Gov Data security


spanna

32 minutes ago, BigDave said:

What is missing in this thread is a little context. Precisely what data do Argon and IT Works come into contact with in the performance of their contract?

Indeed. Great question.

Argon - supply multi-function (printer / scanner / copier) devices (MFDs) with internal data storage to queue print documents, store scanned documents for emailing or printing etc., some of which will contain sensitive / personal data etc. Most larger MFDs include a decent-sized hard disk / SSD from which data can be recovered.

IT Works seem to be more about desktop support - which likely includes repairing / replacing desktop PCs and laptops containing hard disks / SSDs similarly potentially holding sensitive / personal data either saved locally intentionally by the user or cached locally by the applications used to access that data from back-end systems.

Both MFDs and PCs can also be subverted to covertly echo the data they process to another system.

Not denigrating Argon or IT Works in any way, but the reality is that IT service providers and their technicians are a great back door into corporate IT systems and the data they hold / process. The OP has a valid point in principle - but without seeing the ITT or the tenders we can't know what other data security assurances were asked of bidders aside from 27001 - like most ISO standards it is of limited value.


Quote

The OP has a valid point in principle - but without seeing the ITT or the tenders we can't know what other data security assurances were asked of bidders aside from 27001 - like most ISO standards it is of limited value.

I don't agree that they're of limited value. The relevance and applicability are really dependent upon their implementation, scope, endorsement and the level of ongoing oversight.

The truth is that any ISO standard can be implemented relatively easily and there are a variety of pre-packaged sources available, whether for ISO 9001, 27001 etc. The existence of ISO 27001 (or any standard) assures nothing - it is the scrutiny/audit of such a system that provides the assurance. You would hope that any body asking for ISO 27001 would consider following up to ensure its adoption/implementation/scope.

Having spent a week with an ISO 27001 auditor to ensure compliance with a UK regulator, I can assure you that (done right) they leave no stone unturned and make sure any organisation fully considers the cybersecurity/information security risks.

That auditor's job would prove very difficult if he didn't have a consistent standard to measure against.

The absence of ISO 27001 does not mean security is lax, equally - ISO 27001 doesn't prove security is first class. What ISO does provide is a consistent framework on which security can be measured.

CIS Top 20 is a more relevant, tactiful measure of security.


@joeyconcrete I think you've just explained why the ISO standards are of limited value ;) And I do mean limited - I don't write them off, merely recognise that other methods and measures may deliver greater assurance - whether one is looking at 9001, 14001, 27001 or whatever. The ISOs are mostly useful baseline assurances, not awards of superiority.
