The IA Trinity an Expanded View


© Mark Brett, Honorary Visiting Fellow, Cyber Security Centre, De Montfort University

November 2014

Brett M (2014), DMU CSC, The IA Trinity


Table of Contents

The IA Trinity
1.1. Introduction
1.2. Beyond the Dot-Com Bubble
1.3. The Rise of Cyber Crime
Information Governance Roles & Responsibilities
1.4. Technical Controls
1.5. Data Sharing Protocols
1.6. The IA Trinity
Glossary
References


The IA Trinity

1.1. Introduction

Over the past ten years, Local and Central Government in the UK has moved toward electronic transactions and processing for many local public services [1]. Some services requiring physical delivery, such as delivered meals and refuse collection, cannot be fully e-enabled; everything else is moving in that direction as a way to cut cost and improve service efficiency [2]. The current UK Government policy of "Digital by Default" [3] also supports this approach.

When originally looking at the conditions required to successfully deliver local service innovations, a conceptual framework (in the sense of Miles & Huberman 1994 [4]) was developed (Brett 1998 [5]) which explored a number of variables that contributed to innovation and service improvement:

[Figure: Service Innovation Cycle, (c) Mark Brett Aug 1999. Labels recoverable from the diagram: Service Planning, Service Delivery, Major Service Change, Continuous Improvement, and the steps Educate, Inform, Consult and Deliver.]

This was adequate when looking at the actual delivery components moving through an innovation cycle [6], and as the approach recommended by Osborne & Gaebler in Reinventing Government [7]. However, as we moved into more complex shared services and the sheer pace of change accelerated, other components have become necessary, especially around Information Assurance.


1.2. Beyond the Dot-Com Bubble

The dot-com bubble [8] brought a huge amount of change, supported by the pervasive availability of broadband [9] and the increase in the available speed of mobile broadband [10].

Likewise, the costs of mobile devices and laptops have fallen significantly over the past ten years. We have also seen the rise in use of tablet devices and the consumerisation of IT in general [11].

All of these factors have changed the way we think about and use ICT in our daily lives: no longer a luxury, but generally accepted as a utility technology, in terms of both the devices and the network access [12].

1.3. The Rise of Cyber Crime

Cyber crime began to emerge as a real threat around five years ago [13] and is now a key part of the UK Cyber Security Strategy [14]. The UK Defence Review [15] also recognises cyber as a key defence objective for the UK, in support of a safe and vibrant UK digital economy. Criminals generally follow the money [16]; one consequence of this is that the rise in e-commerce has made the cyber domain attractive to criminals [17].

The cyber domain now provides easy pickings for criminality through the exploitation of digital systems [18], especially through malicious emails (malware), attacks on web sites and the interception of wireless signals to steal credentials (user names and passwords) [19].

Combating these attacks requires a holistic approach to Information Security and Assurance [20]; as such it is wise to consider these issues across three domains:

• Information Governance Roles & Responsibilities
• Technical Controls
• Data Sharing Agreements


Information Governance Roles & Responsibilities

The loss of the HMRC CDs in late 2007 [21] sparked the HM Government Data Handling Review, which in turn led to the Cabinet Office report on data handling [21] and the supporting guidance from CESG referred to as IAS6 [22]. The Cabinet Office at that point mandated the roles of Senior Information Risk Owner (SIRO) and Information Asset Owner (IAO) [23]. The major adoption of this approach in the Wider Public Sector (WPS) has been by Health, as part of its Information Governance Toolkit (IGT) [24].

In Local Government, the drive towards the SIRO and IAO roles has been supported by the Data Handling Guidance (Brett 2012) and the move toward a single consolidated Government network called the PSN (Public Services Network) [25]. The PSN will in time cover HMG, Health, Police and other areas of the WPS.

The PSN Code of Connection (CoCo) has a number of technical controls, explored in the next section; some of these cover the need for an organisational Risk Management Regime (RMR). The RMR requires both a SIRO and IAOs to be appointed. The LPSDHG additionally supports the approach of having a Corporate Information Governance Group (CIGG).

The CIGG meets quarterly and discusses corporate information risk issues and any information security breaches. This in turn allows lessons learned to be applied and service process improvement to take place.

1.4. Technical Controls

The concept of technical controls to support Information Security is nothing new; they go right back to BS7799 [26].
Subsequently this led to the whole series of ISO 27000 standards which support Information Security and Assurance. There is an excellent website with ISO 27000 resources at: http://www.iso27001security.com.

The PSN CoCo has a range of technical controls that need to be in place to support good security practice and PSN compliance. ISO 27001 is the commercial standard; it likewise has a set of controls supporting an Information Security Management System (ISMS), which are expanded in ISO 27002. Recently, HMG and industry have developed the Cyber Essentials Scheme [27] for SMEs as a light-touch alternative to ISO 27001. In October 2014, the Cyber Essentials standard was mandated for all suppliers to HMG supplying Information Assurance services to Government [28].

The controls referred to here also include personnel and procedural controls, not only purely technical ones; these are all detailed in the LPSDHG and on the HMG CPNI website [28].


