Information Assurance Implications for UK Government
Let’s try and walk through this together.
It would appear that UK Government, taken as a whole, relies on specific bodies, such as CPNI and CSIA, to develop, promulgate, monitor and remediate information assurance efforts. Agree? Disagree? I would assert that this, if true, would make information assurance impossible, as an internal commitment to the core principles of information assurance is the whole point. Agree? Disagree?
It would appear that the IA issues that we have covered, in terms of lost data, etc., are the result of structural and not transient defects in government approaches to IA. I say this because the same egregious errors keep occurring, and any lessons learnt aren’t being published across government. Agree? Disagree?
It would also appear that information assurance is not being built into tender specifications as a core definition of solutions that are fit for purpose. Agree? Disagree?
It then would appear that, despite (or because of) the recent examples of IA failure in what could be regarded as an annus horribilis for all concerned with information assurance in UK government, information assurance as a practice is no further along than it was at this time last year. Agree? Disagree?
If you agree with the aggressive (purposely so) statements above, please join me in creating a set of specific recommendations so that we have a chance of not saying the same thing next year.
1. Please suggest wording for a declaration of principles regarding information assurance that UK government departments can sign on to. For extra credit, suggest wording for a declaration of principles for suppliers to UK government. Or should they be the same?
2. Please suggest wording for all tender documents stating that ‘unless information assurance is designed into your technical solution, it will not be considered fit for purpose.’ Or something similar….
3. Please suggest appropriate incentives (carrots and sticks) that will motivate public sector workers to think of information assurance first.
4. Please cover all the gaps not listed in items 1-3 above. Show your work. Papers will not be marked.

October 19th, 2007 at 12:12 pm
You first need to define information assurance, for example:
1) To maximise the opportunity and benefit from use of information to deliver joined-up public sector services whilst ensuring:
a) Information Assets owned by public sector are protected where needed.
b) The information owner and/or data subject is protected from harm.
c) Information is accurate, maintained and when not needed, disposed of.
d) Future procurements drive out duplication of information and effort.
2) Suppliers must ensure compliance and provide evidence that they comply with the following standards:
a) ISO27001
b) BS25999
c) etc, etc
3) I don’t think you can. Primary motivation for nurses, for example, is to get patients better. I think it would be hard to get them to think of information assurance first. Where I’ve seen it work well is where they have integrated information assurance with operational delivery. Going back to the nurses example, a few information assurance type checks on the patients and medication before administering drugs does a good job preventing prescribing deaths. If you can explicitly identify and integrate the benefit of information assurance into working practices, there is hope.
4) There are too many government players doing the same or different things in the information assurance world. CPNI, CSIA, CESG, Cabinet Office e-Government, NPFIT, GCHQ and I can go on and on and on… for example regulators NAO, Audit Commission, Wales Audit Office, Audit Scotland, Healthcare Commission… and on and on… This creates a scattergun effect, lots of gaps, lots of duplication, no single authority, bucket loads of waste. This is a problem that must be fixed.
Andrew Doughton
http://www.threepillars.co.uk