IAS 6 aims to lock down data from government departments, suppliers

By Ron Condon, U.K. Bureau Chief
12 May 2009 | SearchSecurity.co.uk

Thanks to an emerging standard designed to prevent data losses, government departments are under pressure to prove by mid-June that they -- and their suppliers -- have the right processes in place to manage personal and sensitive information.

June 15 is the deadline for all agencies to file a report to the Cabinet Office showing how they process and store personal information and data from government departments. One expert involved in the procedure said he expects serious vulnerabilities to be exposed.

"Security in the public sector has stagnated over the years, and complacency has become endemic. There is a long way to go before we can say departments are managing their data in an appropriate manner," said Michael Gillespie, a consultant with Advent Information Management Ltd.

All departments will be measured against the government's new Information Assurance Standard No. 6 (IAS 6), which controls the handling of personal data and the management of information risk, and which was only published in February.

Gillespie is one of a handful of trained auditors for the standard, and he said few departments are likely to be able to comply by June.

IAS 6 is part of the government's drive to raise the profile of information security across all departments following the notorious loss of 25 million records by HMRC back in 2007. It aims to tighten processes and increase accountability for records handling, not only to improve security but also to rebuild public confidence in government.

That kind of assurance is needed, according to a poll carried out in London last week by storage company Guardium Inc. The survey revealed that only 2% of respondents said they had 'complete trust' in the U.K. government's ability to safeguard their personal information, compared with 18% saying they had total faith in their banks.

Although IAS 6 is initially aimed at data from central government departments, it will also have a direct impact on any private sector companies providing services to government or managing government systems.

IAS 6 and its supporting methodology, Good Practice Guide 15, have been jointly developed by the Cabinet Office and CESG, the U.K. government's national technical authority for information assurance. The standard forms part of the government's Security Policy Framework (SPF), which was published in December 2008, and follows the recent Data Handling Review, which the government initiated in the wake of the HMRC data loss.

The fact that many departments will fail compliance in June, said Gillespie, shows some serious weaknesses. He added that IAS 6 outlines minimum requirements of good practice only, and that well-run organisations would have little trouble in meeting them.

"The significance of the HMRC data loss sent shockwaves through government and made them realise how badly they had been looking after the security until then, and how many government departments have been paying lip-service to security and security accreditation," he said. "The minimum mandatory rules for protecting data [in IAS 6] cover things they should all be doing anyway."

Gillespie said that if organisations adopted information security standards like ISO 27001 and applied their principles, "they would not find any of these other standards onerous, because they would be doing everything properly in the first place."
