Two years ago, the federal government’s Treasury Board Secretariat came up with a new Policy on the Management of Government Information. The initiative was subject to review in five years. But given the exponential growth of information managed by government, security and privacy concerns will clearly outpace current assessment standards.
Scott Campbell figures that’s just about the way it should be.
“Security and privacy are a prerequisite for any aspect of e-government,” says Campbell, former CIO of Ontario and now senior advisor for e-Health with Ontario’s Ministry of Health and Long-Term Care. “For example, if we cannot assure people that their medical records are safe in an electronic world, they are not going to allow us to put them into the electronic world.”
That’s the benchmark Campbell says he has used for years — and will continue to use.
“What we are trying to do is create a trust model between the two players at the highest level — the citizens on one hand and the government on the other,” Campbell said. “And if the government is perceived as not being a trusted information partner with its citizenry, this agenda is not moving forward.”
The public trust is a lightning rod for concern and must be managed on behalf of citizens by government to ensure that private information – regardless of the source, how submitted or how gathered – is not only protected, but government security apparatuses remains vigilant.
In terms of information management in the public sector, Campbell suggests that, if people conclude that government is unable to deal with both privacy and security aggressively and comprehensively, the e-government agenda can’t be advanced in any jurisdiction.
Federal legislation describes how to manage information in a way that respects privacy and security. And guidelines, employee training programs and other tools help ensure the appropriate management of information.
Simon Gauthier, deputy CIO in the Chief Information Officer Branch at Treasury Board, says the federal government “is entering into a phase of significant transformation of federal programs and services for Canadians as well as strengthening and modernizing its own operations.”
“The implication of this is that all components of the GOC business will need to be addressed properly starting, amongst others, with the information management requirements.”
Federal policy is plain: “Federal government institutions must manage information in a privacy protective manner that supports informed policy and decision-making…”
At the project level, that means an ongoing review of the way projects are implemented. Privacy impact assessments as well as threat/risk assessments may be part of this stewardship. The emphasis on outlining requirements for privacy and security early in the development life cycle is to ensure that the privacy and security of the information is well protected.
But privacy policy isn’t cheap. The run-up of security costs prior to full implementation of large initiatives can appear massive. The continuing rollout of Secure Channel, the portfolio of services that forms the foundation of the federal government’s Government Online (GOL) initiative, is expected to come in at $600 million.
Gautier says that’s not simply a question of increasing or decreasing spending on information management. “We are continuously looking at ways to better spend the monies allocated to IM and IT in the federal government and to gain efficiencies directly delivering benefits to Canadians.” Gauthier said. “…the future IM expenditure requirement will become better defined, as part of an over-all agenda of improved public service delivery and management.”
Secure Channel aims to provide citizens and businesses with secure, private, high-speed access to all federal government online services. It also offers additional services for security, registration and authentication.
“The main challenge of IT security is related to a continuously changing threat environment,” Gauthier said. “As IM evolves and information sharing is better enabled and expands in scope, we foresee more standardization around reference models and schemas.
“These reference models and schemas will be implemented from the outset with security and privacy in mind. . . . “Currently, the effectiveness of an IT security solution is measured by a range of criteria, from using products that have been evaluated to conform to stringent security requirements, to doing vulnerability testing of systems before they are put in operation.”
The Government of Canada Management of Information Technology Security Standard provides the over-all management framework that departments must conform to in order to ensure that their IT systems are not only built but are operated continuously to maintain an adequate level of security.
Without the common infrastructure and services provided by Secure Channel, and the assurances it provides with respect to security and privacy, GOL’s vision of client-centric, cross-government service anytime, anywhere, cannot be realized.
The Secure Channel network connects 129 client organizations.
Scott Campbell believes that the security devil lies in the broad details. Government, he says, needs to spend more time working out how it actually goes about explaining security and privacy issues to the general public and then to subsets of citizens (based on their e-awareness).
“One of the things that we do in the technology world is get into a lot of jargon that makes explanation very complicated. We have to start to demystify the process and put it in language that people can understand.” Henk Dykhuizen comes at it in terms of the relationship between privacy and security.
“Part of the problem became that you can’t have privacy without security,” says Dykhuizen, vice president, Government, Education and Health Care with Oracle Corp. Canada. “How can you tell me that you are keeping my information private if you don’t have proper secure systems? But there is no privacy if you don’t put a lot of time and effort into security.”
Dykhuizen says Oracle, a long-time participant in the development of Secure Channel, has spent approximately $1 million per version testing the security certifications set out by the U.S. and British governments.
“These are the qualifications we bring to securing Canadian government information,” he said. “We want to expand our service offerings to include web-based capabilities. If you want to do stuff with the government on the web, you have to believe that when you send them information it is being looked after.”
Dykhuizen, who remains optimistic that secured change will be the way of the future, admits that this could be the beginning of a long process for government. He compares the confidence citizens must gain from government advances in information security to the 20 or so years it took people to become confident with automatic teller machine (ATM) technology.
“The government is going through a very dramatic period right now in trying to show people that it can deliver services in this way,” Dykhuizen said.
Brian Eaton ([email protected]) is senior writer with CIO Government Review
