
Security Profession blog

Comment and discussion about the security industry of interest to the security professional. Blogs will be submitted by (ISC)2's management team and Advisory Board members.

Wednesday 4 February 2009, 11:47 AM

Government as Role Model?

Posted by (ISC)2

I was reading the article about the Home Office breaching the Data Protection Act and it got me thinking about the recent meeting I and a number of other information security professionals had with Eleanor Laing, MP, discussing and advising on what the Tory party policy should be on Information Security. One of the things that we were all in agreement on was that the government should act as a role model for information security. This should, in turn, be achieved not only by the proper investments but also by advancing professionalism and demonstrating skills, knowledge and competencies in this field. The Home Office clearly is an example where this is not happening.
It is interesting to note that generally the government is more careful with its own information than it is with that entrusted to it by the public. When I was working at ICL (now Fujitsu Services), I was the government-designated ITSO (IT Security Officer) responsible for ensuring that any classified information that ICL had access to as a “List-X” company was properly protected. Indeed I was required to go on a two-day course at the rather bleak building on Millbank to be told the correct ways of dealing with the different levels of protectively marked information. At my office in Stevenage I had one document that was classified above the “Restricted” level which had to be stored in a government-approved safe and had to be locked away whenever I left my desk.
It seems strange that one area of government can identify the correct controls required when dealing with their own information whereas another part of government has difficulties in adopting less arduous controls for protecting information that has been provided by the public.
Hopefully the new security measures that the Home Office will have to adopt as a result of the ICO’s intervention will prove adequate and effective. Personally I believe that the most important controls will be those surrounding how well the users of the information are made aware and educated about how they apply these controls.

John Colley is managing director, EMEA for (ISC)2. He has over fifteen years' experience in information security and formerly held posts as Head of Risk Services at Barclays, Group Head of Information Security at the Royal Bank of Scotland Group, Director of Information Security at Atomic Tangerine and as Head of Information Security at ICL.

