Answering back


How good are government departments at IT security? David Quainton tried to use the Freedom of Information Act to get the facts and figures

On 1 January, the UK woke up to a new act that changed the relationship between the public and the bodies that serve them. The Freedom of Information Act 2000 aims to ensure that any information relating to public bodies is accessible within 20 working days of a request. There are, of course, clauses relating to national safety and data protection that allow some details to be withheld, but it has nevertheless opened a window on public service information that has never been available before.

When public bodies were quizzed about how much misuse occurred in the public sector, it became apparent that across the board there has been a steady rise in staff dismissals and reprimands due to computer misuse. The worst performer was the Inland Revenue, with 35 dismissals and 409 reprimands last year alone.

In 2003 HM Customs and Excise recorded 176 cases of misuse and undertook 76 disciplinary hearings. The two agencies have now amalgamated to form HM Revenue & Customs. But some observers have questioned whether such high figures were necessarily a bad thing. "Is it worse that the Inland Revenue dismissed 35 people, or that the NHS claimed it only dismissed one?" said Mike Davis, senior research analyst at IT analysts, the Butler Group.

In stark contrast, the DTI and the MoD, both sizeable bodies, only recorded incidents in single figures.

Does this mean that their staff are more trustworthy? Or just that their monitoring and disciplinary procedures are not as good?

A clue came when SC asked how public bodies are protecting themselves. On firewalls, spam and virus protection, most gave a full list of vendors and products (with exceptions – see panel), but the subject of intrusion detection systems (IDS) highlighted a worrying trend.

The Audit Commission, the Department of Health and the DTI do not yet possess basic IDS.

Indeed, the DTI lacks IDS even though its own best practice guidelines strongly advise it. The MoD possesses no central IDS, although it stressed that this response "does not include one-off sales before January 2005".

Davis describes the body's lack of intrusion detection as "naive" and "incompetent", but says it was hardly surprising given his experiences with the public sector. Emlyn Everitt, senior security consultant at systems management company Logicalis, agrees. He stresses that public bodies need to avoid the "it hasn't happened to me, so I don't need any protection" attitude that persists in some government departments.

The responses were most similar when SC asked for "details of time or money lost through computer viruses in the past 12 months." Not one public body said it had lost money, and only a couple gave any details of malware encountered on their systems. Most insisted that viruses did not infect them.

One of the bodies that did specify an incident (malware on a development server) was the Information Commissioner's Office, led by Richard Thomas.

He and his staff are charged with overseeing and enforcing the FoIA and the Data Protection Act. The ICO's response, along with the MoD's, was by far the most comprehensive, and highlights a further burden of the FoIA – compliance.

The discrepancy between the pages of notes delivered speedily by the Information Commissioner and the single-page response initially received from the NHS Information Authority shows that some public bodies have a much better handle on the FoIA than others.

Even though Richard Thomas hinted that he might give them an easy ride in the short term, public bodies will face consequences if enough complaints are filed. But judging by the openness of their networks, some might face far more serious consequences, far sooner.

Copyright © SC Magazine, US edition