information security recent uk experiences
play

Information Security Recent UK experiences Paul J Jackson - PowerPoint PPT Presentation

Aug 20, 2023 •412 likes •893 views

Information Security Recent UK experiences Paul J Jackson Information Security and Legal Services Division ONS Timeline 18 October 2007 25m records sent to National Audit Office On 2 unencrypted CDs Sent in standard internal

  1. Information Security Recent UK experiences Paul J Jackson Information Security and Legal Services Division ONS

  3. Timeline 18 October 2007 • 25m records sent to National Audit Office • On 2 unencrypted CDs • Sent in standard internal mail

  4. Timeline 24 October 2007 (+6 days) • Audit Office reports the CDs have not arrived

  5. Timeline 8 November 2007 (+15 days) • HMRC senior management told about the missing CDs

  6. Timeline 10 November 2007 (+17 days) • Alistair Darling informed. • Immediate search and inquiry initiated. • Police called in.

  7. Timeline 14 November 2007 (+21 days) • Alistair Darling considers the search to have failed • Information Commissioner informed

  8. Timeline 20 November 2007 (+27 days) • Alistair Darling makes his statement to Parliament • Review of data handling in Government announced

  9. 20 November 2007 QuickTime™ and a decompressor are needed to see this picture.

  10. Timeline 20 November 2007 (+27 days) • Paul Gray resigns : “I am announcing today that I will be standing down as HMRC Chairman as a result of a substantial operational failure in the Department.“

  11. It could be you !

  12. Timeline – Office for National Statistics 20 November 2007 • Data Stewardship Group meeting in ONS • Internal review of data in transit commissioned

  13. Timeline ONS 26 November 2007 ONS figures for data in transit for 2007 to this date: • 706 transfers of confidential micro-data in Email or on CD • All transfers secure and accounted for through to recipient

  14. Timeline 17 December - HMRC review Interim review of HMRC requires: • Complete ban on bulk data transfers on CD • All PCs and laptops have all peripherals disabled (i.e. - shutdown)

  15. Timeline 27 February 2007 - Data Handling Review • Data Handling Review issues 22 mandatory requirements to all departments. • With an implementation timetable • Introduced into an already complex background of policy, law and scrutiny.

  16. UK background - policy • UK National Information Assurance Strategy • Vision: A UK environment where citizens, businesses and government use and enjoy the full benefits of information systems with confidence • To be revised and reissued 2010 • http://www.cabinetoffice.gov.uk/media/cabinetoffice/csi a/assets/nia_strategy.pdf

  17. UK background - policy Power of Information Report 2007 • “A three-year National Plan to improve Digital Participation” http://www.cabinetoffice.gov.uk/reports/power_of_information.aspx

  18. UK background - policy The Coleman Report 2008 “Government must do more to deliver confidence in its information infrastructure” QuickTime™ and a decompressor are needed to see this picture. http://www.computerweekly.com/blogs/stuart_king /Coleman%20Report.pdf

  19. UK background - policy • Digital Britain Report 2008 “a digital switchover for public services” http://www.culture.gov.uk/images/publications/di gitalbritain-finalreport-jun09

  20. UK background - policy Government Chief Information Officer • Cloud computing • Open Source only on the cloud Rationalisation to 6 data centres • • Shared services across government

  21. UK background - policy Government Security Policy Framework 70+ mandatory requirements : 1. Governance, Risk Management and Compliance 2. Protective Marking and Asset Control 3. Personnel Security 4. Information Security and Assurance 5. Physical Security 6. Counter-Terrorism 7. Business Continuity http://www.cabinetoffice.gov.uk/spf.aspx

  22. UK background Statistics and Registration Service Act 2007 • Building trust in UK Official Statistics • Information sharing powers • Approved researcher access to data • Crime of wrongful disclosure

  23. UK background - legislation and rights Freedom of Information Act Data Protection Act Human Rights Act Common law of confidentiality Computer Misuse Act

  24. UK background - scrutiny Judicial Review of public administration The Information Commissioner The Financial Services Authority The Information Tribunal Select Committees of Parliament UK Statistics Authority

  25. Background summary • Threats are increasing • Public are concerned about privacy • Digital services revolution expected • Power of information recognised • Quite a set of challenges !

