SERVICE DESKS
DIGITAL STRATEGY
CLOUD COMPUTING
www.governmenttechnology.co.uk | VOLUME 10.7
PUBLIC SERVICES NETWORK
SHARED SERVICES Opportunity knocks to
improve data management
IT SECURITY
MAY THE FORCE BE WITH YOU How to prevent breaches in IT security - the Star Wars way
WEE RECYCLING
WASTE IT: FIVE KEY CHALLENGES
COMMENT/CONTENTS
COMPLIMENT SANDWICH FOR DIGITAL STRATEGY
The Government’s Digital Strategy, launched in early November, has been met with praise from both sides of the IT fence. Web guru Tim O’Reilly heaped praise on the document, describing the GDS digital action plan and design principles as “the most significant since Apple’s” and “the bible” that other countries should follow (see page 10). Gartner analyst Andrea Di Maio, however, thinks it’s a mixed bag, and is “missing how to better equip employees and make human-intensive interactions more innovative” (see news on page 4). You can’t please all the people....
As Neil Rogers of BT Global Services points out, the promotion of shared services is hardly a recent development, but a year after its launch, the Public Services Network is seen as a real opportunity to redraw the public services map. More on page 6.
Cover Story: There are plenty of IT security lessons to be learned from the classic Star Wars story, which surely wouldn’t have lasted that long if the Empire followed the sound advice of Terry Greer-King. If only Lord Vader had fixed vulnerabilities earlier...
BUSINESS INFORMATION FOR LOCAL AND CENTRAL GOVERNMENT – www.governmenttechnology.co.uk
Danny Wright
04 NEWS: G-Cloud ii is up and running with more products from SMEs on its digital shelves; Central Government sites begin shifting over to GOV.UK; plans afoot to open up pupil database
07 PUBLIC SERVICES NETWORK: Kable’s BT sponsored report looks at the outlook for shared services in light of the opportunities emerging through PSN’s implementation
10 DIGITAL STRATEGY: The Digital Strategy has received praise from some prominent IT figures worldwide, and could provide a blueprint for local government to follow suit
13 SERVICE DESK: A look at the Service Desk Institute’s Certification scheme, used across the globe as an industry best practice standard
14 IT SECURITY: There are many IT security lessons to be learned from the classic space opera Star Wars. Terry Greer-King, Check Point’s UK managing director, shows how organisations can avoid the Empire’s mistakes
19 IT EQUIPMENT DISPOSAL: Steve Mellings of the Asset Disposal & Information Security Alliance examines revisions to the Waste Electrical and Electronic Equipment Directive (WEEE) legislation expected in 2013
ONLINE | IN PRINT | MOBILE | FACE TO FACE
If you would like to receive 6 issues of Government Technology magazine for £45 a year, please contact Public Sector Information, 226 High Road, Loughton, Essex IG10 1ET. Tel: 020 8532 0055, Fax: 020 8532 0066, or visit the Government Business website at: www.governmenttechnology.co.uk | www.governmenttbusiness.co.uk
PUBLISHED BY PUBLIC SECTOR INFORMATION LIMITED
226 High Rd, Loughton, Essex IG10 1ET. Tel: 020 8532 0055 Fax: 020 8532 0066 Web: www.psi-media.co.uk
EDITORIAL DIRECTOR Danny Wright
ACTING EDITOR Angela Pisanu
EDITORIAL ASSISTANT Lisa Harris
PRODUCTION EDITOR Karl O’Sullivan
PRODUCTION CONTROLLER Jacqueline Lawford
DESIGNER Richard Gooding
WEB PRODUCTION Reiss Malone
ADVERTISEMENT SALES Deborah Rae, Julie Holbrook, Bernie Miller, Steve Day, Michael Kennedy, David Morgan
PUBLISHER Kelly Scott
GROUP PUBLISHER Barry Doyle
ADMINISTRATION Victoria Leftwich, Lucy Carter, Charlotte Casey
REPRODUCTION & PRINT Argent Media
© 2012 Public Sector Information Limited. No part of this publication can be reproduced, stored in a retrieval system or transmitted in any form or by any other means (electronic, mechanical, photocopying, recording or otherwise) without the prior written permission of the publisher. Whilst every care has been taken to ensure the accuracy of the editorial content the publisher cannot be held responsible for errors or omissions. The views expressed are not necessarily those of the publisher. ISSN 1362 - 2541
Volume 10.7 | GOVERNMENT TECHNOLOGY MAGAZINE
News
NEWS IN BRIEF
NHS IT spend set to increase
NHS acute trusts in England will be spending £830 million a year on IT in four years’ time, as they respond to the axing of the National Programme for IT and other pressures, according to research. The Market by numbers report from EHI Intelligence reveals that total IT spend in the sector will increase by 4.2 per cent in 2012-2013, despite overall budgets remaining flat. Spending will continue to grow in each of the following three years. The forecasts are based on key data collected through EHI Intelligence’s in-depth interview programme with NHS IT directors.
Universal Credit IT suppliers chosen
The Department for Work and Pensions has announced the suppliers which will manage online identities for its universal credit programme. The Post Office, Cassidian, Digidentity, Experian, Ingeus, Mydex, and Verizon have been chosen to design and deliver a secure online identity registration service. This will enable benefit claimants to choose who will validate their identity by automatically checking their authenticity with the provider before processing online benefit claims. Providers will be required to offer a simplified registration process
Cameron’s bespoke iPad app could have wider government use
Prime Minister David Cameron is trialling an application on his iPad that not only feeds in data that will help him make government decisions, but also provides live feedback on the country’s feelings towards him and the Conservative Party. According to the BBC, the Cabinet Office will offer the app to more government figures next year. Cameron is ‘looking forward to showing it to President Obama at the G8 summit’.
Library e-book services hampered by co-operation ‘breakdown’
The UK’s libraries are being hindered in their ability to offer e-book services by an inability to co-operate nationally, according to a report by the House of Commons Culture, Media and Sport select committee. According to the report, several witnesses argued “it would be impossible for libraries to engage with e-books except on a national basis: publishers were not interested in the concept of lending e-books as licensing difficulties could not be addressed at a local level, and demand for a lending service from readers was yet to emerge.”
TO READ MORE VISIT... www.parliament.uk/cmscom
DIGITAL STRATEGY
Gartner analyst on what’s ‘good’ and ‘less good’ about the Digital Strategy
Andrea Di Maio, an analyst with Gartner Research, has put his analytic skills to use in examining the Cabinet Office’s recently launched Digital Strategy, concluding that it contains several ‘misses’. Di Maio’s online blog contains the article Digital by Default, but Not Smart Enough: Hits and Misses of the UK Government Digital Strategy, analysing what is ‘good’ and what is ‘less good’ about the strategy.
On the ‘good’ side, Di Maio’s blog states: “It rightly focuses on departments with high transaction volumes, where the digital channel can have the most immediate and evident impact both on constituent service and on efficiency.”
