Protecting information across government

Similar documents
Cyber Security Strategy

The Defence Nuclear Enterprise: a landscape review

Security and Privacy Governance Program Guidelines

THE CYBER SECURITY ENVIRONMENT IN LITHUANIA

Information Security Controls Policy

NIS Directive : Call for Proposals

PREPARE FOR TAKE OFF. Accelerate your organisation s journey to the Cloud.

POSITION DESCRIPTION

Progress of the National Cyber Security Programme

SCHEME OF DELEGATION (Based on the model produced to the National Governors Association)

The UK s National Cyber Security Strategy

Position Description. Computer Network Defence (CND) Analyst. GCSB mission and values. Our mission. Our values UNCLASSIFIED

CYBER RESILIENCE & INCIDENT RESPONSE

ENISA EU Threat Landscape

Public Safety Canada. Audit of the Business Continuity Planning Program

Data Sheet The PCI DSS

Digital Health Cyber Security Centre

Incentives for IoT Security. White Paper. May Author: Dr. Cédric LEVY-BENCHETON, CEO

Reviewed by ADM(RS) in accordance with the Access to Information Act. Information UNCLASSIFIED.

Purpose. Executive summary

Role Type Pay Band Location Duration Reports to: To manage, enhance and embed the British Council Nigeria Security Risk Management function.

STAFF REPORT. January 26, Audit Committee. Information Security Framework. Purpose:

NATIONAL INFRASTRUCTURE COMMISSION CORPORATE PLAN TO

REPORT 2015/149 INTERNAL AUDIT DIVISION

Proactively released by the Minister of Internal Affairs

Automatic Number Plate Recognition (ANPR) ANPR Strategy Infrastructure Development

Reducing Risk and Building Capacity

Director, Major Projects and Resilience. To: Planning and Performance Committee 6 November 2014

Audit of Information Technology Security: Roadmap Implementation

NHS Gloucestershire Clinical Commissioning Group. Business Continuity Strategy

New Zealand National Cyber Security Centre Incident Summary

Single Academy Trust Structure

Heads of Internal Audit Webinar. Integrated Assurance. 24 July In partnership with

Implementation Strategy for Cybersecurity Workshop ITU 2016

Information backup - diagnostic review Abertawe Bro Morgannwg University Health Board. Issued: September 2013 Document reference: 495A2013

FIRE REDUCTION STRATEGY. Fire & Emergency Services Authority GOVERNMENT OF SAMOA April 2017

ICB Industry Consultation Body

NATIONAL CYBER SECURITY STRATEGY. - Version 2.0 -

DATA PROTECTION SELF-ASSESSMENT TOOL. Protecture:

Institute of Internal Auditors 2019 CONNECT WITH THE IIA CHICAGO #IIACHI

Information Security Strategy

Stopsley Community Primary School. Data Breach Policy

Government Resolution No of February 15, Resolution: Advancing National Regulation and Governmental Leadership in Cyber Security

Regulating Cyber: the UK s plans for the NIS Directive

Office of the Minister of Broadcasting, Communications and Digital Media Chair, Cabinet Appointments and Honours Committee

SECURING THE UK S DIGITAL PROSPERITY. Enabling the joint delivery of the National Cyber Security Strategy's objectives

LEADERSHIP GROUP LG (2017) Paper October 2017 RESILIENCE BOARD

National Policing Community Security Policy

OFFICIAL COMMISSIONING OF SECURITY SYSTEMS AND INFRASTRUCTURE

SOC for cybersecurity

STRATEGY ATIONAL. National Strategy. for Critical Infrastructure. Government

Thailand Digital Government Development Plan Digital Government Development Agency (Public Organization) (DGA)

COUNCIL OF THE EUROPEAN UNION. Brussels, 24 May /13. Interinstitutional File: 2013/0027 (COD)

TURNING STRATEGIES INTO ACTION DISASTER MANAGEMENT BUREAU STRATEGIC PLAN

Cyber security. Strategic delivery: Setting standards Increasing and. Details: Output:

ICT FUNCTIONAL LEADERSHIP: PROGRESS REPORT OCTOBER 2016 TO MARCH 2017

CYBER INCIDENT REPORTING GUIDANCE. Industry Reporting Arrangements for Incident Response

The impact of government s ICT savings initiatives. The Cabinet Office

Up in the Air: The state of cloud adoption in local government in 2016

Public Sector Cyber Security Series

Remit Issue April 2016

how to manage risks in those rare cases where existing mitigation mechanisms are insufficient or impractical.

