Cybersecurity services company Bridewell Consulting enhanced the security of the upcoming 2021 Census programme after following a stringent review process.
Bridewell was enlisted by the Office for National Statistics (ONS) and the Northern Ireland Statistics and Research Agency (NISRA) to perform the Independent Information Assurance Review (IIAR) which took place between September 2020 and January 2021.
Securing the risks
The purpose of the assurance review was to identify any security risks to Census systems, services and information, and to present an independent view of security maturity to stakeholders.
Bridewell also produced a public report to assure the nation adequate measures are in place and encourage members of the public to complete the Census.
The Census is a nationwide survey that takes place every 10 years and must be completed by every household. The data collected in the survey builds a picture of all the people and households across the UK to help organisations make decisions on planning and funding public services including transport, education, and healthcare in each area. The 2021 Census survey will take place on 21st March.
Security assurance review
Bridewell previously delivered the assurance review for the Census rehearsal in 2019 and was selected to undertake the review of the 2021 Census following a formal tender process. Bridewell engaged with the ONS, NISRA, and their trusted partners over three months to ensure that a thorough and robust review into every aspect of the programme was completed effectively.
ONS has developed strong security measures to safeguard submissions but we did not want citizens just to take our word on this
The assurance review took a three-phase approach, covering governance and management, operational security, process and design, and security assurance.
Andy Wall, Chief Information Security Officer at the Office for National Statistics comments, “The protection of citizen information collected in the Census is critical. ONS has developed strong security measures to safeguard submissions but we did not want citizens just to take our word on this."
Security Assessment Criteria
"It was very important for us to test our approach and measures and so we wanted an independent view. A specialist organisation like Bridewell, which has the expertise to look under the bonnet of the Census and assess the detail of what we have built, was very valuable.”
The assessment criteria comprised of a range of selected controls, outcomes, and good practice from security industry recognised control frameworks to ensure the assessment was not confined by one singular framework.
This included ISO27001, the Cyber Security Framework, the Open Web Application Security Project Software Assurance Maturity Model, the UK Security Policy Framework, NCSC principles, and other guidance.
Implementation of assessment
In total, Bridewell shared 21 findings in review which were rapidly addressed before the assessment concluded
The scope of the review included systems, services, and staff in ONS and NISRA supporting the Census, the Census supply chain, and physical and digital security. Bridewell also assessed how comprehensive and effective the assurance review itself was in improving the programme’s security. In total, Bridewell shared 21 findings in review which were rapidly addressed before the assessment concluded.
Scott Nicholson, Co-CEO at Bridewell adds, “The Census is vital to informing how organisations and public authorities effectively plan and fund critical services we all require. Whilst completion of the assessment is a legal requirement, members of the public need confidence that the data they provide will be processed fairly and lawfully with adequate protection in place."
"We are proud to have played a key role in independently assessing the governance, design, implementation, and operation of controls to ensure they are providing an appropriate level of protection.”