Following yesterday's industry criticism of the Prime Minister, one security expert has argued that while data loss can never be ruled out, taking the right risk-management steps can reduce the likelihood of such problems.
David Harley, director of Malware Intelligence at ESET, claimed that to a point Gordon Brown is correct, as there is "no way of eliminating the risk of data loss completely because systems, however good they are, are implemented, administered and used by human beings."
However, Harley was critical of the government's view that it is not responsible for directly managing risk, since there are concrete steps that can be taken towards managing it.
Harley said: "When an agency requires the party to whom they outsource to fill in the detail, it makes sense for the group or individual that manages liaison with the provider to be at least as knowledgeable about the technology being provided as about purely contractual issues, and the contracts should require adequate two-way communication so that the outsourcing party can properly assess the efficacy of the service provision.
"I'm not convinced that this is the norm. In fact, it's not unknown for an agency to cancel a contract because the provider hasn't done the job properly, and then have to 'reward' the provider for its incompetence by paying hefty severance payments.
"Actually, there do exist some very specific guidelines and policies on the handling of certain categories of sensitive data, storage and transfer procedures, and so on. In many cases, they require a high level of security clearance before they're accessed, so even quite senior managers are not in a position to cascade specific recommendations for secure processing, and have to re-invent wheels themselves. Which, of course, they may or may not have the technical knowledge to do well."
Harley offered the following risk-management options for when outsourcers are being used:
* You can accept risks where mitigation costs are disproportionate to the anticipated benefits. For instance, you might decide it's acceptable for data to be lost below a certain level of sensitivity. Of course, that would beg the question of what we mean by loss: the political hot potato here isn't loss of data, but disclosure. Of course, both are important.
* You can take measures to mitigate risks directly, for instance by installing or requiring the installation of specific measures. You might, for instance, specify levels of encryption, transport mechanisms and protocols, restricted use of portable devices, and so on.
* You can prevent or avoid a risk by taking an approach that bypasses it. That's not very practical with human error, though.
* You can eliminate it altogether by re-engineering your approach to the problem: abandon on-line tax returns, for example. That may sound like a silly example, but it's no sillier in principle than reacting to the failure of an outsourced exam marking process by scrapping SATS.
* Or you can transfer it. This is the way government agencies often like to work, putting together a contract that specifies fairly high-level requirements, because government agencies (in the UK at any rate) tend to outsource as much as they can. The whole issue of when it is and isn't appropriate to outsource is worth a fairly long book on its own.