Monday 14 April 2008, 10:59 PM

Data Security Standards Baffle Local Authorities

Posted by christian harris

Earlier today - in between my Crunchy Nuts and smoked bacon sandwich - I read a few reports which indicate that personal data about members of the public has been lost or wrongly revealed by thirteen London councils in the last year. It was almost enough to make me lose my appetite ...

I don’t live in London anymore so I’m not really bothered, but what is worrying is that the same half-soaked approach to our personal data could be taken by other councils across the nation. And couldn’t the same errors be made by online businesses we give our personal details to?

Incidents involving a loss of sensitive personal data show that UK local authorities are still struggling to build essential data security standards based on effective security frameworks, tools which remove the ‘human error’, and the continual education and motivation of their staff. This is disappointing because the foundations are clearly laid out in proven security frameworks such as ISO 27001 and ISO 27002, so it only takes one bright spark to read up in his/her lunch break and then pass the message on.

There’s no doubt that local authority personnel at all levels are under growing pressure to improve efficiency and build services around the citizen, but they must nevertheless follow agreed security processes that, first, categorise the critical data assets held; second, properly identify different categories - employees, partner organisations and citizens; and third, determine the appropriate level of data access needed for different groups to properly perform their daily job functions. This applies as much to paper documents related to a specific case as it does to a large electronic database containing residents’ details.

Critically too, all local government staff have to be constantly educated and motivated about security risks surrounding sensitive data and policies, a goal which, sadly, many departments are still falling short of. Those authorities that find new and rigorous ways to motivate their staff on security risks - and the procedures that will avoid them - should successfully minimise incidents and reduce the ‘human element’ that surrounds so many of the security breaches that we are seeing.

Moreover, local authorities’ IT infrastructures must be better organised to give automated controls across the organisation that further minimise the scope for data loss. IT systems should provide strong, repeatable processes to manage all ID lifecycles and continual enforcement of user registration and de-registration, backed by audits of employees’ identity and access rights.
