The requests asked detailed questions about the progress and management of GCSx (Government Connect Secure Extranet) – a government-wide programme which provides a secure private Wide-Area Network (WAN) that enables local authorities to share data with central government. To gain access to the GCSx, local government authorities have to comply with the Code of Connection (CoCo), and also Good Practice Guide 13 (GPG13), which mandates specific security and network controls for protective monitoring in order to prevent data leakage.
“The FOIA responses were really enlightening,” said Bill Roth, Vice President at LogLogic. “It appears that Northern Ireland and Scotland are not currently required to comply with GCSx but are following different, localised regulations such as the Network NI Initiative and GSX in Scotland, however a few councils did indicate that they may be subject to joining the GCSx programme in the not so distant future.”
Of the questions related to data management (tracking and recording user activity), several of the Scottish and Northern Irish councils refused to answer them on the grounds of national security - making comparisons amongst these impossible. Fortunately English and Welsh local authorities were more transparent with their responses and the following data can be shared:
• All five of the largest councils were GCSx compliant
• Four out of the five had implemented log management to assist with tracking and audit management (the remaining council didn’t answer the question)
• Four of the five could track and report on logs in real time (the remaining council didn’t answer the question)
• Four of the five carried out an annual audit to stay on top of requirements. One did not carry out an annual audit as such.
• Interestingly four of the five hadn’t received any specific funding to help meet the requirements of GCSx CoCo but had still managed to achieve compliance. The remaining council had received funding for GCSx 4.1 but nothing for version 4.2 onwards.
• Three of the five largest councils were fully GCSx compliant and the other two were still at the implementation stage
• Three had implemented log management solutions to help achieve compliance
• Only two of the five could track and report in real time (the other three could not)
• Two of the five kept their log data for just 0-3 months, another for 3-6 months and the remaining two kept the logs for 6 months plus. The recommendation for GCSx compliance is six months plus.
• On a positive note all five carried out annual compliance audits
• Three of the five councils had received extra funding for GCSx, the remaining two did not receive any funding.
“Managing IT data – from collection to storage and being able to report on it in real time is key to addressing the cornerstones of GCSx,” concluded Roth. “Overall I think the English and Welsh authorities have fared pretty well, but they were let down (the English authorities particularly) on being able to track and record in real time which is essential for monitoring and preventing sensitive data from leaking out of the Government Connect Secure Extranet. Storing logs for the recommended six months plus time period is also critical for compliance and a surprising number fell short of that measure.
I was also surprised that funding seemed so random – some authorities receiving extra help and others none – we had also had a comment from one authority saying that although funding had been provided for GCSx 4.1, they had received no help for version 4.2 and onwards. It’s baffling since yes, the initial investment is large, but there’s an ongoing cost for upgrades and keeping on top of requirements. Funding needs to be standardised at the very least so that councils across the board can benefit.”
*Largest councils by population estimates according to the most recent tables (mid 2009) produced by the Office for National Statistics.
About the Freedom of Information Requests
Councils included in this research were:
• Scotland – Fife, North Lanarkshire, South Lanarkshire, Edinburgh, Glasgow
• Wales – Cardiff, Swansea, Rhondda Cynon Taf, Caerphilly, Carmarthenshire
• Northern Ireland - Newry & Mourne, Derry, Belfast, Craigavon, Lisburn
• England – Birmingham, Leeds, Sheffield, Liverpool, Bradford
FOIA requests were initially submitted in May 2011.
LogLogic® (loglogic.com) is the IT Data Management Company. More than 1,200 customers worldwide entrust their most sensitive IT data to LogLogic’s award-winning products. For more information on LogLogic and IT Data Management, visit us on the web or on Twitter or Facebook.