Public sector information security breaches are failures of management: Socitm

The fact that local public service organisations are doing well at closing the technical vulnerabilities but rather less well at changing behaviours and preventing physical lapses is reported in ‘Information governance: not up to scratch?’, the latest briefing from Socitm Insight.

The briefing says that security breaches reported on the ICO website include cases of incorrect disclosure, physical loss or theft of storage devices, misuse of old documents as templates, errors in handling fax and e-mail, sending documents to the wrong address, and even papers being stolen from a pub. There is not a single example of a technical failure among them.

The briefing reports that many local public service organisations are now addressing information security risks by putting the basics of information governance in place, and in the last three years, there has been an significant increase numbers appointing a senior information risk officer (SIRO).

However, only just over a half of the respondents to Socitm’s IT Trends survey say they have an information governance function in place, and only in the area of disposal of information assets do more than half of them have a policy in place.

Tough security requirements set out by the Cabinet Office as a condition of connection to the public services network has focused minds in most public sector organisations on ensuring that their technical infrastructure and policies are watertight. This may have led to the more obvious risks around physically handling information assets receiving less attention than they deserve, says the briefing.

In order to illustrate how a local public service organisation might approach information security in a comprehensive way, the briefing publishes a detailed case study from Chelmsford BC, an organisation that has taken a strongly pro-active approach.

The case study reveals a number of security breaches uncovered by the council in the course of this activity – the sort of incidents the briefing suggests are endemic throughout the public sector – and sets out what it has done to prevent them in future. This includes putting in place information governance arrangements, reviewing information handling processes, and implementing measures to raise staff awareness and change behaviours.

One issue uncovered by Chelmsford on this journey has been the fact that the role of senior information risk officer (SIRO) is challenging for senior managers. Typically senior managers take a ‘big picture’ view, but in order to be effective as a SIRO, they have to get into the detail and probe details of incidents and future risks.

Related reading