I’m writing a series of articles to illustrate how security lessons learnt within a big organization – in this case the British civil service – can be adapted to just about any organization, anywhere, big or small. In this article, I’ll try to draw out some of the most useful lessons I learnt from two decades as an information security officer in the British civil service.
If you’ve read my previous articles, you’ll know I have tried to clear away any myths about government information security. The biggest collections of data requiring protection by governments are about individuals, and in this they are no different from any private sector or public health organization. ‘Out of the box’ technology and a growth in citizen empowerment have been great levelers to the ways that private sector and government manage their information. Yes, governments sometimes have a lot more at stake when it comes to taking risks with the data they hold – ultimately through the ballot box choices of the electors who are also their customers. They also have some big secrets they would never risk exposing, because to do so would cause harm to people and damage international relations. But they have many touch points with the majority of organizations who do not have these constraints.
So how can we learn to save costs from the way a government manages its data security?
Categorize Data Assets
My experience in government is that learning how to manage risks does not come naturally. I wrote more about this in my article Risk Tolerance: Good to have – Hard to do. Basically there are many levels of command which decisions about risk have to pass through. This acts as a brake upon more adventurous proposals.
In one area though, a form of risk management is more commonly applied than I believe is the case for most private sector organizations. This is data classification, by which I mean that originators of data decide what level of security it should have and label it accordingly. The British civil service uses a classification system that roughly equates to the US government version. There are four levels of classification, though in recent years the need to correspond with citizens electronically has created some sub-categories to cover less sensitive – mostly personal to the owner – information.
The original classification system is very old – it was really just a way of ensuring that very sensitive information, usually in paper form, could be managed on a ‘need to know’ basis. It did however help ensure that the most sensitive material was locked in the strongest cupboards. Clearly this was not a pattern for managing data security and the British government wrestled for years to produce a more modern system. It finally plans to simplify the original system by reducing the number of classification levels from four to three in 2013.
For all its defects and rooting in civil service tradition at its most unflinching, the classification system was a well-established taxonomy for assessing risk and ensuring assets were managed securely. It’s not foolproof – many assets were over-classified (because of their authors ‘playing safe’). However, a breakdown of the sensitivity of data assets can help system designers to ensure information systems have security features that are proportionate to the risks. For this reason alone, a classification system should not be exclusive to government. The Information Security Standard ISO 27001, which is used internationally by a wide variety of public and private organizations, actually includes information classification as part of the Control objectives for information asset management.
So the classification system is underpinned by more up-to-date systems of risk management and, because of its near ‘traditional’ status, is well recognized by most civil servants. The advantage for a smaller, non-government organization creating a similar labeling system is that it can start from scratch. And it won’t need to manage too many different labels – which, as the British government now recognizes, was a problem. I would suggest that however you decide to classify your data assets, you should not use more than three labels to do it. For a medium-sized organization, some appropriate classifications might be UNCLASSIFIED, PERSONAL-CUSTOMER and CONFIDENTIAL. However, if you do work with US government assets, you’ll need to sign up to their system (which has already been reduced to three levels).
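To show what a three-label scheme looks like when it is actually used by system designers, here is an added example (mine, not code from the article) that takes the three labels suggested above, maps each to a minimum set of controls, and reports which systems are not proportionate to the most sensitive asset they hold. The control names, the asset inventory and the system records are constructed for illustration; a real scheme would tie the control set to the organization’s ISO 27001 control objectives.

```python
"""Three-label data classification with proportionate controls.

Added example, not from the original article. The labels follow the
article's suggestion; control names and sample records are constructed.
"""
from dataclasses import dataclass, field
from enum import IntEnum


class Label(IntEnum):
    # Ordered so that a larger value means a more sensitive asset.
    UNCLASSIFIED = 0
    PERSONAL_CUSTOMER = 1
    CONFIDENTIAL = 2


# Minimum controls a system must provide to hold data at each label.
# Hypothetical control set chosen for illustration.
REQUIRED_CONTROLS = {
    Label.UNCLASSIFIED: set(),
    Label.PERSONAL_CUSTOMER: {"access_control", "encryption_at_rest", "audit_log"},
    Label.CONFIDENTIAL: {"access_control", "encryption_at_rest", "audit_log",
                         "encryption_in_transit", "need_to_know_groups"},
}


@dataclass
class Asset:
    name: str
    label: Label
    system: str          # name of the system that holds the asset


@dataclass
class System:
    name: str
    controls: set = field(default_factory=set)


def parse_label(text: str) -> Label:
    """Accept labels as written on documents ('PERSONAL-CUSTOMER') and reject
    anything outside the three-label scheme, so extra labels cannot creep in."""
    key = text.strip().upper().replace("-", "_")
    try:
        return Label[key]
    except KeyError:
        raise ValueError(f"unknown classification label: {text!r}") from None


def highest_label(assets, system_name: str) -> Label:
    """The most sensitive label held on a system decides its required controls."""
    labels = [a.label for a in assets if a.system == system_name]
    return max(labels) if labels else Label.UNCLASSIFIED


def control_gaps(assets, systems) -> dict:
    """Return {system_name: [missing controls]} for every system whose
    controls fall short of what its most sensitive asset requires."""
    gaps = {}
    for system in systems:
        needed = REQUIRED_CONTROLS[highest_label(assets, system.name)]
        missing = needed - system.controls
        if missing:
            gaps[system.name] = sorted(missing)
    return gaps


def label_counts(assets) -> dict:
    """Distribution of labels; a register where nearly everything is
    CONFIDENTIAL is a cheap signal that authors are 'playing safe'."""
    counts = {label.name: 0 for label in Label}
    for a in assets:
        counts[a.label.name] += 1
    return counts


# Constructed sample inventory (not real data).
ASSETS = [
    Asset("public web pages", parse_label("UNCLASSIFIED"), "cms"),
    Asset("press releases", parse_label("UNCLASSIFIED"), "cms"),
    Asset("customer contact records", parse_label("PERSONAL-CUSTOMER"), "crm"),
    Asset("supplier contract terms", parse_label("CONFIDENTIAL"), "crm"),
]
SYSTEMS = [
    System("cms", {"access_control"}),
    System("crm", {"access_control", "encryption_at_rest", "audit_log"}),
]

if __name__ == "__main__":
    # The CRM holds a CONFIDENTIAL asset but lacks two of its required controls.
    print(control_gaps(ASSETS, SYSTEMS))
    print(label_counts(ASSETS))
```

Running the module prints the CRM’s two missing controls and the label distribution; the content-management system passes because UNCLASSIFIED data requires nothing beyond what it already has.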
Notwithstanding what I write here about its difficulties with change, I believe much progress with managing risks has been made by the British civil service. If it were as risk averse as when I started working for it, it would never have used the Internet!
Legislation – Security’s Anchor
The original classification system was conceived at a time when government information was protected just because it was held by government. The portability of information via electronic means coincided (and sometimes influenced) new laws and regulations that gave citizens greater access to the records held on them and also made government and other organizations accountable for the proper control of citizen information. In Great Britain, these laws included the Freedom of Information Act and the Data Protection Act. So along with every other organization the government now had to make sure its security systems supported laws tilted more in favor of the citizen. For the first time there were legal consequences for failing to do this. The government can (and has been) taken to court because its data security failed.
This sort of legislation (including HIPAA and GLBA in the USA) has revalidated the need to protect information. Previously, there were few laws that supported security, and those which did exist were arcane and seldom used. In Great Britain, the Official Secrets Act – aimed specifically at spies from Imperial Germany on the eve of the First World War – was for years the only legal redress for any loss or theft of government information. Security was not really based on anything beyond a natural expectation that government would hold its assets in good faith. Clearly this model is unsustainable given the fluidity of data and a much less deferential – and more litigious – public. Again the ISO 27001 Standard underpins this by ensuring that security management is shaped around compliance with legal requirements.
Use Those Free Resources
In security terms, the advantage of starting off with a blank canvas is that your organization can concentrate pretty much exclusively on ensuring its security management is based around legal requirements, not just a vague desire for good governance. Why is this an advantage? Quite simply, government has a big stake in ensuring its laws work, so it puts effort into creating resources to ensure this can happen. These are usually open source. There is plenty of information available to organizations that want to comply with the law, including boilerplate guidelines and other resources. Also, there are plenty of established organizations that are trying to achieve the same thing, and establishing a good information exchange with them is a good first move towards any new security system. It provides reassurance that others have been there before you and is often a generous – and free – source of practical solutions to your InfoSec problems.
Overcaution – A Cautionary
This sort of crowdsourcing is good, but security deals with imponderables and what-ifs, and decision making about threats in particular needs a skeptical and hard-nosed approach. Government security officers are only now coming to terms with the expense of some of their solutions to threats. It was not always so, and I have spent many hours listening (and sometimes contributing) to a long list of risks – a risk register is the necessary starting point for working out how ready your organization is to respond to them. But there is also a risk of too many expert voices needing to be heard and seeking to influence security outcomes, and of creating a ‘fear register’ rather than a ‘risk register’. As I have said in this space, governments are averse to risk for a variety of reasons, and there is a tendency for their approaches to risk management to be flavored by threats to the relatively small amount of their most sensitive assets, not the much larger volumes of more common ones. The result is that security can get bogged down as in-house (and sometimes contractor) security risk evaluators shoot too high and possibly end up putting unnecessary shackles upon the less sensitive data which makes up the majority of the assets. As an example of this, I remember some years ago that the emerging vulnerabilities of active content and mobile code caused one security officer to stamp on the brakes of the organization’s effort to roll out workstation access to the Internet. The technology had not really been around for long enough for the risks to be evaluated, but the knee-jerk caution from security caused an equal and opposite reaction from those tasked with developing a solution. The result was a rather uncomfortable stand-off, during which the security office was held up as the reason for project delays, rather than part of the solution to them. This perception took years to clean out, and security became known as a log-jammer.
This created a new risk: that project managers in a hurry might be tempted to steer around security altogether.
Winning Small Victories
But one area in which the British civil service excelled was compromise (though some might argue that any anxiety to patch up differences for the sake of forward momentum leads to future problems). I have no doubt that the fine art of compromise in security matters is absolutely essential. It is very much part of the security “trade-off” cited by Bruce Schneier. It is however important that security officers make it very clear who has responsibility for residual risks. As I have said in my article A Security Officer’s Playbook, organizations expect someone with the word ‘security’ in their title to hold full responsibility for anything that happens in that area, including full responsibility for anything that goes wrong. But there are other areas where a security officer has to be ready to compromise their professional instincts. On several occasions, I had to trim the scope of a security management ideal to fit the realities of a crowded and competing schedule that is the public service’s lot. In this world, it was necessary to achieve small victories in order to aim for success in larger ones at a later time. For example, if it is necessary to make a choice between bringing a system up to date and improving security for the whole organization, I would probably opt for the system, and develop plans to introduce wider improvements over a fixed period of time that could be measured – and audited. Sometimes this can lead to the need for quite painful choices about security priorities. But if you have an authoritative risk assessment and can use your social skills to ensure any risks of taking a prioritized approach are understood by senior stakeholders, then a carefully planned and phased program of installation can ensure you are not overwhelmed by having to fight bushfires.
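Two of the points above – that a register should hold risks rather than fears, and that every residual risk needs a clearly named owner – can be enforced mechanically. The following is an added example of mine, not code from the article: a small risk register where an entry without a likelihood estimate is flagged as a fear, an entry with no named owner for its residual risk is flagged as unaccepted, and the remaining entries are ordered for a phased programme by inherent score. The 1–5 scoring scale and the sample entries are constructed for illustration.

```python
"""Risk register that rejects fears and unowned residual risks.

Added example, not from the original article. Scoring scale and sample
entries are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Risk:
    description: str
    impact: int                            # 1 negligible .. 5 severe
    likelihood: Optional[int] = None       # 1 rare .. 5 almost certain; None = never estimated
    mitigation: str = ""
    residual_likelihood: Optional[int] = None
    residual_impact: Optional[int] = None
    residual_owner: Optional[str] = None   # who accepts what is left after mitigation

    def inherent_score(self) -> Optional[int]:
        if self.likelihood is None:
            return None                    # cannot score a fear
        return self.likelihood * self.impact

    def residual_score(self) -> Optional[int]:
        # With no mitigation, the residual risk is simply the inherent risk.
        if self.residual_likelihood is None or self.residual_impact is None:
            return self.inherent_score()
        return self.residual_likelihood * self.residual_impact


def register_problems(register) -> dict:
    """Map description -> reasons the entry is not yet a usable risk."""
    problems = {}
    for r in register:
        reasons = []
        if r.likelihood is None:
            reasons.append("no likelihood estimate: this is a fear, not a risk")
        if r.residual_owner is None:
            reasons.append("no named owner for the residual risk")
        if r.mitigation and r.residual_likelihood is None:
            reasons.append("mitigation listed but residual likelihood not re-assessed")
        if reasons:
            problems[r.description] = reasons
    return problems


def prioritised(register) -> list:
    """Scoreable entries as (description, inherent, residual), highest inherent first.
    Entries with no likelihood are left out: they cannot be ranked."""
    scored = [(r.description, r.inherent_score(), r.residual_score())
              for r in register if r.inherent_score() is not None]
    return sorted(scored, key=lambda entry: entry[1], reverse=True)


# Constructed sample register (not from any real organization).
SAMPLE_REGISTER = [
    Risk("Laptop with customer records lost in transit", impact=4, likelihood=4,
         mitigation="full-disk encryption on all laptops",
         residual_likelihood=4, residual_impact=1, residual_owner="Head of Operations"),
    Risk("Nation-state attack on public website", impact=5),           # a fear: no likelihood
    Risk("Phishing of staff mailboxes", impact=3, likelihood=5,
         mitigation="MFA and awareness training",
         residual_likelihood=3, residual_impact=2),                     # nobody owns the residual
    Risk("Web CMS defaced", impact=2, likelihood=2, residual_owner="Web team lead"),
]

if __name__ == "__main__":
    for desc, reasons in register_problems(SAMPLE_REGISTER).items():
        print(f"NOT READY: {desc}: {'; '.join(reasons)}")
    for desc, inherent, residual in prioritised(SAMPLE_REGISTER):
        print(f"{inherent:>2} -> {residual:>2}  {desc}")
```

The ranking deliberately uses the inherent score, so that a well-mitigated but serious risk stays visible to senior stakeholders alongside the residual they are being asked to accept.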
Security Is NOT an Island
Finally, there is one approach that a well-established security organization within government would find difficult to accept. That is, the integration of security within overall business issues. This is actually more attractive to smaller organizations, which lack the scale (and probably the funds) to separate security issues from their business. In fact the mantra of government security was always that it “enabled business”. Nevertheless, standing separately from it, even as a means of maintaining a core expertise, is not the ideal. In particular, I sometimes felt that the separate maintenance of registers of ‘security risks’ and ‘business risks’ created problems of structure and of understanding (once again supporting the perception among senior staff that security is a ‘dark art’ that could be left to the experts). If security were a natural part of the business, we security officers would have achieved our goals. We should be as natural a part of the business landscape as HR.
Argue with me if you believe that would take our jobs away, or diminish our profession!