Archive for 'E. Market Comment'

Stuart King makes a good point about ISO 27001 providing the basis of public sector information security. The public sector oil tanker knows where it is heading, but it is still very much in the process of making its turn. Being the public sector, there may be deviations and hazards en route.

There is, in my opinion, very much a disconnect at present between talk at the policy-maker level in government and action at the local authority or county court house level. Platform speakers at the CIPCOG conference in York in February essentially confirmed that a new age of information security focus had arrived. However, our data destruction sales team regularly finds that knowledge and demand at the purchasing coalface within the public sector is poor, and well behind where the policy makers would have you believe it is.

This is partly caused by the fact that information security is not seen as an enabler by civil servants. New rules mean, for example, that they can no longer copy files onto a memory stick in order to work from home. Take-up of information security measures will therefore be enforced rather than spontaneous or voluntary.

Likewise, take-up in the private sector will be driven by government requirements placed on larger Tier 1 providers, with a trickle-down effect through the private sector. Suppliers further down the food chain will eventually have to comply and implement information security themselves. If they try to do that at present, they will find it a real challenge because of the lack of straightforward and concise guidance available on ISO 27001.

I hope that this blog will play a part in filling that gap by making ISO 27001 more accessible and understandable.

You don’t need to work in the secure data destruction industry to know that councils and other bodies have been losing sensitive data. Here’s what is meant to be happening to local authority information security.

The National Information Assurance Strategy (NIAS) was published on 27th June 2007 to chart a way to expanding e-government across departments. This was published before the HMRC leak, which took place on 22nd November 2007.

In light of both of these, the Data Handling Procedures in Government Final Report Review (SPF70, the Security Policy Framework) was produced by the Cabinet Office in November 2008.

Presently, local authorities must comply with the Information Assurance Maturity Model before they are given access to GCSx (a large secure network, essentially managed by the Department for Work and Pensions). In order to be connected, local authorities must comply with a Code of Connection (CoCo).

There are five stages in local authority compliance with the Code of Connection. The first is a basic set of information assurance measures called the Minimum Mandatory Measures. Only two thirds of local authorities have met this first information security goal. More on this in the next post.