1.5. Data Sharing Protocols

Many parts of HMG and the WPS in the UK are involved in shared services, delivered as part of their efficiency agenda [29]. There are a number of key pieces of UK legislation which cover shared services, Information Assurance and security:

• Data Protection Act (DPA)
• Freedom of Information Act (FOI)
• Care Records Act (CRA)
• Official Secrets Act
• Computer Misuse Act
• Human Rights Act

The key piece of legislation which affects all ICT systems containing personal information is the Data Protection Act 1998 (DPA). The DPA [30] requires that all information is collected with legal authority, is fit for purpose, is only collected for the reason stated and is only kept for as long as needed. The information collected must be accurate and of sufficient quality, and sufficient technical measures must be in place to look after it.

1.6. The IA Trinity

The contention is that without all three elements being in place, an organisation cannot have an effective Information Governance regime.

Without the governance roles in place, there will not be the leadership and drive necessary to implement and maintain the conditions for effective governance.

Without the technical controls, the current risks and threats will compromise the information, leading to data breaches and exfiltration.

Without Data Sharing Agreements in place, there is no guarantee that the other party will safely and appropriately look after the information with the correct technical measures.


Glossary

CRA    Care Records Act
CESG   Information Security arm of GCHQ
CIGG   Corporate Information Governance Group
CoCo   Code of Connection
DHG    Data Handling Guidance
DPA    Data Protection Act
FOI    Freedom of Information Act
HMG    Her Majesty's Government
IAO    Information Asset Owner
ICT    Information Communications Technology
IGT    Information Governance Toolkit
ISMS   Information Security Management System
LPSDHG Local Public Services Data Handling Guidelines
PSN    Public Services Network
RMR    Risk Management Regime
SIRO   Senior Information Risk Owner
WPS    Wider Public Sector


References

Brett M. (2014) Local Public Services Data Handling Guidelines (Version 3). www.nlawarp.gov.uk

Brett M. (2012) Local Government Data Handling Guidelines (Version 2), PSN. www.gov.uk

Brett M. (2011) Information Management Assurance & Governance: a Framework for Transformational Improvement. www.nlawarp.gov.uk

Miles & Huberman, Qualitative Research … http://www.theculturelab.umd.edu/uploads/1/4/2/2/14225661/miles-huberman-saldana-designing-matrix-and-network-displays.pdf

Osborne & Gaebler (1993) http://mtprof.msun.edu/Fall1993/Lock.html

1  Transforming Public Services. http://www.local.gov.uk/documents/10180/11553/Transforming+public+services+using+technology+and+digital+approaches/ab9af2bd-9b68-4473-ac17-bbddf2adec05

2  https://www.gov.uk/government/publications/government-digital-strategy/government-digital-strategy

3  Digital by Default. https://www.gov.uk/service-manual/digital-by-default

4  Conceptual Framework, Miles & Huberman. http://www.sagepub.com/upm-data/48274_ch_3.pdf

5  Brett M. (1998) User Led Innovation in Local Government Service Delivery (MRes dissertation), University of North London.

6  Innovation Lifecycles. http://www.innovation-point.com/Innovation_Lifecycles.pdf

7  David Osborne & Ted Gaebler (1992) Reinventing Government. Addison-Wesley Publ. Co. http://www.scottlondon.com/reviews/osborne.html

8  http://www.nethistory.info/History%20of%20the%20Internet/dotcom.html

9  http://firstmonday.org/ojs/index.php/fm/article/view/4066/3355

10  http://www.ericsson.com/res/docs/2012/the-state-of-broadband-2012.pdf

11  https://www.redhat.com/enterprisers/Consumerization_of_IT_Executive_Summary_RedHat.pdf

12  McKinsey report on the social economy

13  https://www.europol.europa.eu/sites/default/files/publications/europol_iocta_web.pdf

14  https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/60961/uk-cyber-security-strategy-final.pdf

15  https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/62482/strategic-defence-security-review.pdf

16  http://www.dailymail.co.uk/home/moslive/article-2260221/Cyber-crime-Your-currently-targeted-criminal-gangs-looking-steal-money.html

17  http://resources.infosecinstitute.com/2013-impact-cybercrime/

18  https://www.kpmg.com/Global/en/IssuesAndInsights/ArticlesPublications/Documents/cyber-crime.pdf

19  http://www.blackhat.com/us-13/briefings.html

20  http://www.boozallen.com/media/file/sp1_mcconnell.lo.pdf

21  http://news.bbc.co.uk/1/hi/7104368.stm

22  CESG documentation

23  http://www.nationalarchives.gov.uk/documents/information-management/role-of-the-iao.pdf

24  https://www.igt.hscic.gov.uk/about.aspx

25  http://www.nlawarp.gov.uk/LPSDHG.pdf

26  http://www.infosecwriters.com/text_resources/pdf/i_defence_BS7799_Whitepaper.pdf

27  https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/317480/Cyber_Essentials_Summary.pdf

28  https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/368247/Cyber_Essentials_Scheme_draft_PPN_28_10.pdf

29  https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/83717/19284_Next_Generation_3rd_Online.pdf

30  http://ico.org.uk/for_organisations/data_protection/the_guide/the_principles
