Back to basics
Mike Gillespie, Advent IM
The seemingly endless stream of data breach stories still splashed across the headlines makes you wonder just how seriously public authorities are taking government directives on information lifecycle management and security.
Does anyone remember the Cabinet Office directive that stipulated all central government departments had to comply with the BS7799 (now ISO27001) risk management framework by the end of 2003? Or priority outcome G19 of the Implementing Electronic Government (IEG) programme, which emanated from the Department for Communities and Local Government (formerly the Office of the Deputy Prime Minister) and came into force in March 2006?
That directive required local government to implement BS7799 as well as the ISO15489 standard for records management, and to fill in self-certification forms to say they had done it. "It" meant undertaking risk and gap analyses, performing information audits, classifying data so that it could be managed properly, and so on. It certainly didn't mean just installing a records management system and transferring information from one database or file to another.
And despite the additional funding that self-certification has generated over the last few years, it would seem fairly obvious to the casual observer that most organisations simply haven’t got round to doing the half of it, otherwise we wouldn’t be in this mess today. But that’s lack of auditing for you.
My big concern with all of this though is that everyone seems to see this endless data breach situation as a technology issue when really what it boils down to is an attitude problem. The question that I have is how do organisations think they can go about protecting corporate information effectively if they don’t even know what they’ve got, where it is, how sensitive it is or even why it’s being held?
But try talking to senior managers about the importance of data flows and getting their information strategy right and you’ll see how quickly you can make them yawn as their eyes glaze over and they start dreaming about their holidays. They may ultimately be accountable for what happens to their corporate data, but they certainly aren’t taking the matter seriously. Much easier to hand the whole mess over to the IT department and let them get on with it, even if they don’t happen to be the data owners and don’t have the authority to go round changing business processes and procedures.
But this, in turn, raises the question of what’s the point of wasting money on protecting information that shouldn’t be there in the first place? You can’t automate away someone’s stupidity if they decide to leave sensitive documents on ministerial PCs that end up being stolen, particularly if they’re holding such information in knowing breach of data protection codes.
So the issue, as far as I can see it, is that while spending tens of thousands of pounds putting encryption software on a laptop may seem like a quick and clever fix, it isn't going to solve the root cause of the problem: poor information management.
To tackle that one effectively, there really has to be senior management buy-in, not least because it costs money. The poor beleaguered IT department may be doing its best, but resources are limited. What is needed is proper ring-fenced funding and a deep institutional understanding that responsibility lies firmly in the laps of stakeholders. This is a problem that simply can’t be addressed by technology alone. Technology will enable change, but it can’t generate it. So as one ill-fated Tory Prime Minister once said, what we really need to do now is just get back to basics.