National Audit Office NAO

Protecting information across government

2016 UK2016ProtectingInformationAcrossGov
SCALE
  • In 2014-2015, the 17 largest departments in the government recorded 8,995 data breaches.
  • Also in 2015, GCHQ dealt with 200 cyber national security incidents per month, up from 100 per month in 2014.
  • The actual costs of security are thought to be "several times" the limited government estimate of £300m.
COMPLIANCE FOCUS
  • Data Protection Act 1998
  • Freedom of Information Act
  • Protective Security Policy Framework (PSPF)
  • Government Protective Marking Scheme
PERFORMANCE ASPECT
  • responsibility management
  • effectiveness of reporting
  • cost-effectiveness
  • personnel skills

Too many bodies with overlapping responsibilities operate in the centre of government, confusing departments about where to go for advice. As at April 2016, at least 12 separate teams or organisations in the centre of government had a role in protecting information, many of which produce guidance. The governance arrangements above them are unclear and fragmented, with no formal links between the three most important information security decision-making bodies in the Cabinet Office.

Increasing dependencies between central government and the wider public sector mean that traditional security boundaries have become blurred. At present, the Cabinet Office remit for security only extends to central government departments. However, there is a clear dependency between central government and the wider public sector, driven by increasing information flows, the demands of public service provision and shared technical infrastructure.

The Cabinet Office does not collect or analyse government's performance in protecting information on a routine basis. This means it has little visibility of information risks in departments and limited oversight of the progress departments are making to better protect their information. Reporting of personal data breaches is chaotic, with differing mechanisms making comparisons between departments meaningless.

The Cabinet Office does not have access to robust expenditure and benefits data from departments with which to take informed strategic decisions on protecting information. This is in part because departments do not always collect or share robust expenditure or benefits data. The Cabinet Office has recently collected some data on security costs, although it believes that actual costs are 'several times' the reported £300 million figure. Departments often do not share advice and knowledge effectively, either repeating work at additional cost or missing the opportunities presented by adopting new technologies.

In the context of a challenging national picture, it has been difficult for government to attract people with the right skills. The government established a security profession in 2013 and has undertaken some initial work to establish professional learning and development. Demand for skills and learning across government is growing and is likely to continue to grow. Plans to cluster security teams may initially share scarce skills, but will not solve the long-term challenge and will pose questions for departmental accountability.

The items above were selected and named by the e-Government Subgroup of the EUROSAI IT Working Group on the basis of the publicly available reports of the author Supreme Audit Institutions (SAIs). In the same way, the Subgroup prepared the analytical assumptions and headings. All readers are encouraged to consult the original texts by the author SAIs (linked).