Information Assurance within the public sector

When it goes live later this year, the full scheme will focus on developing and delivering an IA specialist certification scheme for anyone working in any government department or those working on government contracts.

Over recent years, government organisations and their handling of information has been highly scrutinised by the media and the public. The public sector is accountable to parliament for protecting a vast array of sensitive data supporting many public services. The sophistication of the threats to that data, the complexity of the information systems and the high potential business impacts of data loss, leave the public sector increasingly dependent on Information Assurance (IA) specialists to manage information risks.

Whilst there is substantial overlap between public sector IA requirements and those of other sectors, the combination of threats, business impacts and public expectations make the public sector distinct from them. The public sector needs to articulate the competencies required of the IA specialists working within it, to formally recognise the IA skills of those who have them and to encourage their continuous professional development.

In a recent BCS video debate, Chris Ensor, Head of Profession for Information Assurance, CESG (the information assurance arm of the Government Communications Headquarters and the UK’s national technical authority for information assurance), pointed out that: “Recent public sector data losses and the increasing numbers of attacks we see against government systems prompted a step change in the way we look at professionalisation of information assurance within the public sector”.

Being funded by tax-payers, everyone looks to the public sector for best practice when it comes to things like IA. In November 2011, the government published the UK Cyber Security Strategy. The publication sets out how the UK will support economic prosperity, protect national security and safeguard the public’s way of life by building a more trusted and resilient digital environment.

In September 2011 it was announced that BCS, The Chartered Institute for IT, was one of three organisations awarded a contract to provide an IA certification scheme to CESG to certify the competency of IA specialists to perform common public sector IA roles. The aim is to improve the matching between public sector requirements for IA expertise and the competence of those recruited or contracted to provide that expertise. The BCS CESG certified professional scheme will provide an independent assessment and verification process for those working in IA, along with a clearly defined career development path.

The Institute already has experience in promoting the benefits and importance of cyber security, data protection and information assurance and is able to build on its proven expertise in certification and the assessment of IT excellence and experience.

The BCS CESG Certified Professional scheme will focus on developing and delivering an IA specialist certification scheme for anyone working in any government department or those working on government contracts. The scheme reflects some of the government’s priorities in their UK Cyber Security Strategy, specifically: “building the UK’s cross-cutting knowledge, skills and capability to underpin all cyber security objectives”. The strategy states that one of the key actions is to “improve levels of professionalism in information assurance and cyber defence across the public and private sector which includes “establishing a scheme for certifying the competence of information assurance and cyber security professionals.”

Adam Thilthorpe, Director of Professionalism for the Institute, explains: “Cyber security is as much about protecting and even accelerating our economic growth as it is arm wrestling in cyberspace which is reflected in the strategy. The emphasis on cross-cutting knowledge, skills and capability needed to underpin all our cyber security objectives is particularly important. We need to ensure that individuals and business leaders have the skills and understanding they need to help keep them and their business secure”.

IT professionals appear to share the interest in developing this professionalism; since the pilot scheme was launched in November 2011 the institute has seen over 300 people register their interest in preparation for the full launch later this year.

When the full scheme is launched, it will be offered at three levels of certification: practitioner, senior practitioner and lead practitioner and currently cover six roles identified by CESG within IA including: security and information risk advisor, security architect, accreditor, IA auditor, IT security officer (ITSO) and communications security officer (ComSO).

The BCS CESG certified professional scheme will be based upon written submissions, examinations and expert interviews to ensure only those with the right skill set achieve certification. It will also support those who are currently working in the profession. However, the institute is equally concerned about the skills shortage across the IT sector, with IA and security divisions struggling to get the right people into the profession.

“You have to look at the pipeline right from school – even from GCSE, A levels, degrees – that pipeline may not be working as well as it might,” says Chris Ensor. “ICT doesn’t seem to have the sexiness it had 10 or 15 years ago. Since Y2K there has been a drop-off in numbers joining the profession. You need people who understand IA at all levels in the organisation, right up to the board. The board are very good at making business decisions, but information is far more intangible.”

All of this means that not only do we need develop the skills of those already in the IT profession but we also need to encourage youngsters into the profession and help individuals to understand their own role in personal cyber security. Thilthorpe explains: “It’s vital that we continue to encourage a cadre of cyber security professionals. This strategy needs to be underpinned by significant improvement in the teaching of mathematics, and in particular computer science in schools. While we’ve seen some commitment to this recently, we need to ensure it does come to fruition so that there is a pool of young people in the UK both to draw into the profession and to ensure, in the long term, that the overall understanding of basic cyber security by the public is such that everyone can safely access government services and conduct business on-line”.

“With so much information now being digital, it is vital that we ensure that those working in Information Assurance have achieved the high standards members of the public would expect for such a sensitive role," Thilthorpe says. "As the Chartered Institute we are constantly working to exceed those expectations and ensure our qualifications are suitably rigorous. Working with CESG to launch and implement the BCS CESG Certified Professional scheme is a real and positive step in the right direction for information assurance.”

Further information
About the BCS CESG Certified Professional scheme, including details of how to register your interest, can be found at www.bcs.org/IA