The Cabinet Office has not yet established a clear role for itself in coordinating and leading departments’ efforts to protect their information, according to the National Audit Office.
Today’s report found that its ambition to undertake such a role is weakened by the limited information which departments collect on their security costs, performance and risks. It also notes, however, that the UK Government has a strong international reputation in some areas of information security and digital government.
Protecting the information departments hold from unauthorised access or loss is a critical responsibility for departmental accounting officers. Departments are, however, increasingly required to balance this responsibility with the need to make this information available to other public bodies, delivery partners, service users and citizens via new digital services. And increasing dependencies between central government and the wider public sector mean that the traditional security boundaries have become blurred.
According to the NAO, too many bodies with overlapping responsibilities operate in the centre of government, confusing departments about where to go for advice. As at April 2016, at least 12 separate teams or organisations in the centre of government had a role in protecting information, many of whom produce guidance. While the new National Cyber Security Centre (NCSC) will bring together much of government’s cyber expertise, in the NAO’s view, wider reforms will be necessary to further enhance the protection of information.
As accountability for information security is devolved to departments, government does not currently collect or analyse its overall performance in protecting information on a routine basis. This means it has little visibility of information risks in each department and has limited oversight of the progress departments are making to better protect their information.
Reporting personal data breaches is chaotic, with different mechanisms making departmental comparisons meaningless. In addition, the Cabinet Office does not have access to robust expenditure and benefits data from departments, in part because they do not always collect or share such data. The Cabinet Office has recently collected some data on security costs, though it believes that actual costs are ‘several times’ the reported figure of £300 million.
Some departments have made significant improvements in information governance, but most have not given it the same attention as other forms of governance. The Cabinet Office does not currently provide a single set of standards for departments to follow, and does not collate or act upon those weaknesses it identifies.
In the context of a challenging national picture it has been difficult for government to attract people with the right skills. The government established a security profession in 2013, and has undertaken some initial work to establish professional learning and development. Demand for skills and learning across government is growing and is likely to continue to grow. According to the NAO, plans to cluster security teams may initially share scarce skills, but will not solve the long-term challenge.
According to the NAO, the Cabinet Office is taking action to improve its support for departments, but needs to set out how this will be delivered in practice. The NAO recommends that to reach a point where it is clearly and effectively coordinating activity across government, the Cabinet Office must further streamline the roles and responsibilities of the organisations involved, deliver its own centrally managed projects cost-effectively and clearly communicate how its various policy, principles and guidance documents can be of most use to departments.
“Protecting information while re-designing public services and introducing the technology necessary to support them is an increasingly complex challenge. To achieve this, the Cabinet Office, departments and the wider public sector need a new approach, in which the centre of government provides clear principles and guidance and departments increase their capacity to make informed decisions about the risks involved.”
Amyas Morse, head of the National Audit Office
Read the full report
Protecting information across government
Notes for editors
200 Number of cyber national security incidents dealt with by GCHQ per month in 2015, up from 100 per month in 2014. 8,995 Number of data breaches recorded by 17 largest departments in 2014-15 £300m Limited government estimate of annual spend on security in 34 departments. Actual costs are thought to be ‘several times’ this figure 12 Number of separate organisations in the centre of government with responsibility for aspects of protecting information £28m Estimated annual government expenditure on external IT security support £200-£400m Savings estimated, by 2014, from adopting the Public Services Network, as outlined in the 2011-12 business case. Actual PSN savings in 2014 were £103.4 million. No further savings are expected. 73 The number of teams covering security in central government departments 1,600 Number of protective security staff (information, physical and personnel) in central government departments- The Prime Minister is ultimately responsible for the security of the UK Government. She is supported in this by the Cabinet Secretary, who chairs a permanent secretary committee which sets the overall direction and strategy for government security. Across departments, responsibility for information security lies with the respective ministers, permanent secretaries and their management boards.
- Press notices and reports are available from the date of publication on the NAO website. Hard copies can be obtained by using the relevant links on our website.
- The National Audit Office scrutinises public spending for Parliament and is independent of government. The Comptroller and Auditor General (C&AG), Sir Amyas Morse KCB, is an Officer of the House of Commons and leads the NAO, which employs some 785 people. The C&AG certifies the accounts of all government departments and many other public sector bodies. He has statutory authority to examine and report to Parliament on whether departments and the bodies they fund have used their resources efficiently, effectively, and with economy. Our studies evaluate the value for money of public spending, nationally and locally. Our recommendations and reports on good practice help government improve public services, and our work led to audited savings of £1.21 billion in 2015.