September's announcement of a relaxation in the GCSx requirements should be welcomed, but some argue that it remains important to maintain security standards.
According to a report by Computer World, the Society of Information Technology Management (SOCITM) and the Local Government Association (LGA) reached an agreement with the Cabinet Office to relax some of the security standards requirements for local authorities connecting to the government's network.
The move will reduce the cost for local public organisations connecting to the Government Secure Extranet (GCSx) and local authorities will not be required to carry out certain expensive investments involved in complying with the Government Connect Code of Connection (CoCo) version 4.1 for these low-threat environments.
This will include no requirement for EAL4 firewalls, while local authorities will not have to have ‘formal assurance for higher domains’ and will be allowed to add protective markings to emails manually, without having to use national markings. The agreement also makes it explicit that local authorities will have a ‘reasonable’ time to implement controls.
Alex Teh, commercial director at Vigil Software, acknowledged that the relaxation of the rules would help councils that had long been struggling to find the budget to comply with these requirements, but admitted that relaxed rules could bring heightened risks.
He said: “Budget cuts and constraints have slowed down the investment in GCSx, but the security concerns that gave rise to their introduction have not gone away. The security requirements around CoCo 4.1 address many issues such as data loss, prevention of security threats and ensuring only people with the right authorisation levels are permitted into government secure networks.
“What are the implications of such measures, particularly at a time when malicious threats are on the rise and instances of accidental data loss continue to hit the headlines? Whilst it is inevitable that cuts will need to be made, will relaxing some of the security standards requirements mean there is an increased risk of security breaches either through accidental loss or malicious theft of data?
“By lowering the requirements for GCSx and not providing the councils access to funds to become compliant, there could be long-term repercussions for the security of the government networks. The issue here is that short-term cost savings could prove to be a false economy in the long term, should a data breach occur.
“Take the issue of email labelling for instance; the consequences for not fully implementing a data classification scheme can be severe and as the volumes of unstructured data organisations have to manage multiplies, it will become more important to have effective policies and tools to ensure labelling and classification rather than relying on processes which can be prone to human error.”
He went on to claim that the security issues that led to the revisions in version 4.1 have not gone away and that, if anything, there could now be a heightened need for additional security measures, as stories of insider threats, lost devices and the accidental sending of confidential emails ensure that these issues are more, not less, relevant in times of austerity.
“The relaxing of these rules sends a mixed message to the public sector; the financial and reputational implications associated with the loss or leakage of sensitive data can be devastating,” he said.
“Whilst there is no simple solution for departments faced with cuts, surely in these difficult times it is more important than ever to maintain the standards, policies and procedures for the protection of sensitive, confidential data?”