Ministry of Defence Data Protection Report
The Information Assurance Advisory Council (IAAC) in the UK was invited to conduct an investigation into the Ministry of Defence (MOD) data protection plans in the wake of the January 2008 data breach of 600,000 Royal Navy recruits on an unencrypted laptop. The report by Sir Edmund Burton, Chairman of IAAC, gave 51 recommendations to the MOD in the policy, practice and management of personal data. You can find the relevant documents here:
- IAAC Report into the loss of MOD Data [PDF, April 30 2008]
- MOD Action Plan in response to Report [PDF, June 20 2008]
The IAAC report, passed to the MOD on April 30th and made public recently, contained a detailed audit of the events leading up to the January data breach. The audit revealed that 4 laptops containing the database of over 600,000 records for the Army Recruit & Training Division have gone missing since 2004, all from parked cars. Although leaving the laptops in parked cars was against the rules, those rules did not require the laptops to be encrypted; the existing policy is too open to interpretation.
Other issues include not treating information as an operational asset, not managing information risk, a lack of awareness of threats to information, a lack of understanding of the Data Protection Act, and more. The report was quite thorough, even looking to the rapid technological changes that affect the work culture & ways of working, and how these pose risks to security. The “Facebook Generation” is accustomed to “the rapid and often uninhibited exchange of information,” and these behaviors must be tempered by common sense and informed by data protection practice.
The IAAC report contains 51 recommendations and an action plan for implementation. The recommendations include new security procedures, audits, revising the data access & retention procedures, and better training & sharing of best practices.
The MOD has created an action plan to accept all 51 recommendations in Sir Edmund Burton’s IAAC report. The action plan breaks down into a set of workstreams that include doctrine, policy, awareness, compliance, technology, governance and more. They have paired up all 51 recommendations with the outcomes and the workstreams that will be responsible for acting upon them.
The IAAC has also recently published 3 guides to managing information risk. The guides cover organization, people and process and are meant to provide directors with information to understand the risks they face and how to address them.
Via intergovworld, Computer Weekly (2), Daily Mail. Image © Crown Copyright/MOD 2008.