Councils strengthen GCSX CoCo defences

Rush to install compliance software in a bid to avoid ICO fines keeps software vendors happy

Cherwell District Council, North Oxfordshire, has installed software specifically to handle GCSX CoCo rules

Local government bodies are hastily installing compliance software in a bid to avoid the potentially large fines that can be imposed by the Information Commissioner’s Office (ICO).

Government Connect Secure Extranet (GCSX) Code of Connection (CoCo) rules on data security are controls with which all local authorities must comply before they can access and swap data with central government departments, approved suppliers and other national bodies over networks such as the Government Secure Intranet (GSi), the Government Secure Extranet (GSX), the National Health Service Network (N3), the Criminal Justice Extranet (CJX) and the Police National Network (PNN).

As of 6 April this year, the ICO has new powers to impose penalties of up to £500,000 for serious data security breaches under the Data Protection Act.

Cherwell District Council in North Oxfordshire is one local authority to have installed software specifically to handle GCSX CoCo rules since the 6 April law change.

It has focused on establishing what it calls ‘best practice information assurance’ and ‘user awareness’.

This essentially means educating end users and business partners about what is expected of them with regard to data security, and installing software that alerts anyone logging on to its network that they need to sign up to an acceptable usage policy to access the restricted data.

“The GCSX was the primary driver for installing MetaCompliance software,” said Cherwell information systems manager Gareth Jones.

“All employers, contractors and third parties receive appropriate training and awareness information on screen when they log in, making sure that once they have read it, they have to action it by pressing an agree button.”

Cherwell is facing its annual GCSX audit on 16th July this year, but also wanted to make sure it complied with the ISO 27001 information security management system standard.

By automating information delivery at login, MetaCompliance provides auditors with demonstrable proof of the council’s compliance efforts, as well as automated risk assessment procedures which save the IT department time and effort, and a way to integrate workflow processes into e-learning schedules.

“Trying to track people moving in and out of different data security groups is time consuming, and this software tracks them for me,” said Jones.

The stronger government stance on data security represents a significant opportunity for software vendors.

There is currently no specific solution for GCSX CoCo in the UK, leaving vendors to sell a wide variety of security applications to nervous local authorities to help them achieve compliance.

Encryption software that protects the data on laptop and homeworker hard disk drives, USB sticks and other removable media has proved popular, for example, as has login management software that keeps track of people logging into local government networks and helps authenticate verified users.

Much like insurance policies that guard against events that may never happen, however, it is always hard to show a clear return on investment for any compliance software, and in some cases the additional management burden can put a significant strain on in-house IT staff.

“I don’t have the ROI calculations to hand, but there are significant savings in people’s time – the HR department would normally have to check everybody’s files manually to see if they had done the e-learning, for example,” said Jones.