A few years ago, the public sector couldn’t buy a positive PR story about IT. Over-spending and over-running were familiar criticisms, with enterprise suppliers being rewarded handsomely for failure and government departments being regularly hauled over the coals by the National Audit Office. Fast forward to 2015 and it’s a much changed landscape. The change has been driven in part by the recent austerity era’s focus on real value-for-money and substantive savings; in part by the growing appreciation of Cloud computing; and in part by the overhaul of government IT procurement as evidenced by the evolving Cloudstore/G-cloud/Digital Marketplace buying frameworks. The result? A levelling of the playing field that has encouraged SMEs to engage with the public sector on an unprecedented level; a new spirit of innovation and ‘can do’ thinking permeating across the sector; a huge range of quality turnkey options from IaaS platforms and virtual desktops to hosted telephony and ‘Database as a Service’ (DBaaS); and more and more projects going live, largely unheralded, that are delivering new services and greater value to UK citizens.
Service providers looking to be successful in this space should be under no illusion: while it is rich in opportunity, it is uniquely demanding in its diligence. The sensitivities around data security in particular mean that providers need to make an on-going commitment to implement, manage and be audited against a number of recognised security standards and frameworks. This is in addition to demonstrating a robust, repeatable methodology for delivering services to a higher security level when required and, increasingly, to having the intimate knowledge of government criteria that translates into fit-for-purpose solution design. The reality is that a new generation of providers is being asked to host critical national infrastructure assets, such as NHS patient identifiable data; and in-house teams are having to get up to speed with the complexities of their own criteria. So you may have to excuse procurement teams’ obsessing over data security – they have every reason.
The thing is, if you understand their sensitivities, then you are already on the road to meeting those concerns. Achieving and maintaining recognised security standards is an obvious first base, but there are other things you can do to build trust, although actually, it probably comes down to one thing: making security your core ethos. In a world where strong units are brought down by weak links, you need to make data security your world, so it runs top-to-bottom, front-to-back, permeating every part of, and every person within, your business.
For data centres, that means facility provision predicated on ensuring that Confidentiality, Integrity and Availability (CIA) of services, data and associated assets are maintained at all times. CIA starts with:
- Physical security of all buildings, construction techniques, materials, generators, conditioning, cabling etc.
- Monitoring controls including building management systems, and access controls such as multi-factor authentication, so that access cards can be monitored throughout the facility and automatically disabled on departure
- Extensive CCTV coverage with retention policies to match – 90 days or more as a minimum – plus real-time interaction with card readers and motion sensors for automatic alerts of potential issues
- Appropriate horizon planning, where environmental risks such as flooding or sensitive buildings in proximity are reviewed and factored in
It must continue with a rigorous and verifiable approach to access control across both the physical and the logical. Multi-level security protocols for data centre visits and industry-standard mechanisms for system access, authentication and segregation are just the start because you need to be bulletproof. You must examine every aspect of your ‘inner workings’. At a minimum:
- keep access rights aligned with job role. When granting rights always follow a formal and auditable authorisation procedure
- ensure adequate detection, prevention and recovery controls to protect against malicious code
- arrange for equipment to be securely disposed of by a specialist company, with certificates obtained as proof
- separate out development, test and operational facilities to reduce the risk of unauthorised access or changes to operational systems
- keep tight restrictions on utility programs that could potentially override system and application controls
- put policies in place to protect information associated with the interconnection of business systems
- maintain audit logs recording user activities, exceptions and information security events for not less than three years
CIA demands that an organisation remains on the front foot at all times. It has to be active, not passive, constantly evaluating its own controls, its mandated standards and its performance against them. A public sector procurement team will not stop at the certificates on the wall; it will look at the organisational make-up, culture and behaviour to see if your day-to-day operations are truly defined by them.
So there will be points for a qualified security manager designating security roles and responsibilities. Indeed the momentum will drive its own meeting and review timetable: monthly security forum meetings, quarterly senior management review meetings, monthly internal security audits and six-monthly surveillance audits by BSI. Annual security training should be mandatory for all employees, as should exhaustive security risk assessments for all departments, whether these are internally or externally run.
What about personnel? How do you know who you are bringing into your data-sensitive organisation? Best practice would demand recent references, proof of identity and address and evidence of eligibility to work in the UK; and the granting of SC level clearance to any employee coming into contact with customer data. Contracts should have strict confidentiality agreements with zero tolerance for a breach; and once through the door, employees should only ever be given access to what they need in order to do their job.
Logical and physical access rights should undergo an authorisation process, reviewed regularly for validity; if a staff member changes role, those rights are revised as necessary, and if employment is terminated the rights are removed immediately.
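The access-rights lifecycle described here and in the checklist above (rights aligned with job role, granted through an auditable authorisation, revised on role change, removed on termination) lends itself to a periodic reconciliation of the access grants actually in force against the HR roster. The following is an added example, not code from the article or any named provider; the roster, grants, role matrix and approval references are all constructed sample data.

```python
# Added example (not from the article): a joiner/mover/leaver access review.
# Reconciles current access grants against the HR roster and a role matrix and
# reports what a reviewer must act on: leavers who still hold rights, rights
# outside the holder's current role, and grants with no recorded authorisation.

# Constructed role matrix: the entitlements each job role legitimately needs.
ROLE_ENTITLEMENTS = {
    "dc_engineer": {"dc_hall_a_door", "bms_console"},
    "dba":         {"prod_db_admin", "test_db_admin"},
    "developer":   {"test_db_admin"},
}

# Constructed HR roster: emp_id -> (current role, still employed?)
ROSTER = {
    "e001": ("dc_engineer", True),
    "e002": ("developer", True),    # moved from dba to developer
    "e003": ("dba", False),         # employment terminated
}

# Constructed access grants: (emp_id, entitlement, approval reference or "").
GRANTS = [
    ("e001", "dc_hall_a_door", "CHG-0042"),
    ("e002", "prod_db_admin", "CHG-0017"),   # stale right from the old role
    ("e002", "test_db_admin", ""),           # no authorisation on record
    ("e003", "prod_db_admin", "CHG-0009"),   # leaver still holds access
]

def review_access(roster, grants, role_entitlements=ROLE_ENTITLEMENTS):
    """Return sorted (finding, emp_id, entitlement) tuples for every grant that
    fails one of three tests: holder still employed, within role, authorised."""
    findings = []
    for emp_id, entitlement, authorised_by in grants:
        role, active = roster.get(emp_id, (None, False))
        if not active:
            # Terminated or unknown holder: the right should already be gone.
            findings.append(("LEAVER_RETAINS_ACCESS", emp_id, entitlement))
            continue
        if entitlement not in role_entitlements.get(role, set()):
            # Not justified by the current role, e.g. retained after a move.
            findings.append(("OUTSIDE_ROLE", emp_id, entitlement))
        if not authorised_by:
            # Every grant must trace back to a formal, auditable approval.
            findings.append(("NO_AUTHORISATION_RECORD", emp_id, entitlement))
    return sorted(findings)

if __name__ == "__main__":
    for finding in review_access(ROSTER, GRANTS):
        print(*finding)
```

Run against real exports, the roster and grant lists would come from the HR system and from each access-control system (door controllers, directory groups, database roles) rather than from the inline constants.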
What about business continuity? You need a documented plan – tested annually. It must cover all likely scenarios, whether resulting from a physical catalyst (weather), social (civil disorder, pandemic) or technical (cyber attack, vandalism). And you need to prove beyond doubt that disruption brings no risk of security compromise.
Last but not least, and undoubtedly the focal point of effort, there’s the on-going management, evaluation and refinement around specific accreditations. These typically revolve around:
- Business Impact Level (BIL) for the secure transit and storage of HMG information and services
- Department of Health IGK for the storage and processing of patient information
- ISO 27001, which should drive a holistic approach to information security management and touch everything from incident management to data handling policies
- ISO 9001, guaranteeing quality through consistency of operation and service delivery
- ISO 31000, the international standard for risk management, which public sector suppliers might choose to enhance with supplementary controls from the Government’s own Management of Risk (MoR) framework
- PCI-DSS accreditation for hosting services for credit card and payment storage
Providers looking to increase their market presence in the public sector must get used to holding a mirror up to their business. They need to identify whether their processes are working and take remedial action where necessary. While much of the project risk now sits with suppliers, it doesn’t mean that the public sector procurement team is no longer invested. They want a successful outcome, for the UK citizenry, their department, their reputation. The move to more cost-effective, more nimble but often smaller providers will, for some time to come, leave a question mark – are they good enough? Can they be trusted? Is our hugely sensitive data safe in their hands?
Providers need to make that question mark redundant – but they should not underestimate the size, scale or specifics of the CIA challenge.