Isle of Man Government
1. Introduction
2. Benefits
3. Identifying the need
4. Scoping the system
5. Implementing the system
6. Changing the culture
7. Certification and beyond
8. About The Isle of Man Government
Introduction

“Achieving BS7799 is a cornerstone of the Government’s strategy in bringing about fundamental changes in the way it uses IT and in its external positioning as the e-island.”
Allan Paterson, Director
Information Systems Division, Treasury
Isle of Man Government
In 2001, the Island’s parliament, Tynwald, commissioned an e-commerce and e-society strategy, setting in progress the Jupiter programme, which was to bring about fundamental changes in the way the Isle of Man Government uses its IT. The objective of the programme was to modernise the business of government itself, achieve joined-up working between departments and create new and innovative ways for the Island’s citizens and businesses to communicate with Government and receive its services.
The Information Systems Division (ISD) is at the heart of this project, providing a robust and effective technical infrastructure and promoting the development of pan-Government processes. Achieving high standards of information security was fundamental to the project and to ensuring the integrity, accessibility and availability of information to its clients – other governmental departments and the police, fire and health services on the Island.
ISD embarked in 2004 on implementing an information security management system (ISMS) compliant with BS7799, with a clear view to gaining certification to the standard within six months. Early 2005 saw the achievement of this vision when the division’s ISMS was certified to BS7799 Part 2 by LRQA.
ISD has now made compliance with BS7799 a contractual obligation for its business-critical outsourced services. This policy has already seen Manx Telecom, which manages the Government’s WAN, achieve certification to BS7799 for its business.
Benefits

Benefits of the ISMS and the certification programme which supports this include:
Process improvement
Areas for improvement are now easier to identify. ISD changed the way in which it approached its formal incident procedure, which has led to service improvement. A typical example would be a server failure. Previously, the failure would have been noted, fixed and normal service resumed. Now it is classified as a corrective action, the reasons for the failure are examined more carefully and measures are put in place which in turn should help reduce system downtime.
Business assurance
Certification to the standard has raised the profile of ISD within the Government and gives valuable assurance to customers and suppliers that it is following best practice, which is particularly important where data is shared with off-island organisations. For example, the Island’s police and health services regularly share data with their UK counterparts. Here, it is important that these organisations know they are handling secure data and that all relevant legislation – such as the Data Protection Act – is being adhered to.
Staying on track
The division had a clear objective of gaining certification from the outset. This provided a goal which all employees were able to work towards. The external, independent view provided by LRQA against the appraised scope demonstrates that ISD continues to undertake process improvements in its management systems. Once certified, regular visits from the assigned assessor help provide a focus for continual process improvement and ensure the management system remains on track.
Improved management
The move from a technical focus to a more business-led focus has seen some significant changes in working practices. There are now clearer roles and responsibilities, and a single repository for information, with centralised documentation under strict version control, which is therefore more easily accessible. This in turn has helped improve communications throughout the division, which consists of 150 users spread over three sites.
Identifying the need
“BS7799 has enabled us to drive through a significant business change and improvement programme and will continue to keep us focused on new initiatives and process improvement.”
Allan Paterson, Director, ISD
By their very nature, in-house IT departments provide a support function, and it is often said that IT is only noticed when problems occur – a server has failed, e-mails cannot be sent or received, and end users cannot access the information they need in order to carry out their daily work. This was very much the situation that ISD was in; however, the Jupiter programme was to act as a catalyst for change. It was recognised that information security was a fundamental element of a stable, dependable technical infrastructure. This gave the division an opportunity to take a fresh look at the way in which it managed risk and the security implications of its operations.
Ed Clague, the division’s Government Information Security Officer, explains: “Our customers are looking for best practice. They need to have the confidence that their systems are secure and demonstrate good corporate governance. Many of our customers share data with other organisations, for example, the police and health service deal with their UK counterparts and therefore need the reassurance that they are meeting appropriate legislation such as the Data Protection Act. We identified the requirement for an information security management system and recognised BS7799 as the de facto standard.”
There was also recognition that, while the division had always had high professional standards and levels of expertise, this knowledge was often locked away in people’s heads or in individual project teams. The division had grown from 50 people over ten years ago to over 100 today, working closely with a number of third-party IT service providers, so it was a far harder job to keep track of information and knowledge. A robust management system would help provide the disciplines to control and manage data and capture best practice from around the division.
Scoping the system

