Information and its management is a growing responsibility across the public sector and local government is no exception.
Any chief executive is ultimately responsible for:
- information a council holds across departments
- how much information needs to be publicly available
- the level of risk entailed in storing and protecting this information
A chief executive will not know the specifics but he or she has to be able to get those answers – and know from where to get them if they are to make appropriate risk management decisions. In other words, they need to understand the role Information Assurance (IA) plays in their business.
Any use of information brings an element of risk – the key aspect is how and by whom that risk is managed. I believe that having people who are competent in IA, ie are IA professionals, will go a long way to meeting such a responsibility.
Everyone who handles information, or is involved in some way with information and communications products and systems will need some level of understanding of IA. The level of understanding or expertise will depend on their role.
Those involved with delivering IA products and services, setting standards, developing guidance, will need deep specialist knowledge and skills, whilst those involved with delivering, managing or using systems will need an awareness of the role they play in managing information risks.
That is why I and like-minded people in the sector are seeking to boost IA professionalism across the public sector and its delivery partners.
The concept of an ‘IA profession’ for IA specialists is already well recognised beyond the Public Sector and is represented by such organisations as the Institute for Information Security Professionals (IISP). Within the Public Sector we have the Skills for Government and we are working with them to ensure IA is formally recognised within that initiative, either as a Profession or as a discipline under an existing profession.
The need to develop well-defined roles within organisations has been recognised for some time, and within Government has been promoted through Skills Framework for the Information Age (SFIA). SFIA promotes the concept of a ‘role profile’ that defines the professional skills and personal attributes a person should have to carry out a particular job.
Whilst SFIA provides a common language to describe levels of responsibility, its coverage of IA relevant skills is limited. Significant progress has already been made to define IA skills.
For example, the IISP has an IA skills framework for assessing competence of its members and we at CESG have developed an internal IA skills framework. However, it is clear that we need to coalesce around a common definition for IA skills.
Organisations can use these skillsets to recruit, assess performance and develop staff. They can also be used as a basis for assessing that people are competent to carry out particular roles, assessing the relevance of training and education for skills and roles, and assessing the potential for employee development schemes to deliver competent individuals.
There will need to be appropriate mechanisms in place to enable people to develop competence in the specialist IA skills and roles. These will need to integrate recognised education and training courses with on-the-job training and mentoring.
Information Assurance, like other disciplines, needs to adapt if it is to be able to manage the risks of complex and changing technologies.
Councils are required by law to deal with the management of their information professionally. A recognised professional within the organisation to take on such responsibility is vital.
While there is lots of good work going on in different parts of the public sector, bringing a holistic approach to IA professionalism is going to be key to ensure information risks are being properly managed.
Chris Ensor, technical director, CESG - the Information Assurance arm of GCHQ at Cheltenham