Will the Data Handling Review improve government security practices?

When the final report, Data Handling Procedures in Government was released in June of this year, some security practitioners were disappointed that its recommendations didn't go further and, more specifically, mandate requirements for systems handling sensitive data. In this article, we'll briefly examine the Data Handling Review and what information security professionals can learn from it to improve security practices.

Data handling: A human problem
At face value, mandating more secure systems may seem like an obvious step to take. However, an examination of the various incidents of data loss that prompted this review suggests...

RELATED CONTENT Compliance and regulations Encryption basics: How asymmetric and symmetric encryption works SIEM systems streamline compliance processes, offer security benefits Tips to achieve PCI compliance How to choose an external compliance auditor Using a privacy impact assessment template for DPA compliance PCI DSS checklist: Mistakes and problem areas to avoid The elements of a compliance-oriented architecture Wireless network guidelines for PCI DSS compliance PCI DSS requirement: Implement strong access control procedures How to choose full disk encryption for laptop security, compliance Compliance Regulation and Standard Requirements PCI DSS requirements still baffling as compliance deadline approaches Make PCI DSS compliance easier by reducing scope, outsourcing data Cloud computing compliance: Exploring data security in the cloud Encryption basics: How asymmetric and symmetric encryption works SIEM systems streamline compliance processes, offer security benefits No major PCI DSS revision expected in 2010 PCI QSAs, certifications to get new scrutiny Tips to achieve PCI compliance PCI DSS requirements: Get ready for stricter enforcement, fines Data Protection Act breach could cost companies 500,000 pounds Data Protection Solutions and Strategy Enterprise data management: Prevent data loss and insider threats NSA, cryptoexperts jab at RSA Conference 2010 Cryptographers' Panel Make PCI DSS compliance easier by reducing scope, outsourcing data Data Protection Act fines likely limited, audit powers may expand Websense integrated security system aims to simplify security management Full disk encryption: Safer and easier than file and folder encryption No major PCI DSS revision expected in 2010 Data breach costs continue to rise in 2009, Ponemon study finds Chinese hacker attacks target Google Gmail accounts, top tech firms Annual security reports offer some hope

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary Basel II  (SearchSecurityUK.com) Code of Connection (CoCo)  (SearchSecurityUK.com) EU Data Protection Directive  (SearchSecurityUK.com) Financial Services Authority  (SearchSecurityUK.com) IFRS (International Financial Reporting Standards)  (SearchSecurityUK.com) UK Identity Cards Act  (SearchSecurityUK.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary

the common stumbling block is actually human failure. Security is often about managing people and preventing their mistakes; the review concentrates on the human side of the security problem.

The Data Handling Review mandates several measures aimed at improving information security practices and promoting a culture of information security. For example, civil servants who deal with personal data are to undergo annual training, and data security roles within departments are being standardised and enhanced to ensure clear lines of responsibility. Crucially, these initiatives are also backed up by stronger accountability and scrutiny with privacy impact assessments and spot checks undertaken by the Information Commissioner's Office, which has finally been granted power to enforce the requirements of the U.K. Data Protection Act.

Data handling: A system problem
These actions will certainly make data security a high priority and security policies more effective, but what does the Data Handling Review say about system security?

Departments are now obliged to have their networks pen tested on a regular basis. This measure is possibly a more effective way of validating the security of a system rather than trying to enforce a one-size-fits-all approach to system specification and design. Regular tests will also help promote better security life cycle management. Crucially they will have a positive impact on system design, specification requirements and maintenance.

The government, through CESG, the National Technical Authority for Information Assurance, has for a long time provided a directory of "infosec assured products" as part of what has been called the National Information Assurance Strategy. The directory is a top-level guide listing all IT security products approved by CESG and the context in which they should be used.

The Claims Tested Mark (CCTM) scheme, which is part of the portfolio of information assurance services provided by CESG, provides a government quality mark designed to assure the private and public sectors that a security product or service does "what it says on the box." Based on accredited independent testing, the scheme is designed to prove the validity of security functionality claims made by vendors. Products and services with the CCTM mark satisfy the minimum assurance requirements at Government Impact Levels 1 and 2 as set out in HMG Infosec Standard No. 1 -- Assurance Requirements for IT Systems.

As a result of the Data Handling Review, I can see more organisations specifying in their procurement framework that systems must use accredited products and services, particularly for those systems supporting the transformational government agenda, in order to demonstrate they are following best practices. This is an important aspect of restoring trust and confidence in the way government information systems are run.

Data sharing is crucial to any modern technology strategy and brings great benefits. Data loss incidents will inevitably occur, but the measures introduced in the Data Handling Review do have a great chance of forcing a culture change across the civil service in the way its workers view and handle sensitive data. A culture that properly values, protects and uses data, both in the planning and delivery of public services, will undoubtedly reduce the likelihood of large scale data loss in the future.