This snapshot, taken on 10/06/2008, shows web content selected for preservation by The National Archives. External links, forms and search boxes may not work in archived websites.

Cabinet Office CSIA


Information for the public sector

Government needs to ensure that the systems underpinning key public services are made as secure and resilient as possible. Government systems, from military and health systems to those of education authorities, all need to be adequately protected. As more and more government services go online, it is vital that the public has trust and confidence in those services. Public sector organisations must create policies and processes to minimise the risks to their information and to the systems in which it is handled.

All central government departments are required to meet internationally recognised information security management standards (e.g. ISO/IEC 27001) for their systems. The Cabinet Office has produced an e-Government Interoperability Framework (e-GIF), which defines the technical policies and specifications governing information flows across government and the public sector. Public sector bodies must be vigilant in monitoring and auditing the systems that hold their information. The CSIA produces and maintains security framework documents which provide key guidance for both central and local government on delivering secure online services.

Telecommunications resilience

The CSIA works with other government departments to maintain emergency telecommunications planning and business continuity plans. In conjunction with industry, the CSIA addresses the vulnerabilities of public sector and commercial telecommunications systems, as well as those of the financial and banking sector.

Privacy, data processing and data sharing

The public sector is responsible for the collection and provision of an enormous amount of data, which it deals with on a daily basis. Some of this information is of an extremely sensitive and personal nature and needs to be treated with the utmost respect and confidentiality. Patient health records, social service details, tax returns: all are held on information systems. Private sector organisations also handle personal data on behalf of citizens and must adhere to the legislation governing the protection of that information.

Information systems must protect the information they handle by making the correct information available when it is needed, and only to those people who are authorised to access it. The Data Protection Act (DPA) lays down the principles for the processing of personal data. Sharing of data is governed not only by the DPA but also by the Human Rights Act and the common law duty of confidentiality. The Ministry of Justice has published guidance on Data Sharing in the Public Sector and has also published A Public Service Guarantee on Data Handling. For more information go to the Ministry of Justice website [External website].

Government Secure Intranet

Central government depends on the Government Secure Intranet (GSI) for its telecommunications and e-mail services and for Internet access. The GSI has been running since 1997 and is constantly being improved to increase the range of services provided. It now includes scope for local government and other government agencies to join, creating a wider-reaching, more secure and joined-up government service.

It's not just a matter for the IT department

Responsibility for the security of a government department's information systems often rests with the IT department, which does not necessarily have the authority to enforce adequate processes. Public sector bodies have to acknowledge their dependence on information and communications systems and place overall responsibility for the risks they face at the appropriate level within the organisation. They must recognise that any lapse or weakness in security can have a direct impact on the reputation and value of the organisation as a whole.

The Cabinet Office requires central government departments to appoint a Senior Information Risk Owner, at board level, who takes responsibility for ensuring that the information security procedures within their department are managed appropriately. The CSIA will work with departments to develop a framework for assessing information assurance standards in departments, based on the security controls of ISO/IEC 27001 and the Manual of Protective Security, and, for procurement, through the Office of Government Commerce Gateway process.

Local government

More and more local government services are becoming available online. People go to their local authority website to do anything from paying their council tax to filling out forms for their children's school admission. Citizens have a right to expect that any information they give to local government is treated with due care and with respect for their privacy.

The Department for Communities and Local Government (DCLG) actively encourages local government to meet national information security standard requirements.

Protecting local government online services

Luton Borough Council receives more than 20,000 e-mails a day. It has collected over £1.25 million in e-Payments since April 2003, when the service first started. Add to this the fact that the number of attempted electronic attacks runs into the hundreds, and sometimes thousands, per day, and the council has a very good reason for ensuring that its IT systems are adequately protected.

Adherence to the disciplines of a security standard such as ISO/IEC 27001 means not only ensuring that the right information security products are active, but also constantly testing and retesting your ability to react and respond to electronic attacks. It also means ensuring that key staff are adequately trained to deal with incidents, and that a continuous campaign to inform users of basic housekeeping procedures (e.g. password policy) is maintained and reviewed.

But what about the cost of putting these IT security systems and procedures in place? Luton is confident that a modest investment up front can save a great deal of expense in putting things right after the event.

"If you add the cost of staff sitting around twiddling their thumbs while their computer system is down to the cash-flow implications if monetary transactions are halted, you will quickly realise that the losses you incur can far outweigh the cost of combating the attacks in the first place." CE Kadwill, ICT Manager and Acting Head of Service, Luton Information Management Services

Publications and documents