There is a clear multi-level assurance regime in place for Census that follows up identified security risks and provides accurate visibility of the security situation. As well as assessing the Census security controls in place, the review also assessed how comprehensive that assurance regime was, and how effective it was in improving the Census’ security posture.
External assurance is conducted by bodies including the UKSA and Infrastructure Projects Authority for methodology and delivery, and UK Census Committee (UKCC) for legislative compliance. The Census updates the UKSA board and shares details with the ONS Audit and Risk Assurance Committee. There has also been extensive interaction with NCSC, Centre for the Protection of National Infrastructure (CPNI) and Government Digital Service (GDS), as well as cyber security consultancies. Parts of the Northern Ireland Civil Service also assure NISRA.
Scope
The scope of this review was Census 2021, not all of ONS and NISRA. The National Records Service in Scotland has deferred the Scottish Census to 2022. The Census Programme is distinct from the Authorities’ Business As Usual. However, some Census security is inherited from the wider enterprise and Census has dependencies on it. The review and its findings therefore included enterprise-scale issues where necessary.
The following elements were in scope: systems, services and staff in ONS and NISRA supporting Census; Census suppliers; physical and digital security.
Executive Summary
The robust fundamentals of architecture, design and baselines that were deployed for the 2019 rehearsal remain in place and have continuously been assessed. The security maturity of Census solutions has continued to improve with further time, investment and attention.
There are 21 findings in the report and they are all of a Low or Informational level, indicating only sporadic deficiencies and areas for improvement, e.g. a small number of corporate security policies requiring review, rather than factors presenting a significant risk to Census security.
Overall, this assessment has concluded that both ONS and NISRA have comprehensive security programmes in place designed to reduce the risk of compromise to the delivery of the Census and citizen data. The assessment found that strong controls were also in place to detect and respond to threats that may impact the Census when it is in live operation. This 2020 assessment has found that security controls in place have built upon and enhanced those in place during the 2019 rehearsal.
Methodology
The Census 2021 Independent Information Assurance Review was broken up into several assessment phases to meet the assurance requirements for ONS and NISRA, ensuring that relevant activities were appropriately assessed. The three assessment phases were: Governance and Management; Operational Security, Processes and Design; and Security Assurance.
Once each assessment phase was completed, an interim report and preliminary findings were produced. This led into a fourth phase, Remediation, where phase findings were reviewed to validate whether recommended remedial action had been undertaken. Once the Remediation phase was complete, Bridewell Consulting drafted this final report.
Industry Alignment
The assessment criteria comprised a blend of key selected controls, outcomes and good practice from control frameworks recognised by the security industry, including ISO27001, the NIST Cyber Security Framework, the Open Web Application Security Project Software Assurance Maturity Model, the UK Security Policy Framework, NCSC principles and other guidance. This ensured that the Census was assessed against recognised good practice without the assessment being constrained by any one specific framework.
For the Governance and Management phase, key requirements were taken from the UK’s Security Policy Framework and ISO27001, which is an international standard for implementing an effective Information Security Management System, to assess whether there is effective security governance in place across the 2021 Census Programme.
For the Operational Security, Processes and Design phase, a tiered set of frameworks was selected to drive the assurance activity and these were:
National Institute of Standards and Technology Cyber Security Framework (NIST CSF) – A widely adopted holistic framework that covers the range of security controls and translates well to public sector services. Using the NIST CSF allows ONS and NISRA to understand the security controls in place within the multiple environments.
Open Web Application Security Project (OWASP) Software Assurance Maturity Model (SAMM) – an industry leading assurance framework for secure software development covering the processes used for Continuous Integration (CI), Continuous Development (CD) and live services. The OWASP SAMM provides an effective and measurable way for ONS and NISRA to understand their software security posture and development processes. It is particularly relevant because much of the Census is in a software-defined and DevOps environment.
Assessment Techniques
The assessments were conducted remotely using video conferencing and followed a blended approach of document review, screen sharing and interviews with key stakeholders. During the assessment window there were also further follow-up questions to validate understanding of specific areas and controls. The assessment lasted three months, so it included point-in-time assessments as well as observation of change over that period.
The assessments employed an evidence-based approach so that each phase was robust, repeatable and auditable. Evidence sampled included documentation, screenshots and follow-up on findings from the 2019 rehearsal. More detail is available in Appendix A – Assessment Methodology of the full report, which can be made available on request.
Collective Census Overview - Findings
The assessment did not identify any Critical findings. Any High or Medium findings that were identified during the assessment were remediated or reduced in severity over the course of the review.
The remaining Low severity and Informational findings are evenly split between people, process and technology, which indicates that Census has taken a holistic approach to security.
These findings are either observations of where there are unfinished security controls or where some potential risk could emerge. Most will be addressed by existing action plans before the Census; some are new and ONS and NISRA will have to triage and manage these as new risks.
The distilled findings are included in the report but the technical detail that supports these findings, which is in the full internal report, is not repeated here because of the length and level of detail that it would introduce.