The Serious Fraud Office’s digital forensics unit has appointed a consultant to bolster its digital forensics capability and assess network security

The Serious Fraud Office (SFO) has appointed a third-party consultant to help it carry out computer forensic work and inspect its security systems.

In carrying out its investigations, the SFO's digital forensics unit is often required to examine and analyse data held on, or retrieved from, computer storage media for the purpose of presentation as evidence in court.

It's not unusual for the department to use consultancy support to bolster its existing facilities or to provide additional bodies in peak times when urgent deadlines are to be met.

After initially hiring information security advisor Sapphire to work on site, the SFO later agreed to utilise its laboratories based outside of London.

The move comes at a time when the spotlight of scrutiny shines brightly on several UK government departments following catastrophic data security blunders.

The most disastrous, and high profile, of these occurred when an employee of HM Revenue and Customs was blamed for losing the personal details of 25m UK citizens.

Weeks later and it was the Department of Defense with egg on its face, when a laptop belonging to a Royal Navy officer containing the details of 600,000 people was reported stolen.

That breach came just three weeks after a review of data security by the Justice Select Committee went as far as recommending criminal sentencing for reckless data leakage.

Keith Foggon, head of the SFO’s digital forensics unit, admitted that engaging with another organisation and contracting work to another premises brought with it added risk that sensitive data could be compromised. But he said he is satisfied that the consultant, having reached ISO27001 certification, has the management procedures and technical skills to deal with the data securely.

In addition to the forensic projects, the SFO, lacking the skills internally to carry out penetration testing, also appointed Sapphire to carry out an assessment of its digital forensics unit’s local area network.

The objective of the project was to ensure that the confidentiality and integrity of the network were maintained at all times and that there was no potential for information leaks, or for individuals to traverse networks.

Foggon explained: ‘I decided to bring on board a consultancy to help with this because it provided me with an independent assessment of the key risks to my network.’