To exceed the government target of offering at least 80% of its services to citizens electronically by 2005.
Done.
Security Consulting to benchmark procedures/practices and develop
security strategy.
Benefits
Unisys has proved invaluable, allowing Essex to move the whole e-government project forward significantly, by understanding what procedures were already in place and ascertaining strengths and weaknesses.
The customer
Essex County Council is a local government authority in the United Kingdom that provides a vast range of essential services for one and a quarter million people throughout much of eastern England.
As the county’s largest employer with an annual turnover in excess of £900 million, the Council is responsible for planning the future of Essex and working to ensure its prosperity. As well as providing lifetime education for all ages and care for the elderly, the disabled, children and families in need, Essex CC also protects consumers and businesses while keeping people and goods on the move by building new roads and maintaining existing ones. Libraries, managing waste disposal and much more all come within the remit of the authority.
The problem
E-government is high on the agenda for Essex CC. One of its key objectives and driving factors is to exceed the government target of offering at least 80% of its services to citizens electronically by 2005.
"Electronic government doesn’t just mean that people have to have a computer to access them", explains Cliff Mulenga, Corporate Information Security Manager at Essex County Council. "It is all about offering new channels into our business – for citizens that could include telephone-based call centers, 24 x 7 availability as well as internet-based access from computers, kiosks or even web-TV."
With increased internal pressures and looming government deadlines to move into the e-government age, Essex County Council recognized that security would present a key challenge for the authority in opening up its services and IT systems to the outside world. "We have a stated commitment to e-government and needed to understand exactly where we might be exposing ourselves to risk in the implementation of our policy", says Mulenga. "Making our systems available to interact with citizens, other local authorities and the other business services we work with, needs another level of security and our aim was to understand all the implications that this entailed."
The challenge facing the council was to establish its security baseline in order to define the long term strategy and determine the policy that would be appropriate in the more open infrastructure required to support its e-government ambitions.
The structure of the existing organization comprises disparate businesses or service units covering social services, learning services including libraries, environmental services and corporate services. Information security for the council, therefore, has to be interpreted initially at the business level and then defined in terms of principles and procedures which can then be broken down into appropriate individual guidelines for use within each of the services.
BS7799– a well-established and proven British standard that describes a code of practice for information security management– offered a way forward. Since its introduction in 1995, it has been widely adopted by many commercial and public sector organizations throughout the world and has recently been ratified by the International Standards Organizations a global standard. Compliance to BS7799 offered the framework that Mulenga and his team needed to help determine this
baseline and the eventual goals of a security structure for the organization. "It gave us a benchmark to start measuring our existing procedures and practices against and a framework to develop our future security processes within", says Mulenga.
Assessing the options
Recognising that information security today is a specialized area of work, Essex CC looked for a partner who could bring the expertise and professionalism that they needed, but in such a way that its internal staff could learn from the process. The ensuing documentation would also form the basis for further work within the authority.
"We had already built a relationship with Unisys, and had a high regard for the professionalism and expertise of its staff ", says Mulenga. "Because they understood our business and were on the same wavelength as us in terms of how we viewed security management, selecting Unisys as our partner gave us a faster route to achieving our objectives".
Together with the council’s information security forum, which included representatives from all areas of the business, Unisys set about helping Mulenga and his team refine the statement of work and the exact requirements specification, together with agreed timescales. "Once we had agreed on the scope of the work and the timescales, this was then documented into a project plan that became the basis for the work", says Mulenga. "Our objectives were to review and address our current security policies and then develop and redesign them as appropriate against our overall strategy."
The solution
Initially the work with Unisys was concentrated on two key areas. The first entailed looking at the existing situation within Essex CC and what was already in place before auditing it against the current implementation of the authority’s security policy. Unisys then focused on helping Mulenga and his team to define what would be needed to develop this strategy to meet the future needs of the business, including the implications from the proposed e-government plan.
"Unisys drove us through the process – its experts took a view on our strengths and weaknesses", says Mulenga. "However, we did discover that we had indeed defined our security objectives fairly clearly, but Unisys helped us to take this forward and develop it further within the context of achieving BS7799 compliance".
In order to meet its e-government objectives and extend the reach of its services through technology, Unisys identified immediate work that would be needed. Some of these recommendations were technology-focused and included redesigning parts of the IT architecture and hardening firewall systems to cope with the additional security implications of increased interaction with external agencies. Other proposals were more process-related and included reviewing the roles and responsibilities of the council’s current security team and conducting a pilot program to better quantify the effort required to develop and deliver common security standards.
Customer value
For Mulenga and his team, the work with Unisys has proved invaluable, allowing them to move the whole e-government project forward significantly. By understanding what procedures were already in place and ascertaining its strengths and weaknesses in the security arena, the team were able to re-shape the whole programme and make it more realistic.
"BS7799 is all about documenting, managing and demonstrating competence. From the work with Unisys, this knowledge allowed us to scope our work and ascertain the real resource requirements", says Mulenga. These requirements were then measured against the authorities existing resources, identifying the commitment that would be needed by the authority to successfully complete the anticipated projects.
"Security management is often seen as a negative, and we needed to take a good look at our own business culture", explains Mulenga. "This project has allowed us to position ourselves in such a way that we have given the authority belief in our abilities to provide tangible benefits, as well as satisfy the levels of confidence demanded by the external agencies that we will be working with in the future in our progress towards e government."
