The Department of Defence recently became certified under the standards for best practice in information security, writes Eamon McGrane
The Department of Defence would not be the first Government body you would expect to be blazing a trail for best practice.
Thoughts would naturally gravitate to the higher profile departments or areas such as finance or revenue; perhaps education and science or even communications.
Defence, it seemed, had become blighted by the highly publicised Army compensation payments for deafness and successive ministers who seemed incongruous for the portfolio.
Not that those considerations should have anything to do with how the employees of the department handled their day-to-day workload.
So it might come as surprise to learn that the Department of Defence recently became the first Government sector to become certified under the standards for best practice in the field of information security - BS7799/IS17799.
The certification process was conducted by Certification Europe, an organisation that has been accredited by the State to issue certificates of compliance to international standards.
Michael Brophy, chief executive of Certification Europe said the department was very impressive in its quest for certification.
"It was a Government department that was already very security conscious. The concepts were well ingrained and people were well used to following set policies and procedures and understanding how information has to be handled in a secure manner.
"And I know for some of the other State bodies we deal with that's a major challenge because you're trying to bring in a culture of security and having to explain to people that some of the information they handle has to be treated in a protected manner. Defence was already streets ahead of many of the other departments in that regard."
While information security will probably have connotations of information technology, IT was only part of the picture for certification. The overall standard is far broader and takes in physical security, legal compliance, document management and other communications. "Information exists in a lot of other forms besides residing on a computer or network," said Mr Brophy. So, for example, the certification process took into account how the department communicated over telephone and fax and how hard copy documents were treated in terms of classification, handling and exchanging with third parties.
The physical security of the building was also examined in addition to security of the employees, business continuity and compliance. Of course there was a significant IT section which addressed issues such as safeguarding access to the computer system and operational issues relating to PC use and protection.
"This is an internationally accepted standard for information security," said Brophy. "Essentially, it's a benchmark for how things should be done and how information should be kept secure. And what the department wanted to do was show it was capable of operating to international standards - and it demonstrated that."
A spokesperson for the Department of Defence told The Irish Times that gaining the certification was a valuable exercise in having its security procedures audited against an internationally recognised standard.
"It gives the reassurance that our security measures meet with the best practice standards of information security. Also, as the certification is subject to continuing review, it ensures that we remain vigilant in all aspects of system security.
"As a key player in the national security sector we have always regarded security as a vital element of our systems and it is gratifying to have our procedures validated against a reputable security standard."
In a small twist, however, just as the department gained its certification, the best practice rug was pulled from beneath its feet as a new standard superseded the one it had just been accredited with. This means it will have to reapply to be endorsed under a nascent international ISO standard.
According to Mr Brophy, recertification will only take some minor tweaks and adjustments and the department said it planned to have the process complete by the end of this year.