Dr David King, ISSA-UK and Chair of the Information Security Awareness Forum, welcomes the government’s focus on security awareness
It is excellent news that UK government departments and agencies have raised the requirement for information security awareness to the top of the agenda. This move is welcomed by the Information Security Awareness Forum (ISAF) and will, I have no doubt, also be greeted in a positive manner by other information and IT security bodies across the UK. It is also appropriate in the light of the conclusions of a number of recent reports on data security. As the public sector is one of the primary custodians of people’s information, there is an expectation by the public of appropriate care and attention. The ISAF membership, comprising nearly two dozen professional bodies, such as ISSA-UK, (ISC)2, the British Computer Society, EURIM, ISACA, Infosecurity Europe and Get Safe Online, is working together to coordinate and influence change for a greater level of security awareness. The new security ethos permeating through the various strata of the UK's government and its agencies will, we hope, encourage all managers in the public sector to take a responsible attitude towards looking after their computer data.
A new requirement
There is now a greater need for education and guidance on information security matters for existing and new employees of the government and its agencies. All have a part to play in protecting information, and it is essential that the responsibilities are clearly communicated, understood and acted upon. The dependence on the individual to do the right thing is now greater than ever. As the government and its agencies prepare to take on a fresh influx of graduates this month, the need to educate new employees becomes even more pressing. Those coming into the public sector for the first time may well have very different assumptions about the risks of sharing information publicly, the need to protect information, and their own role in maintaining effective security. So many of these new employees will have grown up with computers, both at home and at school, but many will lack a basic understanding of data security issues. It is common to share personal information on the Internet, and often with people who are not known to us other than through the Internet. Moreover, it is easy for us to share information with others, without realising that the information is accessible to anyone. This has consequences that can be far-reaching, particularly when the Internet ‘remembers’ things that we assume have long been forgotten. Put simply, it is easy to trust the Internet, but this trust can be misplaced. In government, as in industry, the sharing of information is required, but the inadvertent or accidental sharing of information can have very serious consequences, as we have seen recently. The knowledge, skills and discipline required to properly handle information are not encouraged by the social culture of the Internet, and this is therefore a challenge for employers, and calls for a proper focus in order to instil the behaviours required.
Cultural change
In fact, cultural change, which is now on the agenda, is something that perhaps needs to happen in our attitude to handling data outside of the workplace as well as within it. This is one of the aims of ISAF – to come at the issues of security awareness from all angles, at home, at work, in our social interactions and on the move. It is by tackling the issue from many sides that we have the best chance of achieving the changes required to protect us all. There are some good sources of advice, such as Get Safe Online, which are available to all and can help in the safe and secure use of IT and the Internet, but such sources can only go so far. The responsibility for training and educating new staff, and indeed all staff in the public sector, lies with the employers. Security awareness programmes need to focus both on new hires and on existing staff – the messages need to be consistent and credible, and the changes must be sustainable if the culture is to change accordingly.
A co-ordinated approach
As individuals as well as employees, ISAF members and anyone involved in business management need to be more aware of the issues that affect us all in our day-to-day handling of personal data. The awareness will come from a variety of sources. We are all bombarded with information whether we are using our computer at home, travelling or at our place of work. A co-ordinated approach is required in which the messages that we need to be aware of and apply are consistent and clear. This is especially true when it comes to developing the resources required to provide information security guidance to all members of staff, covering issues such as handling data, reporting incidents, and taking a holistic approach to the topic. The lead needs to come from employers and managers through the dissemination of practical security policies that people can understand and follow. All have a role to play and a responsibility to implement their part of the security jigsaw.
Directors’ guides
The ISAF had already seen the need to do this at a director level with the production of its ‘Directors’ Guides to Managing Information Security Risk’. The guides were launched in April 2008 at Infosecurity Europe and are sponsored jointly by IAAC, BT and ISAF. The Information Commissioner’s Office has warmly received and reviewed these, and believes that they should be on the desk of every single director of every single company/organisation in the land. When asked by the ISAF as we seek to use the Directors’ Guide to spread the message that information risks must be understood and effectively managed, the Information Commissioner Richard Thomas replied: “Every director should have one.” The directors’ guides are available to download at the ISAF’s website, http://theisaf.org. The objective of the ISAF is to create a co-ordinated cross-industry/cross-institution approach for delivering security awareness messages to large corporations, small businesses, individuals and government. This is a challenging and ambitious objective, but it is a focus that is shared by the forum’s members comprising representation from institutions that wish to have a voice in security awareness. The news that government departments are raising security awareness as a top priority is a signal to all that we need to properly protect our data. So the ISAF welcomes the news and hopes that it will instil the changes required, that these changes will be sustained and that they will be a catalyst for changing attitudes to protecting information beyond the walls of government.