Being ready for the unexpected

Socitm’s IT Trends 2007 revealed that efficiency and security were the top two issues on local authority IT chiefs’ agendas in 2007, based on a survey carried out earlier that year. Given the economic climate and the regular reports of public sector data security breaches, it is unlikely that the ranking of these priorities has changed much since.
    
Indeed, public awareness of information security threats has never been higher, and the potential disruption to service delivery from climate change and natural disasters is constantly in the news. At the same time, the efficiency agenda is requiring public sector organisations to make greater and greater use of electronic data, and to share that data with other organisations - thereby introducing further threats to the integrity and security of their data.
    
For local government, the resolution of the potentially conflicting requirements of, on the one hand efficiency, and on the other security, lies in information assurance (IA).

What is IA?
The CESG is the UK Government's National Technical Authority for Information Assurance responsible for enabling secure and trusted knowledge sharing. Its website defines IA in the following way: “Information must be readily available when needed and trusted to be accurate. Sometimes there are confidentiality concerns. Ensuring the confidentiality, availability and integrity of all electronically held information is the goal. ‘Information Assurance’ is the term we use to describe this goal.”
    
According to Socitm President Richard Steel, the challenge for local authorities is clear: “We need a strategic approach to information assurance as a key element in organisational resilience, with responsibility taken at board level but information culture permeating the entire organisation. We need to set high standards, manage risk and react quickly and effectively to incidents and threats.”
    
In the foreword to a new briefing on this issue from Socitm Consulting, he says that IT managers have a leading role to play by promoting the agenda, by leading by example, and by developing best practice with colleagues in other authorities. A key priority is to ensure that information is only shared via systems that are purpose built for secure data handling.
    
Ultimately, however, he says, information assurance is too important to be left to the information professionals. Information assurance is of strategic importance to the business of local government as a whole, and leadership needs to come from the very top.
    
For local authorities, as opposed to central government, IA is a relatively new concept, and in part this is due to the traditional local authority habit of working in silos. Data Protection and Freedom of Information Act compliance may be handled by the legal department and computer security by the ICT service; Disaster Recovery and Business Continuity might be the province of Emergency Planning, while home, mobile and flexible working is the responsibility of HR.
    
For the modern information-based local authority, however, all these functions centre on the same fundamental requirement – to manage information properly. Information Management and Governance, Data Security, Legislative Compliance, Business Continuity and Disaster Recovery are complementary disciplines that need to be handled coherently. A local authority must ensure the confidentiality, availability and integrity of all electronically held information, and be able to continue to do so in virtually any circumstances.
    
In view of the ever-increasing dependence on information processing for service delivery, and the increasing threats posed by criminal action, natural disasters and human error, there is no room for complacency. A coherent, organisation-wide approach is required now.

Responsibility at the top
Most of the elements that fall under the umbrella of IA have traditionally been regarded as operational considerations, rather than strategic. For example, Data Protection – where arguably the legislation was well ahead of the real world threat – has often been considered a specialist area. Taken together, however, and in view of the threat posed by technology failure, human error, criminal action, terrorism and natural disasters, IA must now be seen as a corporate responsibility that has to be managed at the strategic level.
    
Even if the Civil Contingencies Act had not come into effect, it would be incumbent on local authority senior management and directors to implement best practice in defence of the organisation’s key assets (as information must now be regarded) and its customers’ best interests.
    
It is a sign of the times that the recent Criminal Justice and Immigration Act includes swingeing penalties for organisations that fail to protect data. And regardless of the law, the point is that if a local authority ceases to function effectively or its information assets are significantly compromised because of failures in information assurance, neither the media nor the public (let alone the Audit Commission) will be forgiving.
    
Your customers, your suppliers, partner agencies and other regional and national organisations you deal with – all have an interest in how you manage, make available and protect information. Often the information you hold is about them or belongs to them but you may be obliged to share it with others.
    
Suppliers, for example, need to be aware that contract confidentiality can be trumped by Freedom of Information legislation, and customers should arguably be made aware of your duties under the Money Laundering Regulations.
    
Of course, the scope of IA is very much not limited to legitimate contacts. Threats to the security of your information (both manmade and natural) can arise 24/365 and on a worldwide basis – the international hacker or pandemic should be as much part of your planning as the neighbouring council’s Children’s Services department.

Situational awareness
IA is clearly important in day to day working – ensuring staff follow data handling guidelines, keeping information and its processing tools available to those who need it when they need it, and out of the hands of those who don’t – but its truest test is when things go wrong.
    
However good your response plans for potential threats are, it is vital to have early warning systems in place and tried and tested response mechanisms that can be brought to bear rapidly and effectively. The early warning may come from external agencies (banks, the Met Office, a Warning, Advice and Reporting Point (WARP), or a software supplier), but it is vital that internal staff at all levels, including temporary staff, are empowered to pull a metaphorical communication cord.
    
It is equally vital that all staff and external advisors know whom to contact and how to contact them, and that there is a direct link to people who can take immediate and appropriate decisions. This is not about forming committees and checking rule books (though these have their place) – in many cases (as recent natural disasters have shown) speed of response is almost all that counts.

Aim high
Most formal security policies are based on attaining or emulating one of a plethora of competing and evolving standards – BS17799 and ISO27002 are two of the best known, and there is an Information Assurance Framework for e-Government services, currently under review. The danger with selecting any particular one is that – even with regular reviews built in – achieving it may breed complacency, and it is arguable that no current standard is rigorous enough.
    
Rather, you and your colleagues should base your IA policies and practice on the very best current practice and prevailing standards, both national and international. And even then, it is unlikely that you will be ahead of the game. Security is one of many areas where the criminal is always one step ahead. The international hacker will not feel bound to restrict him- or herself to techniques known to or approved by the British Standards Institute.

Organisational culture
Information Assurance can only succeed in an organisation with an information culture. It depends on people at all levels understanding the importance of information to the organisation, its customers, partners and other legitimate contacts, the potential value of that information to individuals or groups who should not have access to it, and the potential risks to the organisation and others should it become not available or available to the wrong people.
    
Cultural change is not achievable by diktat or overnight (or even just by bringing in consultants). Changing people’s behaviour and attitudes is a long-term process which can be started immediately but never completed. The starting point may be to educate your people to see information as an organisational resource like bricks and mortar, or cash in the bank. This is not such a difficult task – the bad guys get to understand it very quickly.
    
Training needs analysis is vital – as is ensuring that training is actually carried out (and that temps are included) and refreshed regularly. And of course, it is important to use technology to reinforce the security message – the more forward-thinking local authorities are using advanced ID management and authentication techniques, plus web-based security training and automated reminders.
    
Probably the biggest challenge is making people throughout the organisation always ready for the unexpected. Helping staff to anticipate how information might be misused, and how to react to new circumstances, could be a vital aid in securing the confidentiality, integrity and availability of your organisation’s information.
    
An effective Information Assurance policy is obligatory for local authorities. However, as with any cross-cutting initiative, it can be difficult to generate the necessary organisational momentum to make it happen. The Socitm Consulting briefing also contains recommendations for your IA policy. The briefing, “Information Assurance and the resilience agenda – an approach for local authorities”, is available free of charge from www.socitm.gov.uk/consulting.
    
Socitm Consulting is owned by the not-for-profit association, the Society of IT Management (Socitm) and provides business consultancy in the areas of information strategy and integration, effective change management and performance and efficiency improvement.