Stating the obvious
June 30, 2008
Nikki Ross Martin’s analysis of the Poynter Report is well worth reading. Key take-aways:
- Information security, at the time of the incident, simply wasn’t a management priority;
- Even had it been a priority, HMRC’s organisational design and the governance and accountabilities underpinning it would have made it extremely difficult for it to be felt as such;
- Even with a more suitable organisational structure, the fragmentation and complexity that has accompanied the changes that HMRC has had to absorb makes information security difficult to control;
- HMRC’s information security policies were inadequate and those that they had were unduly complex and not adequately translated into guidance or training for the junior officials who needed them;
- HMRC continues to operate processes that hark back to a paper-based, rather than a digital, world; and
- Morale is low in HMRC and management needs to continue to focus on engaging with staff as the department embarks on a period of further change.
In her editorial email that arrived this morning, Nikki adds:
He manages not to point out that the underlying problem for HMRC lies in totally ineffective management. Not so much a case of weak internal controls, more like a case of no internal controls and no proper chain of command when it comes to data security. Scary stuff and apparently, a problem completely overlooked in implementing the Carter proposals.
One can speculate why Poynter does not want to spell out the obvious too clearly. Could it be the odd conflict of interest? Given the links that the big accountancy firms have to HMRC (all that consultancy work and seconding each other in and out) it would be unsurprising not to happen.
I’d go further. As is becoming increasingly obvious, the Big Four’s lack of detailed IT knowledge is starting to show. They are heavily involved in IT specification, implementation and management for government and large organizations. So, as with many such reports, when there’s a finger pointing elsewhere, there are always three pointing back.
The temptation will be for HMRC to take a series of kneejerk actions instead of understanding the root and branch problems that exist. But let’s be clear, HMRC is not alone. It is almost becoming routine to find that one or other large institution has managed to ‘lose’ data.
Comments
2 Responses to “Stating the obvious”
Dennis, it is one thing to lose data - as you say many have managed this. But it is something else to be accused of the second bullet in your extract. Notwithstanding whether Poynter and his chaps have the requisite skills, I would be interested to understand to what extent this is endemic within other Government and public sector institutions - particularly given their penchant for large ticket IT.
Computing has been following government IT disasters for years - I’d say it’s endemic.