  26. The challenge “Effective, proportionate and secure data sharing must be based on a comprehensive and pragmatic understanding of the risks involved” “to Get it Right, first Understand the Risks. ” Owen Pengelly Head, Information Security & Assurance Cabinet Office

  27. What are the key features? Information is an asset and a liability • Information exploitation • Information assurance • Requires a risk management not risk avoidance approach

  28. Risk categories UK Knowledge and Information Management Profession: 1. Governance and culture risks 2. Information integrity risks 3. Human dimension risks 4. Information availability and use risks

  29. DHR Mandatory role - SIRO Senior Information Risk Officer • Lead and foster a culture that values and protects information • Owns the overall information risk policy and risk assessment process • Advises the Accounting Officer on information risks in the statement of internal control.

  30. DHR Mandatory role - IAO Information Asset Owner • Knows what information is held, what enters, what leaves - and why • Knows who has access and why; monitors use • Understands and addresses risks to the asset, and provides assurance to SIRO • Ensures the asset is used for the public good

  31. DHR Mandatory role - DSO Departmental Security Officer • Carries out the day to day responsibilities of the SIRO • Sets business impact level markings • Conducts the annual maturity assessment • Coordinates accreditation to security policy framework

  32. DHR Mandatory role - ITSO Information Technology Security Officer • Responsible for digital data in information technology systems • Leads on technical vulnerabilities and threats • Provides access controls, encryptions standards etc. • Annual review of ICT Accreditation status

  33. DHR Mandatory requirements • Annual Security Policy Framework compliance report • 1/4ly risk reviews • Training for all staff and a test to pass • Incident reporting policy • Forensic readiness policy • Maturity Assessment • Privacy Impact Assessments • Accreditation of all new or changed, systems …plus 65 others…

  34. DHR Mandatory procedures • Annual Security Policy Framework compliance report • 1/4ly risk reviews • Training for all staff and a test to pass • Incident reporting policy • Forensic readiness policy • Maturity Assessment • Privacy Impact Assessments • Accreditation of all new or changed, systems …plus many others…

  35. Mandatory - Maturity Assessment QuickTime™ and a decompressor are needed to see this picture.

  36. ONS implementation Began on 20th November 2007… …and by definition will never end

  37. ONS structures SIRO DG ONS Information Exploitation and Assurance Committee Chair - SIRO Members - IAOs and DSO Meets 1/4ly Data Stewardship Group Security Committee Chair - HoP Statistics Chair - DSO Members - Senior business managers Members - corporate IS officers Meets 1/4ly Meets 1/4ly Data Sharing Committee Micro-data Release Panel Chair - Head of Sources Chair - HoP Statistics Members - selected experts Members - selected experts Meets 1/4ly Meets virtually

  38. The questions ONS IAOs are asking: QuickTime™ and a decompressor are needed to see this picture.

  39. The 22 questions … QuickTime™ and a decompressor QuickTime™ and a are needed to see this picture. decompressor are needed to see this picture.

  40. 10 top tips - (thanks to SOCITM*) QuickTime™ and a decompressor are needed to see this picture. *Society of Information Technology Management

  41. Upside A timely wake-up call It should be easier to do the right thing than the wrong thing. Innovation is essential Web 2.0, data cubes, visualisations, API, creative commons licences Internet data collection

  42. Downside 365 data losses formally reported so far in 2009 (At least we know) So far only costs - benefits down the line, we hope.

  43. More challenges… Do we as statisticians make demands on our information security providers? Or Does information security determine what we do as statisticians?

  44. More challenges… Do your data flows look like this :

  45. …or more like this : etc. etc.

  46. …where are those disks?

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Experiences on how to p contact with end-users (policies and ISO security (policies and ISO

Experiences on how to p contact with end-users (policies and ISO security (policies and ISO

Experiences on how to p contact with end-users (policies and ISO security (policies and ISO security standards at campuses) p ) Brian OHora, BSc (Hons) & MBA Technology Management Information Systems Services, TCD TERENA E2E

325 views • 15 slides
Congressional Budget Office November 19, 2018 Labor Force Experiences of Recent Veterans

Congressional Budget Office November 19, 2018 Labor Force Experiences of Recent Veterans

Congressional Budget Office November 19, 2018 Labor Force Experiences of Recent Veterans Southern Economic Association Annual Meeting Washington, D.C. Elizabeth Bass and Heidi Golding National Security Division CBO For decades, large

734 views • 28 slides
Security 101 Definition of Information Security Information security is the protection of

Security 101 Definition of Information Security Information security is the protection of