On the not so good side, Di Maio says: “The strategy is a good document that did not consider digital government beyond constituent transactions or consolidation of web sites, hence missing how to better equip employees and make human-intensive interactions more innovative. Oddly enough, it has several repetitions, as if it has been rushed to publication. It would be great if – going forward – the Cabinet Office could find a better balance between the desire to mandate and dictate, and a more organic and bottom-up transformation process.”
TO READ MORE VISIT... tinyurl.com/c9evh8z
G-CLOUD
Three quarters of new G-Cloud vendors now SMEs
The latest version of the G-Cloud framework, G-Cloud ii, went live in late October. Three quarters of the 458 suppliers on the new framework are SMEs. One key difference between G-Cloud i and ii is that contract terms are now longer. The value of contracts has also increased and work has been done around data protection and liability issues to ensure that government can buy off the shelf services on a pay-as-you-go basis, avoiding duplication of services that cannot be shared.
G-Cloud ii now offers over 3,000 cloud products and services. This round of the framework attracted 662 expressions of interest and resulted in 458 successful suppliers, double that contained on G-Cloud i, offering a much broader range of services, including accessibility tools, end-user device services, agile tools, anti-spam and captcha, gamification, learning management, simulation and training.
To date there have been 99 purchases of IT services through the CloudStore, totalling more than £2.2m, and 70 per cent of this spend (more than £1.5m) has been with SMEs.
G-Cloud programme director Denise McDonagh stated: “The high representation of SMEs on both G-Cloud frameworks and in purchases from CloudStore are positive signs that government is moving away from dependence on a small number of large suppliers for IT services. It also demonstrates growing support for the G-Cloud concept. We are creating a truly competitive and diverse marketplace that encourages service providers to improve the quality and value of the solutions they offer, reducing the cost to taxpayers and suppliers, who also benefit from the speed and ease of procurement that G-Cloud offers.”
TO READ MORE VISIT... gcloud.civilservice.gov.uk/cloudstore
Central government websites begin migrating to GOV.UK in a move which could save £50m per year
The Department for Transport (DfT) and Department for Communities and Local Government (DCLG) were the first to move their websites to the government’s new web platform, GOV.UK, in a departmental migration that should save the taxpayer ‘at least £50m a year’. The closure of Directgov and Business Link followed by the departmental migration to GOV.UK is also a boost to transparency aspirations.
“The government’s approach to transparency has been very clear in the field of open data. Presenting policy in a clear and succinct way - as we are doing with this latest iteration of GOV.UK - will, I hope, contribute to those efforts,” said Government Digital Service (GDS) executive director Mike Bracken. “People often regard open data as being the core component of a transparent government, but clear content is equally vital if citizens are to have the information that they need, both from an information and participatory point of view. We look forward to getting feedback on this latest iteration of GOV.UK.”
Bringing this information under one roof will also benefit civil servants, said Cabinet secretary, Sir Jeremy Heywood. “Presenting policy information in this way will help the civil service to become more open in the way it works, as set out in the Civil Service Reform Plan. It will become much easier for civil servants to understand the wider context when they are developing and implementing policy and for the public to access the information they need.”
On the GDS blog, Sir Jeremy said that he was “particularly excited about the way government policy will be presented and explained on GOV.UK” as this would open up policy making to people inside and outside of Whitehall and lead to a more connected policy profession. “It will become much easier for civil servants to understand the wider context when they are developing and implementing policy; and it will be much easier for outside experts to feed in their views.”
He added: “The two departments that have moved to GOV.UK have blazed a trail for others to follow - they have worked hard to meet demanding deadlines, and taken all the risks involved in being the first. I congratulate them on their effort and thank them for learning a lot of lessons in the process that others will benefit from.”
OPEN DATA
DWP’s new Stat-Xplore website: an impressive demonstration of data
A new way of accessing Department for Work and Pensions statistics has been launched which allows for greater access to official figures, Minister for Welfare Reform Lord Freud has announced. The DWP Stat-Xplore website will provide statistics that are clearer and easier to navigate and will allow users to explore data on housing benefit claimant numbers. The new site also lets users download tables and graphs, embed them into their own websites, and share statistics across social networks. In coming months the website will be expanded to cover Universal Credit and Personal Independence Payments, and allow users to create their own bespoke sets of data. The user interface lets people switch between different data groups, graphs and tables.
Find out more at: tinyurl.com/cb2mz84
OPEN STANDARDS
Central Gov must comply with Open Standards
From 1 November government bodies must comply with new Open Standards Principles published by Cabinet Office minister Francis Maude. Developed following a lengthy public consultation earlier this year, the seven principles are designed to make public sector IT more open, cheaper and better connected. They are expected to form the foundation for the specification of standards for software interoperability, data and document formats in government IT.
Launching the principles, Francis Maude said: “We know that there are more real savings to be made in Government IT contracts - in the first half of this year, we have already saved £409 million on ICT services. Government must be better connected to the people it serves and partners who can work with it – especially small businesses, voluntary and community organisations. Having open information and software that can be used across departments will result in lower licensing costs in government IT, and reduce the cost of lock-in to suppliers and products.”
During the consultation process nearly 70 per cent of respondents believed that the principles would improve innovation, competition and choice, and over 70 per cent agreed that they would help improve value for money. All government bodies must now either comply with Open Standards Principles for software interoperability and data and document formats in government IT - or apply for an exemption. A key focus in the development of the standards was levelling the playing field for open source and proprietary software providers competing for government IT contracts.
EDUCATION DATA
Plans to open up National Pupil Database announced
Education secretary Michael Gove has announced a consultation on whether to open up the National Pupil Database “to maximise the value of this rich dataset”. Under the plans, outside organisations will be able to tap into an exhaustive school database revealing pupil performance. Currently, the Prescribed Persons Regulations restrict its use by third-party organisations to any research project “into educational achievement”.
Gove said that his department had been forced to reject requests to use the data for analysis on sexual exploitation and the impact on the environment of school transport. In a statement to MPs, he described those areas as “legitimate and fruitful areas for further research”. Gove added: “We want to give organisations greater freedom to use extracts of the data for wider purposes, while still ensuring its confidentiality and security.”
TO READ MORE VISIT... tinyurl.com/btf5uzy
Shared Services
PUBLIC SERVICES NETWORK
PSN: CAN IT REALLY SAVE MONEY?
It has been more than a year since the first procurements for the Public Services Network (PSN) were launched, and it is on track to save the public sector up to £130m a year by 2014. A new research paper, compiled by Kable on behalf of BT, looks at the outlook for shared services in light of the opportunities which have emerged through PSN’s implementation.
Across the public sector, the transition to the PSN has started. Central Government organisations have until 2014 to achieve mandatory compliance, and departmental plans are in place. Local government, Police, Fire and Rescue, and other Authorities and agencies are already moving towards PSN compliance, and as more providers and services become available, Government estimates that 80 per cent of the public sector, approximately 4m users, will be connected to the PSN by the end of 2014.
