18. ISO 27001 in the Public Sector – The Case for ISO 27001

Chapter 18. ISO 27001 in the Public Sector

Executive summary

Public sector organizations typically face higher threat levels than the private sector. All the threats identified earlier in this book apply, and with greater force. In addition, many public sector organizations are subject to very specific requirements in terms of their information security structures.

UK Public sector organizations

The CSIA (Central Sponsor for Information Assurance) is the UK Government’s Cabinet Office unit that is charged with working with the public and private sectors, and with its international counterparts, to safeguard the UK’s IT and telecommunications services. Specifically, the CSIA’s role is to provide a central, national focus for information security, and its mission includes encouraging the private sector to develop a ‘culture of security’.

Its specific aims are to:

‘Provide a strategic direction for Information Assurance (IA) across the whole of the UK

Co-ordinate and complement the activities of parties contributing to IA

Sponsor activities that benefit the development of IA

Accredit pan-government systems and in some cases, such as the Government Secure Intranet, own the risk to shared information

Identify and address vulnerabilities of national telecommunications systems and progress their resolution through a work programme, in conjunction with government departments or other involved organizations.’[21]

Government departments and other organizations involved in the protection of the UK’s critical information infrastructure (finance, telecommunications, utilities, emergency services, etc.) include:

National Infrastructure Security Co-ordination Centre (NISCC)

National Hi-Tech Crime Unit (NHTCU)

Home Office

Department of Trade and Industry

Communications-Electronics Security Group (CESG)

The Cabinet Office

All UK central government departments are required to meet internationally recognized information security management standards (e.g. ISO 27001) for their systems. The Cabinet Office’s e-Government Interoperability Framework (e-GIF) defines the technical policies and specifications governing information flows across government and the public sector. The CSIA has also produced and maintains security framework documents which provide key guidance for both central and local government on providing secure online services, and these are available online from the publications section of the CSIA Website.

The CSIA works with other government departments to maintain emergency telecommunications planning and business continuity plans, and works with business to address the vulnerabilities of public sector and commercial telecommunications systems as well as those of the financial and banking sector.

The public sector collects and holds substantial quantities of data on a daily basis. Some of it is extremely sensitive and personal, and the government is required to protect its confidentiality. Patient health records, social service details, tax returns: all are held on information systems. Private sector organizations also handle personal data and are required to comply with the legislation governing the protection of that information.

Government departments are also subject to the Data Protection Act, the Human Rights Act and the Freedom of Information Act. This means that government information systems must protect the information they handle, make the correct information available when it is required, and restrict its use to those people who are authorized to have access to it. The Department for Constitutional Affairs has published guidance on Data Sharing in the Public Sector (see www.dca.gov.uk).

The UK central government has rolled out a secure intranet, the Government Secure Intranet (GSI), for its telecommunications and e-mail services and Internet access. The GSI has been running since 1997. It imposes specific obligations on those organizations that wish to join it. It includes scope for local government and other government agencies to join, with the objective of ‘creating a wider reaching, more secure and joined-up government service’.

The Cabinet Office requires central government departments to appoint a board level Senior Information Risk Owner who is responsible for ensuring that departmental information security procedures are managed appropriately. In practice, these procedures need to be based on the controls of ISO 27001, although they need not be identical to them, because there are specific central government versions of those controls.

The Office of the Deputy Prime Minister (ODPM) is encouraging local government to meet the same standards. Local authorities are obliged to comply with what is now ISO 27001 by 2005 as part of their Implementing Electronic Government (IEG) requirements. There is more information on electronic government on the ODPM Website at www.localegov.gov.uk.

Freedom of Information legislation

Nearly sixty countries around the world have passed some form of freedom of information legislation, which curtails government secrecy and requires specific categories of information to be made public in response to specific requests. Another forty countries are reportedly working toward freedom of information legislation. Most of these countries have an information commissioner who is responsible for monitoring and enforcing the legislation. Usually, only public bodies are covered by such legislation, and they can mostly be expected to comply with it; certainly, public sector organizations that defy freedom of information legislation can expect to be publicly pilloried and relentlessly pursued under the terms of the enabling legislation. Private companies, however, should note that one clear consequence of this type of legislation (the UK’s Freedom of Information Act 2000 is a case in point) is that details of their previously confidential public sector tenders and contracts can now be made public, irrespective of any earlier confidentiality clauses.

Board issues in the public sector

A key issue for public sector organizations is to reconcile three things: the bureaucracy involved in implementing central government initiatives, the likelihood that the organization’s board will not include any individual with current or meaningful information security experience, and the fact that central government is an even more enticing target for the world’s wrongdoers.