research in local government by Public Sector Forums.The Cabinet Office report noted that Departments had different needs and capabilities and said:
‘..while similar criteria are considered, it is clear that departments are coming to different conclusions on access, suggesting they are taking different views of the degree of risk or benefit associated with these types of site. While most departments clearly feel that blocking access is necessary to some degree, they also emphasise that their ‘appropriate use’ policies or codes of conduct have a key role in governing individual behaviour in this area.
‘Most policies include a provision for allowing exceptional access to specific sites for individuals that can make a strong case on the basis of business need. In some cases where use is typically blocked or restricted, non-networked PCs are made available for staff to access social media or webmail sites.
‘Several departments noted that they are currently or will soon review their policy in this area, with some noting that they see the need for more help and guidance for staff beyond that available in the published guidelines for Civil Servants on online participation. Policy ownership resides in the majority of cases with IT (with input from HR, Finance, Communications), though in a few cases the reverse applies.
4 departments allow access to all of the sites above as standard across their network.
12 department block access to all of them as standard across their network (but several note they will make case-by-case exceptions).
14 departments allow access to some; block access to others’
In the modern world public servants need internet access to do their jobs, in particular to keep up with changing citizen customer behaviours. The Taskforce is concerned that access to narrowly defined ‘whitelists’ of acceptable websites can act to inhibit innovation. New systems, such as the Cabinet Office Flex system offers a secure browsing environment within which whitelist controls can be rolled back to a minimum. Public servants also need to have access to industry standard client capabilities such as modern browsers and plug ins.
The Taskforce recognises that there are tensions between: the ever changing IT security threat profile, a need to have room to innovate, different HR policies required for different types of organisation and the constantly changing opportunities offered by new web services. One of the biggest challenges is keeping policies in this area up to date and synchronised across an estate as large as the public sector. In order to manage the risks of internet access HR staff and the security authorities need to be in close contact with those who can articulate the benefits.
The Cabinet Office is leading work to examine the issues in this area, which the Taskforce supports. The least burdensome outcome would be a simple common internet access policy fit for the modern era and capable of evolving to cover as many public sector workers as possible. Given the widely differing operational environments of public sector workers (from intelligence analysts to nurses to contact centre workers) this may have to be a small but coherent family of policies.
The Cabinet Office should investigate the issues with staff involved in setting access rules and issue internal guidance. Where necessary Departments should work with CESG to accredit and deploy secure web browsing technology (already being used in Flex, a government shared ICT service) which would allow a full range of sites to be viewed at full functionality while protecting Government’s own systems against the introduction of rogue software (’malware’).