T-SURE VIGILANCE CYBER SECURITY OPERATIONS CENTRE

Turning Risk into Advantage

The Government IT Profession: Embedding IT Professionalism in Your Organisation

An Introduction To Security Planning

Why you should adopt the NIST Cybersecurity Framework

Aboriginal Affairs and Northern Development Canada. Internal Audit Report Summary. Audit of Information Technology Security.

Data Security Standards

Commercial transformation, procurement and R&D

WA Govt Changing Cyber Security Landscape

Call for expression of interest in leadership roles for the Supergen Energy Networks Hub

Cyber Security: Threat and Prevention

Implementing ITIL v3 Service Lifecycle

Service Improvement Review of Guarding:

Commonwealth Cyber Declaration

Version: V2.0. Integrated Building. Architecture. 19 April dimension data advanced infrastructure

NEN The Education Network

A new approach to Cyber Security

Cyber risk Getting the boardroom focus right

POSITION DESCRIPTION

The Role of the Data Protection Officer

REPORT 2015/010 INTERNAL AUDIT DIVISION

DIT DSO Defence & Security Symposium 2017

Strategic Security Analyst

Principles for a National Space Industry Policy

Position Description. Engagement Manager UNCLASSIFIED. Outreach & Engagement Information Assurance and Cyber Security Directorate.

Securing strategic advantage

Canada Highlights. Cybersecurity: Do you know which protective measures will make your company cyber resilient?

Cloud Security Standards Supplier Survey. Version 1

JSC THE JUSTICE & SAFETY CENTER. Snapshot 2014

THE STRATEGIC POLICING REQUIREMENT. July 2012

Paul Shillcock Transport for London, UK

POSITION DESCRIPTION

RIMS Perk Session Protecting the Crown Jewels A Risk Manager's guide to cyber security March 18, 2015

Six Weeks to Security Operations The AMP Story. Mike Byrne Cyber Security AMP

National Policy and Guiding Principles

CESG:10 Steps to Cyber Security WORKING WITH GOVERNMENT, INDUSTRY AND ACADEMIA TO MANAGE INFORMATION RISK

Security in India: Enabling a New Connected Era

M&A Cyber Security Due Diligence

Transcription:

Report by the Comptroller and Auditor General Cabinet Office Protecting information across government HC 625 SESSION 2016-17 14 SEPTEMBER 2016

4 Key facts Protecting information across government Key facts 200 number of cyber national security incidents dealt with by GCHQ per month in 2015, up from 100 per month in 2014 8,995 number of data breaches recorded by 17 largest departments in 2014-15 300m limited government estimate of annual spend on security in 34 departments. Actual costs are thought to be several times this figure 12 number of separate organisations in the centre of government with responsibility for aspects of protecting information 28 million estimated annual government expenditure on external IT security support 200 million to 400 million savings estimated per year, by 2014, from adopting the Public Services Network (PSN), as outlined in the 2011-12 business case. Actual PSN savings in 2014 were 103.4 million. No further savings are expected 73 the number of teams covering security in central government departments 1,600 number of protective security staff (information, physical and personnel) in central government departments