Working closely with senior management from the outset, it was decided that ISD should work towards certification to BS7799 within six months. This was clearly a challenging objective which would call for commitment from all levels within the division.
The first step on the journey was to decide the scope of the ISMS. While the Division had a customer base of over 4,000 users, the most feasible option within the timeframe available was to limit the scope initially to the Division’s own 150 users spread across its three sites. This would enable ISD to build a robust and agile ISMS which, once established, could then be expanded to include other departments as necessary.
Implementing the system
“BS7799 isn’t a difficult standard to understand or to design a system to meet – despite its bad press. However, it does require hard work and commitment from all involved.”
Edward Clague, Government Information Security Officer, ISD
Following an in-depth selection exercise, ISD appointed Red Island, a specialist BS7799 consultancy, to help in the implementation process and to deliver training to staff. With the help of Red Island, ISD undertook a risk assessment to fully understand both the risks the organisation faced and the status of existing processes and procedures.
“We have always been a professional organisation but the exercise clearly showed areas in which we could improve. There was too much that was implicit, a case of well-used working practices that had become ingrained over time but were not necessarily well documented or consistently implemented throughout the department. Looking forward, we needed a solid, sustainable framework utilising best practice throughout ISD to manage the growth and increasing profile of the department within the Government,” comments Ed Clague.
A ten-strong management system board consisting of managers from around the Division was created, each responsible for key tasks. “The idea here was to gain real buy-in from those people actually doing the job, the experts in their particular field. The message here was ‘security is your responsibility too.’ With BS7799 covering 127 controls and ten domains, it is clearly impossible for a security manager to own all procedures, therefore getting people to take ownership early on in the project is critical to its overall success,” comments Ed.
A security improvement plan was agreed and implemented which saw job roles and lines of responsibility clarified, existing processes streamlined and the management of procedures tightened. In practical terms, this saw a bank of central procedures established and held on the intranet for ease of access by all users, and certain processes, such as user administration and helpdesk procedures, revised.
Changing culture

The experience of implementing a management system and undergoing certification has changed the day-to-day working practices at the Division. On a practical level, all employees wear identity badges, operate a clean desk policy and, through attending security awareness workshops, are far more aware of the security risks.
On a wider scale, however, the project has also become an agent for change in collective thinking. Ed explains: “In the past, where we would worry about bits and bytes, we are now more concerned about the information contained within it. We now look at computer files as information rather than a collection of digits.”
This sea change in thinking has only been possible because all employees ‘bought into’ the need for tightened information security and very early on became willing participants in the project. “Typically in IT departments, employees work on specific projects. This is the only project, in my experience, where everyone in the IT department has been involved, to some degree, in implementing the system.”
Certification and beyond
“Our LRQA assessor obviously had experience in our industry and knowledge of our community which was important to us. Thus he was able to add real value to the assessment process which meant it was far more than a rubber-stamping exercise.”
Edward Clague, Government Information Security Officer, ISD
The ISMS was implemented within six months and from the very start of the project, ISD had its sights set firmly on certification from an independent body. “While we had experience of being assessed by internal auditors, we really did not know what to expect from the LRQA assessor. This was my first formal quality auditing experience and we were pleased at how our assessor really wanted to work with us and bring a really realistic, pragmatic approach to the table.
“He obviously had experience in our industry and knowledge of our community which was important to us. Thus he was able to add real value to the assessment process which in turn meant it was far more than just a rubber-stamping exercise,” Ed comments.
ISD gained certification in January 2005 following its second-stage assessment. However, following such an intense build-up and having achieved its initial aim of accredited certification, the challenge will be in maintaining the momentum and continuing to demonstrate progress in its system. This will be helped in part by regular audits undertaken by the Government’s own internal audit service, in addition to the regular surveillance audits carried out by LRQA to ensure the system remains in compliance. Underlying this, and possibly the most important change of all, has been a shift in the culture of the Division: a collective mindset which will help ensure information security is just part of ‘service as normal.’
Isle of Man Government

The Isle of Man is a British Crown Dependency, an internally self-governing territory setting its own laws and taxes. The Islanders are proud of their heritage. Tynwald is the oldest continuous parliament in the world, having existed for over 1000 years, and today the Island is a highly respected international finance centre.
The Isle of Man Government is committed to effective and efficient public service delivery which reflects and supports the island’s external positioning as The e-island. To support this, Tynwald commissioned an e-commerce and e-society strategy in 2001 and set in progress the Jupiter programme to bring about fundamental changes in the way the Government uses IT to communicate with its citizens and business.
Lloyd's Register Quality Assurance • A member of the Lloyd's Register Group
