Plugging the gap

Recent high-profile security breaches involving the loss of personal data have led to headlines most would wish to avoid. The serious impact of these breaches is putting pressure on departments and agencies to take immediate measures to demonstrate they are adequately protecting the public’s personal information.

Widespread media coverage has helped raise the public’s awareness of information protection to an all-time high. The public now firmly believes that maintaining the privacy, confidentiality and integrity of their personal information is an important commitment that the government needs to make in order to retain their trust. In addition, there is the challenge of having to comply with the growing complexity of regulations and legislation such as the UK Data Protection Act (DPA) and the MPS (Cabinet Office Manual of Protective Security). The Information Commissioner in particular is calling on UK chief executives to take the security of employees’ and customers’ personal information more seriously.
    
Speaking at the launch of his annual report in London, Richard Thomas, Information Commissioner stated: “Over the last year we have seen far too many careless and inexcusable breaches of people’s personal information. The roll call of banks, retailers, government departments, public bodies and other organisations that have admitted serious security lapses is frankly horrifying.” The Information Commissioner added: “Business and public sector leaders must take their information protection obligations more seriously. The majority of organisations process personal information appropriately – but privacy must be given more priority in every UK boardroom.
    
Organisations that fail to process personal information in line with the principles of the Data Protection Act not only risk enforcement action by the ICO, they also risk losing the trust of their customers.”

The challenge
The effective storage and management of personal information is essential in order to provide a better service to the public. However, there are a number of challenges that need to be overcome in order to prevent information leakage:

  • Central and local government and agencies have stored information on citizens for many years. However, the rate of growth in information has never been greater as national programmes are introduced in health, education and transport and as the government increasingly transacts with the customer online. The result is the storage and use of huge amounts of sensitive customer information, often across distributed and separately managed systems. This creates a huge challenge to know in any detail what customer information is being held, where it is being held, how it is being used, whether it is proportionate, and how to manage access.
  • Whilst the need for information security has long been a requirement for all central and local government and agencies, many are still struggling to embed information security processes within their organisations. This has left them exposed at a time when both the rate of technology change to service and support the customer, and the level of media and public scrutiny are at their greatest.
  • Government is increasingly looking to ‘join up’ and transform the services offered to citizens. Personal information is being shared between departments and agencies and is accessible by thousands of public sector employees. In addition, data is being shared with the private sector, whether this be with insurance companies and banks, private healthcare providers, or other services. This increased connectivity and availability of access makes it harder for organisations to know where data is stored and who is accessing it.
  • Consistently driving through an education and awareness programme is difficult in organisations that have large numbers of employees in very different roles.

Addressing the issue
There are a number of steps that can be taken to help define the nature and scale of the challenge as it applies to your organisation; steps that help raise the profile of personal information security and secure the senior management commitment that is vital to effect change.
    
The first step in understanding how well your organisation currently manages client information is to establish clearly where within your organisation that information is stored, who is using it and for what purpose. Once the scope of the organisation’s customer information environment is understood, a detailed review needs to be carried out. Typically these assessments include reviewing security controls in the following areas:

  • Physical security
  • Logical security
  • Personnel security
  • Third-party security

It should be noted that this is not a pure “tick in the box” exercise. It is about getting a feel for the security culture and maturity of the organisation.
    
Deloitte’s Security & Privacy professionals have performed many information security reviews and assessments, building up a wealth of knowledge in the information security and compliance space. In addition, we have recently been helping a number of clients in both the public and private sectors to assess their position in relation to information leakage and theft. Our professionals also possess UK government CLAS and CHECK accreditation, National Security vetting, CISA or CISSP certifications and have extensive knowledge and experience in helping our clients meet regulatory requirements such as DPA, MPS, and Sarbanes-Oxley.

For more information
Contact Ross Cattell: rcattell@deloitte.co.uk or visit www.deloitte.co.uk/security