Independent information assurance review

Ahead of Scotland’s Census 2022, National Records of Scotland asked Bridewell Consulting to undertake an independent review of the strength of our security measures.

Bridewell Consulting are a specialist cyber security and data privacy consultancy and are certified by the National Cyber Security Centre (NCSC).

The aim of the review was to identify any risks to census systems, services and information. We also wanted to provide an independent view of our security for stakeholders.

The review looked at several parts of our system and how it will be delivered, including:

the people involved
processes and technology used
our supply chain

Conclusions

Security

The review concluded that overall National Records of Scotland has a comprehensive security programme in place.

It has been designed to reduce the risk of compromise to the delivery of the census, and to citizen data.

The review found that strong controls were also in place to detect and respond to threats that may impact the census when it is in live operation.

Additionally, it found that security controls in place have built upon and improved on those in place during the 2019 census rehearsal.

Assurance

As well as assessing the security controls in place, the review also considered:

how comprehensive the census assurance model is
how effective the census assurance model is in improving the census programme’s security

The review found that Scotland’s Census 2022 has a clear and multi-level assurance model.

This model enables the census programme to follow-up on security risks and provides good visibility of the security situation.

The review also found that:

bodies, including the UK Statistics Authority and the Scottish Government Digital Assurance Office, provide external assurance
the census programme updates the National Records of Scotland Strategic Board, Executive Management Board and the Audit and Risk Committee
there has also been extensive interaction with the Office of National Statistics, Scottish Government, National Cyber Security Centre (NCSC) and the Centre for the Protection of National Infrastructure, as well as cyber security consultancies

Findings

The review made 4 findings, all of a low or informational level.

This indicates only minor issues and areas for improvement, rather than problems presenting a significant risk to census security.

The review made recommendations for each finding and these will be implemented before census operations go live.

Methodology

The review was broken up into several assessment phases. This made sure relevant activities were assessed. The 3 assessment phases were:

governance and management
operational security, processes and design
security assurance

The review assessed census security against a mix of standards and good practice from security industry-recognised frameworks, including:

ISO27001, the international standard for information security
the US National Institute of Standards and Technology Cyber Security Framework
the Open Web Application Security Project Software Assurance Maturity Model
the UK Government Security Policy Framework
NCSC principles and other guidance

This approach strengthened the evaluation as it measured the census against criteria drawn from a number of different frameworks.

Please contact us if you have any questions about the security of Scotland’s Census 2022.

Overall, how satisfied are you with this page?

Very satisfied

Satisfied

Neither satisfied or dissatisfied

Dissatisfied

Very dissatisfied

How could we improve this page?

Limit is 1200 characters

Your feedback will help us improve this website. We will not respond directly to comments left here, so please do not include any personal information in your feedback. If you would like a response, use our contact form instead.