Information security and data protection

The past five years have seen unprecedented media coverage of high-profile cases of data loss in the public sector, which have resulted in significant negative publicity.

The impact is greatest where the loss relates to personal information. Our consultants will employ their significant experience to support you in ensuring you have appropriate policies, strategies and processes in place to minimise the risk of an information security incident.

Information is a critical business asset, and given the volume and sensitivity of much of the data held in the public sector, it is essential that organisations implement and maintain robust processes to ensure information is securely managed. The Information Commissioner was granted new powers in April 2011 to enforce financial penalties of up to £500,000 for a breach of the Data Protection Act 1998.

What we do

Our knowledge and experience of the practical and legislative requirements of maintaining effective information security mean that we are able to ensure our clients minimise the risk of a data loss incident occurring.

We develop and implement information security management systems consistent with the requirements of the international information security standard, ISO27000.

We can also conduct reviews against ISO27000, produce a gap analysis and develop remedial plans to address any identified risk areas. This includes coverage of areas such as:

  • Security policy
  • Organisation of information security
  • Asset management
  • Human resource security
  • Physical and environmental security
  • Communications and operations management
  • Access control
  • Information systems acquisition, development and maintenance
  • Incident management
  • Business continuity planning
  • Compliance with legislation

Our reviews will also cover business processes to confirm compliance with the Data Protection Act 1998 and with public sector information assurance standards such as the Security Policy Framework in Central Government and NHS Information Assurance standards.

Our approach

Our approach is as follows:

  • We work closely with our clients to understand their core business processes as well as the mechanisms through which they collect, maintain and secure the data they hold.
  • With increasing data sharing between organisations, we review the arrangements (legal and technical) for sharing data. This is particularly relevant in the public sector where there is increased partnership working and data sharing such as for joint health and social care or criminal justice.
  • We reference best practice standards such as the international information security standards (ISO27000).
  • We ensure that organisation practices are consistent with the eight principles of the Data Protection Act 1998.
  • We will ensure that practices are consistent with relevant information assurance standards.
  • We will highlight to management and staff the need to develop a positive culture towards information security within an organisation.