Bridewell Consulting, a National Cyber Security Centre (NCSC) certified cyber security consultancy, was engaged to undertake an overarching Independent Information Assurance Review (IIAR) of the security of the 2021 Census Programme. It encompassed the people, process and technology used to deliver this, including the Census supply chain, for the Office for National Statistics (ONS) and the Northern Ireland Statistics and Research Agency (NISRA). This was to identify risks to Census systems, services and information for attention before the Census, and to present an independent view of security maturity to stakeholders including the public.
ONS and NISRA security findings
There is a clear multi-level assurance regime in place for the Census that follows up identified security risks and provides accurate visibility of the security situation. As well as the Census security controls in place, the review also assessed how comprehensive that assurance regime was, and how effectively it was in improving the Census’ security posture.
External assurance is conducted by bodies including the UK Statistics Authority and Infrastructure Projects Authority for methodology and delivery, and UK Census Committee (UKCC) for legislative compliance. The Census updates the UKSA board and shares details with the ONS Audit and Risk Assurance Committee. There has also been extensive interaction with NCSC, the Centre for the Protection of National Infrastructure (CPNI) and the Government Digital Service (GDS), as well as cyber security consultancies. Parts of the Northern Ireland Civil Service also assure NISRA.
Scope
The scope of this review was Census 2021, not all of the ONS and NISRA. The National Records Service in Scotland has deferred the Scottish Census to 2022. The Census Programme is distinct from the Authorities’ Business As Usual. However, some Census security is inherited from the wider enterprise and the Census has dependencies on it. Review and findings therefore included enterprise-scale issues when necessary.
The following elements were in scope:
- systems, services and staff in ONS and NISRA supporting the Census
- Census suppliers
- physical and digital security
Overview of assessment
The robust fundamentals of architecture, design and baselines that were deployed for the 2019 rehearsal remain in place and have continuously been assessed. The security maturity of Census solutions has continued to improve with further time, investment and attention.
There are 21 findings in the report and they are all of a low or informational level, indicating only sporadic deficiencies and areas for improvement, for example, a small number of corporate security policies requiring review, rather than factors presenting a significant risk to Census security.
Overall, this assessment has concluded that both the ONS and NISRA have comprehensive security programmes in place designed to reduce the risk of compromise to the delivery of the Census and citizen data. The assessment found that strong controls were also in place to detect and respond to threats that may impact the Census when it is in live operation. This 2020 assessment has found that security controls in place have built upon and enhanced those in place during the 2019 rehearsal.
Methodology
Phased approach
The Census 2021 Independent Information Assurance Review was broken up into several assessment phases to meet the assurance requirements for the ONS and NISRA, ensuring that relevant activities were appropriately assessed. The three assessment phases were:
- Governance and Management
- Operational Security, Processes and Design
- Security Assurance
Once each assessment phase was completed, an interim report and preliminary findings were produced. This led into a fourth phase, Remediation, where phase findings were reviewed to validate whether recommended remedial action had been undertaken. Once the Remediation phase was complete, Bridewell Consulting drafted this final report.
Industry alignment
The assessment criteria comprised a blend of important selected controls, outcomes and good practice from security industry recognised control frameworks, including ISO27001, the Cyber Security Framework, the Open Web Application Security Project Software Assurance Maturity Model, the UK Security Policy Framework, NCSC principles and other guidance. This ensured that the Census was being assessed against recognised good practice and the assessment was not constrained by one specific framework.
For the Governance and Management phase, important requirements were taken from the UK’s Security Policy Framework and ISO27001, the latter being an international standard for implementing an effective Information Security Management System, to assess whether there is effective security governance in place across the 2021 Census Programme.
For the Operational Security, Processes and Design phase, a tiered set of frameworks was selected to drive the assurance activity, and these were as follows.
National Institute of Standards and Technology Cyber Security Framework (NIST CSF)
This is a widely adopted holistic framework that covers the range of security controls and translates well to public sector services. Using the NIST CSF allows the ONS and NISRA to understand the security controls in place within the multiple environments.
Open Web Application Security Project (OWASP) Software Assurance Maturity Model (SAMM)
This is an industry leading assurance framework for secure software development covering the processes used for Continuous Integration (CI), Continuous Development (CD) and live services. The OWASP SAMM provides an effective and measurable way for the ONS and NISRA to understand their software security posture and development processes. It is particularly relevant because much of the Census is in a software-defined and DevOps environment.
A full copy of this report is available on request, if you would like a copy, please send an email to: chiefsecurityofficer@ons.gov.uk