Although the name is relatively new, information assurance has been a discipline within the public sector since the 1970s. It provides guidance on how government organizations can adhere to the three pillars of confidentiality, integrity and availability (C-I-A).
Public sector bodies are all too aware of the potential risks to their sensitive data, whether as stolen laptops, lost memory sticks, or CDs lost in the post. The consequences of misplaced data are well-known to the general public, too, thanks to incidents regularly reaching the headlines. Less visible is the fact that every month a public sector department experiences some form of data leak; according to the UK’s Information Commissioner’s Office (ICO) annual report for 2011, there were 32 notifications for central government, and 146 for local government. Monetary penalties were enforced against three councils.
Today, the risk of unwelcome outcomes from such data breaches continues to be a problem for public sector organizations. Indeed, lost data was in the spotlight once again in October following the admission by Surrey and Sussex Healthcare NHS trust that it had lost an unencrypted memory stick containing 800 patients’ confidential data in 2010, along with nine other ‘near misses’, according to the trust’s 2010/2011 annual report.
Now that reporting of such incidents is mandatory, and the ICO has statutory enforcement powers over public sector bodies, there is every incentive to ensure compliance. However, regulation continues to be tightened at all levels:
- EU level: European Commission will come forward with proposals to reform the 1995 Data Protection Directive by the end of January 2012 – and a corresponding revised Data Protection Act is expected
- UK Government sector: the requirement for memory sticks to be encrypted
- Commercial sector: further encryption requirements for payment card data under the PCI Data Security Standard – this affects public sector organizations that process credit and debit card data
But the change is two-sided – information assurance has changed too. Being risk-based, it allows organizations significant flexibility in deciding how security requirements are met. For example, with the right security measures in place, remote working becomes a practical and realistic option, whereas before it may have been regarded as too challenging from an IT perspective. If employees can work securely from home, satellite offices, or on the move, this means resources are freed up – and overheads can be reduced – while enabling a better work-life balance for staff.
Within a diverse workforce, different employees have different IT needs. This means enabling different classes – or risk levels – of data to be handled securely, but with a solution that won’t unduly restrict access or productivity. When budgets are constrained, this is achieved by spending on technology that is proportionate to the risk involved, and tiering access accordingly.
Similar choices are available when organizations need access to central government resources under the UK’s Code of Connection (CoCo). Here, information assurance also applies to product vendors – organizations may need to choose between products that have been certified under the Common Criteria scheme, or another UK Government product security certification scheme. These UK schemes are being reorganized at this time, so organizations should contact their security advisors and consult with current product vendors.
More than ever, information security is about understanding the business need, and making the right choices. The wrong kind of security isn’t just wasteful – it cramps flexibility and lowers productivity. Information assurance helps avoid this waste, by allocating enough time, effort, and money to the right security objectives – and just that.
Chris Mayers is chief security architect with Citrix Systems, Inc. He has worked in the software industry for 30 years, and has been with Citrix since 1998. Previously, Mayers was a consultant with Digitivity/APM, specializing in security in distributed systems. He is a member of the Institute of Information Security Professionals.