Computing Services Information Security Office Security 101 Definition of Information Security Information security is the protection of information and systems from unauthorized access, disclosure, modification, destruction or disruption. The

469 views • 22 slides
The Security-Privacy tension: recent developments in the U.K. and elsewhere James Davenport

The Security-Privacy tension: recent developments in the U.K. and elsewhere James Davenport

The Security-Privacy tension: recent developments in the U.K. and elsewhere James Davenport Hebron & Medlock Professor of Information Technology University of Bath (U.K.) 16 January 2014 Overall Thesis When it comes to security/privacy,

419 views • 18 slides
Brazil Recent Experiences and Lessons Learned about SIT application Application of the

Brazil Recent Experiences and Lessons Learned about SIT application Application of the

Brazil Recent Experiences and Lessons Learned about SIT application Application of the Sterile Insect Technique as a tool for the Integrated Management Vector ( Aedes aegypti) Jair Virginio, PhD Moscamed Brazil Social Organization

409 views • 29 slides
Outline Tor experiences and challenges (contd) Usability and security CSci 5271

Outline Tor experiences and challenges (contd) Usability and security CSci 5271

Outline Tor experiences and challenges (contd) Usability and security CSci 5271 Announcements intermission Introduction to Computer Security Usability and Voting combined slides Usable security example areas Stephen McCamant Elections

305 views • 8 slides
Shorting, reporting and profiting in the era of cyber security Recent short seller collaborations

Shorting, reporting and profiting in the era of cyber security Recent short seller collaborations

SHORT SELLING Shorting, reporting and profiting in the era of cyber security Recent short seller collaborations with security researchers demonstrate a new trend in the evolving short seller strategy of publishing harmful information about a

154 views • 3 slides
Patents on Genes: Recent Practical Experiences and Case Studies International Seminar on

Patents on Genes: Recent Practical Experiences and Case Studies International Seminar on

Patents on Genes: Recent Practical Experiences and Case Studies International Seminar on Current Challenges in Intellectual Property Rights and Biotechnology Bansk Bystrica, Slovak Republic 2 nd -3 rd May, 2007 Maria Petz-Stifter

744 views • 45 slides
How citizen science could contribute to building resilient communities - Recent experiences from

How citizen science could contribute to building resilient communities - Recent experiences from

How citizen science could contribute to building resilient communities - Recent experiences from Japan - Setsuko Saya Director, International Cooperation, Disaster Management Bureau Cabinet Office 15 January 2019 CSTD 2018-2019 Inter

195 views • 7 slides
I T Security @ EC Challenges & Experiences Francisco Garca Morn Director General DG I

I T Security @ EC Challenges & Experiences Francisco Garca Morn Director General DG I

I T Security @ EC Challenges & Experiences Francisco Garca Morn Director General DG I nform atics European Com m ission Context What we do Experiences Policies 1. Context Economical recovery The 2020 Challenges Jobs,

714 views • 44 slides
Performance Optimization at Scale Recent Experiences Patrick H. Worley Oak Ridge National

Performance Optimization at Scale Recent Experiences Patrick H. Worley Oak Ridge National

Performance Optimization at Scale Recent Experiences Patrick H. Worley Oak Ridge National Laboratory Workshop on Performance Analysis of Extreme-Scale Systems and Applications Los Alamos Computer Science Symposium October 15, 2008 La Fonda

789 views • 23 slides
Nominal Anchors in EU-Accession Countries Recent Experiences Michael Frmmel, Universitt

Nominal Anchors in EU-Accession Countries Recent Experiences Michael Frmmel, Universitt

Nominal Anchors in EU-Accession Countries Recent Experiences Michael Frmmel, Universitt Hannover a Franziska Schobert, Deutsche Bundesbank b Abstract: We investigate official and implicit nominal anchors for five Central and Eastern

501 views • 35 slides
Outline Tor basics CSci 5271 Tor experiences and challenges Introduction to Computer Security

Outline Tor basics CSci 5271 Tor experiences and challenges Introduction to Computer Security

Outline Tor basics CSci 5271 Tor experiences and challenges Introduction to Computer Security Announcements intermission Day 23: Usability and security Stephen McCamant Usability and security University of Minnesota, Computer Science &

391 views • 8 slides
So You Want to Be an Information Security Officer? Presented by: Art Bakke Information Security

So You Want to Be an Information Security Officer? Presented by: Art Bakke Information Security

