Select Committee on Education and Skills Third Special Report

Sub-Appendix A




The Department for Education and Skills (DfES) embarked on an overall review of the Individual Learning Account (ILA) programme and its operation.

Cap Gemini Ernst & Young were engaged by DfES as part of the overall review of the ILA programme to produce a report on the Security of the Individual Learning Account Programme.

The ILA Service was scheduled to be provided under a five-year contract by Capita Plc. The original contract specified the requirements for the service and detailed controls to be operated in running the service for DfES. Capita used a sub-contractor, Mastek Ltd, for software development and ongoing software support for this contract.

The ILA Service went live in September 2000, the interim system having been in operation since June 2000.

A Security Report was produced between January and May 2002. It was clearly not practicable to revisit every physical and technical component of the work done, nor to understand the detail of every discussion involving DfES, Capita and other third parties. The report was therefore based on judgements we reached drawing on information generally available or provided to us in documentary form by DfES, Capita and other third parties.

This document is a synopsis of the Security Report, listing the main findings and the lessons learned from them. The main report contains legally and commercially confidential material that cannot be placed in the public domain.


2.1  The findings listed here are summarised from the investigations carried out for the production of the main report. The elements that comprised the investigation included interviews with key personnel, investigation of log files, audit of documentation and assessment of the technical architecture.

The lessons learned associated with each of the main findings are the conclusions and recommendations from the Security Report and other investigations associated with the ILA system.

2.1.1  Contractual Issues

The contract between DfES and Capita Business Services Ltd is for the provision of the Individual Learning Account Service, not for the delivery of a system. High-level requirements for the service are detailed in schedule 2 of the contract. The contract made no clear mandates or stipulations regarding the assessment of the security requirement or the ongoing security management. As a result, no ILA-specific security policies or procedures were produced.

Lesson Learned:

Future iterations of the ILA System should have more specific contractual stipulations regarding the security provision, with ownership and responsibilities being clearly defined.

2.1.2  Security Definition

No requirement was specified with regard to the determination of the security requirement, nor were existing Government guidelines regarding Security Risk Analysis followed.

Lesson Learned:

Future iterations of the ILA System should have a formal Risk Analysis carried out to identify specific areas to be addressed by security mechanisms and procedures.

2.1.3  Security Management

The Security Management of the ILA System was incorporated into existing security management functions within Capita Business Services, rather than as a separate function within the ILA structure. With hindsight this could be considered to be unsuitable.

Lesson Learned:

Future iterations of the ILA System will, as part of the initial Risk analysis and Security Architecture design, be assessed regarding the security management requirement and the relevant hierarchy established.

2.1.4  Trend and Pattern Analysis

No structured mechanisms and procedures were established to identify promptly trends and patterns of access and usage of the system that might have indicated possible instances of misuse.

Lesson Learned:

Suitable mechanisms and procedures for identifying promptly suspect trends and patterns of usage should be incorporated into future iterations of the ILA System.
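As an added example of what such a mechanism might look like (not code from the report, Capita, Mastek or the ILA system), the following Python script runs three rules over a constructed access log: a burst of claims against one learning provider, one source address touching many distinct accounts within an hour, and a provider's daily claim volume jumping well above its own earlier baseline. The log format, field names, sample events and thresholds are all assumptions made for the example.

```python
"""Added example (not from the ILA report, Capita or Mastek): trend and
pattern analysis over a hypothetical account-access log, one event per line:
    <ISO timestamp>,<event>,<account_id>,<provider_id>,<source_ip>
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. Provider P002 and source 203.0.113.9 carry the
# planted anomaly on 3 October; the rest is ordinary background activity.
SAMPLE_LOG = """\
2001-10-01T09:00:00,login,A1001,P001,198.51.100.10
2001-10-01T09:05:00,claim,A1001,P001,198.51.100.10
2001-10-01T10:00:00,login,A1002,P003,198.51.100.11
2001-10-01T10:02:00,claim,A1002,P003,198.51.100.11
2001-10-01T12:00:00,claim,A1501,P002,198.51.100.20
2001-10-02T11:00:00,login,A1003,P001,198.51.100.12
2001-10-02T11:03:00,claim,A1003,P001,198.51.100.12
2001-10-02T12:30:00,claim,A1502,P002,198.51.100.21
2001-10-02T13:00:00,claim,A1004,P003,198.51.100.13
2001-10-03T09:30:00,claim,A1005,P001,198.51.100.14
2001-10-03T14:00:00,claim,A2001,P002,203.0.113.9
2001-10-03T14:00:30,claim,A2002,P002,203.0.113.9
2001-10-03T14:01:00,claim,A2003,P002,203.0.113.9
2001-10-03T14:01:30,claim,A2004,P002,203.0.113.9
2001-10-03T14:02:00,claim,A2005,P002,203.0.113.9
2001-10-03T14:02:30,claim,A2006,P002,203.0.113.9
"""


def parse_log(text):
    """Parse the constructed CSV lines into dicts, oldest first."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, event, account, provider, ip = line.strip().split(",")
            events.append({"ts": datetime.fromisoformat(ts), "event": event,
                           "account": account, "provider": provider, "ip": ip})
    return sorted(events, key=lambda e: e["ts"])


def window_alerts(events, key, window, threshold, distinct=None):
    """Pattern rule: per value of `key`, flag the first sliding window of
    length `window` holding at least `threshold` events (or, if `distinct`
    is given, that many distinct values of that field)."""
    grouped = defaultdict(list)
    for e in events:
        grouped[e[key]].append(e)
    alerts = []
    for value, evs in grouped.items():
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            span = evs[start:end + 1]
            n = len({e[distinct] for e in span}) if distinct else len(span)
            if n >= threshold:
                alerts.append({"rule": key + "_window", key: value,
                               "count": n, "from": evs[start]["ts"]})
                break  # one alert per value is enough here
    return alerts


def trend_alerts(events, factor=3.0, minimum=3):
    """Trend rule: flag a provider whose claims on one day exceed `factor`
    times its mean daily claims over all earlier days (and `minimum`)."""
    per_day = defaultdict(lambda: defaultdict(int))
    for e in events:
        if e["event"] == "claim":
            per_day[e["provider"]][e["ts"].date()] += 1
    alerts = []
    for provider, days in per_day.items():
        history = []
        for day in sorted(days):
            count = days[day]
            if history:
                baseline = sum(history) / len(history)
                if count >= minimum and count > factor * baseline:
                    alerts.append({"rule": "provider_trend", "provider": provider,
                                   "day": day, "count": count, "baseline": baseline})
            history.append(count)
    return alerts


def analyse(text):
    """Run all three rules. Thresholds are illustrative, not tuned."""
    events = parse_log(text)
    claims = [e for e in events if e["event"] == "claim"]
    return {
        "provider_burst": window_alerts(claims, "provider", timedelta(minutes=10), 5),
        "source_fan_out": window_alerts(events, "ip", timedelta(hours=1), 4,
                                        distinct="account"),
        "provider_trend": trend_alerts(events),
    }


if __name__ == "__main__":
    for rule, hits in analyse(SAMPLE_LOG).items():
        print(rule, hits)
```

The first two rules catch fast abuse and are cheap enough to run as events arrive; the third needs a history of ordinary days before it is meaningful, which is why such analysis has to be designed in from the start rather than bolted on after an incident. In practice the thresholds would be set from the real system's observed volumes and reviewed as usage grows.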

2.1.5  Compliance Monitoring

No procedures were established to ensure that the requirements of the Security Policy were being adhered to.

Lesson Learned:

Future iterations of the ILA System should include compliance monitoring procedures.

2.1.6  Security Testing

No procedures or plans were established for ongoing testing of the system to ensure that the security provision was adequate.

Lesson Learned:

Future iterations of the ILA System should include ongoing and periodic testing of the security to ensure its suitability.

2.1.7  Security Archiving

No procedures were established for the archiving of relevant log files for retrospective analysis.

Lesson Learned:

Future iterations of the ILA System should include a provision for the archiving of relevant log file information.
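As an added example of an archiving provision of this kind (not code from the report, Capita, Mastek or the ILA system), the following Python routine compresses a log into an archive directory and records each file's SHA-256 in a hash-chained manifest, so that a later investigator can both retrieve the file and show that it has not been altered, and that no earlier entry has been silently dropped, since it was archived. The directory layout, manifest format, file names and sample log lines are assumptions made for the example.

```python
"""Added example (not from the ILA report, Capita or Mastek): a minimal,
tamper-evident archive of log files kept for retrospective analysis.
Constructed layout: <archive_dir>/<log>.<UTC stamp>.gz holds each compressed
copy; <archive_dir>/MANIFEST has one line per copy, "<sha256 of .gz> <sha256
of previous manifest line> <file name>", so editing or dropping an earlier
entry breaks verification of everything after it.
"""
import gzip
import hashlib
import os
import shutil
import tempfile
from datetime import datetime, timezone

MANIFEST = "MANIFEST"
GENESIS = "0" * 64  # chain value recorded by the first manifest entry


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest_lines(archive_dir):
    path = os.path.join(archive_dir, MANIFEST)
    if not os.path.exists(path):
        return []
    with open(path, encoding="utf-8") as f:
        return [ln.rstrip("\n") for ln in f if ln.strip()]


def archive_log(log_path, archive_dir, stamp=None):
    """Compress `log_path` into `archive_dir` and append it to the manifest.
    The live log is left untouched; rotation is the caller's job."""
    os.makedirs(archive_dir, exist_ok=True)
    stamp = stamp or datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    name = f"{os.path.basename(log_path)}.{stamp}.gz"
    dest = os.path.join(archive_dir, name)
    with open(log_path, "rb") as src, gzip.open(dest, "wb") as dst:
        shutil.copyfileobj(src, dst)
    lines = manifest_lines(archive_dir)
    prev = hashlib.sha256(lines[-1].encode()).hexdigest() if lines else GENESIS
    with open(os.path.join(archive_dir, MANIFEST), "a", encoding="utf-8") as f:
        f.write(f"{sha256_file(dest)} {prev} {name}\n")
    return name


def verify_archive(archive_dir):
    """Return a list of problems; an empty list means the archive is intact."""
    problems, prev = [], GENESIS
    for i, line in enumerate(manifest_lines(archive_dir)):
        digest, chained, name = line.split(" ", 2)
        if chained != prev:
            problems.append(f"entry {i}: manifest chain broken at {name}")
        path = os.path.join(archive_dir, name)
        if not os.path.exists(path):
            problems.append(f"entry {i}: {name} missing")
        elif sha256_file(path) != digest:
            problems.append(f"entry {i}: {name} content changed")
        prev = hashlib.sha256(line.encode()).hexdigest()
    return problems


def read_archived(archive_dir, name):
    """Retrieve an archived log's text for later analysis."""
    with gzip.open(os.path.join(archive_dir, name), "rt", encoding="utf-8") as f:
        return f.read()


def demo():
    """Archive two days of a constructed log in a temp dir, verify, then show
    that forging a stored file and truncating the manifest are both caught."""
    with tempfile.TemporaryDirectory() as tmp:
        log, archive = os.path.join(tmp, "access.log"), os.path.join(tmp, "archive")
        with open(log, "w") as f:
            f.write("2001-10-01T09:00:00,login,A1001,P001,198.51.100.10\n")
        first = archive_log(log, archive, stamp="20011001T235959Z")
        with open(log, "w") as f:
            f.write("2001-10-02T11:00:00,login,A1003,P001,198.51.100.12\n")
        archive_log(log, archive, stamp="20011002T235959Z")
        intact, restored = verify_archive(archive), read_archived(archive, first)
        with gzip.open(os.path.join(archive, first), "wt") as f:  # forge file
            f.write("forged\n")
        tampered = verify_archive(archive)
        keep = manifest_lines(archive)[1]  # read before truncating the file
        with open(os.path.join(archive, MANIFEST), "w") as f:  # drop entry 0
            f.write(keep + "\n")
        truncated = verify_archive(archive)
    return {"intact": intact, "restored": restored,
            "tampered": tampered, "truncated": truncated}


if __name__ == "__main__":
    print(demo())
```

The chain only proves that the manifest and files agree with each other; whoever can rewrite the manifest can rebuild the whole chain. The manifest's latest line hash should therefore also be copied, at each archiving run, to a location the operators of the live system cannot overwrite, and the retention period should be fixed in advance so that an investigation is not left, as here, asking for log files that no longer exist.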


Cap Gemini Ernst & Young would like to thank the Capita and Mastek staff for their time and effort in attending meetings and providing information to the authors of this report.

The Security Investigation was hampered by very tight timescales and the unavailability of some information. This included some firewall log files, as well as the testing and security analysis methodologies and results used by Capita, which would have enabled more definitive results to be achieved.

Bearing the above in mind, no specific evidence of unauthorised access to the ILA system by external third parties was found during the course of the security investigation. Rather, the findings of the investigation highlighted areas where security should be looked at in more detail, with the specific issues set out in section 2 of this synopsis being the most critical.

Those security issues identified in the Security Report must all be addressed in future iterations of the ILA System. A structured approach to the identification, definition, implementation and ongoing management of security should be used. A high-level schematic of this approach is shown overleaf.


© Parliamentary copyright 2002
Prepared 26 June 2002