In the last three months, a number of reports have been published on the management of information security in government. They focus, directly or more generally, on the recent publicised losses of personal data from government departments.
The principal reports include Poynter (Review of information security at HM Revenue and Customs - on the loss of two CDs containing child benefit data), the Burton review (Report into the Loss of MOD Personal Data - on the theft of a Royal Navy laptop), and the Cabinet Office report (Data Handling In Government which took into account these two others). The Cabinet Office report was followed closely by a paper on Cross Government Actions: Mandatory Minimum Measures published by the CSIA, part of the Cabinet Office.
Among their many findings, these reports commonly state that a contributing factor in these breaches was the lack of effective security training and awareness. Their recommendations include mandatory and accountable security training, to be given when staff are appointed to key roles in the organisation and annually thereafter, including testing of the learning; and security awareness training for all staff who manage personal data.
The Burton report concluded: 'There is an urgent need to review training and education needs and to embed appropriate themes in curricula and training programmes from basic training, through generalist and specialist courses, as "business as usual".'
The Poynter report similarly found that: 'HMRC people lacked sufficient awareness and training on information security matters,' adding that: 'There was a general lack of awareness across HMRC business units, at least prior to the incident, of the importance of information security.'
The response to these and other findings is refreshingly focused. The Cabinet Office report declares that: 'Government will roll out at least a minimum level of information management training to all information asset owners, on appointment and annually, and strategic information management training to accounting officers, senior information risk owners, and members of audit committees. [It will also] roll out at least a minimum level of information risk awareness training to all those with access to protected personal data... Such training will, where possible, take the form of short, e-learning products including tests for understanding, and will be applied on appointment and annually.'
Further underlining this, the CSIA's Cross Government Actions: Mandatory Minimum Measures paper specifies that: 'All departments must ensure that all data users must successfully undergo information risk awareness training on appointment and at least annually. In addition, all information asset owners must pass information management training on appointment and at least annually, and accounting officers, SIROs, and members of the audit committee must pass strategic information risk management training at least annually.'
So there's no question about it: there is work to be done.
Does any of this apply to me?
The Cabinet Office report's recommendations apply across government and its contractors, as do most of the CSIA's mandatory minimum measures. Even if you don't train in either of those sectors, but your organisation handles personal data, you could consider the recommendations as guidance; the Cabinet Office report states a 'commitment by government to provide the information commissioner with new powers to conduct "spot checks", and to introduce new sanctions under the Data Protection Act for the most serious breaches of its principles.'
So, what are the training challenges?
The standards that government is setting itself and its contractors are far-reaching. Training is only one of them, and this activity alone will require the organisation's IT training, security, HR and legal functions to work together. As well as delivering the training, there will need to be mechanisms linking training and HR to ensure that staff receive the relevant security awareness training when they change roles. And staff will need clear legal guidance on the Data Protection Act, since it directly affects the way they do their jobs.
Data protection is often seen as an IT security issue - 'It's about protecting data, right?' - and so it may fall to IT trainers to deliver the message. It may be necessary to explain technical measures such as full-disk encryption, encryption for transmission, protective monitoring and the secure destruction of hardcopy and media. The concepts of remanence and aggregation will need to be covered.
But data protection is actually a business and an information security issue; it extends beyond IT. The legal issues are central, as are the HR issues of acceptable use policies and disciplinary procedures. At a time when more and more organisations are moving towards home working, technical security measures can only help so far: staff who work remotely will have to be trusted to maintain physical and procedural security.
And it is key that 'data protection' is understood to mean not only the security of the information, but also its proper usage.
So an effective training strategy will need to involve not just IT trainers, but other subject experts in your organisation.
Finally, the Cabinet Office has stated that it will: 'Provide a minimum specification for this training and seek views from departments as to whether they would wish to use a standardised training product. The aim should be to develop training material that can be externally accredited and transferred between organisations, and integrate material into relevant courses run by external bodies.'
When government publishes its specification, organisations may develop training to address it. Well and good, but government can do no more than this, and encourage departments and their contractors to ensure their training effort is effective. Informational or instructional training may demonstrate compliance and due diligence, and it can help staff who currently simply do not understand their responsibilities when handling personal data.
But the awareness aspect of security training is also about challenging the attitudes which produce non-secure behaviours.
The various reports into the personal data security incidents reveal that most of these arose from failures of procedural security. In some cases, it was indeed down to staff who didn't know what the rules were. Or, like all of us at one time or another, they simply made a big mistake. But in other cases, it involved a choice not to observe the rules.
The 'senior civil servant' who presumably read, and then left, highly classified documents on the train was subject to security briefings and, in their position, would have known how to handle such sensitive information. What was it that persuaded them it was OK to open those documents on public transport? As we seemingly become more and more pressured to deliver our work targets, there are plenty of temptations to break the rules - take the work home to finish it off; email that document; stick it on a CD or a USB...
To really crack the security awareness issue, trainers will need to understand and challenge not just how incidents occur, but why.
Read all about it: the sources
Paul Hansford Dip.Infosec CISSP CISMP FBCS is a member of BCS's Security Forum Strategic Panel.