So You Want to Be an Information Security Officer? Presented by: Art Bakke Information Security Officer Background Personal Starion Bank Arts Goals Highlight the typical responsibilities of an Information Security Officer from

778 views • 22 slides
Information and its sources What should we believe? v Traditions v Authorities v Experiences v

Information and its sources What should we believe? v Traditions v Authorities v Experiences v

Information and its sources What should we believe? v Traditions v Authorities v Experiences v Supernatural Things Ways to access information How should we think? v Rationalism v Empiricism v Scientific Method Fantastic Pseudosciences and

679 views • 30 slides
Recent Results on AE in WPA Kenny Paterson , Bertram

Recent Results on AE in WPA Kenny Paterson , Bertram

Recent Results on AE in WPA Kenny Paterson , Bertram Poettering, Jacob Schuldt Information Security Group Overview Introduction to WPA/TKIP Biases in

804 views • 49 slides
The Effects of Relocation on Blaise Support in ONS Lucy Fletcher, Office for National Statistics,

The Effects of Relocation on Blaise Support in ONS Lucy Fletcher, Office for National Statistics,

The Effects of Relocation on Blaise Support in ONS Lucy Fletcher, Office for National Statistics, UK Blaise support team (BDSS) ONS and BDSS Office for National Statistics Employs around 4000 people Collects and publishes a wide

401 views • 15 slides
Annual Survey of Hours and Earnings (ASHE) Key Findings Median Weekly Median weekly earnings in

Annual Survey of Hours and Earnings (ASHE) Key Findings Median Weekly Median weekly earnings in

Annual Survey of Hours and Earnings (ASHE) Key Findings Median Weekly Median weekly earnings in Scotland increased by 2.4 Full-time Earnings per cent from 563.1 in 2018 to 576.7 in 2019. Gender Pay Gap for full-time employees in Scotland

137 views • 3 slides
PCEP extensions for the computation of route offers with price

PCEP extensions for the computation of route offers with price

PCEP extensions for the computation of route offers with price draft-carrozzo-pce-pcep-route-price-00 G. Carrozzo, G. Bernini, G. Landi {g.carrozzo, g.bernini, g.landi}@nextworks.it Nextworks Network Service & Business Plane NSBP

269 views • 8 slides
Employers Need to Know By Larry Grudzien Attorney at Law Areas of Discussion Benefits Subject

Employers Need to Know By Larry Grudzien Attorney at Law Areas of Discussion Benefits Subject

COBRA: What Employers Need to Know By Larry Grudzien Attorney at Law Areas of Discussion Benefits Subject to COBRA Eligibility Coverage Premium Amounts Mergers & Acquisitions Medicare Health FSAs HRAs Dropping COBRA Coverage

267 views • 15 slides
Measuring Economic Well-being in the UK: Past Experiences & Future Challenges Richard

Measuring Economic Well-being in the UK: Past Experiences & Future Challenges Richard

Measuring Economic Well-being in the UK: Past Experiences & Future Challenges Richard Tonkin, Vasileios Antonopoulos & Dominic Webber richard.tonkin@ons.gov.uk @richt2 IARIW-BOK Conference, 26-28 April 2017 Overview UK economic

652 views • 16 slides
Exit Checks data so far? Nicky Rogers, Office for National Statistics 19 October 2018 1

Exit Checks data so far? Nicky Rogers, Office for National Statistics 19 October 2018 1

How have we used Home Office Exit Checks data so far? Nicky Rogers, Office for National Statistics 19 October 2018 1 Presentation outline Non-EU international students what do they do at the end of their studies? Non-EU migration

178 views • 14 slides
Virtual Microdata Laboratory Access to Confidential Data Richard Welpton

Virtual Microdata Laboratory Access to Confidential Data Richard Welpton

Virtual Microdata Laboratory Access to Confidential Data Richard Welpton richard.welpton@ons.gsi.gov.uk Summary Background Our place in the UK How it works Governance Managing researchers Background VML established 2004

266 views • 10 slides
Introduction to the Public Affairs Directorate Suzi Ardley Wednesday 25 January 2017 Our

Introduction to the Public Affairs Directorate Suzi Ardley Wednesday 25 January 2017 Our

Introduction to the Public Affairs Directorate Suzi Ardley Wednesday 25 January 2017 Our objectives To increase public understanding of the aims and activities of the collegiate University. To protect and enhance the Universitys

678 views • 32 slides

More recommend