February 2006

IS YOUR LA REVIEWING
DATA MANAGEMENT SYSTEMS?

There is growing concern amongst local authorities over the use of Access databases and spreadsheets in holding customer information. Many authorities are reviewing their systems to ensure compliance with ISO/IEC17799 following the release of the Information Assurance Governance Framework (IAGF) in November.

The ISO17799 standard came about in 2000. It is an internationally recognised information standard encompassing a set of controls outlining best practice in information security.

The IAGF is currently aimed at central government, but it is intended for eventual use by the whole of the public sector. The framework states: Information Assurance is the confidence that information systems will protect the information they handle and will function as they need to, when they need to, under the control of legitimate users. The Central Sponsor for Information Assurance (CSIA) is part of the UK Government’s Cabinet Office, and has web pages giving information on how local authorities are to comply with the IAGF, and how it affects their practices.

The site asserts that public sector bodies must be vigilant in monitoring and auditing the systems holding their information. This means that public sector services must keep tight control over where and how their data is stored and who has access to it. More information can be found on the ‘Information for the Public Sector’ section of the cabinet office website at www.cabinetoffice.gov.uk.

This is something that we have had to take into account in defining EnsembleXP.Net’s security parameters; allowing infinite Users and User Groups to be set up so that access can be allowed and restricted to a great extent. Each individual operator of the system can have a user group of their own so that their level of access can be specified according to their needs.

There is also new function and event log feature that tracks all processes and changes taking place in the database. Ensemble users can see who has made changes and who has run processes. This feature can help to identify staff training needs because it shows where and when users are making consistent mistakes. If these are identified and tackled, future mistakes can be prevented.

It seems that the reason for concern over in-house data manipulation solutions is that they are potentially insecure and access to them cannot be protected. Data stored on local PC hard drives is less secure than that which is stored on centralised servers, which are subject to stringent security and resilience procedures.