BLOG: Policing and The Need for Information Management
News and information from the Advent IM team.
I write this as someone with first-hand experience in information security and its management and also experience in Policing, having served part of my career as a frontline Police Constable; this combination allows me to clearly observe the lack of information management within policing.
In 2007, the movie Hot Fuzz starring Simon Pegg and Nick Frost was released, with Pegg as a highly motivated, crime-tackling, focused Police Constable and Frost as a sort of eager-to-please but bored-in-a-small-village Constable. This is a movie I have watched several times over the years and there is one scene in particular where I say to myself ‘that actually happens’. When I became a Police Constable myself, I re-visited the movie as it is a personal favourite of mine. One thing in particular stood out to me that mirrored my own Police working environment: it is when Frost’s character is arrested for drink-driving and put in the cell to sleep off his hangover and to be dealt with the following morning by Pegg’s character, ‘Nicholas Angel’. The following morning, he arrives at the Police Station to do just that, only to find that Frost is there in uniform eating a dessert dish with the rest of his colleagues. The reason for this is that when an indiscretion is made within the Sandford Police Station, the fictional town, the offending person must bring in a dessert dish as punishment, and the severity of the offence dictates the dessert dish that is purchased for the Station. It is what we called in my own Police Force a ‘Cake Fine’. More on this later…
When I began my Police training, a course that spanned nearly 6 months, one thing that stood out to me was what we didn’t cover: how we protect and manage the information (personal and otherwise) that we would gather on a daily basis as an operational Police Constable, and what it would mean, not only to us but to the person (who may be a victim, witness or suspect), if it was not secured properly and was lost or, worse, fell into the wrong hands, or was not used in the right way to help that individual.
The lack of education and understanding around information management and most certainly the security of that information, amongst Police Constables, became obvious when a colleague was updating me on the various shifts, departments and other colleagues, where he noted that a member of the CID office had lost an investigation file, which resulted in the offending officer having to bring in “more expensive cakes” as punishment. I cannot comment on if the file was ever recovered or what actions were carried out when such an incident occurred as my colleague did not know but it certainly confirmed to me that the ‘Cake Fine’ scene in Hot Fuzz was true.
One other observation / concern that stood out to me, one that seemed to happen more regularly than others and one that could be resolved with ease, is one involving the Station cleaner. This person, who was employed by the Train Station as our own office formed part of the structure, was only allowed access when given entry to the Police Station by either the Office Manager or one of the Police Officers. During my time as a Police Constable, more often than not I would need to work the night shift, which meant being in work 15 to 20 minutes before my shift started at 10pm. I would walk into the Station and find investigation paperwork strewn across desks, computers unlocked and no Police Constable in sight, with them having been called to attend an incident. There were times where the Station initially appeared to be empty when the cleaner, unescorted, would appear from one of the back offices. One of the questions that needs to be asked here is how this happened and what could have been done to prevent it from happening.
Time would have been critical for the Police Constables to get to the incident;
Would they have allowed the cleaner to carry on with their tasks because they had been vetted, ultimately providing unmitigated access to some investigation case files should the cleaner have had malicious intent, or should they have escorted the cleaner out of the building with instructions to return on their return or when the Station was populated?
Or was there another solution?
What about implementing authorised timings for the cleaner to attend, when it is known that there would be members of staff available to escort / observe the cleaner when in the Station, such as daytime hours only? Should there be no person available to escort or observe the cleaner, then no access would be granted and the cleaner would be asked to return at another time and date when there is.
Another question to be asked is how did this happen? Lack of awareness around Information Management and Security? Lack of training? Or, if none of the former is an issue, why do they allow this to happen continuously?
The answer keeps coming back to the same thing: Training and Education. There was certainly a lack of the former during my formal training to be a Police Constable, which focused on learning verbatim the points to prove on Policing definitions as well as conducting practical scenarios of Policing incidents. But why was there not any training on protecting the information that we, as Police Constables, obtain from a variety of people, which contains an incredible amount of personally identifiable information that could put them at risk of harm?
To my knowledge, no incident has occurred involving the cleaner at this location, BUT who’s to say that it won’t happen in the future, here or at another location, due to the poor understanding of Information Security? We have seen data breaches over the last few years in Gloucestershire and Northern Ireland within the Police, and only time will tell if we see an incident occur through the insider threat, with someone like the cleaner exploiting a vulnerability due to the lack of understanding around information security, and the fine will be more substantial than just cakes.
-Leighton Hughes, Security Consultant, Advent IM