Improving data handling: Applying encryption and penetration testing across government

In June 2008, the UK Cabinet Office Minister, Ed Miliband, announced the publication of the department’s Data Handling Procedures in Government. The report outlined how the UK Government plans to improve data handling and information security by implementing:
- Core measures to protect personal data and other information across government
- A culture that properly values, protects and uses information
- Stronger accountability mechanisms within departments
- Stronger scrutiny of performance

Heading the list of measures being implemented was the introduction of ‘new rules on the use of protective measures, such as encryption and penetration testing of systems’.

In January 2010, these measures were supplemented by the Information Commissioner’s Office’s announcement of new plans to impose fines of up to £500,000 for data breaches, adding a whole new impetus to the Government’s drive to address this issue. The first fines for data breaches were issued in November 2010, totalling £160,000, with two more fines totalling £150,000 issued in February 2011. The ICO's biggest ever fine was issued in June 2011 when Surrey County Council was given a £120,000 penalty for a serious breach of the Data Protection Act after sensitive personal information was emailed to the wrong recipients on three separate occasions.

A properly executed penetration test (sometimes referred to as pen test, security health check, vulnerability assessment or security audit) provides customers with evidence of any vulnerabilities, and the extent to which it may be possible to gain access to or disclose information assets from the boundary of the system. Penetration tests also provide a baseline for remedial action in order to enhance the information protection strategy.

The importance of Government organisations ensuring the integrity of their information systems was reiterated with the 2009 publication of the first UK Cyber Security Strategy. It highlights how the critical national infrastructure we all take for granted is now largely dependent on network automated information systems, any of which have the potential to be the subject of a cyber attack.

VEGA’s information assurance team provides a comprehensive and varied range of services to clients across the public and private sectors. The team comprises UK Government CHECK-accredited penetration testers who hold SC and DV clearances, supporting work at all levels of protective marking. The format of these penetration testing services can be tailored to meet an organisation's specific requirements.

This section presents some of VEGA’s latest work and thinking around improving data handling, information assurance and penetration testing, and the benefits they can provide our clients.

Data Handling Thought Leadership
» Making Penetration Testing Work
» The Cost of Data Breaches
» Putting a price on privacy
» 'Hacktivist' – An old word in the lexicon, a new twist in execution

Data Handling case studies
» Disposal Services Authority
» Market Harborough Building Society

Data Handling news
» VEGA-supported edisposals.com project wins e-Government National Award
» edisposals.com nominated for e-Government National Awards 2008
» NPIA & IaPS Framework Success

Data Handling event
» Intellect’s Cyber Security & Information Assurance Dinner