Government – education and training body. This government body provides careers advice and guidance, together with training development.
Client Requirement and Business Drivers
As a consequence of the Whitehall data handling review following the HMRC data loss, new mandatory data handling requirements were defined for government bodies.
Data handling is the protection of sensitive personal information in accordance with specific measures covering access, removable media, controlled disposal, authentication, audit, forensic readiness and citizen-facing work.
The client therefore decided that it was essential to engage an independent, expert information assurance consultancy to ensure that it complied with government requirements in this area.
Additionally, in order to ensure appropriate control of the organisation’s operational risk, the client also requested assistance with Business Continuity Planning and Management and the ISO 27000 Information Security Management framework.
The business drivers for this engagement can be summarised as follows:
- Compliance with Cabinet Office mandates regarding data handling
- Secondary benefits for the agency in managing its operational risk, by improving its information security and business continuity to recognised industry standards
- The client recognised the sensitivity of any potential data leaks in the current political context
Recognising the importance of the right specialist expertise, together with the need for objectivity and independence, Commissum was engaged to meet the client’s strategic, business and technical security and continuity objectives.
Commissum has considerable expertise and experience in addressing both government (e.g. IS6 and the SPF) and commercial (e.g. Data Protection Act and Financial Services Authority) requirements in this area.
The assignment delivered services in the following three areas:
- Design and implementation of the information handling project at the client, consisting of the design of a framework to identify and classify sensitive and critical information in the organisation; identification of data handling governance roles and responsibilities for the individuals concerned within the organisation; and development of a risk assessment and classification tool and information handling tables to facilitate demonstrable compliance.
- Business continuity and planning consultancy, to review the existing business continuity and disaster recovery plans, address key points from a recent audit report and update the plans accordingly. Commissum also defined the composition of the BCDR teams, the parameters of the BCDR control centre and the contingency materials, in order to facilitate more localised involvement in and ownership of the plans.
- A comprehensive ISO 27001 gap analysis for the client, which included an audit of the ISMS, the risk assessments and the Statement of Applicability, and a comprehensive governance and technical review of the implementation of the ISO 27002 controls.
Commissum continues to provide information assurance services to this government body as a trusted security partner.