ISAF Welcomes Strengthened UK Government IT Security Awareness

It is Essential That the Education and Awareness of Information Security Becomes a Top Priority for UK Government IT Users

(25.07.08) - Dr David King, ISSA-UK and Chair of the Information Security Awareness Forum (ISAF), said he is delighted that the requirement to provide information security awareness has been raised to the top of the agenda amongst UK government departments and agencies. "The move is welcomed by the ISAF and will, I have no doubt, also be greeted in a positive manner by other IT security bodies across the UK," said Dr King, who added that the sea change in the government's approach to information security is the result of conclusions of a number of relevant reports in recent weeks.

"The new security ethos permeating through the various strata of the UK's government and its agencies will, we hope, encourage all managers in the public sector to take a responsible attitude towards looking after their computer data," he said.

According to Dr King, there is now a greater need for education and guidance on information security matters for existing and new employees of the government and its agencies. "This need is about to become pressing as the government and its agencies gear up to take on the several tens of thousands of newly-qualified graduates that have decided to enter the public sector this coming September," he said.

Most of these new employees, he added, will have grown up with computers, both at home and at school, but many will lack a basic understanding of data security issues. "It's down to their new public sector employers to educate them on this front and they can only do this if the relevant managers get behind the security policies that already exist in many government departments and agencies, and pro-actively apply them," he said.

"Here at the ISAF, we believe that government departments and their agencies should develop positive strategies to raise awareness and understanding of information security principles, taking into account the DPA, HRA, RIPA, Computer Misuse Act, Police & Criminal Justice Act, Defamation Act, Fraud Act, Obscene Publications Act. They should also prepare for the governance provisions of the Companies Act 2006, which is due to become law later this year," he added.

Dr King went on to say that, as individuals as well as employees, ISAF members and associates, as well as anyone involved in business management, need to be more aware of the issues that affect us all in our day-to-day handling of personal data.

"This is especially true when it comes to developing the resources required to provide information security guidance to all members of staff, covering issues such as incident reporting, data handling and taking a holistic approach to the topic," he said.

The ISAF had already seen the need to do this at a Director level with the production of its Directors’ Guides on Information Assurance launched in April 2008, sponsored jointly by IAAC, ISAF and BT. The ICO has warmly received and reviewed these and believes that they should be on the desk of every single director of every single company / organisation in the land. When asked by the ISAF as we seek to use the Directors’ Guide to spread the message that information risks must be understood and effectively managed, Richard Thomas the Information Commissioner replied, "Every Director should have one!” and continued, "We will be saying more about board-level accountability in the Thomas/Walport Report on Data Sharing due out shortly."

Founding members of the forum included the ISSA, (ISC)2, BCS, Infosecurity Europe, IISP, ISACA, EURIM, Get Safe Online, NeCPC and Security Awareness SIG.

"The Security Awareness SIG is looking forward to assisting the public sector by sharing the knowledge and skills learned by corporations in the private sector. Our members have been tackling the challenging issues surrounding data protection for many years, and there is a wealth of good practice and experience that will save the painful reinvention of many wheels," said Martin Smith MBE BSc FSyI, Chairman and Founder of the Security Awareness SIG.

"The CMA is proud to be a founding ISAF member and though our organisation is not an obvious one for Information Security, we have long recognised that security issues arise from our increasingly interconnected and converging world and that top down business involvement is key element in improving the security posture of any organisation (or country)," said Peter Wenham CISSP MICAF CLAS, Director, CMA.

Nigel Jones, Director of the Cyber Security Knowledge Transfer Network, commented: "It is essential that the education and awareness of information security becomes a top priority for UK government IT users. Meeting today’s information security challenges relies on addressing three key issues - how to make our technology more secure; how to help business understand the positive economic impact of reducing e-crime; and how to change the way society thinks about the value and vulnerability of its sensitive information. This announcement offers a positive outlook on all three. Information security may be a global issue but it must be tackled locally first. The decision to increase government focus on Information security awareness demonstrates that the UK will lead from the centre on cyber crime and security."

For more on the UK government's enhanced security ethos: http://tinyurl.com/6hx9hy. (ISAF: ra)