Since the beginning of 2011 tests have been completed, a number of companies have signed deeds of undertaking for places on its core Government Conveyance Network, various services have been certified, and the first procurement frameworks have been set up. In March 2012 the Cabinet Office announced the connectivity framework, following up in June with one for services such as secure gateways, mobile communications and video conferencing.
PSN’s savings are generated by reducing procurement cost and complexity, eliminating network duplication, and standardising network services. As a medium for innovation, the PSN can enable much greater benefit by enabling transformation through new ways of working, shared services, and more efficient public service delivery.
Neil Rogers, president, Global Government, BT Global Services, said: “The promotion of shared services is hardly a recent development, and has been a government priority for some years, if only to assist in the reduction of spending in the public sector. But while this may have been the catalyst for the creation of PSN, the sharing of essential organisational operations has since been recognised as a real opportunity to redraw the public services map, and in turn to reshape, fundamentally, how the public sector works together to serve citizens. Since the inception of state-run social initiatives, the public services map has always been dominated by locality. Not only were services obviously easier to implement on a regional basis, but also proximity allowed for deeper understanding of specific local requirements.”
“In the 21st century, however, initiatives like PSN are transforming infrastructures and enabling an unfettered flow of information, thus removing those barriers. These changes have clearly been identified in this paper, with one of the key findings showing how common processes are becoming more important than geographic location in the success of shared services, and the resulting benefits to the nation.”
LOOKING BEYOND REGIONAL
One of the key findings of the report is that over 70 per cent of respondents agree that common processes are more important than geographic factors in the success of shared services, and that it is possible to run successful services that are shared across the country. This indicates an opportunity for the PSN to stimulate the use of national shared services with the potential to realise more benefits.
But, the report says, to achieve those benefits there must be a concerted effort to look beyond regional initiatives and suppliers, and to build a culture within the public sector that embraces change, is willing to look hard at its business processes and be honest about the degree of customisation that is really needed. They also have to overcome reluctance to cede control. That will enable public sector organisations to cast the net more widely in seeking partners across the country for shared services based on common process to deliver real savings.
Some obstacles to progress were also identified by the research.
The most common barriers were identified as a reluctance to cede control, a tendency for public sector organisations to exaggerate unique features of their operations, doubt surrounding the potential financial benefits and concerns over the security and reliability of connections to services provided through an outside organisation. The issue of losing control was raised by only a handful of respondents to the Kable survey, suggesting that it is receding over time.
The National Audit Office says in its report of March 2012 on central government shared services that they have not yet delivered value for money to Whitehall, and a few respondents to the Kable survey expressed doubts that they would be cost-effective. Even in the ventures that have apparently satisfied the partners, little data has been put out to demonstrate the benefits. This suggests a need for clearer evidence that shared services can deliver value for money. The Cabinet Office has recognised this in its Strategic Vision, responding with a plan to publish performance data for the ISSCs serving Whitehall. Similar steps could be taken for other parts of the public sector.
SECURITY CONCERNS
There are also concerns over the security and reliability of connections to services provided through an outside organisation. This is one of the issues that prompted the development of the PSN in the first place. These are significant issues, but against the financial pressures on the public sector some will shrink in importance and there will be more resolve to overcome the others.
There is a strong interest in sharing common processes around the country, and while senior officials have struggled to envisage how it could be achieved with their existing communications infrastructure, the implementation of the PSN now strengthens the potential to realise the benefits.
Research by BT shows attitudes to the PSN are generally positive. Of the public servants questioned for its PSNsus Survey, 69 per cent considered themselves to be well informed about the programme, and thought it would be important or very important to their organisation’s efficiency programme. They identified a number of expected benefits, the most important being the secure exchange of data, followed by a fast and reliable network, economies of scale, and the ability to strengthen ICT systems against attack and data loss.
GEOGRAPHICALLY DISPERSED SHARED SERVICES
Parts of the Kable survey focused on the potential for the network to facilitate more geographically dispersed shared services, and the results provide a guide to the priorities in dealing with suppliers. A key finding was that 90 per cent of respondents agree or strongly agree that accountability for service level agreements on connectivity is among the requirements for a successful shared service. This implies that suppliers need to be able to provide that accountability across broad geographical areas if the potential from national shared services is to be fully realised.
Neil Rogers, president, Global Government, BT Global Services, said: “This paper not only provides us with a glimpse into a PSN-enabled world, but also shows us the steps that public sector organisations need to take in order to get there.
“The Public Service Network opens up so many possibilities to share resources across public sector organisations. If PSN is used smartly and proactively, organisations will see a significant increase in the efficiency of their service delivery. It’s a massive opportunity for the public sector, with advantages that go far beyond ICT cost-saving.”
FURTHER INFORMATION
The research paper Shared Services in the PSN era, compiled by Kable on behalf of BT, can be downloaded from tinyurl.com/dx8dqc5
Scotland plans its own PSN
Scottish ministers have revealed details of a plan to create a £325 million wide area network, dubbed SWAN, which will be available for use by all public service organisations within Scotland.
It is hoped that SWAN will create a single telecommunications service that enables infrastructure and service sharing, which will over time replace the existing model where individual organisations procure, implement and maintain their own network. The initiative has stemmed from the McClelland Review of Scottish Public Sector ICT Infrastructure, which was released over the summer, and takes forward recommendations on collaborative procurement, aggregation of network demand and use of common standards.
An online procurement notice reads: “The SWAN programme is designed to deliver that single public services network in Scotland open to all public service organisations and with combined demand delivering both cost and performance advantages.”
FURTHER INFORMATION tinyurl.com/cl4s7hk
Digital Strategy
DIGITAL STRATEGY
GETTING THE DIGITAL HOUSE IN ORDER
Launched in November, the Government’s Digital Strategy aims to make transactions with central government easier, cheaper and more accessible. It has received praise from some prominent IT figures worldwide, and could provide a blueprint for local government to follow suit.
With the publication of the Government’s Digital Strategy (GDS) and Digital Efficiency reports, Minister for the Cabinet Office Francis Maude has attempted to fulfil commitments made in the Civil Service Reform Plan (CSRP) announced in June.
It is generally considered that central Government services have until now offered a poor user experience. The report states that the government’s 650 public services consist of over a billion different transactions, but many of these are not digital. Some need to be redesigned, and are under-used. According to the BBC, a study of local councils showed that face-to-face transactions cost £8.62, by phone this comes down to £2.83 and online transactions via a website cost only 15 pence. The strategy says that the changes could save up to £1.2bn by 2015 by making everyday transactions digital, and £1.7bn a year beyond 2015.
TIDYING UP WITH GOV.UK
The Whitehall departments that handle most of the central government service transactions for citizens will be the first to be redesigned. These are HM Revenue and Customs, Department for Transport, Department for Work and Pensions, Ministry of Justice, Department for Business, Innovation and Skills, Department for Environment, Food and Rural Affairs and the Home Office. The GDS says that by the end of 2012, each of these departments will choose three significant services, with over 100,000 transactions a year that will be ‘tidied up’.
