7 Security and privacy|
91. We heard during our inquiry that government's
special security requirements increase commercial and technical
complexity, thereby increasing cost and reducing competition.
The Government argued that its status meant that it was more likely
to be the subject of hostile attack than private sector organisations.
92. IBM highlighted security as one area where "gold-plating"
of specifications often takes place:
The security arena is often an area where excessive
constraints may distance the programme from the original operational
93. Similarly one SME argued that government needs
to be more realistic about its security needs and "not
ask for American Defence Department standards for systems that
no one is going to want to hack."
Another described it as being equivalent to using "a
sledgehammer to crack a nut."
Bracknell Forest Council said that the current arrangements were
"too draconian and seen as a hindrance by most outside
of the security industry."
We were also told that "overly prescriptive security conditions
limit adoption of newer technologies and limit data exchange."
Soctim concurred with this view. 
94. Logica argued that:
Security issues also pose a challenge to the
co-ordination of technology policy. Different government departments
can interpret security policies in a way that can mean that solutions
agreed by one department are not accepted by another.
95. However, we also heard some encouraging evidence
from SMEs who had spoken with CESG
and believed they were in the process of adopting a more
pragmatic approach. The BCS were also less critical of the current
arrangements saying that the "Government's approach to
information security and information assurance has improved significantly
over the last decade and policy is more pragmatic and generally
understood by users". However, they also raised concerns
about the lack of a holistic approach to data security. 
96. A number of organisations expressed concerns
about the Government's record in guarding the personal information
it holds, with particular reference to incidents where disks or
laptops had been lost.
The Information Commissioner emphasised the importance of Privacy
Impact Assessments (PIAs), which assess the data protection implications
of new projects, stating that these needed to be "more
than mere paper exercises."
The BCS recommended that Government should have "
and deeper adoption of the 'Privacy by Design' principles espoused
by the Information Commissioner's Office".
97. The over-classification of data was another problem
highlighted. Protectively marking information when not required
has enormous cost implications and prevents Government taking
advantage of commodity products and services, including the adoption
of commercial cloud services.
98. Following a number of high profile data losses
by departments a number of reviews were undertaken examining and
strengthening in the Government's information assurance capability.
In its guidance the Government recognises that over classifying
data has negative consequences:
Applying too high a protective marking can inhibit
access, lead to unnecessary and expensive protective controls,
and impair the efficiency of an organisation's business.
99. Governments have learnt that they must secure
both personal data and data relating to national security, whilst
also guarding against gold-plating its security requirements -
which can greatly inflate costs without delivering any tangible
benefits. Over-classifying routine administrative and operational
information causes unnecessary technology and operational costs,
and prevents the public sector taking advantage of the economies
and efficiencies of commodity software and new opportunities.
It also acts as a further barrier to more effective use of SMEs
in the supply of IT goods and services. Government must do more
to demonstrate how a risk-based approach is helping achieve a
better balance in information assurance.
120 Q 516 Back
Ev w131 Back
Ev w3 Back
Ev w4 Back
Ev w13 Back
Ev 91 Back
Ev 102 Back
Ev w50 Back
CESG is the Information Assurance (IA) arm of GCHQ. It is the
UK Government's National Technical Authority for IA, responsible
for "enabling secure and trusted knowledge sharing" Back
Ev 96 Back
Ev w43, Ev 98 Back
Ev w43 Back
Ev 98 Back
See for example Cabinet Office, Data Handling Procedures in
Government: Final Report, June 2008 Back
Error! Bookmark not defined.para 19 Back