Just 27 percent of IT systems at the Ministry of Defence and its agencies fully meet government security guidelines, the secretary of state for defence has admitted.
Bob Ainsworth revealed the statistics on Monday in a written reply to a question from Conservative MP Shailesh Vara. In the reply, Ainsworth wrote that 58 percent of IT systems at the ministry and its agencies have been through the security accreditation process laid out by the government a year ago. The systems range from corporate IT set-ups serving thousands of users to business-level systems used by smaller groups.
Only 27 percent of these systems are fully security accredited and are being operated within the ministry's "senior information risk owner (SIRO)'s risk appetite", according to Ainsworth; that risk appetite balances security risk against operational reward. The other 31 percent have conditional or interim accreditation, "with constraints placed on the operation of the system to ensure that identified risks are adequately managed within SIRO's risk appetite".
The guidelines in question were instituted after an MoD laptop, containing the details of 600,000 people, was stolen. They cover issues such as the ability of staff to put sensitive or personal information onto flash drives or laptops — which may be mislaid — and the need to encrypt information.
Forty-two percent of systems are not accredited at all. "This represents the significant workload undertaken to plan and develop solutions for new equipment systems or platforms," wrote Ainsworth. "This also includes applications from legacy systems, many of which will be migrated onto the developing defence information infrastructure."
Ainsworth's breakdown covered systems whose accreditation is controlled centrally by Defence Security and Standards Assurance (DSSA). These number in the hundreds. In addition to systems connected to Ministry of Defence networks, the total includes systems that are not connected but contain sensitive or personal data — those given a rating of "stand alone above Secret" or "contain significant value to the MoD".
Platforms and systems that are not security-checked by the DSSA are not included.
On the same day, Ainsworth also provided a written answer to a question from the Tory MP Patrick Mercer, who had asked how many mislaid desktop computers, laptops, hard drives and USB flash drives had been lost then recovered by the MoD and its agencies in each year since 2003.
According to Ainsworth, a total of 43 such devices were recovered in 2008 by the MoD (up from 11 in 2007). This figure includes one desktop PC, 26 laptops, five hard drives and 11 USB flash drives. The answer did not state whether 2008 saw a jump in recorded recoveries because of improved recovery processes, or because more data-bearing devices were lost that year.