Protecting information across government Summary 5 Summary 1 Protecting the information government holds from unauthorised access or loss is a critical responsibility for departmental accounting officers. But departments are increasingly required to balance this responsibility with the need to make this information available to other public bodies, delivery partners, service users and citizens via new digital services. 2 The Prime Minister is ultimately responsible for the security of the UK government. She is supported in this by the Cabinet Secretary, who chairs a permanent secretary committee which sets the overall direction and strategy for government security. Across departments, responsibility for information security lies with the respective ministers, permanent secretaries and their management boards. 3 In recent years, cuts to departmental budgets and staff numbers, and increasing demands from citizens for online public services, have changed the way government collects, stores and manages information. Major drivers for this change include successive IT and digital strategies since 2010, as well as the 2012 Civil Service Reform Plan, which placed greater responsibility on departments to protect their own data holdings. 4 Concurrently, the threat of electronic data loss from cyber crime, espionage and accidental disclosure has risen considerably. Alongside this new challenge, reporting to the Information Commissioner s Office (ICO) by public bodies shows that the loss of paper records remains significant. Study scope 5 This report considers the effectiveness of the centre of government (the centre) in defining government s strategic approach to protecting information across central government departments (the departments) (Part One); the centre s performance in protecting information, including managing specific projects (Part Two); and departments performance in protecting their information (Part Three). 6 The centre consists of various teams within the Cabinet Office as well as other organisations such as CESG (see Glossary on page 42) and the National Cyber Security Centre. The central government departments consist of the 17 largest departments of state, although we have included other bodies where the evidence allows, as many of these issues are not unique to central government. 1 1 In alphabetical order, these are: Cabinet Office; Department for Business, Innovation & Skills (now part of the Department for Business, Energy & Industrial Strategy); Department for Communities and Local Government; Department for Culture, Media & Sport; Department for Education; Department for Environment, Food & Rural Affairs; Department for International Development; Department for Transport; Department for Work & Pensions; Department of Energy & Climate Change (now part of the Department for Business, Energy & Industrial Strategy); Department of Health; Foreign & Commonwealth Office; HM Revenue & Customs; HM Treasury; Home Office; Ministry of Defence and the Ministry of Justice. Although correct at the time of writing, recent Machinery of Government changes mean that this list may have now changed.

6 Summary Protecting information across government 7 Specifically, we sought to answer the question: Is the Cabinet Office effectively coordinating the protection of government s information? The criteria and principles we used to explain and assess government s performance were as follows: On the centre s evolving approach to managing the protection of information (Part One): we describe how well the centre has coordinated its approach to protecting information across government (paragraphs 1.10 1.26). On the performance of the centre (Part Two), we examined: the government s performance in protecting information: We were looking to see whether government had a clear approach which married departmental responsibilities with a plan at the centre of government that identified the benefits, opportunities and risks of operating in this rapidly evolving area (paragraphs 2.2 2.5); security breach reporting: We assumed government activity in this area would be guided by a collated assessment across government on the number of breaches, their effect and mitigating actions, and a comprehensive long term action plan to reduce their impact (paragraphs 2.6 2.19); managing strategic information risks: We would expect government to have a clear understanding of the strategic risks to protecting information, based on accurate returns from departments covering a number of disciplines, including the sharing of best practice and identifying any gaps in capability (paragraphs 2.20 and 2.21); and the performance of centrally managed projects: We would expect the centre to deliver cost-effective performance from the projects for which it is responsible, using clear cost, timescale and performance data to outline the benefits delivered (paragraphs 2.22 2.44). On departmental performance in protecting information (Part Three), we examined: governance in departments and delivery chains: We reviewed a sample of governance arrangements to see if there were comprehensive and robust arrangements in departments for managing the protection of information, including through delivery chains (paragraphs 3.2 3.13); the financial impacts of the revised approach to protecting information: We assessed whether government understood how much its previous approach to protecting information used to cost, against how much it now costs and how many staff are involved (paragraphs 3.14 3.20); and deploying people with the right skills: Building on our previous work in this area, we assessed whether government had a clear understanding of its skills requirements for protecting information, and a comprehensive plan for addressing any capacity or capability gaps (paragraphs 3.21 3.35).