All new or redesigned transactional services that go live after April 2014 will have to meet a new Digital-by-Default service standard first put forward by UK digital champion Martha Lane Fox in 2010, with the report Directgov 2010 and Beyond: Revolution Not Evolution. In response to the report, the government has already begun the migration of sites, by launching a single domain for government services, GOV.UK.
The transition is seen as a priority. Between November 2012 and March 2013, the corporate publishing activities of all 24 central government departments will move onto GOV.UK, with agency and arm’s length bodies’ online publishing to follow by March 2014.
Mike Bracken, Government Digital Service executive director, led the development of the strategy. He stated: “This is the first time that the Government has produced a strategy in this way, a truly digital document which reflects our ambitions and signals a clear roadmap for working with departments to help them achieve the goals set out in this strategy.”
A WORLD SERVICE?
The strategy has been developed using digital tools, with civil servants working alongside software developers, content editors and designers using open source digital version control systems. The GDS digital action plan and design principles are “the most significant since Apple’s” according to Web 2.0 guru Tim O’Reilly, who is himself a supporter of the free software and open source movements. At a key treasury meeting detailing the strategy, he stated: “This is the new bible for anyone working in open government. Everyone around the world should be following this. If we can apply that as our scripture for government best practices at every level around the world we would be doing a fantastic service.”
Liam Maxwell, the deputy government chief information officer appointed in April, says it’s all about user need. Maxwell, previously head of computing at Eton College and head of IT at Capita Resourcing, told the Guardian: “That’s at the core of everything we do, and I have those words on the back of my phone. It’s not a question of pushing or forcing anything on people. We’re designing everything around the user need. That means driving people more towards the digital channel because it’s easier for them. If you give people the ability to use your technology, it will be cheaper for you, they’ll get it quicker, and your user experience will be so much better”. CUTTING SPENDING Senior policy officer to the Prime Minister, Rohan Silva, has said that the government can look forward to cutting public sector spending on IT by £10 billion in the coming years. “It’s really interesting to remember where we were on this agenda two and a half years ago. In May 2010 there were 750 separate government websites, there was no Government Digital Service, even basic data about performance of public services and government spending wasn’t being released,” explained Silva. “People are talking about very big figures and potential savings
in the Welfare budget, but it’s my view that over time we can take just as much out of IT. I think we can take £10 billion out of public sector IT spending in the years ahead, without any change in the experience for the citizen, other than it will get better.”
LOCAL PERSPECTIVE Local Government IT group Socitm has welcomed the new strategy and suggests it offers a good opportunity to review thinking about digital services in local government. Under the strategy, government departments will be required to submit data that will enable measurement of service performance around four key indicators: cost per transaction; user satisfaction; transaction completion rates; and take-up levels. Socitm says that every local public service should run a similar dashboard, comprising at least these four critical indicators and use it as the way of measuring the impact of channel shift for reporting to top management. “In addition, and to take proper advantage of digital technologies and the opportunity for cost saving channel shift, local public services need to address ‘a major information gap’” says Socitm Insight’s Martin Greenwood. “While the Government Digital Service now has information about offline and online use of central government’s 650 transactional services, there is a paucity of similar information available from local authorities. We recommend that every local public organisation starts now to collect systematically such information about their top ten or twenty services by volume and adds this to their dashboard.”
A BIG HURDLE The Cabinet Office estimates that the Strategy could deliver £1.7 to £1.8 billion a year in savings beyond 2015, but getting disadvantaged people and those not used to transacting in this way on board could prove to be a big hurdle. According to the 21st century challenges website, 10 million people in the UK still do not have internet access, with 4 million of these aged 65 or over. Getting these people involved in the Digital Strategy plans is a different problem altogether, but the UK government is making progress in getting its digital house in order.
FURTHER INFORMATION digital.cabinetoffice.gov.uk publications.cabinetoffice.gov.uk/digital
Socitm conference to debate GDS
A debate on the Government Digital Strategy will be one of the highlights of the Socitm conference to be held in Birmingham 27–29 November. The debate will be chaired by journalist and commentator Michael Cross, and panelists will include Glyn Evans, former CIO at Birmingham City Council, Steve Halliday, Head of IT at Solihull Council, Jos Creese, CIO at Hampshire County Council (and chair of the Local CIO Council), John Callan, Head of ICT at Liverpool City Council, Paul Brocklehurst (Head of IT at Surrey County Council) and Kay Brown, Head of ICT at South Lanarkshire Council and also current President of Socitm. The Government Digital Strategy acknowledges that many government services are actually delivered locally, and that the Strategy’s aim is to deliver digital services that are ‘so straightforward and convenient that all those who can use them will choose to do so whilst those who can’t are not excluded.’ This aspiration has prompted those managing and delivering local public services to ask what they might take from the Strategy to address the huge challenges local government organisations are facing thanks to continuing recession and severe spending cuts imposed by central government. As well as the panel debate the Socitm conference includes a keynote plenary, master classes and lightning sessions on the impact of the Strategy.
FURTHER INFORMATION socitm.gov.uk
TC-Voice Guardian
TC-Wireless headset
Please visit our stand at Call Centre Expo 2012 No: D68 for further information on how to limit noise exposure for your operators or contact us on the number below. Clement Clarke Communications Ltd, Unit A, Cartel Business Estate, Edinburgh Way, Harlow, Essex. CM20 2TT T: 01279 456320 F: 01279 456339 E: info@c3headsets.com www.c3headsets.com
SERVICE DESKS
SERVICE DESKS: SETTING THE PUBLIC SECTOR STANDARD SDC offers a comprehensive assessment of an organisation’s current service desk operations and covers nine key concept areas, based on the EFQM® (European Foundation for Quality Management) model. The nine concept areas (listed in the panel opposite) cover the diverse aspects of a service desk’s operation. In addition to these nine concepts, the auditors also conduct observations of the service desk and its personnel, and interview key stakeholders and customers. This structure allows a full picture of the service desk operation to be created. DRIVING IMPROVEMENTS So just how has SDC helped to improve service desk standards in the public sector? Progress in the public sector has been achieved through SDI’s inherent understanding that the public sector faces massive and unprecedented pressure to change and adapt, all at a time of widespread austerity. Working with the public sector using SDC has enabled local councils, authorities and public services to fully understand and appreciate the whole picture of their service delivery – this ranges from aspects of the cost of running the service desk to the quality of customer service that service desks provide to their customers. SDC looks at both the quantifiable and qualitative aspects of a service desk operation to truly understand and deliver a crystal clear picture of the current state of the service desk. Our involvement in the process does not end there. Indeed one of the most fundamental aspects of SDC is the report that is produced at the end of an audit. This report clearly identifies the current state of the service desk and offers clear guidance and instruction on the steps needed to improve the service desk, and by extension, its maturity rating. We advocate an approach to service improvement that is intelligent and pragmatic. We understand that Rome was not built in a day, and guide service desks away from
implementing mass change in a small space of time. Our approach is to advocate gradual improvements to allow the steps of success to be built methodically, ensuring that each new improvement has time to bed in. Embedding improvement and change is, ultimately, how you change culture and perspective. Too much too soon creates a wave of change that can quickly engulf your service desk and may lead to loss of focus and appetite.
