Government Information Security Review - Update


Presentation Transcript


  1. Government Information Security Review - Update
     Microsoft CISO Council, September 2008

  2. Disasters!
     • February 2007 – Nationwide fined £980k by FSA
     • March 2007 – TJX discovers loss of 45m credit card details
     • April 2007 – DoH Medical Training Applications Service (poss 34k)
     • May 2007 – DVLA loses hard drive in Iowa processing (3m)
     • May – November 2007 – FCO visa website flaw (50k applicants)
     • November 2007 – HMRC loses copy of UK Child Benefit System (7.5m families)
     • November 2007 – Facebook Beacon climbdown
     • November 2007 – Land Registry removes copies of deeds etc. from Land Register Online (£12m)
     • December 2007 – Norwich Union Life fined £1.2m by FSA
     • January 2008 – MoD loses TAFMIS laptop (600k)
     • etc., etc…

  3. Reviews Published
     • Kieran Poynter – June 2008
       http://www.hm-treasury.gov.uk/independent_reviews/poynter_review/poynter_review_index.cfm
     • Sir Edmund Burton – June 2008
       http://www.mod.uk/nr/rdonlyres/3e756d20-e762-4fc1-bab0-08c68fdc2383/0/burton_review_rpt20080430.pdf
     • Sir Gus O’Donnell – June 2008
       http://www.cabinetoffice.gov.uk/reports/data_handling.aspx
     • Richard Thomas & Dr Mark Walport – July 2008
       http://www.justice.gov.uk/reviews/datasharing-intro.htm

  4. Summary – HMRC – The Investigation
     • Specifics
       • Setting of precedent
       • Failure to adhere to ‘SPOC’ protocol
       • Prioritisation of other concerns above security risk
       • Failure to redact data
       • Absence of appropriate authorisation
       • Use of insecure methods of data storage and transfer
     • General
       • Weakness in specific security policies
       • Inadequate awareness, communication and training in IS
       • Lack of clarity around governance and accountability in data guardianship

  5. Summary – HMRC – The wider review
     • Information security was not a management priority
     • Even if it had been, governance and accountability would have made it difficult
     • Fragmentation and complexity in the formation of HMRC made IS hard to control
     • Policies inadequate, complex, and not translated into guidance for junior staff

  6. Summary – MoD
     • 51 Recommendations
       • Processes – 31
       • People – 11
       • Training and Education – 5
       • Technology – 3
       • Other – 1

  7. CO Data Handling Review
     • Core measures to protect personal data and other information across Government;
     • A culture that properly values, protects and uses information;
     • Stronger accountability mechanisms within Departments; and
     • Stronger scrutiny of performance.

  8. Departments & Agencies must
     • Use protective measures, such as encryption and penetration testing of systems;
     • Understand and manage their information risk, identifying the key individuals responsible for information assets and setting out their responsibilities;
     • Undertake quarterly risk assessment of the confidentiality, integrity and availability of information;
     • Train all staff involved in handling personal data, with training taking place on appointment and reinforced on an annual basis;
     • Carry out Privacy Impact Assessments when introducing new policy or processes that involve the use of personal data;
     • Include information risk in Statements on Internal Control, scrutinised by the National Audit Office;
     • Provide clarity to citizens about the use and handling of personal data through Information Charters;
     • Report annually to Parliament.

  9. Thomas – Walport Data Sharing Review
     • There is a lack of transparency and accountability in the way organisations deal with personal information
     • There is confusion surrounding the Data Protection Act, particularly the way it interacts with other strands of law
     • Greater use could be made of the ability to share personal data safely, particularly in the field of research and statistical analysis
     • The Information Commissioner needs more effective powers, and the resources to allow him to use them properly.

  10. Observations…

  11. Analysts: how to capitalise on relationships
      Bob Tarzey, Quocirca
      Sept 17th 2008, for Microsoft CISO Forum

  12. What is an industry analyst and where do they come from
      • Analysts are:
        • Market watchers
        • Market influencers
        • Futurologists
      • Analysts are not:
        • Journalists (some write for the media)
        • IT directors/workers
        • Vendor representatives
      • But they may come from any of these backgrounds or be career analysts

  13. Analyst companies
      • Global brands – Gartner, Forrester, IDC
      • Regional analyst houses – e.g. Quocirca, MWD
      • Domain specialists – e.g. Cambashi, Canalys
      • Analyst relations organisations
      • 380 high tech analyst companies worldwide with 3,000+ analysts (Tekrati, 2005)

  14. How do analysts influence buyers of IT?
      • Direct
        • Retainers/subscriptions
        • Projects
        • Direct discussions
      • Indirect
        • Reports
        • Presentations, seminars, webinars
        • Media work
        • “Web 2.0” – blogs, Twitter…

  15. What analyst houses do
      • Produce numbers
        • Market research
          • X units of these products were sold in 2008
          • The market for these products will be $n in 2009
        • ROI and TCO studies
        • Product comparisons
      • Elicit opinion
        • IT managers say budgets are being cut
        • CISOs say security could be improved
        • Business outsourcing more IT
        • Perceptions of this technology are…
      • Report and present findings

  16. Analyst sources of information
      • Primary research
        • Telephone
        • Web based
      • Secondary research
        • End-user discussions
        • Vendor briefings
        • Industry events
        • Channel
        • Media
        • Industry bodies
        • Other sectors
          • Legal
          • Insurance
        • Other forums

  17. How analysts make money
      • User side
        • Subscriptions
        • Paid-for reports
        • Consultancy
        • Projects
      • Vendor side
        • White papers
        • Research
        • Presentations
        • PR work
        • Strategic advice
      • VCs

  18. Individual analysts
      • Technology specialists
        • Storage, servers, mobility…
      • Application specialists
        • CRM, security, SaaS…
      • Market specialists
        • Financial services, retail, SMB…
      • Generalists
      • Business-focused analysts
      Seek the right analyst for the right advice

  19. Paid versus free advice
      • The Google effect
        • Lots of analyst content is now free
        • The internet has changed funding models
        • Content is open to businesses of all types
      • Media-reported content – most analysts don’t advertise
      • There is still a lot of material that you can only see if you pay
      If your organisation has a subscription to Gartner, etc., hours of advice are often included but may go unused

  20. Thank you
      Bob Tarzey, Quocirca
      bob.tarzey@quocirca.com
      www.quocirca.com