The UK government will benefit from being forensically ready
The UK government will benefit from being forensically ready

The backlash against coalition plans to give MI6 and MI5 unprecedented ‘email snooping' powers, illustrates the fact that people simply do not trust the government with their personal data.

The old cliché of ‘nothing to hide, nothing to fear' rings increasingly hollow when we see how frequently government departments lose, misuse and abuse sensitive information.

In 2011, over 300 police officers were caught illegally snooping on members of the public, while 132 councils lost vital public information, with errors ranging from unlawfully accessing databases, to sending emails over unsecured networks.

Yet these figures could be the tip of the iceberg; monitoring of internal systems is so poor that some organisations take months and even years, to discover data breaches. One police officer was found to have made 658 illegal checks on family members before finally being caught.

It is clear that the failure of many government bodies to properly monitor employee activity on internal systems means that our data is no longer safe in their hands.

Stringent rules now make the collection, storage and analysis of employee activity a legal imperative for government departments. The Information Commissioner's Office (ICO) can impose £500,000 fines on organisations that fail to prevent data breaches.

The ‘Cross Government Actions; Minimum Mandatory Measures' from the Cabinet Office places stringent requirements on public sector organisations to institute a ‘Forensic Readiness Policy' to capture, preserve and analyse audit logs for legal and security purposes.

Forensic readiness has been introduced as a need for government organisations to increase their ability to gather and preserve evidence before data security incidents occur. Typically forensic investigations are employed as post-event responses to information security incidents. Forensic readiness ensures risk is minimised by using the IT data to detect and deter crime before it occurs and by providing digital evidence of activities that organisations can use in their own defence.

But as CIO's know only too well, there is a difference between having a policy in place, and ensuring that it is actually being followed.

The failure to enforce data-privacy policies and protect confidential data from irresponsible employees is rooted in popular misconceptions about data security.

Many organisations regard audit logs as useful only for Freedom of Information Act requests or court cases, and take a reactive approach to forensic readiness. A recent survey found that 47 per cent of respondents only analyse internal audit logs after a breach has already occurred.

Thanks to sensational stories about cyber terrorists and hacktivists, many organisations wrongly believe that most data security threats come from outside the organisation, so they focus on perimeter defences instead of internal data analysis. Yet a recent Ponemon Institute survey found that 78 per cent of data breaches are caused by employees.

The CESG Good Practice Guide on Forensic Readiness (Good Practice Guide No. 18) details principles that organisations must observe as part of their adoption of forensic readiness, and key to this is a responsibility to "maintain the quality and effectiveness of their records management systems in order that specific business records can be produced as evidence in court or to address any legal or regulatory requirement".

Failures in commonly-used log management systems are shockingly common, especially where integrity and forensic readiness are concerned. Some of the most common SIEM (security information and event management) solutions only collect specific risk events, instead of complete records of user activity, and do not store the information in its original format.

This means that many organisations have extremely limited visibility over their internal infrastructure and do not keep complete, verifiable records of user activity as required by law.

The latest legal requirements for ‘forensic readiness' provide an unprecedented opportunity for the UK government to restore public trust in their handling of confidential data.

Many IT departments fail to realise that audit logs are not just useful for court cases; they are a potential goldmine of information that can be used to pre-empt security threats. If organisations can capture and analyse log data in real-time, they can instantly identify dodgy employees and spot suspicious patterns of user behaviour or rule breaches, before they spiral out of control.

New forensic log management and protective monitoring technology can securely gather complete, original logs from inside almost any system, server, network or device. Organisations can then automatically screen the information for anomalies and alert the relevant departments in real-time, giving a live overview of their entire IT infrastructure.

Critically, new technology can distinguish between ‘data access events' (which have the potential to cause privacy breaches) and actual ‘security events', allowing organisations to see when there has been a genuine security breach, as opposed to the mere risk that one may occur.

This empowers government departments to spot rogue employees and stamp out bad practices at an early stage, and allows them to respond to FOI requests and legal challenges with accurate and up-to-date information.

With the latest IT innovations, government departments can finally begin to end their reliance on employees to safeguard your right to privacy. The government's recent unveiling of the Communications Data Bill, that would require all ISPs and mobile phone network providers in Britain to collect and store information on everyone's internet and phone activity, demonstrates how important protecting the public's personal information is.

As the information stored on individuals grows, forensic readiness requirements go some way towards ensuring the safety of public information.

Terry Pudwell is executive chairman of Assuria