An external security audit at Newcastle City Council uncovered significant data protection problems.
The council’s web site states that the situation came to light because the council discovered it, not because of evidence of any fraud or misuse of inappropriately released data. This was effectively a security audit: someone hired to review the security of the council’s IT systems discovered the problem.
The security audit covers seven categories: systems understanding, security management, security administration, system configuration, access controls, file and directory protection, and reporting and post-audit actions. The formal security audit involves providing independent evaluations of an organization’s whole systems infrastructure, including its operational practices for safeguarding electronic information from loss, damage, disclosure, or denial of availability.
Information security protects the business from a wide range of threats in order to preserve business continuity. The security audit needs to be aligned with the specific risk profile of the business and with its exposure at a regulatory compliance level. Overall, it needs to ensure that the business can trade effectively without putting itself or its customers at risk.
Whatever form information takes and however it is stored (including encrypted data), it is important to protect it appropriately. In essence, a security audit is a policy-based assessment of the procedures, practices, and systems of an organization, and involves assessing the level of risk created by its normal operational actions. As such, more focus should be placed on the use of regular internal security audit checks, and more frequent vulnerability testing.
Although the security breach identified by Newcastle City Council should not be applauded, many organizations in the private sector should take note of the positive outcome that this particular security audit has had, in removing the one threat that has been identified. Organizations not already undertaking regular security audits should consider doing so, and thank Newcastle City Council for bringing this to their attention.