I'M MUHAMMADU BUHARI REPORTING FOR DUTY AS THE PRE... » MY PROMISE 1. I promise to be your President - the president of all Nigerians, treating all Nigeri... Imperva unveils new cloud architecture to maximi... » London, UK: Today Imperva, Inc., committed to protecting business-critical data and applications on-... Local Brentwood company raise over £5,000 for limb... » Nick’s Tyres of Ongar Road, Brentwood have raised £5,500 for Blesma, The Limbless Veterans who are b... Pace of change, BYOD and underappreciated threats ... » UK: In the wake of the recently uncovered DarkHotel attack which used compromised Wi-Fi networks in ... Challenges, Education, Networking and Swag – Secur... » London (UK): Information security consultancy MWR InfoSecurity has outlined details of the challenge... How Britain foiled MUHAMMADU BUHARI'S 'coup' again... » AN ALMAJIRI AT NUMBER 10 DOWNING STREET IN LONDON ASKING FOR ALMSDEAS! Sad tale of a General wit... New hardened security appliance with most in-depth... » Check Point is extending its comprehensive Industrial Control Systems (ICS) security solution with t... Axis Communications’ Academy celebrates ten years... » This year Axis Communications’ Academy is celebrating ten years, a training initiative that since it... First NSI Gold Certificates of Approval for Invest... » R-ISC Investigation & Surveillance Company Ltd, Global Options and Esoteric Ltd are the first th... New surveillance system for future Royal Navy airc... » Computer-generated image of flight deck operations on the aircraft carrier HMS Queen Elizabeth. (Pic...

CLICK HERE TO

Advertise with Vigilance

Got News?

Got news for Vigilance?

Have you got news/articles for us? We welcome news stories and articles from security experts, intelligence analysts, industry players, security correspondents in the main stream media and our numerous readers across the globe.

READ MORE

Subscribe to Vigilance Weekly

Information Security Header

Interconnected nature of local government IT and growing outsourcing requires more InfoSec training and user awareness

UK: “Information security is a tricky and often sensitive subject within local government,” explains Philip Ayers, Technical Infrastructure Manager within the ICT Shared Services at Norfolk County Council. “Most county councils don’t have a dedicated budget for information security training but this is changing and it is critical that other parts of the public sector start to think beyond just IT security policy and more around continually testing and securing systems.”

 

Ayers, who has been working for Norfolk County Council for 6 years arrived at an organisation that had no formal InfoSec training. “It took a persistent effort to help raise awareness around the dangers posed by cyber criminals as Norfolk is essentially a mostly rural area and not necessarily an obvious target.”

Norfolk is the seventh most populous county of England with just under a million people and four major towns including Norwich and Great Yarmouth. The county is relatively sparse with smaller communities spread across its 2000 square mile area. “One of the first things I did when I started was to ensure events were logged and system monitoring installed – this was a real eye opener and started us along a journey to get a core of skilled security professionals on staff.”

The council recognised the need to identify risks by instigating external penetration testing and Ayers began a process of getting a few staff on basic courses. “I initially organised an IT forensics course for myself and sent the most enthusiastic team member on a security essential course – between us we then had a basic grounding on examining logs and enforcing the security policies set by the council.”

Over the years, Ayers has continued on-going training through SANS and now has a core team of four staff with broad information security knowledge and skills. “We are realistic,” he says, “We know that an environment can never be 100% secure but we now have the ability to spot and highlight significant areas of risk and present our guidance to the senior management team on a regular basis.”

The Infrastructure manager believes that this risk awareness process is essential and will grow in importance as the Norfolk ICT Shared Services are involved in the ICT responsibilities for Great Yarmouth Borough Council, Breckland District Council and County schools, whilst starting to engage with the local NHS trusts and GP surgeries as part of shared services. Through pursuing a process of obtaining industry recognised certification offered by SANS, the Council is able to offer professional ICT security service to these organisations.

“Budgets are stretched and the public sector is looking for savings,” says Ayers, “But on an IT level, the government is striving towards a highly connected underlying network and this poses a danger that seemingly soft targets could be used as the entry points for attacks that are aimed at more valuable targets.”

“For us SANS training is not just a ‘do once then forget’” explains Ayers, “Security threats are evolving and with SANS we gain access to a community of experts and peers that are continually sharing knowledge and providing both theoretical and practical support as well as training to make us more effective in doing our jobs.”

Today Norfolk County Council has both policies and technical process such as vulnerability scanning and regular audits that meet both internal and national guidelines. “We have document process and the ability to respond to a formal audit from organisations such as CESG, “says Ayers, “…and if we have an incident, we have the internal resources to respond and the knowledge to deal with issues in an effective and methodical fashion.”

Ayers suggests that other public sector IT managers should start to push for an InfoSec training budget. “There are significant longer term cost benefits of a good understanding of information security best practice and technical application,” adds Ayers, “Although many organisations may think that they are not real targets, with a bit of understanding at what to look for, it will quickly become clear that the public sector is a significant target for criminals, vandals and hacktavists.”

The Infrastructure Manager believes that alongside training, a wider education program is needed across the public sector. “Our staff need to understand why policies exist and the basics of safe working, especially as more remote users and inter agency outsourcing becomes prevalent. These things don’t happen overnight, but working with SANS is at least a positive start.”