Protecting information across government Summary 7 8 We did not examine the physical or personnel security aspects of protecting data, such as guarding or vetting. Nor did we directly examine the protection of information within local government or local health, education or emergency service organisations. Key findings 9 The main body of this report contains our evidence of government s performance against the above criteria. Paragraphs 10 to 17 below set out our most important findings. In essence, they show that the Cabinet Office has not yet established a clear role for itself in coordinating and leading departments efforts to protect their information. Furthermore, its evolving ambition to undertake such a role is weakened by the limited information it has on departmental costs, performance and risks. On protecting information in government 10 Too many bodies with overlapping responsibilities operate in the centre of government, confusing departments about where to go for advice. As at April 2016, at least 12 separate teams or organisations in the centre of government had a role in protecting information, many of whom produce guidance. And the governance arrangements above them are unclear and fragmented, with no formal links between the three most important information security decision-making bodies in the Cabinet Office (paragraphs 1.21 1.26, Figures 4 and 5). 11 Increasing dependencies between central government and the wider public sector mean that traditional security boundaries have become blurred. At present, the Cabinet Office remit for security only extends to central government departments. However, there is a clear dependency between central government and the wider public sector, driven by increasing information flows, the demands of public service provision and shared technical infrastructure (paragraphs 1.3, 1.13, 1.15 and 2.7). 12 The new National Cyber Security Centre (NCSC) will bring together much of government s cyber expertise, but wider reforms will be necessary to further enhance the protection of information. The NCSC should streamline central government processes for dealing with information incidents in cyberspace. However, the scale and pace of the challenges of protecting information are such that these structural changes are unlikely to be sufficient on their own unless Cabinet Office also supports departments in addressing the wider problems set out in this report. The NCSC is designed to work with government and the private sector: whether it has the capacity to do so effectively remains to be seen (paragraph 1.30).

8 Summary Protecting information across government On the performance of the centre 13 The Cabinet Office does not collect or analyse government s performance in protecting information on a routine basis. This means it has little visibility of information risks in departments and has limited oversight of the progress departments are making to better protect their information. Reporting personal data breaches is chaotic, with different mechanisms making departmental comparisons meaningless (paragraphs 2.2 2.21). 14 The Cabinet Office needs to improve delivery of its centrally managed projects. The Government Security Classifications (GSC) system, the Public Services Network (PSN) and Foxhound pose considerable business change, cultural and technical challenges but have been slow to deliver planned benefits. Alongside their primary objectives, all three projects were intended to achieve significant financial savings, but none have fully delivered those financial benefits yet (paragraphs 2.22 2.44). On departmental performance in protecting information 15 Some departments have made significant improvements in information governance, but most have not given it the same attention as other forms of governance. The Cabinet Office does not provide a single set of governance standards for departments to follow, and does not collate or act upon identified weaknesses. Only a few departments set security standards through their supply chain (paragraphs 3.2 3.13). 16 The Cabinet Office does not have access to robust expenditure and benefits data from departments to take informed strategic decisions on protecting information. This is in part because departments do not always collect or share robust expenditure or benefits data. The Cabinet Office has recently collected some data on security costs, although it believes that actual costs are several times the reported 300 million figure. Departments often do not share advice and knowledge effectively, either resulting in them repeating work at additional cost or missing the opportunities presented by adopting new technologies (paragraphs 3.14 3.20). 17 In the context of a challenging national picture it has been difficult for government to attract people with the right skills. The government established a security profession in 2013, and has undertaken some initial work to establish professional learning and development. Demand for skills and learning across government is growing and is likely to continue to grow. Plans to cluster security teams may initially share scarce skills but will not solve the long-term challenge, and will pose questions for departmental accountability (paragraphs 3.21 3.35).

Protecting information across government Summary 9 Conclusion 18 Protecting information while re-designing public services and introducing new technology to support them is a complex challenge for government. To achieve this, the centre of government requires departments to risk manage their information, but few departments have the skills and expertise to achieve this by themselves. How successful government is in dealing with this challenge will therefore continue to depend on effective support from the Cabinet Office and other bodies at the centre of government. 19 The Cabinet Office is taking action to improve its support for departments, but needs to set out how this will be delivered in practice. To reach a point where it is clearly and effectively coordinating activity across government, the Cabinet Office must further streamline the roles and responsibilities of the organisations involved, deliver its own centrally managed projects cost-effectively and clearly communicate how its various policy, principles and guidance documents can be of most use to departments.

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback