Page 1: Government Information Security Review - Update Microsoft CISO Council September 2008.

Government Information Security Review - Update

Microsoft CISO Council, September 2008

Page 2

Disasters!

• February 2007 – Nationwide fined £980k by FSA
• March 2007 – TJX discovers loss of 45m credit card details
• April 2007 – DoH Medical Training Applications Service (poss 34k)
• May 2007 – DVLA loses hard drive in Iowa processing (3m)
• May – November 2007 – FCO visa website flaw (50k applicants)
• November 2007 – HMRC loses copy of UK Child Benefit System (7.5m families)
• November 2007 – Facebook Beacon climbdown
• November 2007 – Land Registry removes copies of deeds etc. from Land Register Online (£12m)
• December 2007 – Norwich Union Life fined £1.2m by FSA
• January 2008 – MoD loses TAFMIS laptop (600k)
• etc., etc…

Page 3

Reviews Published

Kieran Poynter – June 2008 http://www.hm-treasury.gov.uk/independent_reviews/poynter_review/poynter_review_index.cfm

Sir Edmund Burton – June 2008 http://www.mod.uk/nr/rdonlyres/3e756d20-e762-4fc1-bab0-08c68fdc2383/0/burton_review_rpt20080430.pdf

Sir Gus O’Donnell – June 2008 http://www.cabinetoffice.gov.uk/reports/data_handling.aspx

Richard Thomas & Dr Mark Walport – July 2008 http://www.justice.gov.uk/reviews/datasharing-intro.htm

Page 4

Summary - HMRC - The Investigation

Specifics
‒ Setting of precedent
‒ Failure to adhere to ‘SPOC’ protocol
‒ Prioritisation of other concerns above security risk
‒ Failure to redact data
‒ Absence of appropriate authorisation
‒ Use of insecure methods of data storage and transfer

General
‒ Weakness in specific security policies
‒ Inadequate awareness, communication and training in IS
‒ Lack of clarity around governance and accountability in data guardianship

Page 5

Summary - HMRC - The wider review

Information security was not a management priority

Even if it had been, governance and accountability would have made it difficult

Fragmentation and complexity in formation of HMRC made IS hard to control

Policies inadequate, complex, and not translated into guidance for junior staff

Page 6

Summary – MoD

51 Recommendations

‒ Processes – 31

‒ People – 11

‒ Training and Education – 5

‒ Technology – 3

‒ Other - 1

Page 7

CO Data Handling Review

Core measures to protect personal data and other information across Government;

A culture that properly values, protects and uses information;

Stronger accountability mechanisms within Departments; and

Stronger scrutiny of performance.

Page 8

Departments & Agencies must

Use protective measures, such as encryption and penetration testing of systems;

Understand and manage their information risk, identifying the key individuals responsible for information assets and setting out their responsibilities;

Undertake quarterly risk assessment of the confidentiality, integrity and availability of information;

Train all staff involved in handling personal data, with training taking place on appointment and reinforced on an annual basis;

Carry out Privacy Impact Assessments when introducing new policy or processes that involve the use of personal data;

Include information risk in Statements on Internal Control, scrutinised by the National Audit Office;

Provide clarity to citizens about the use and handling of personal data through Information Charters; and

Report annually to Parliament.

Page 9

Thomas – Walport Data Sharing Review

There is a lack of transparency and accountability in the way organisations deal with personal information

There is confusion surrounding the Data Protection Act, particularly the way it interacts with other strands of law

Greater use could be made of the ability to share personal data safely, particularly in the field of research and statistical analysis

The Information Commissioner needs more effective powers, and the resources to allow him to use them properly.

Page 10

Observations…

Page 11

Bob Tarzey, Quocirca
Sept 17th 2008
For Microsoft CISO Forum

Analysts: how to capitalise on relationships

Page 12

Business & IT Analysis

Copyright 2008 Quocirca Ltd

What is an industry analyst and where do they come from?

• Analysts are:
– Market watchers
– Market influencers
– Futurologists

• Analysts are not:
– Journalists (some write for the media)
– IT directors/workers
– Vendor representatives

• But they may come from any of these backgrounds or be career analysts

Page 13

Analyst companies

• Global brands – Gartner, Forrester, IDC
• Regional analyst houses – e.g. Quocirca, MWD
• Domain specialists – e.g. Cambashi, Canalys
• Analyst relations organisations

• 380 high tech analyst companies worldwide with 3,000+ analysts (Tekrati, 2005)

Page 14

How do analysts influence buyers of IT?

• Direct
– Retainers/subscriptions
– Projects
– Direct discussions

• Indirect
– Reports
– Presentations, seminars, webinars
– Media work
– “Web 2.0” – blogs, Twitter…

Page 15

What analyst houses do

• Produce numbers
– Market research
  • X units of these products were sold in 2008
  • The market for these products will be $n in 2009
– ROI and TCO studies
– Product comparisons

• Elicit opinion
– IT managers say budgets are being cut
– CISOs say security could be improved
– Business outsourcing more IT
– Perceptions of this technology are…

• Report and present findings

Page 16

Analyst sources of information

• Primary research
– Telephone
– Web based

• Secondary research
• End-user discussions
• Vendor briefings
• Industry events
• Channel
• Media
• Industry bodies
• Other sectors
• Legal
• Insurance
• Other forums

Page 17

How analysts make money

• User side
– Subscriptions
– Paid-for reports
– Consultancy
– Projects

• Vendor side
– White papers
– Research
– Presentations
– PR work
– Strategic advice

• VCs

Page 18

Individual analysts

• Technology specialists
– Storage, servers, mobility…

• Application specialists
– CRM, security, SaaS…

• Market specialists
– Financial services, retail, SMB…

• Generalists

• Business-focused analysts

Seek the right analyst for the right advice

Page 19

Paid versus free advice

• The Google effect
– Lots of analyst content is now free
– The internet has changed funding models
– Content is open to businesses of all types

• Media-reported content – most analysts don’t advertise

• There is still a lot of material that you can only see if you pay

If your organisation has a subscription to Gartner etc., hours of advice are often included but may go unused

Page 20

Bob [email protected]

Thank you