SDI certification – nine concept areas
1. Leadership
2. Policy and Strategy
3. People and Management
4. Partnerships and Resources
5. Processes
6. People and Satisfaction
7. Customer Satisfaction
8. Social Responsibility
9. Performance Results
Written by Daniel Wood, Service Desk Institute
For twelve years, the Service Desk Institute (SDI) has certified numerous organisations across the globe using their industry best practice standard – Service Desk Institute Certification (SDC), writes Daniel Wood, head of research at the Service Desk Institute
OUR EXPERIENCES Audits are confidential, and thus I cannot share specific examples of what participation in the SDC programme has accomplished. However, in general service desks have realised benefits in three key areas:
Customer satisfaction: The customer satisfaction concept of SDC has the highest weighting (20 per cent) of all of the criteria; and with good reason. Customer satisfaction is one of the key areas for service desks because they are so passionate about delivering the very best service that they can for their customers. Service desks that deliver excellent customer service are fulfilling the criteria of what a service desk should do: if customers are happy then we know that the service desk is delivering a great service. Typically, SDC customers make great strides in this concept because SDC requires both event (ongoing) and periodic (annual) surveys; asks for these surveys to be trended for at least twelve months; and asks for evidence that customer satisfaction is trending towards the goal. We also examine the feedback mechanism (complaints and compliments) and ensure that there is a correct process that follows up on unsatisfied responses. By delving into this level of detail, SDC exposes and highlights areas for improvement in this critical concept.
Efficiency savings: By going through the SDC process, service desks can recognise areas for improvement. In addition, the report produced at the end of the audit and the ongoing advice and assistance provided by SDI show how these areas can be improved through practical advice based on international best practice standards. Areas where improvements are quickly realised include: processes, metrics and reporting, policy and strategy (particularly mission and vision statements), and employee and customer satisfaction. Improvements in these areas not only improve service delivery, but also help the service desk to realise efficiency savings by streamlining their processes and ensuring that resources are used effectively and rationally.
Resources: Resources encompasses everything that the service desk requires in order for it to deliver an exceptional service to its customers. The SDC programme devotes a whole concept to this critical area to make sure that the service desk is properly resourced and has identified areas for improvement and efficiency savings. We also devote attention to human resources and test whether the service desk has appropriate and comprehensive staffing models in place. In this area in particular, SDC really drives home the importance of a staffing model that can be flexed to meet peaks and troughs in the workload, and also plans for a forward schedule of work. Ensuring that the service desk is adequately resourced is absolutely critical if you want to create consistency for your customers.
CHALLENGING TIMES These are challenging times in the public sector, where everyone is asked to do more with less and less resource. At some point something has to give. I meet so many great service desk people who are passionate about what they do and wake up every day with a burning desire to improve.
FURTHER INFORMATION www.sdi-e.com www.sdi-europe.com www.supportworld.co.uk
IT SECURITY
Written by Terry Greer-King
MAY THE FORCE BE WITH YOU
From applying security policies to DLP and effective user authentication, there are many IT security lessons to be learned from the classic space opera. Terry Greer-King, Check Point’s UK managing director, shows how companies can avoid the Empire’s mistakes.
Star Wars: A New Hope is more than just an epic tale of the galaxy-wide struggle between the Galactic Empire and the Rebellion, and the triumph of good over evil. It’s also a great example of how a series of basic infosecurity mistakes can cost even a massive, powerful (but evil) organisation like the Empire dearly. As the Empire’s executive leader, Darth Vader certainly didn’t lack resources. He had huge teams of trained, highly‑motivated personnel at his command, not to mention some state‑of‑the‑art security hardware. He also knew what assets needed protecting – all of which are fundamental to an effective security strategy. WEAK POLICY – POOR PRACTICE But ultimately, the Empire was compromised by a fatal combination of weak security policies and poor practice. It’s a classic example of investing in a seemingly powerful security technology or product, then building
policies based around that technology – rather than starting with a policy that covers what’s critical to their business, then acquiring and deploying solutions that map to it. Let’s take a look at some of the key security mistakes made by the Empire in Star Wars: A New Hope; how those mistakes were exploited; and how you can learn from them. LOCATING LEAKS In the opening sequence, Darth Vader and his Stormtroopers board a Rebellion vessel to recover intercepted blueprints of the Empire’s new terror weapon, the Death Star. So far, so good: the Empire detected a potentially dangerous data leak, and acted swiftly to contain it. However, the Empire’s good intentions were let down in the execution: their search of the ship was too focused. The stolen data was loaded onto a consumerised device (the droid, R2D2) which escaped the captured ship in a
lifepod. Even though Imperial forces detected the lifepod’s launch, they let it go: at that time, it wasn’t a droid they were looking for. The lesson is that there are multiple vectors for data loss – USB flash drives, consumerised devices, email, IM – whether the data is Death Star schematics or customer financial data. So organisations can’t afford to focus on one possible data loss vector while ignoring another. All possible vectors should be considered, in addition to the security policies developed to cover them and the solutions that enforce those policies. NO PRODUCT IS INFALLIBLE The intercepted blueprints were put to use by the Rebellion to create a highly targeted attack on the Empire’s main security appliance, the Death Star. However, at the Imperial board meeting convened to discuss the ramifications of the data breach, Imperial executives were more
Create security policies that will help you reach your strategic goals, and deploy the appropriate action to enforce them
concerned with point‑scoring and squabbling with each other, instead of working together to find and close off possible vulnerabilities. Darth Vader warned Admiral Motti not to be too proud of the technology the Death Star represented; and Motti retorted that Vader’s knowledge and use of The Force had not located the stolen data. Vader found Motti’s lack of faith disturbing, but he should have been more concerned that the meeting failed to find a way to fix the vulnerability. Neither had grasped the fact that it doesn’t matter how strong you believe your security infrastructure to be; there are always vulnerabilities introduced through simple human errors or poor planning. Keeping important networks and data secure requires both a clear, business-led policy and coordinated effort across IT and security teams. The product alone is not enough. POOR AUTHENTICATION When the Millennium Falcon is captured in a tractor beam and brought into the Death Star, the Empire fails to properly inspect the vessel for payloads that could present a risk. Then the rebel crew exploit the Empire’s weak visual authentication test by stealing Stormtrooper uniforms, which gives them unchallenged access to the Death Star’s interior, networks and defence systems.
