"The world is changing around us at an incredible pace due to remarkable technological change. This process can either overwhelm us, or make our lives better and our country stronger. What we can't do is pretend it is not happening." Prime Minister Tony Blair on commissioning the Transformational Government strategy.
To survive in this era of accelerating technological change, and to implement the edicts of the Transformational Government strategy, every public sector organisation will have to undergo fundamental technology-enabled change. This article provides a five-point check list for senior managers responsible for developing and delivering a successful Transformational Government change programme.
Ensuring that an organisation can satisfy the necessary information security requirements to enable it to be a component part of joined-up government, requires consideration that will inform budget and strategy, reshape organisational process and procedures, and redefine culture and working practices.
As a guide to those responsible for their organisation's information assurance and implementation of the Transformation Government agenda, this article provides a five-point check list to provide a basis for ICT-enabled organisational change.
Point 1 - Be fully appraised of current Government policy and strategy
Current UK Government policy and strategy is leading public service organisations through a significant period of change to achieve efficiency gains through streamlined citizen-centric, ICT-enabled, secure shared services.
Understanding current UK Government policy and strategy will assist you in:
Understanding measures you should take to deliver ICT enabled business changeIdentifying expected business benefits
Identifying costs
Identifying scope of change
Identifying risks.
A list of the key sources of UK Government policy and strategy can be found in the thought leadership section of the VEGA website.
Point 2 - Ensure board level buy-in and understanding
A board level information assurance champion should be appointed to act as Senior Information Risk Owner (SIRO) for your organisation. This recommendation meets mandatory requirement 3 from the HMG Security Policy Framework (SPF) V1.0.
Your SIRO should agree to terms of reference which clearly define their role and responsibilities with regard to the information assurance of your organisation. Additionally, your SIRO should meet regularly with your organisation's security staff to discuss security policy and discuss a risk managed approach to information assurance. This ensures that information assurance and governance is a recognised board level responsibility which includes the protection and utilisation of all of your organisation's assets (information, personnel and physical).
Point 3 - Manage your stakeholders
Obtaining stakeholder buy-in to your organisation's information assurance strategy is critical to its success. Good stakeholder management creates awareness, provides the framework for supporting delivery and assists you secure budget where resource is scarce and competition is fierce.
A communications plan should therefore be developed to identify:
Desired buy-in outcomesAudience of stakeholders (internal and external)
How to best engage stakeholders
How messages are to be communicated
Ownership of responsibility for maintaining communications
Frequency of communications.
Stakeholders should subsequently be plotted on a stakeholder map prioritised by power and interest. This will assist you in grouping them. Your communications strategy can then focus on key stakeholders whilst ensuring other stakeholders are engaged to the level required.
Failure to gain buy-in from key stakeholders has sealed the fate of many information assurance projects.
Point 4 - Involve the experts
When pursuing an information assurance strategy, you should seek advice from recognised Government and industry experts. These organisations have faced the same challenges as you and have valuable information and knowledge to share. This will save you time and money, whilst ensuring that the information assurance solutions you plan to implement are fit for purpose and proven across Government.
The organisations you may wish to contact include:
Office Government and Commerce Buying Solutions (OGCBS)Communications-Electronics Security Group (CESG)
Government Computer Emergency Response Team (GOVCERT)
Central Sponsor for Information Assurance (CSIA)
Centre for the Protection of National Infrastructure (CPNI)
Warning, Advice and Reporting Point (WARP)
Information Commissioners Office (ICO)
Public sector organisations similar to your own
Consultancies with expertise in enabling Transformational Government change programmes
Point 5 - Achieving and evidencing compliance
Recent data losses across Government have placed an increased focus on information assurance. Public sector organisations must comply with centrally released security policy (e.g. HMG SPF) which defines mandatory minimum security measures.
To connect to a secure network, your organisation must comply with mandatory security controls. Depending on the security impact level of the secure network, your organisation will either have to complete a Code of Connection (CoCo) or produce a Risk Management and Accreditation Document Set (RMADS).
To answer the requirements of a CoCo you should treat each control like an exam question (answer the question with relevant evidence), and sell your strengths, if you comply with standards such as ISO/IEC27001:2005 or PCI DSS.
The completion of a RMADS is much more involved. Unless your organisation has significant experience, you should involve a CESG Listed Advisor from the CESG Listed Advisor Scheme (CLAS).
Connection to a secure network will only be permitted once the relevant governing security authority is content that your organisation meets the information assurance requirements of the network you wish to connect to. This ensures that the risk your organisation poses to other organisations on the network is managed.
Once your organisation's connection is authorised, you should expect regular audits which ensure the level of information assurance your organisation has achieved is maintained and improved.
These five points will hopefully act as an aide memoir� when your organisation starts to consider its connection to a secure government network. The most important thing to understand is that information security is not just about technology; it is the catalyst for organisational change that encompasses people, training, policy and procedures.
VEGA is a member of the CESG Listed Advisor Scheme (CLAS), as well as a registered CHECK service provider. VEGA has an established track record of working across Government providing strategic advice and technological expertise to help secure public sector information through the implementation and use of secure Government networks.
By Damian Schogger, Communications Manager, VEGA
About VEGA VEGA is a professional services company that delivers technology-enabled change in complex environments, often where security and resilience are key. We have an in-depth knowledge and experience to support organisaitions planning to gain connnection to secure government networks, gained from working on several major UK government projects in this area.
Please contact us for further information. Connecting to Secure Government Networks