There but for the grace of God…

Few organisations hold the sheer volume of sensitive data that was compromised in the recent HMRC debacle, or even the mere 600,000 personal records lost in an MoD laptop.


However, most ICT professionals will be heaving sighs of relief that a security disaster hasn't happened on their patch – yet. The appearance of Home Office data on a laptop bought from eBay will though send a shiver down the spine.

In the HMRC case, when two CDs holding the details of 25 million UK families went missing in the internal post, it seems the weak point was one or more employees failing to apply corporate security policy. If they had been fully trained in that policy and made aware of its importance, there would have been no excuse.

Equally, if they hadn’t been, it would be no surprise. Time and again my colleagues and I see cases where policies and procedures reflect best practice but no one has told the infantry about them. Theory and practice remain some way apart.

Take a project we recently carried out for a local authority that had decided some time ago to work towards ISO 27001 certification. Policies and procedures had been written and implemented, and they now wanted us to audit their current information security controls and produce a gap analysis against ISO 27001 certification.

The results of our audit were an eye-opener. ISO 27001 certification involves demonstrating appropriate implementation of 133 controls, and had this been an actual certification inspection the council would have failed on more than half.

The main problem was that staff at all levels were simply not applying the Council’s information-security policies and procedures to their work. In fact, they were blissfully unaware of their responsibility as individuals for information security and maintaining the confidentiality of council data.

"Recommended For You"

Our response to the Operational Efficiency Programme Enfield council moves to protect sensitive emails