These scenes highlight two very common security issues: first, without strong user authentication, it’s easy for a potential attacker to appear familiar and trustworthy. Simple visual checks (are you wearing an Imperial Stormtrooper uniform? Permission granted) are not enough. Security policies should take account of users’ credentials, and only grant access to users who can authenticate their identity, ideally with a 2-factor method. Second, it’s not appropriate to give all members of staff, contractors and third parties full access to all your network resources and data. Organisations should assess what information is business‑critical, and ensure that data is only accessible by those authorised to use it. THE DANGERS OF BYOD Having passed the Empire’s weak authentication systems on board the Death Star, R2D2 is able to access confidential data on the Death Star itself, simply by plugging into an easily accessed wall port. What’s more, R2D2 isn’t just a portable storage device, but a self-propelled, intelligent robot that could not only take data anywhere, but then use that data selectively. This creates a real BYOD (Bring Your Own Droid) problem for the Empire. Consumerisation can offer benefits, but once again needs a coherent policy
to control it within an organisation. The policy needs to be supported by technologies including port or device management, data encryption, and remote lock and wipe capabilities. DO, OR DO NOT – THERE IS NO TRY In conclusion, while the Empire had clear strategic goals (i.e. ruling the Galaxy), and enormous technological and manpower resources at its disposal, it failed to apply proper policies to help manage and utilise those resources effectively. In fact, the exposed exhaust port on the Death Star was the least of the Empire’s worries. The security lessons we can take from this are simple: focus on creating security policies that will help you reach your strategic goals, then deploy the appropriate technologies to support and enforce that policy. Do, or do not, there is no try. And may the enforcement be with you. ABOUT THE AUTHOR Terry Greer-King is UK managing director of Check Point Software Technologies, which will be exhibiting at Infosecurity Europe 2013 on 23rd–25th April 2013 at Earl’s Court, London. For further information visit www.infosec.co.uk
The why and when of accessibility testing
Why everyone matters
Because you are including everyone who may have access issues to your digital product, whether it be mobile, web, TV or gaming.
When it makes good business sense
Compliance with web standards isn’t just about the law – we all know it makes really sound business sense to be fully inclusive, just by including the extra 15-20% of users who may have difficulty in accessing your product. Achieving compliance isn’t always that easy and finding genuine expert help and advice can be a challenge. So working with Britain’s only independent pan-disability testing and accreditation operation can really add value to your organisation’s web presence and applications. Many years of technical and ‘real world’ experience combine with a pragmatic and can-do approach that has just recently benefitted organisations as wide-ranging as Channel 4, Department of Health, Government Digital Service, National Audit Office and M&S.
For an informal chat about how we could help you please call Cam Nicholl on 07597 690358 or 01792 815267
Handheld rugged mobile computers: drop them, drench them, pound them
Handheld is a leading manufacturer of rugged mobile computers and the fastest growing company in this sector. Its products are used in a wide spectrum of mobile field applications, often in the most harsh and demanding environments with the lowest total cost of ownership (TCO). With more than 25 years’ experience in the rugged industry, Handheld has successfully implemented solutions for every business sector. All Handheld products have memory and storage capacity to handle the most demanding of field, mobile or industrial applications, carry high IP ratings and meet stringent MIL-STD-810G military standards for withstanding water, dust, drops, vibration and extreme temperatures – including the recently announced Nautiz X1 Rugged Smartphone and Algiz 10X Rugged Tablet PC.
With a strong network of dealers in multiple vertical markets throughout the world Handheld, together with its business partners, supply complete mobility solutions to businesses and industries such as public transportation, logistics, geodesy, construction, service & maintenance, forestry, military and public security. The Handheld headquarters are based in Lidköping, Sweden. Handheld has local offices in Finland, Italy, the Netherlands, Germany, Switzerland, United Kingdom, Australia and the USA. FOR MORE INFORMATION +44 (0)1926 333 266 info@handhelduk.com www.handhelduk.com
CHARTERHOUSE MÜLLER: SYSTEMATIC DIGITAL ASSET MANAGEMENT
Disposable | Valuable | Priceless
Data is the lifeblood of almost all businesses, containing the intellectual value of millions of man-hours and years of research, effort and initiative. All too often that data can be discarded at the end of life of the equipment it lived on. Whilst the equipment may be old and tired, the data is often not and its loss can have disastrous consequences. Charterhouse Muller are a leading UK specialist in digital asset management, ensuring that your business is protected from data loss, software wastage and disposal compliance, through our No Compromise process. To find out more, contact us on 0118 956 9000 or visit www.charterhousemuller.com.
IT MANAGEMENT
POLICING THE NETWORK PROACTIVELY
Written by Emmet Florish, SolarWinds UK manager
While the traditional way to resolve IT management issues is often expensive and time consuming, Cheshire Constabulary turned to SolarWinds for an easy and cost-effective solution
Although IT management issues are often resolved by hiring expensive consultants and going through long procurement processes and staff training, when Cheshire Constabulary needed an easy and cost-effective solution for network monitoring, it turned to SolarWinds Network Performance Monitor (NPM). Local and central government are turning to powerful software tools like SolarWinds NPM that offer IT management capabilities without all the complication and hassle. While other IT management vendors are looking to expand the scope and number of devices that can be supported by their software, SolarWinds is focused on usability and ease of deployment – two areas that have been largely unaddressed by the market. NPM, for example, comes with a simple wizard interface that lets IT administrators easily install and configure the software. Aside from reducing operating costs, government departments measure technology return on investment by how much time was saved. Cheshire Constabulary deployed SolarWinds software in under an hour, and began to automatically discover and monitor its IT environment.
Cheshire Constabulary has been enforcing the law and protecting the people of Cheshire since 1857. The Police Force is headquartered in Winsford, which is located about halfway between Liverpool and Manchester, and polices nearly one million people. With approximately 4,000 employees and 45 sites to serve, the IT Technical Infrastructure team is responsible for maintaining a high-functioning communication system to keep its law enforcement operations running efficiently. The Cheshire Constabulary IT Technical Infrastructure team had previously used HP® Systems Insight Manager to manage their servers and storage as well as Link Analyst® to monitor their networks. They wanted a new product that could integrate all of that management, monitoring, and alerting into a single, easy-to-read dashboard. “Prior to having a dedicated monitoring and management system, we found – more often than not – that our customers told us we had IT issues before we knew,” said Chris Newton, network and storage manager for Cheshire Constabulary. The team sought a product that could provide proactive network alerting for IT problems, was easy to use, and didn’t require particularly intensive technical knowledge to use. They considered multiple products. None offered consistent monitoring, and they were all aimed at a more technical audience.
SOLUTION Newton came across SolarWinds products when a colleague showed him how SolarWinds Engineer’s Toolset offered simple solutions to his team’s problems. He was very impressed with an online demonstration of SolarWinds Network Performance Monitor (NPM) and decided to purchase several licences. “We wanted to have a single product that could monitor all the different aspects of our infrastructure,” he said. “We were able to customise SolarWinds NPM to monitor everything that all the previous products monitored but in one easy-to-use platform.” Newton said that while previously the team had used multiple software products to manage their hardware and assets and monitor their network links, the products worked together inconsistently: “SolarWinds products have given our technical teams the ability to monitor all aspects of our infrastructure that enables proactive fault-finding as well as important diagnostics to help diagnose faults,” he explained. “This now means that our technical teams are aware of issues before our customers tell us about them.”
