Will the Data Handling Review improve government security practices?

When the final report, Data Handling Procedures in Government was released in June of this year, some security practitioners were disappointed that its recommendations didn't go further and, more specifically, mandate requirements for systems handling sensitive data. In this article, we'll briefly examine the Data Handling Review and what information security professionals can learn from it to improve security practices.

Data handling: A human problem
At face value, mandating more secure systems may seem like an obvious step to take. However, an examination of the various incidents of data loss that prompted this review suggests the common stumbling block is actually human failure. Security is often about managing people and preventing their mistakes; the review concentrates on the human side of the security problem.

The Data Handling Review mandates several measures aimed at improving information security practices and promoting a culture of information security. For example, civil servants who deal with personal data are to undergo annual training, and data security roles within departments are being standardised and enhanced to ensure clear lines of responsibility. Crucially, these initiatives are also backed up by stronger accountability and scrutiny with privacy impact assessments and spot checks undertaken by the Information Commissioner's Office, which has finally been granted power to enforce the requirements of the U.K. Data Protection Act.

Data handling: A system problem
These actions will certainly make data security a high priority and security policies more effective, but what does the Data Handling Review say about system security?

Departments are now obliged to have their networks pen te

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Compliance and regulations Basel II risk management and implementation guide Meet Basel II operational risk, compliance requirements with BS 25777 How to achieve PCI DSS compliance in a midmarket business Preparing enterprise Wi-Fi networks for PCI compliance PCI compensating controls: Loopholes or lifesavers? A preview of PCI virtualization specifications Information security forecast: Security management in 2009 The power of the ICO: Liabilities for a data security breach Data breach notification: A legal requirement? Using ISO 27000 to comply with Data Protection Act principles Compliance Regulation and Standard Requirements USB drive security project protects endpoints, aids CoCo compliance Cybercrime attacks, IT outsourcing, mobile malware top ISF threat list The basics of enterprise GRC project management SearchSecurity.co.uk partners with PCI DSS User Group Council boosts compliance efforts with system log management app PCI DSS Q&A: Answering your questions Security budgets take hit in media, tech industry, survey finds Forrester advises cautious approach to cloud computing services NHS imposes USB stick security IAS 6 aims to lock down data from government departments, suppliers Data Protection Solutions and Strategy USB drive security project protects endpoints, aids CoCo compliance How to enforce an enterprise data leak prevention policy Companies underestimate Web 2.0, social networking threat, says survey RSA council addresses growing security risks in the cloud Attackers use ATM malware to steal track data, PINs CSA, Jericho Forum unite on cloud computing security message How to create a data classification policy Trust eroding as social engineering attacks climb in 2009, says Kaspersky expert Organizations struggle with data leakage prevention, rights management Simple information security mistakes can cause data loss, says expert

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary Basel II  (SearchSecurityUK.com) EU Data Protection Directive  (SearchSecurityUK.com) Financial Services Authority  (SearchSecurityUK.com) UK Identity Cards Act  (SearchSecurityUK.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary

sted on a regular basis. This measure is possibly a more effective way of validating the security of a system rather than trying to enforce a one-size-fits-all approach to system specification and design. Regular tests will also help promote better security life cycle management. Crucially they will have a positive impact on system design, specification requirements and maintenance.

The government, through CESG, the National Technical Authority for Information Assurance, has for a long time provided a directory of "infosec assured products" as part of what has been called the National Information Assurance Strategy. The directory is a top-level guide listing all IT security products approved by CESG and the context in which they should be used.

The Claims Tested Mark (CCTM) scheme, which is part of the portfolio of information assurance services provided by CESG, provides a government quality mark designed to assure the private and public sectors that a security product or service does "what it says on the box." Based on accredited independent testing, the scheme is designed to prove the validity of security functionality claims made by vendors. Products and services with the CCTM mark satisfy the minimum assurance requirements at Government Impact Levels 1 and 2 as set out in HMG Infosec Standard No. 1 -- Assurance Requirements for IT Systems.

As a result of the Data Handling Review, I can see more organisations specifying in their procurement framework that systems must use accredited products and services, particularly for those systems supporting the transformational government agenda, in order to demonstrate they are following best practices. This is an important aspect of restoring trust and confidence in the way government information systems are run.

Data sharing is crucial to any modern technology strategy and brings great benefits. Data loss incidents will inevitably occur, but the measures introduced in the Data Handling Review do have a great chance of forcing a culture change across the civil service in the way its workers view and handle sensitive data. A culture that properly values, protects and uses data, both in the planning and delivery of public services, will undoubtedly reduce the likelihood of large scale data loss in the future.