Socitm London - PowerPoint PPT Presentation

About This Presentation

Title: Socitm London

Description: Data Sharing Protocol / Code of Connection. Hytec Information ... Bed blocking. Bichard enquiry. Hytec Information Security Limited. Joining up with health ... – PowerPoint PPT presentation

Slides: 26
Provided by: alan63
Transcript and Presenter's Notes


1
Socitm London
Information Security Implications of Joined-Up Government
Alan Hunt, Technical Director
Alan.hunt_at_hytec.co.uk
01865 887428
www.hytec.co.uk
26th February 2004
2
Agenda
  • Definition of infosec
  • Typical infosec environment
  • Third party requirements
  • Compliance
  • Data Sharing Protocol / Code of Connection

3
Definition of Information Security
  • Information security is characterised as the
    preservation of:
      • a) confidentiality: ensuring that information is
        accessible only to those authorized to have
        access
      • b) integrity: safeguarding the accuracy and
        completeness of information and processing
        methods
      • c) availability: ensuring that authorized users
        have access to information and associated assets
        when required.

4
Definition of Information Security
  • Information security is achieved by implementing
    a suitable set of controls, which could be
    policies, practices, procedures, organizational
    structures and software functions. These controls
    need to be established to ensure that the
    specific security objectives of the organization
    are met.
  • Extract from BS ISO/IEC 17799

5
Risk
  • Risk: a threat exploiting a vulnerability causes
    harm to an asset
  • Inputs
      • Data classification
      • Clearance
      • Potential attacker base
      • Facilities available
      • Level of publicity
      • Window of opportunity

6
Information security - today
  • Acknowledged risks
      • Internet
      • Remote access
  • Investment in
      • Policy
      • Procedure
      • Technology
  • Risk will never be zero

7
(No Transcript)
8
Information security - today
  • Vulnerability assessments
      • Hytec have yet to conduct an assessment where no
        exploitable vulnerabilities have been found
  • Examples of vulnerabilities
      • Buffer overflow vulnerability, server in DMZ
      • Web management interface active
      • Default configuration
      • Non-malicious mistakes

9
Joined up working will happen
  • IRT
  • Every Child Matters Green Paper
  • DVLA abandoned vehicles
  • CJIT Youth Offending Teams
  • Bed blocking
  • Bichard Inquiry

10
Joining up with health
  • NHS IA NHSnet Connection
  • Social Services are now health entities
      • LA is not
      • LA is untrusted
  • Code of Connection is to NHSnet
  • NHS IA will require
      • Evidence of implemented ISMS
      • EAL4 segregation between LA and NHSnet
      • Strong authentication of users requiring NHSnet
        access
      • Adoption of NHSnet AUP, change control and
        network security procedures (under control of
        Director of Social Services, not Corporate ICT).

11
(No Transcript)
12
Joining up with the DVLA
  • Abandoned Vehicles
      • Single stand-alone PC connection
      • Users must sign AUP
      • CoC requires compliance with standards defined in
        HMG protected documents

13
Joining up with CJIT
  • Criminal Justice Information Technology
  • Secure email project
      • To the desktop?
  • Code of Connection
      • Organisational
      • Personal
  • Requirement for Basic Check clearance of
    participating staff
  • Requirement for encryption of sensitive data,
    password policy

14
(No Transcript)
15
(No Transcript)
16
(No Transcript)
17
Compliance
18
Data Protection Act 1998
  • Secondary disclosure
      • Disclosing party is still data controller
      • Third parties are also data controllers when data
        is processed
  • Example
      • GP to school, school to social services.
      • Subject access request to social services,
        consent of GP required.

19
Data Protection Act 1998
  • The Seventh Principle: Security
      • Data must be protected against unauthorised or
        unlawful processing or loss, destruction or
        damage. The level of security must be
        appropriate to the nature of the data and the
        harm which would result from misuse.
      • Where data are processed on behalf of a data
        controller by a data processor, further
        safeguards are imposed including the requirement
        for written contractual terms.
  • Source - PRO

20
BS 7799-2:2002
  • Compliance or Certification
      • Does provide evidence of an ISMS
      • Does not certify compatibility with joined up
        requirements
  • Particularly relevant sections
      • 4.2 Security of third-party access
          • 4.2.1 Identification of risk from third party
            access
          • 4.2.2 Security requirements in third-party
            contracts
      • 4.6.7 Exchanges of information and software
          • 4.6.7.1 Information and software exchange
            agreements

21
Code of Connection
  • Should be mutual
      • Currently mainly one way, imposed on LA
  • Uses
      • Joined up partner (e-gov)
      • Commercial partner (data processor)

22
Code of Connection contents
  • Include, but not limited to:
      • Availability
      • Change management
      • Business continuity
      • Incident reporting
      • Integrity and confidentiality
      • Logical security
      • Physical security
      • Right to audit
      • Data protection
      • Termination

23
Data Sharing Protocols
  • Terms and conditions for
      • Provision of access to data
      • Sharing of data
  • Few currently incorporate specific Information
    Security Management System requirements
  • Data Sharing Protocol incorporating Code of
    Connection
  • NPfIT Access Agreements
  • The answer?

24
Questions

25
(No Transcript)