RESULTS The Cheshire Constabulary IT Technical Infrastructure Team found SolarWinds NPM to be a simple solution for several of their problems. It offered centralised network monitoring and alerting and did so in an easy-to-learn, non-technical manner. Particularly in an industry that isn’t especially technology-focused, Chris said he was grateful for the straightforward style of SolarWinds monitoring and alerting features. “We are now in a position whereby we know we have issues before our customers, but more importantly, we know where our issues are. This provides us with the basis to find the root cause and resolution much faster. We are now more proactive and can address issues before they start to impact our customer base.” The IT Technical Infrastructure Team at Cheshire Constabulary faced a complex performance issue on their data warehouse but used a combination of SolarWinds NPM, SolarWinds Server & Application Monitor (SAM), and SolarWinds Storage Manager to identify bottlenecks and resolve the issue. SolarWinds end-to-end monitoring solution has reduced the number of site visits required to resolve issues, reduced the time needed to fix problems, and allowed the IT team to identify crucial pieces of information. “If you want a one-stop, integrated solution that is constantly being improved upon, then you will struggle to find a competing product that can assist with monitoring, performance, and fault-finding from applications to storage to networks like SolarWinds does – all at a very affordable price. On the back of our implementation and the benefits we’ve experienced, other police constabularies across the UK have followed suit and implemented SolarWinds solutions,” said Newton.
Advertisement Feature
A NUMBER ONE SMALL COMPANY SolarWinds provides powerful and affordable IT management software to more than 100,000 customers in 170 countries from Fortune 500 enterprises to small businesses. More than one million registered end-users have downloaded SolarWinds free tools. In October, Forbes magazine named SolarWinds the number one small company in America. SolarWinds focuses exclusively on IT Pros and strives to eliminate the complexity that they have been forced to accept from traditional enterprise software vendors. SolarWinds delivers on this commitment through products that are easy to find, buy, use and maintain while providing the power to address any IT management problem on any scale. L FURTHER INFORMATION www.solarwinds.co.uk
Little Green Button is a software panic alarm that is perfect for organisations of all sizes that face the public. It appears as a discreet, positionable icon that floats on top of your other applications; simply double-click to request assistance. Launched in 2004, the Little Green Button now supports many thousands of governmental, educational, healthcare and commercial sites around the globe. The low price, simple installation and low maintenance continue to make it the number one choice for computer-based panic alarms.
According to figures from the HSE, public sector workers are amongst those most likely to be victims of serious violence, a statistic that is unlikely to improve in these difficult times as it’s often them that end up bearing the brunt of the public’s frustration. With the increasing availability of computers in the workplace and the prohibitive cost of a hard-wired system, the Little Green Button is the perfect solution. Some of the key features include:
• It’s a server-less system, buttons communicate peer to peer.
• Standard licence covers up to 50 workstations.
• Hosted entirely on your network – no dependency on other applications or off-site links.
• Compatible with all current versions of Windows™.
• Optional hardware switches and strips for mounting under desks or on walls.
• Volume licence discounts available for larger sites or group purchases.
• Free upgrades for life.
Interested?
You can download and install a FREE 21 day trial with no obligation from our website.
What our customers say about the Little Green Button
Most sites get themselves up and running in minutes, but if you need any help our support team are here to answer any questions you may have.
“…we have had occasion to use this in many genuine circumstances … It has been effective in 100% of cases. The tool, part of our overall strategy, is respected and understood by the whole team and we wouldn’t be without it.”
If you like it, the annual licence for a typical site is just £100.
“ We found it very easy to install and use. It required minimal staff training.”
www.littlegreenbutton.com
“…gave us the perfect security tool. It is always there, we know someone will always be available to see and respond. Basically, it is perfect! Thank you for such a well thought out and useful, simple tool!!”
Call us on 01263 834648
or email: info@littlegreenbutton.com
WEEE DIRECTIVE
GETTING WEEE RIGHT
Written by Steve Mellings, ADISA
With revisions to the Waste Electrical and Electronic Equipment (WEEE) Directive legislation expected in 2013, Steve Mellings of the Asset Disposal & Information Security Alliance (ADISA) examines the specific parts relating to IT and Telecoms
In January 2007 the Waste Electrical and Electronic Equipment (WEEE) Directive was finally introduced into UK law and was heralded as being necessary to stop needless landfill of household and business electrical waste. As we approach the 6th anniversary of its introduction it is clear that whilst great strides have been made there are still significant issues to address. In recent years there has been regular press coverage highlighting the e-waste issues within the developing world. Prominent programmes such as Panorama have identified several leading organisations and many government bodies as having assets which have been found loitering in landfill, causing environmental and health issues. In June 2012 the Information Commissioner’s Office (ICO) levied their largest fine to date (£325,000) on Brighton and Sussex University Hospitals NHS Trust following improper disposal which resulted in the discovery of highly sensitive personal data on hard drives sold on an Internet auction site. As a result of this high profile attention many businesses, particularly in government, are reviewing their own operations when addressing redundant electrical equipment. Most are struggling to come to terms with their responsibilities and what they need to do to comply with legislation. In order to help this decision making process ADISA believes there are five key challenges which organisations should look to address in order to improve their own performance when dealing with retired IT equipment.
CHALLENGE 1: RAISING INTERNAL PERCEPTION It’s a common situation that as soon as a device is switched off it gets treated completely differently than how it was viewed when operating in a live environment. All too often we see that when equipment is decommissioned it is allowed to sit in a corridor, on top of a cabinet or to languish in a hidden store until a mysterious company comes and removes it. Clearly, as data can still be resident on these items, we can argue that the control needs to be greater now that the physical asset is being moved through internal and external hands than when it was in service.
CHALLENGE 2: LACK OF CENTRAL OWNERSHIP Within many businesses the number of departments who have a role to play within asset retirement is surprising. IT departments can control the physical asset; Facilities often look after store rooms where assets are stored and can also control mobile phone and printer contracts; Procurement takes care of new product supply and therefore producer compliance, and IT Security / Information Governance have the overarching responsibility for data protection. This gets compounded in more complex businesses as there can be a greater number of people involved such as data centre managers, desktop support, and entire business silos can all operate autonomously. As a result there is a lack of co-ordination within many organisations whereby not all participants know what to do, so one department may have proper control, while another may not.
CHALLENGE 3: RE-USE OR DESTROY? The W in WEEE stands for Waste and there is an assumption that as soon as a business user finishes with a product then it is classed as waste and therefore comes under the control of the WEEE legislation. However, within category 3 as the items being decommissioned
WHERE DOES YOUR DATA GO?
