We’re not allowed to see the ContactPoint security review
ARCH members will know that we have put in a Freedom of Information request for the full security review of ContactPoint (following publication of the executive summary), so far without success.
Our internal appeal has now been rejected and so it’s onwards and upwards to the Information Commissioner and, probably, the Information Tribunal. Amongst other things, the rejection notice says that making the Deloitte report available would undermine security ‘by potentially making it easier for those seeking to access the system unlawfully to succeed.’ …
The executive summary seems pretty damning in itself:
- security hasn’t been adequately designed in from inception (a common cause of security breaches);
- the right people haven’t been involved in the design of the security controls that do exist (a common cause of project failure);
- stakeholders are unclear about responsibilities and accountabilities (a common cause of project failure);
- technical and procedural controls are not subject to formal assurance under a recognised standard;
- processes for secure disposal of electronic and hard-copy media do not exist;
- there is unclear or no guidance about information security matters (again lack of effective engagement with stakeholders, a common cause of project failure);
- there hasn’t ever been a formal risk assessment and there hasn’t been much of a risk assessment at all since 2004;
- there is no ‘formal assurance using a recognised framework’ for security controls and countermeasures; and,
- the self-certification process poses a significant risk.
So it looks like ContactPoint may well be added to my Government IT Gone Wrong page. Which is nice.