Information assurance and cybersecurity
How do we keep government data safe and public services running in adversity including deliberate attack from malevolent people, organisations and states?
Today, many government systems are vulnerable - to both insider and external abuse. Penetration testers cite examples of taking just 5 minutes, starting from outside the firewall, to gain full root permissions on government systems.<br />
Threats are not being assessed properly - for example, an assessment may consider issues such as the time needed to get a system back online, but completely overlook what would happen if every user of a system were phished. Common vulnerabilities are not being routinely assessed and addressed. The system integrators (SIs) share some of the responsibility here, as they are often slow to roll out new security patches and fixes - although their defence is usually the sheer number and complexity of systems in place in many departments, meaning that they must check compatibility first to ensure the latest security fix does not break anything. Such complexity is the enemy of many things, it seems, including good IA and security.<br />
Privacy engineering is rarely considered alongside security engineering when developing or commissioning new systems or updates. Look at the NHS system, for example, where many NHS staff are able to access private medical records. Systems routinely generate reports that are not anonymised.<br />
We need to define what CESG needs to supply to the rest of government to be effective and to raise the standards of information assurance, security and privacy. There is a balance of trade-offs that needs to be clearly articulated in order to develop a reliable set of best practices. CESG needs much clearer guidance about what is useful and how to raise standards in an effective way.<br />
Are CIOs the wrong people? The I in CIO stands for Information, but currently many seem to think it means 'IT'. Normally a CIO would be focused on information assets - which, apart from its people, are all that the civil service has. So if the CIO is not worrying about information assets, who is?<br />