[Figure A: potential ways in which these assets can leave the business. Product types shown: USB, mobiles, PDAs, storage, servers, desktops, notebooks. Exit routes shown: DR / backup, trade-in, charity / staff, brokering, IT disposal partner, WEEE take back, rental / lease, cloud, hosted data centre, warranty / RMA.]
can still hold significant resale value this is not necessarily the case. The following guidance is an interpretation of a series of scenarios issued by the Environment Agency to offer clarity on this question. Should the business user have functioning and viable assets which they wish to be re-used (no intention to discard) then by issuing them to a re-use organisation rather than a recycling company then the asset is classed as product, not waste. It is crucial for a business end user to decide whether they wish to re-use or destroy their equipment. This decision often depends on confidence in data sanitisation and how to achieve this is covered later in this article. However, the decision to allow equipment to be re-used or not will help define what type of suppliers they should use as there are experts at on-site hard drive destruction, expert recyclers who are properly licensed for material processing and then there are secure IT Disposers who can handle data, testing and refurbishing of the equipment.
In recent years there has been regular press coverage highlighting e-waste issues within the developing world. Prominent programmes such as Panorama have identified several leading organisations and government bodies as having assets which have been found in landfill.
CHALLENGE 4: ONE SIZE FITS ALL
ADISA has seen that many business end users have a policy or process which states “we use x to overwrite our data” or “we destroy all hard drives” but when we see the full scope of asset disposal in part two of this article then we realise that there must be more to a proper policy in this area than a single fix. This is a more complex service area and a failure to understand that leads to poor internal processes and uncontrolled disposal of assets.
CHALLENGE 5: WHO TO TRUST?
The introduction of the WEEE legislation resulted in an explosion of service providers who offered a huge variety of services to help businesses meet their WEEE requirements. The resulting highly competitive market has been marred by miscommunication, conflicting guidance and the emergence of many ‘expert’ companies guaranteeing “WEEE Compliance” without really understanding what compliance for business end users within this sector means. This has been compounded by the vast, but
often ambiguous advice from governing bodies which leaves the business end user unsure of their actual legal responsibilities and, moreover, unsure who to trust.
These challenges are not the only ones we at ADISA have seen but they give an insight into how businesses might struggle to understand, and therefore have confidence in, this business process. In order to meet these challenges a formal and complete policy for asset disposal needs to be developed and implemented. Unless such a policy is in place and that policy controls all aspects then all efforts, whilst genuine, are not going far enough to protect against potential breach and exposure in the press.
The second part of this article explores the key elements to be included within a disposal policy. The starting point for improvement within the act of asset disposal must be the development and implementation of a policy to govern the processes undertaken by all external and internal participants. This needs to reflect the overarching business security policy, be prescriptive in service provision and include all media types and business streams where disposition could occur.
STAGE 1: SET THE PARAMETERS AND IDENTIFY PARTICIPANTS
The starting point for any policy is to set the parameters of the business process in question. ADISA defines asset disposal as follows: “Any situation where the data controller transfers custody of an IT asset to a third party for management or processing whether on a temporary or permanent basis”. When this definition is viewed operationally it can be seen that assets leave the business in countless different ways and each of these needs to fall under the control of the disposal policy. This simple illustration (Figure A) shows some of the different product types (this is not exhaustive) and potential ways in which these assets can leave the business. When we include BYOD and external consultants in this equation we can quickly see that what from the outset may have been a simple problem actually has many different layers which need to be fully understood and included within the policy.
The number of different departments within each business who participate either directly or indirectly within the asset disposal process is surprising. Who would ever have thought that HR needs to be included in the policy? How else can we get the terms of the employment contract amended to include an allowed sanitisation process to be performed on each leaver who has used their own device on the business network?
Within the UK there are over 650 IT Asset Disposal companies, so when it comes to vendor selection, it’s often a problem for end users
STAGE 2: CREATE AN APPROVED PROCESS FOR SANITISATION
This can be a fairly complex process depending on the sophistication of the business and should include the following key steps:
Step 1: Data Categorisation – What is the sensitivity of your data? Do you have a hierarchy of sensitivity?
Step 2: Business Impact Tables – What would be the impact on the business should any of the data become compromised? The impact on the organisation can be quantified in terms of financial loss, reputational damage, client/customer confidence, litigation issues etc.
Step 3: Threat Profiling – Who is most likely to exploit and benefit (the threat source) from security breaches of an organisation’s
data? What is their capability to exploit (threat agents) any vulnerabilities or weaknesses in the asset disposal chain?
Step 4: Risk Analysis – The final step maps Steps 1 to 3 to produce a hierarchical range of risk levels which can then be used to determine what the actual means for sanitisation should be. For example, if the risk is relatively low and the corporate policy is to support sustainability (by reusing whenever possible), then this would rule out destruction options (e.g. shredding) and promote the use of a cost-effective data wiping option. However, if the resultant risk level is unacceptably high then physical destruction may well be the only sensible option. The point is that whatever disposal process is chosen, it has been based on an intelligent risk-based analysis.
STAGE 3: FINDING A PARTNER
Once the organisation has a prescriptive disposal policy which denotes approved processes against each media type, then the next step is to work with a third party who can provide these services. Within the UK alone there are over 650 IT Asset Disposal companies so when it comes to vendor selection it is often a significant problem for end users. Furthermore, IT Disposal is often bundled up in general ICT provisioning service contracts and as such selection of the disposal agent can often be done through a third party. Complete transparency is required during such engagements and the specification of all disposal parties, whether directly contracted or not, needs to be controlled by this policy.
ADISA introduced a standard for this industry in 2011 which allows end users to narrow their search by starting with those companies who have already been pre-screened against the standard via a thorough assessment of their capabilities. These can be viewed on www.adisa.org.uk or business end users can make their own assessment of their partner’s capabilities against the work specification required. Once this assessment has been made there needs to be on-going auditing to ensure consistent delivery of the required services. This is crucial in the fight against poor service provision and lack of transparency in downstream suppliers as to who exactly is performing these services.
STAGE 4: TRAIN AND IMPLEMENT
Despite now having a prescriptive policy in place and a partner selected there is still a lot of work to be done. There needs to be a thorough internal education programme to ensure that all parties who participate within the process understand the policy and their role in ensuring the policy is followed. For example, Procurement needs to understand the policy when writing and negotiating contracts. Every department / regional office / separate site needs to know that the policy exists and who the chosen vendor is. Finally, the internal process needs to be followed and measured as all too often the external service provider’s performance is the focus of attention when in many cases internal failings are a greater vulnerability. After all, if an asset gets lost before reaching the chosen sanitisation provider the whole policy falls at the first hurdle.
In summary: Just because a business has finished with its IT or telecommunication equipment it cannot just put it out with the rubbish. A policy must exist which, after a risk-based decision process, has a prescriptive service requirement to address data and brand protection needs and which is then delivered by a selected, managed, and audited partner.
FURTHER INFORMATION
Launched in October 2010, the Asset Disposal and Information Security Alliance (ADISA) is a group of leading experts in risk management, compliance and data protection within the area of IT Asset Disposal. Visit www.adisa.org.uk for further information.