Colin’s IT, Security and Working Life blog

June 12, 2009

Security does NOT mean firewalls!

Filed under: Government IT Security — chaplic @ 1:00 pm


I was in the unusual position of being part of an  interviewing panel who were evaluating tenders from the big consultancies firms for a piece of work.

The work was to provide a requirements definition for a fairly meaty government IT contract.

Of the four bidders, two of them didn’t refer to security once in their tender, one made me apoplectic as they discussed security as an optional extra in “phase 3”. WRONG.

One of my set questions during the interview was along the lines of asking what security challenges we might face.

All gave similar answers – making noises about firewalls, public access and so on. All very good but not exactly insightful.

What I was looking for is consideration of wider aspects – the old favourites of Confidentiality, Integrity and Availability, thinking about data aggregation issues and discussing risk, acceptable risk and mitigations/ controls to reduce risk.

If good security needs are not baked into requirements of projects, retro-fitting it is extremely expensive and difficult.

Leave a Comment »

No comments yet.

RSS feed for comments on this post. TrackBack URI

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Create a free website or blog at

%d bloggers like this: