contents

business
 
Data Security Seminar for Government and Public Sector Organisations

Over the last year, a series of high profile data losses have placed the need for effective data security in all organisations beyond question. Companies such as Callcredit, whose 'bread and butter' is data security, are well placed to kick-start debate about this issue and share their experiences and best practice. This is exactly what happened in Callcredit's latest industry seminar, which was held on 20th May in Whitehall to discuss how data security methods developed in commercial businesses can be implemented for the benefit of the government, public and third sectors.

John McAndrew, Managing Director of Callcredit, chaired the event to welcome the audience and panel of experts. Maitland Hyslop, COO, Onyx Group, a veteran of both public and private sector organisations, gave the first presentation with his opinion on the differences between the two. Whereas the private sector organisations encourage disruption of the status quo to drive progress, he said, the hierarchical, rules-based, bureaucratic structure of the public sector had a tendency to hinder the adoption of new, more efficient processes. With the public expecting ever-higher levels of service delivery in health, education, policing and so on, Hyslop said that the government must streamline its IT systems to allow information to be shared securely between various departments. This would enable those service levels to be both raised and maintained.

John Spence, Non-Executive Director of the Callcredit Information Group, then took the floor to discuss how preventing ID fraud can be linked to increased competitiveness.

"If we liken data security to a sea wall defence and the risk of data breaches to the sea", he said, "Whitehall runs the risk of setting itself so watertight that it can't see the sea because the walls are so high. Recognising the scale of the problem is the key to solving it."

In today's fast paced world Spence said, businesses, government and charities need to use information intelligently to perform for maximum competitive advantage. But information comes from data and data comes from the consumer, who ultimately is the owner of that data. In order to use the information intelligently, organisations need to share it but to share it securely to prevent, as far as possible, the risk of ID fraud 'flooding' the organisations' defences and hurting the owners of the data.

"Unfortunately lapses in security will always happen, but an organisation can only be deemed negligent if it knew about the weakness in its defences and did nothing about it", he continued.

The third panellist was Jonathan Holbrook, Head of Data Protection Practice at the Information Commissioner's Office (ICO) and his presentation outlined the strategies and priorities for the ICO as it moved forward in light of the high profile data breaches of the last year.

He highlighted results of a recent survey conducted by the ICO; 80pc of consumers are checking their bank statements more regularly since the HMRC breach and over 50pc of people no longer trust organisations with their data. The data protection strategy of the ICO will involve taking a risk based approach to data security: "It's not up to us to nanny the public at the end of the day, they must decide who they give their data to", he said.

He discussed how the current priorities for the ICO include cracking down on the unlawful trade in personal information and managing secure data sharing whilst addressing concerns over the UK becoming a surveillance society. He noted how there are now new civil penalties for those in serious breach of the Data Protection Act and that those illegally obtaining or disclosing personal information run the risk of custodial sentences.

He was very aware of the challenges these measures presented for the public sector and suggested there needed to be a greater emphasis on individual roles and responsibilities with regard to safeguarding data security.

Phil Gibson, Head of Transformational Government, Cable & Wireless, was keen to emphasise the benefits of sharing information across different government departments and public services. He illustrated his point with the tragic example of Victoria Climbie where 12 different agencies were found to be aware that she was a victim of child abuse but failed to support her adequately due to a lack of inter-agency communication. Enabling different departments to form 'trusted networks', across which members could securely share appropriate information, would not only increase productivity amongst public sector workers, but it would also make services more accessible to the public and help build safer communities.

Dave Barter, Director at Legatio, then took the audience through how in practical terms data security is best implemented in an organisation's IT systems. He demonstrated the need to integrate security measures into every stage of a system's development: "From the point a system is conceived, through its design, implementation, launch and beyond, security needs to be tested and verified."

John Eggleston, Information Technology Director, Callcredit, highlighted that as well as approaching data security from a technology perspective, other factors could be considered. "Organisations need to put people and education at the top of the infosecurity agenda", he said. He drew evidence from the BERR/PWC 2008 Information Security Breaches Survey which showed there was often a worrying gap between the technology solutions companies employed and how they educated their staff about data security: for example, 94pc of institutions surveyed encrypted their wireless network transmissions, but 60pc did not provide ongoing security awareness training to staff.

"There is no 'silver bullet' technology solution", Eggleston noted, reinforcing the points of both John Spence and Dave Barter. "The people and supporting processes are fundamental to reliable information security." He went on to note the success of Callcredit's in-house infosecurity initiative, Safe Hands, which concentrates on educating employees to integrate security measures in everything they do, This provides assurance not only for the company, but to its partners and customers as well.

"At Callcredit we have an absolute focus on people from raising general awareness through to giving specialist training. We combine this focus with a clear information risk management strategy built to the industry standard ISO 27001 and we only deploy the appropriate techtechnology once the need is fully understood", Eggleston said.

John Hughes, Senior Manager, IT Advisory, KPMG, was keen to point out that in the complex security environment of governmental departments, "penetration testing of IT systems is not enough to gain assurance." He took the audience through the range of external security standards with which an organisation can choose to comply: CTAS, CHECK and ISO 27001/27002. He drew attention to the overlap between different parts of the different certifications to enable the audience to see which standard would be most appropriate for their own organisation and noted the need for harmonisation of the standards to simplify the compliance process.

Some lively debate from the floor ensued, chaired once again by Callcredit's John McAndrew and the panellists and audience members engaged on a number of infosecurity subjects that had been touched on throughout the afternoon. They discussed how it is necessary to balance service improvements with protecting consumers and the strength of the penalties for getting this balance wrong. Ultimately though, out of the presentations and debate came a strong sense of the potential secure data sharing has to improve service levels and productivity in the commercial, public and charity sectors alike.



write your comments about the article :: 2008 Networking News :: home page