John Hemming's Web Log
Friday, November 23, 2007
Remove the HMRC CD Burners
I have been appointed by Vince Cable to head up the Lib Dem investigation into Government Data (in)Security.

My first call is a simple one. Remove the CD Burners from the HMRC computer room until they have sorted out security.

There is no sense allowing any more horses to depart through the same stable door.


Thanks due to b3ta for the image.
 
Comments:
Great Graphic!

But seriously, good luck!
 
Here are some other suggestions for your review. The Open Rights Group would be very happy to connect you with data security experts for further comment.

- Government should in future think seriously about the alternatives to amassing data centrally. You can use procedures to manage the risk associated with allowing 5 people access to 10,000 records, whereas you cannot effectively manage the risk associated with allowing 300,000 people access to 50 million records.

- No single user should have privileges to access the entire database.

- To avoid the risks associated with shipping sensitive data, it simply should not leave the building. An external organisation with a valid reason to access data should instead come to the organisation holding the data.

- If personal information absolutely must leave the building, in a laptop, DVD, or any thing else it should be encrypted.

- Audit logs should be kept on who is accessing data, and importantly someone needs to regularly check these logs (often this crucial second part does not happen).

- A basic idea in security, in the real world and in computers, is 'defence in depth', i.e. many layers of security, which means that many security features must fail before a breach occurs. It seems at HMRC that a single failing compromised the entire system.
 
I believe this information has gone to be used by the Authorities to start data collection information on all the children in the UK. I don't think it was lost, I think someone uncovered the copies did not arrive to where they were supposed to be going. The government is so sure that there is no need to worry or change bank accounts etc. Isn't it funny how they got everyone to have the money paid into their banks, and all of a sudden that info is lost. I would rather know a criminal has it than some government secret department. This is information sharing gone too far. I got a letter today saying sorry for letting my details get lost and not to worry etc but be more vigilant in what goes on in your account. Where were the copies meant to go but didn't arrive? I am going to request my payment in another way and not paid into my bank, I am then going to close my bank account and open another one.
 
I agree with Michael, get some expert help.

A big problem I see with modern government is that politicians tend to think they are experts at everything. You're normal people like the rest of us: you know what you know, but you should also know that you DON'T know everything and you cannot be expected to.

Example: how many members of the House of Commons are technically qualified in the area of IT security? I'll make a wild guess here at 0. But how many of those same people think they know how to solve this problem?

Sorry to say this John, but removing burners is not the best of answers.

In the case of the 25m records lost, the manager in charge was explicitly told by the NAO about not exporting sensitive data, so what does he do? Export it. He had two options: a) not send it because of the cost involved, b) spend the money. The manager involved should at the very minimum be sacked for gross negligence. And considering how sensitive the data was, he should be facing criminal charges.

One question which has not been answered is, why does the standard for sending external data appear to be using a password protected zip file? Password protected zip files are not secure and have never been secure.

Also, one reason for the 'HMRC mistake' I have read about is that HMRC refused to filter the data exported because it would cost £5000. OK, £5000 is peanuts considering the importance of data protection, but still, why so high? £5000 for a VERY easy one week's work sounds like a very nice earner to me. I'm an IT contractor, can I get a job at HMRC ;-) Sounds like someone is getting ripped off by their outsourcing company.

Technically this is actually only a couple of hours' work to code/test, but even with getting docs written and approved it should still only take a week max.

I was just doing some fact checking before sending and came across this excellent article.
 
The point about removing the hardware is that then people cannot get around the management controls.

Before you comment on my CV, however, try looking it up.
 



Published, promoted, and printed (well not really printed I suppose, more like typed) by John Hemming, 1772 Coventry Road, Birmingham B26 1PB. Hosted by blogspot.com part of Google.com 1600 Amphitheatre Parkway Mountain View, CA 94043, United States of America. This blog is posted by John Hemming in his personal capacity as an individual.
