2010 Bloor Research
A Bloor White Paper
Practical steps to ensure GCSX Code of Connection compliance and beyond
The importance of compliance
Compliance is a fact of life for each and every local authority and public sector organisation. Irrespective of their information security compliance requirements, there are a host of legal and regulatory demands they need to manage each day. Inevitably, some compliance requirements take more time and effort than others and, indeed, some requirements present a larger political issue than others.
From a citizen's perspective, there is a high level of expectation that their private information will be kept secure and only accessed on a need-to-know basis; this expectation can be supported by demonstrating that organisational data is stored, maintained and used in accordance with regulatory and compliance requirements. Of course, it is vital that organisations understand the difference between compliance and information security: achieving a level of compliance may be a requirement, but in itself it is not a guarantee that data will be secure.
With public sector services, citizens will normally have no choice of service provider. In extremis, a resident can only opt to be serviced by a different local council by moving house. This monopoly of service provision may lead to complacency on behalf of such a local authority. To mitigate this, local politicians are in place to ensure that service provision meets the needs of local residents. This, in turn, puts political focus on any incident where data security may be compromised. An information security breach, data loss or compliance-related incident can rapidly turn into an election issue and ultimately cost political posts.
The financial impact of a data loss incident, in terms of the level of fine imposed by the Information Commissioner, has historically been fairly low. As of April 2010, the level of fines the Information Commissioner is able to impose has been dramatically increased, to a maximum of £500,000 per data loss incident, reflecting the seriousness with which these incidents are now viewed.

Clearly, compliance is now more important than ever.
Other compliance requirements
The GCSX Code of Connection is only one of a number of information security compliance and legal requirements facing local authorities.
PCI DSS, the Payment Card Industry Data Security Standard, is applicable to all organisations that accept credit card payments. Most local authorities provide this facility for the payment of services and penalty fees, such as parking offences, and therefore need to comply with PCI security standards. These standards are quite prescriptive and require authorities to provide a number of controls and safeguards to protect credit card information. Failure to comply with PCI DSS can result in fines or the termination of a merchant agreement.
A law that uniquely affects public sector organisations is the Freedom of Information Act. This allows access to recorded information held by public authorities. Under the Act, any individual can make a request for information and have the necessary data sent to them. Any refusal to supply the information needs to be justified in writing to the applicant, making the reasons for the refusal clear. Disputes are independently arbitrated.
Data that is subject to the Freedom of Information Act can reside in a variety of forms throughout an organisation. This could include emails, word processor documents, spreadsheets or written notes. Computerised data can be secured using data loss prevention technologies such as data encryption, but it is imperative that decryption keys be made available so that data can be retrieved in its original form.
The Information Commissioner can serve an enforcement notice on a body that fails to provide data covered by the Freedom of Information Act. Failure to comply with an enforcement notice may result in the Commissioner referring the matter to the High Court, which, in turn, can deal with the public authority as if it had committed contempt of court. A public authority may appeal against an enforcement notice to the Information Tribunal.