panel: Chair - HoP Statistics; Members - selected experts; Meets virtually
  • Data Stewardship Group: Chair - HoP Statistics; Members - Senior business managers; Meets quarterly
  • Security Committee: Chair - DSO; Members - corporate IS officers; Meets quarterly
  • Information Exploitation and Assurance Committee: Chair - SIRO; Members - IAOs and DSO; Meets quarterly
  • SIRO: DG ONS

SLIDE 38

The questions ONS IAOs are asking:

SLIDE 39

The 22 questions …

SLIDE 40

10 top tips - (thanks to SOCITM*)

*Society of Information Technology Management

SLIDE 41

Upside

A timely wake-up call

It should be easier to do the right thing than the wrong thing.

Innovation is essential:

  • Web 2.0, data cubes, visualisations, API, creative commons licences
  • Internet data collection

SLIDE 42

Downside

365 data losses formally reported so far in 2009 (at least we know).

So far only costs - benefits down the line, we hope.

SLIDE 43

More challenges…

Do we as statisticians make demands on our information security providers?

Or

Does information security determine what we do as statisticians?

SLIDE 44

More challenges…

Do your data flows look like this:

SLIDE 45

…or more like this:

etc. etc.

SLIDE 46

…where are those disks?