Security in the public sector - a cognitive dissonance

June 2004 News & Events

There are a number of key areas in which security projects in the public sector can fail. They fall under four headings: management, acceptance of responsibility, education and business continuity.

Management

Too often, senior management do not rate security as important. This tends to be because few senior managers have come up through security-associated roles. Experience has demonstrated that although senior managers want security, they do not understand the full requirements, in that they will not allocate the resources (human, financial or infrastructure) necessary to manage effectively the security required for a particular project. The only way to ensure that senior management accepts the requirement for appropriate resources is to brief them clearly on those requirements and tie them explicitly to business benefits.

This is an area where security managers regularly fail. Security managers have to have a clear understanding of the business strategy because if they do not, they will not be able to identify the business benefits that will be accrued by investing resources in a security project. Accordingly, they will not be able to 'sell' the concept and get the investment and support of senior managers. This is best done by identifying a senior management 'sponsor', who can champion your cause at board level. However, a word of warning - be careful when identifying your 'sponsor'.

One other area that is regularly missed, or 'glossed over', is the management infrastructure necessary to support a security project. You need to ensure that your security management infrastructure involves representation from all areas involved in the project. Those representatives need to be at a senior level in order to make decisions on behalf of their business area. It needs to include some form of Security Working Group (the Management Information Security Forum in ISO/IEC 17799:2000 (BS 7799)), some form of Change Control Board and usually a Business Continuity Group. The Terms of Reference (TORs) of such groups need to be clearly laid down, and it is vital that their reporting chain to senior managers be defined. Beware of clashes at board level between differing sponsors; they are not a good idea.

However, be careful not to swamp senior managers (sponsors) with unnecessary reports from your security management groups. You need to feed them the issues they need to be aware of and those that require agreement at board level. When presenting an issue, you need to explain it clearly, identify a number of solutions and your preferred option (supported by arguments and financial data), and state clearly what you expect of the individual or board. Such issues need to be set out in less than an A4 page, supported where necessary by other documents.

Time and again presentations fail because the security manager has missed one of these basic requirements.

Acceptance of responsibility

Individual acceptance of responsibility for an asset is an area that is historically anathema to the public sector. It is perceived as not being in the interests of employees (lots of additional work) and as something that could damage their careers. As one of the cornerstones of asset protection under ISO/IEC 17799:2000 (BS 7799) is acceptance of responsibility for the assets within an individual's area of responsibility, this can pose a significant hurdle.

For individual managers to willingly accept the responsibility to look after key assets, a major change in culture is sometimes necessary. Having done some work for a Government Agency, I found that they have adopted a simple no-blame culture, encompassed in a few words: "The purpose of this requirement [Acceptance of Responsibility] is not to attach blame to an individual should something go awry. Rather, it is for key staff (asset owners) who will manage any changes necessary to attain or maintain the confidentiality, integrity or availability (CIA) of assets under their control."

Quite often, the management change process necessary to achieve or maintain the required CIA levels involves resources outside the control of the asset owner. These may include a Change Control Board, Business Continuity Planners or an organisation-wide security forum.

Overall, this is a relatively simple concept, but if it is not clearly explained to staff, they will not accept the need and you will not succeed.

Education

Education is a key area, and one so often paid only lip service by public service organisations. We have all suffered death by viewfoil or PowerPoint slide presentation from staff who are badly briefed, who are poor presenters (not everyone is good at talking to colleagues) or, worst of all, who are so poor that they miss out whole sections of material or give inaccurate information. Such poor presentations make security a joke to users. This is something we cannot afford to happen, particularly nowadays with the increasing number of threats that the public sector is facing.

As part of ISO/IEC 17799:2000 (BS 7799) compliance requirements it is necessary to record which staff have received what security briefings and training. Do you get everyone to sign a bit of paper or go round with a checklist noting those present? Not a lot of fun, particularly if your organisation is spread over a wide geographic area and you do not know the staff.

We have conducted training for various organisations using a number of differing formats. The most successful have been those computer-based training (CBT) packages that:

* Identify individual users.

* Offer short, relevant modules.

* Include Q and A test questions and record the results of users.

Such modules can be combined for both induction training (all modules) and refresher training (individual modules). One of the most attractive elements of such training is that it can be made available to users at their desktop, thereby avoiding travel costs and time lost away from the workplace. By using such a package you can also be sure that staff are educated to a common standard, and by checking the results of the Q and A tests you get feedback on how effectively your modules are getting the security message across to your staff.

By adopting such a package, you get a lot of pluses and very few minuses. The main minuses are the initial capital outlay and the annual maintenance costs (updates for modules). For some CBT packages, purchasing an update package can negate even the annual maintenance costs, allowing the client to update the modules themselves.

Business continuity

Too often the public sector decides upon a business continuity (BC) solution without examining the real requirements of the organisation. They have not conducted an impartial impact analysis of their services, and their BC strategies, where they actually exist, are flawed. As such, the BC plans derived from this information are flawed. Additionally, because of the not inconsiderable cost of running full BC tests, most of the public sector rely on either very limited practical tests or desk-bound paper-based exercises, which do not identify failings in the actual plans because the plan is never practised for real.

If BC is not cost effective, why do many of our major financial institutions practise it on a regular basis? If it were not necessary, they would not do it. You could say the public service is not in the market to make money. However, it is there to support, in one way or another, UK plc and the general public.

You do not need to incur huge additional costs in running BC tests. To give one example: you are planning to replace a file and print server for capacity planning reasons. Before taking it into use, you build it as a database server. Once it is built and the necessary applications and data have been loaded, you simply connect it to a switch and on to one or two user workstations. You prove that business analysts can access the data, and the IT staff have practised a system rebuild. You have carried out two BC tests: the first is an IT system rebuild, and by using business analysts to check that the business rules of the database are still in place you have also conducted a business process test. You have not incurred the cost of the server, as it was bought under another vote, and as for staff, unless you are employing specific contractors, your staff would have been at work anyway.

In summary, for security to be employed effectively it all needs to be joined up: you need to adopt a holistic view of security, which is why ISO/IEC 17799:2000 (BS 7799), when implemented correctly, can be so effective.