Sunday 31 January 2010

Secret Government Security Standards Heard of CoCo & IL3?

In the UK, much of the sensitive and personal digital information entrusted to UK government departments and their commercial partners is supposedly protected by sets of unpublished information security standards. These non-publicly accessible standards, such as the Government Code of Connection (CoCo) and the required security controls around the various “Impact Level” classifications (IL2, IL3 etc.), have only been made available to a select few bodies, some of which decide whether organisations comply with these standards or not, all out of the public eye.
Why the Secrecy?
Why aren’t these important security standards concerning the protection of UK sensitive citizen information made public? What exactly are the specific requirements against which UK government departments and their commercial partners are seemingly vetted? Are these requirements up to date and strong enough to ensure the breach risk to our information is adequately low? Why can’t the public find out which organisations are currently complying with these standards, and which organisations that handle our information are not complying with these imperative security standards?

I certainly don’t have the answers to these questions; I’m afraid this is a rare blog posting of questions rather than my usual solutions and ideas. But I do believe these security standards and their specific requirements must be opened up to the public. Not only that, but the process of their creation and their review process (to ensure they are kept up to date in the fast-paced infosec-threat world), as well as the process for enforcing these standards, must be completely transparent. As a result of their currently shadowy nature, I think the public will only conclude that these standards’ requirements are a sham, that they aren’t strong enough and are out of date, or that they are not being properly followed across the board.

Anyone should be able to Google the names of these security standards, find the standards’ specific requirements in black and white, understand how organisations are independently assessed in meeting those requirements, and then find out which organisations are currently compliant with them.

Other commercially based security standards, such as the Payment Card Industry Data Security Standard (PCI DSS), are published, and as a result have become stronger standards for it. The PCI DSS assessment process for companies handling payment cards is controversial to some, but it is clear to see, and the largest PCI-compliant companies are publicly listed as being compliant with the standard.

The only way to ensure any security standard and its specific requirements are fit for purpose is for it to be publicly scrutinised. I would have thought it is an overall principle of government to be open and transparent with its citizens. Another side of public scrutiny is that it places pressure on organisations to actually meet standard compliance. In an information security "minimum spend required" world, there must be motivation for organisations to make the investment in meeting security standards, and there is no greater motivator than public and media criticism.