Download
government information security review update n.
Skip this Video
Loading SlideShow in 5 Seconds..
Government Information Security Review - Update PowerPoint Presentation
Download Presentation
Government Information Security Review - Update

Government Information Security Review - Update

115 Vues Download Presentation
Télécharger la présentation

Government Information Security Review - Update

- - - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript

  1. Government Information Security Review - Update Microsoft CISO Council September 2008

  2. Disasters! • February 2007 – Nationwide fined £980k by FSA • March 2007 – TJX discovers loss of 45m credit card details • April 2007 – DoH Medical Training Applications Service (poss 34k) • May 2007 – DVLA loses hard drive in Iowa processing (3m) • May – November 2007 FCO visa website flaw (50k applicants) • November 2007 – HMRC loses copy of UK Child Benefit System (7.5m families) • November 2007 – Facebook Beacon climbdown • November 2007 – Land Registry removes copies of deeds etc from Land Register Online (£12m) • December 2007 - Norwich Union Life fined £1.2m by FSA • January 2008 – MoD loses TAFMIS laptop (600k) • etc., etc…

  3. Reviews Published • Kieran Poynter – June 2008 • http://www.hm-treasury.gov.uk/independent_reviews/poynter_review/poynter_review_index.cfm • Sir Edmund Burton – June 2008 • http://www.mod.uk/nr/rdonlyres/3e756d20-e762-4fc1-bab0-08c68fdc2383/0/burton_review_rpt20080430.pdf • Sir Gus O’Donnell – June 2008 • http://www.cabinetoffice.gov.uk/reports/data_handling.aspx • Richard Thomas & Dr Mark Walport – July 2008 • http://www.justice.gov.uk/reviews/datasharing-intro.htm

  4. Summary - HMRC - The Investigation • Specifics • Setting of precedent • Failure to adhere to ‘SPOC’ protocol • Prioritisation of other concerns above security risk • Failure to redact data • Absence of appropriate authorisation • Use of insecure methods of data storage and transfer • General • Weakness in specific security policies • Inadequate awareness, communication and training in IS • Lack of clarity around governance and accountability in data guardianship

  5. Summary - HMRC - The wider review • Information security was not a management priority • Even if it had been, governance and accountability would have made it difficult • Fragmentation and complexity in formation of HMRC made IS hard to control • Policies inadequate, complex, and not translated into guidance for junior staff

  6. Summary – MoD • 51 Recommendations • Processes – 31 • People – 11 • Training and Education – 5 • Technology – 3 • Other - 1

  7. CO Data Handling Review • Core measures to protect personal data and other information across Government; • A culture that properly values, protects and uses information; • Stronger accountability mechanisms within Departments; and • Stronger scrutiny of performance.

  8. Departments & Agencies must • Use protective measures, such as encryption and penetration testing of systems; • Understand and manage their information risk, identifying the key individuals responsible for information assets and setting out their responsibilities; • Undertake quarterly risk assessment of the confidentiality, integrity and availability of information; • Train all staff involved in handling personal data, with training taking place on appointment and reinforced on an annual basis; • Carry out Privacy Impact Assessments when introducing new policy or processes that involve the use of personal data; • Include information risk in Statements on Internal Control, scrutinised by the National Audit Office; • Provide clarity to citizens about the use and handling of personal data through Information Charters • Report annually to Parliament

  9. Thomas – Walport Data Sharing Review • There is a lack of transparency and accountability in the way organisations deal with personal information • There is confusion surrounding the Data Protection Act, particularly the way it interacts with other strands of law • Greater use could be made of the ability to share personal data safely, particularly in the field of research and statistical analysis • The Information Commissioner needs more effective powers, and the resources to allow him to use them properly.

  10. Observations…

  11. Analysts: how to capitalise on relationships Bob Tarzey Quocirca Sept 17th 2008 For Microsoft CISO Forum

  12. What is an industry analyst and where do they come from • Analysts are: • Market watchers • Market influencers • Futurologists • Analysts are not: • Journalists (some write for the media) • IT directors/workers • Vendor representatives • But they may come from any of these backgrounds or be career analysts

  13. Analyst companies • Global brands – Gartner, Forrester, IDC • Regional analyst houses – e.g. Quocirca, MWD • Domain specialists – e.g. Cambashi, Canalys • Analyst relations organisations • 380 high tech analyst companies worldwide with 3,000+ analysts (Tekrati, 2005)

  14. How do analysts influence buyers of IT? • Direct • Retainers/subscriptions • Projects • Direct discussions • Indirect • Reports • Presentations, seminars, webinars • Media work • “Web2.0” – blogs, Twitter…

  15. What analyst houses do • Produce numbers • Market research • X units of these products were sold in 2008 • The market for these products will be $n in 2009 • ROI and TCO studies • Product comparisons • Elicit opinion • IT managers say budgets are being cut • CISOs say security could be improved • Business outsourcing more IT • Perceptions of this technology are… • Report and present findings

  16. Analyst sources of information • Primary research • Telephone • Web based • Secondary research • End-user discussions • Vendor briefings • Industry events • Channel • Media • Industry bodies • Other sectors • Legal • Insurance • Other forums

  17. How analysts make money • User side • Subscriptions • Paid for reports • Consultancy • Projects • Vendor side • White papers • Research • Presentations • PR work • Strategic advice • VCs

  18. Individual analysts • Technology specialists • Storage, servers, mobility..... • Application specialists • CRM, security, SaaS.... • Market specialists • Financial services, retail, SMB..... • Generalists • Business-focused analysts Seek the right analyst for the right advice

  19. Paid versus free advice • The Google affect • Lots of analyst content is now free • The internet has change funding models • Content is open to businesses of all types • Media reported content – most analysts don’t advertise • There is still a lot of stuff that you can only see if you pay If your organisation has a subscription to Gartner, etc. hours of advice are often included but may go unused

  20. Thank you Bob Tarzey Quocirca bob.tarzey@quocirca.com www.quocirca.com