Sunday 31 January 2010

Secret Government Security Standards Heard of CoCo & IL3?

In the UK, much of the sensitive digital and personal information entrusted to UK government departments and their commercial partners is supposedly protected by sets of unpublished information security standards. These non-publicly accessible standards, such as the Government Code of Connection (CoCo) and the required security controls around the various “Impact Level” classifications (IL2, IL3 etc.), have only been made available to a select few bodies, some of which decide whether organisations comply with these standards or not, all out of the public eye.
Why the Secrecy?
Why aren’t these important security standards concerning the protection of UK citizens’ sensitive information made public? What exactly are the specific requirements against which UK government departments and their commercial partners are seemingly vetted? Are these requirements up to date and strong enough to ensure the breach risk to our information is adequately low? Why can’t the public find out which organisations are currently complying with these standards, and which organisations that handle our information are not complying with these imperative security standards?

I certainly don’t have the answers to these questions; I’m afraid this is a rare blog posting of questions rather than my usual solutions and ideas. But I do believe these security standards and their specific requirements must be opened up to the public. Not only that, but the process of their creation and their review process, which is what keeps them up to date in the fast-paced infosec threat world, must be open too, and the enforcement process for these standards must be completely transparent. As a result of their currently shadowy nature, I think the public can only conclude that these standards’ requirements are a sham, that they aren’t strong enough or are out of date, or that they are not being properly followed across the board.

Anyone should be able to Google the names of these security standards, find the standards’ specific requirements in black and white, understand how organisations are independently assessed in meeting the standards’ requirements, and then find out which organisations are currently compliant with them.

Other commercially based security standards, such as the Payment Card Industry Data Security Standard (PCI DSS), are published, and have become stronger standards as a result. The PCI DSS assessment process for companies handling payment cards is controversial to some, but it is clear to see, and the largest PCI-compliant companies are publicly listed as being compliant with the standard.

The only way to ensure any security standard and its specific requirements are fit for purpose is for it to be publicly scrutinised. I would have thought it is an overall principle for government to be open and transparent to its citizens. Another benefit of public scrutiny is that it places pressure on organisations to actually meet the standard’s compliance requirements. In an information security “minimum spend required” world, there must be motivation for organisations to make the investment in meeting security standards, and there is no greater motivator than public and media criticism.

12 comments:

Mr Think said...

I have considered this previously and have reached my own conclusions. Rather than preventing access to the standards for any shadowy purposes or preventing scrutiny, perhaps the release of the HMG standards is controlled so that the interpretation and availability of advice is also controlled.
It is interesting that you compare the standards to the PCI DSS. Control of the HMG standards has perhaps stifled the surge and buzzword excitement which seemingly plagues PCI DSS. The advent of the PCI DSS saw an influx of vendors promoting their tools as PCI DSS compliant or listing a magnificent number of requirements that their solution will address for an organisation. Without exploring the merits of the current QSA training and examinations, there are also a number of “PCI DSS” consultants (not referring to QSAs in this instance) in the market that have very little real experience of working with payment systems.

Anonymous said...

Mr. Think,
Well said... very informative.

technotera,
Really? Is this your marketing plan?

Richard Johnson said...

Have you considered submitting a request for this information under the Freedom of Information Act?

I've worked in an organisation that had to adhere to CoCo. From what I've seen of the various documents involved I don't think there is anything that would be exempt under the FOI Act.

Quite often, government bodies keep things secret by default even when such secrecy is not necessary. The FOI Act was intended to break that down.

Surreptitious Evil said...

Personally, I'd start here and here.

"Anyone should be able Google the names of these security standards, find the standard specific requirements in black and white, understand how organisations are independently assessed in meeting the standard requirements"

Why? HMG InfoSec Standards are not "Other commercial based security standards" - there is quite a lot published in the open bits of SPF. You can't even get open access to ISO27001 - you have to pay for it.

Why should 'anybody' (so also 'everybody') be able to get access, especially via Google, to the detailed security standards that protect highly sensitive government information - not just your personal data but material whose compromise could cause significant injury or death? By the way - I had to use Google to find the link to the CESG document.

"and then find out which organisations are currently compliant with them."

That's a much more reasonable demand - the US GAO do publish ratings of their departmental security compliance - not in the detail that you seem to want but on the good / bad / ugly and getting better / getting worse axes. I'd try an FOI request to the Cabinet Office if I was that interested ...

Mr Think said...

I believe that the footer of the HMG documents contain the statement "This information is exempt from disclosure under the Freedom of Information Act 2000 and may be subject to exemption under other UK information legislation."

Surreptitious Evil said...

@Mr Think,

Indeed. Under s23(3)(c) of the Act. But this shouldn't necessarily stop Dave (or anybody else) asking the Cabinet Office for details of compliance (or lack of), which should be being reported under SPF MRs 6(b) and 7, the CO not being an exempt body under s23.

They could, of course, claim a s24 or s33(1)(b) exemption (there are others - s26 for MOD information, for example). Won't know until someone tries.

Callum Wilson said...

If you wish to look at the structure of UK Gov security system inspection and see these documents then you should apply to be a CLAS consultant. But don't get too excited about them.

The CLAS consultancy I was working for at the time structured it like a box ticking audit exercise rather than anything approaching the sort of compliance level you would expect.

Brian said...

Thanks for sharing this information. Great post.


Anonymous said...

It's no big secret really. Have a look at:

http://www.toshiba.co.uk/informationassurance/Impact-Levels.html

As always the truth is much more boring than the conspiracy

best essays said...

Thanks a lot! This post is great.

Anonymous said...

Excellent blog you have here but I was curious about if you knew of any user discussion forums that cover the same topics talked about here?
I'd really love to be a part of online community where I
can get feedback from other knowledgeable individuals that share the same interest.

If you have any suggestions, please let me know. Cheers!


Unknown said...

Thanks for this post