These are times of unprecedented change for the public sector. Whilst the dust settles following the recent comprehensive spending review, which hit police and council budgets, the analysis continues on how the measures outlined will affect the way IT departments, and IT projects, are run. Its effects are certain to be felt beyond the public sector too, with suppliers and service providers also feeling the force as CIOs look for strategies to drive efficiencies and cut expenditure on areas such as maintenance.
Against this backdrop, compliance regulations have created additional challenges for IT departments already tasked with ‘doing more with less’. There is, however, one area where the rules have now been relaxed, following pressure from local authorities concerned about the strain on their budgets.
It was announced earlier this year that SOCITM and the Local Government Association have reached an agreement with the Government to ease some of the requirements around connection to the GCSx, the Government Connect Secure Extranet. Until now, any local authority wishing to connect to the extranet has been required to comply with the Government Code of Connection (CoCo) security policy framework. However, many councils have long struggled to find the budget to meet these requirements.
Relaxed Rules – Heightened Risks?
Budget cuts and constraints have slowed investment in GCSx, but the security concerns that gave rise to its introduction have not gone away. The security requirements in CoCo 4.1 address issues such as data loss, the prevention of security threats, and ensuring that only people with the right authorisation levels are permitted onto government secure networks.
The announcement from SOCITM means that local authorities will no longer be required to make certain investments in order to achieve compliance. For example, those in local government will not have to use technology to enforce the marking of confidential emails; instead, they will be allowed to apply the marking denoting the sensitivity of the content manually. A manual process is clearly weaker, because it depends on every sender remembering to classify every message correctly, and human error is inevitable.
What are the implications of such measures, particularly at a time when malicious threats are on the rise and instances of accidental data loss continue to hit the headlines? Whilst it is inevitable that cuts will need to be made, will relaxing some of the requirements of the security standard increase the risk of security breaches, whether through accidental loss or malicious theft of data?
By lowering the requirements for GCSx without giving councils access to funds to become compliant, there could be long-term repercussions for the security of government networks. The issue here is that a short-term cost saving could prove to be a false economy in the long term, should a data breach occur.
Take the issue of email labelling, for instance. The consequences of not fully implementing a data classification scheme can be severe, and as the volume of unstructured data that organisations have to manage multiplies, it will become more important to have effective policies and tools that ensure labelling and classification are applied consistently, rather than relying on processes that are prone to human error.
The security issues that led to the revisions in version 4.1 have not gone away and, if anything, there could now be a heightened need for additional security measures. Disgruntled employees, or those with an axe to grind with their current employer, have the potential to do significant harm. In fact, issues such as lost laptops, misplaced CDs, the inadvertent sending of confidential emails, and the new risks emerging in cybercrime are more, not less, relevant in times of austerity.
The relaxing of these rules sends a mixed message to the public sector, because the financial and reputational consequences of the loss or leakage of sensitive data can be devastating. Whilst there is no simple solution for departments faced with swingeing cuts, surely, in these difficult times, it is more important than ever to maintain the standards, policies and procedures that protect sensitive, confidential data?