Independent information assurance review
Ahead of Scotland’s Census 2022, National Records of Scotland asked Bridewell Consulting to undertake an independent review of the strength of our security measures.
Bridewell Consulting are a specialist cyber security and data privacy consultancy and are certified by the National Cyber Security Centre (NCSC).
The aim of the review was to identify any risks to census systems, services and information. We also wanted to provide an independent view of our security for stakeholders.
The review looked at several parts of our system and how it will be delivered, including:
- the people involved
- processes and technology used
- our supply chain
Conclusions
Security
The review concluded that overall National Records of Scotland has a comprehensive security programme in place.
It has been designed to reduce the risk of compromise to the delivery of the census, and to citizen data.
The review found that strong controls were also in place to detect and respond to threats that may impact the census when it is in live operation.
Additionally, it found that the security controls now in place build upon and improve on those used during the 2019 census rehearsal.
Assurance
As well as assessing the security controls in place, the review also considered:
- how comprehensive the census assurance model is
- how effective the census assurance model is in improving the census programme’s security
The review found that Scotland’s Census 2022 has a clear and multi-level assurance model.
This model enables the census programme to follow up on security risks and provides good visibility of the security situation.
The review also found that:
- bodies, including the UK Statistics Authority and the Scottish Government Digital Assurance Office, provide external assurance
- the census programme updates the National Records of Scotland Strategic Board, Executive Management Board and the Audit and Risk Committee
- there has also been extensive interaction with the Office of National Statistics, Scottish Government, National Cyber Security Centre (NCSC) and the Centre for the Protection of National Infrastructure, as well as cyber security consultancies
Findings
The review made 4 findings, all of a low or informational level.
This indicates only minor issues and areas for improvement, rather than problems presenting a significant risk to census security.
The review made recommendations for each finding and these will be implemented before census operations go live.
Methodology
The review was broken up into several assessment phases to make sure all relevant activities were assessed. The 3 assessment phases were:
- governance and management
- operational security, processes and design
- security assurance
The review assessed census security against a mix of standards and good practice from security industry-recognised frameworks, including:
- ISO27001, the international standard for information security
- the US National Institute of Standards and Technology Cyber Security Framework
- the Open Web Application Security Project Software Assurance Maturity Model
- the UK Government Security Policy Framework
- NCSC principles and other guidance
This approach strengthened the evaluation as it measured the census against criteria drawn from a number of different frameworks.
Please contact us if you have any questions about the security of Scotland’s Census 2022.