§ Mr. Colvin To ask the Secretary of State for Trade and Industry what action his Department is taking to encourage greater computer security (a) in government and (b) in the private sector; and if he will make a statement.
§ Mr. Leigh [holding answer 15 July 1991]: The DTI is supporting a three-year programme, directed mainly at smaller and medium-sized enterprises, which aims to raise awareness of the importance of security in all aspects of information technology. A major purpose of the awareness programme is to stimulate business users of computer systems into examining their security requirements and to help them adopt appropriate practical solutions that meet their needs effectively.
The campaign, now in its second year, provides advice and guidance on the measures which businesses can take to combat both deliberate and accidental threats to their computer systems. A key message of the campaign is that action taken to prevent such threats is more effective than dealing with breaches of security after they have occurred.
The DTI is also involved in promoting greater awareness of the Computer Misuse Act 1990, and of its implications for business.
In a further initiative, launched on 1 May 1991, DTI has introduced a national scheme for the evaluation and certification of the security of IT systems and products. The purpose of the scheme is to promote an efficient and effective market in IT security, offering benefits to users and vendors alike. The scheme provides for independent security evaluation services to be made available to all sectors of industry, commerce and government. These services are backed by a certification scheme whereby evaluations performed by commercial bodies licensed as commercial licensed evaluation facilities (CLEFs) are certified as meeting the necessary standard.
A primary objective of the scheme is to provide for international mutual recognition of evaluation certificates and by such means to make the market place an international one, with a wider choice of certified products available.
The DTI, in consultation with other Government Departments, is now promoting co-ordination of IT security studies, and research and development activities across European Community programmes. It is thus seeking to ensure that the security needs of business within the soon to be completed internal market can be met.
Within government, a range of security measures has been developed to protect computers and the data that they process according to an assessment of the threats they face. It is the responsibility of individual Departments to apply these measures to their own systems, taking account of interdepartmentally agreed guidance. This guidance is kept under constant review.