A security review by Deloitte of one of the UK government's child databases - ContactPoint, which will contain an entry for every English child under 18 - has found it is generally secure. With some provisos. Deloitte makes a timely reminder to a government convinced that securing databases is simply a technical problem: "Risk …
So that's no CD/DVD glued up USB and FireWire slots, no floppies no card reader/writer, no insecure OS' and competent civil servants.
Yeah I can just see that happening :(
No no, Deloitte has it wrong. I distinctly remember Blunkett's pronouncement that the government's ID database would be impregnable because of "biometrics". Oh yes. No worries there.
I don't believe it.
"More positively, the review found information security had "been ingrained" within people, processes, policy development, requirements definition and architecture."
So this *particular* Government department has security "ingrained" while the rest (and HMRC in particular) appear to be clueless.
What you forgot to mention...
...is that the government is refusing to publish the detailed findings of the Deloitte report on the grounds that if they did so people might use that information to target the database.
Clearly someone in Whitehall thinks that security through obscurity is still a reasonable argument.
Surely children have nothing to hide?
So they've nothing to fear?
@ Mike Richards
More to the point, their refusal to publish the detailed findings on those grounds is a tacit admission that security is far from being "ingrained".
@security through obscurity is still a reasonable argument.
I can't believe you rehashed that old argument. It's been proven that Open Source products are just as vulnerable as anything else. Some people just won't let it go,
Numpties with the keys to the door
It doesn't matter how secure the database is, the data centre it's lccated in is or the network it's connected to is, if they give every numpty Tom, Dick or Harriet the keys to the door and the last I heard, they pretty much are.
Paris 'cos even she's likely to get access to the data.
@ Solomon Grundy
Haha. Nice one. You're joking, right? Friday afternoon, have a laugh... no?
"It's been proven". Oh well that's alright then.
Speaking as one who works in the children's services arena, I was hoping Deloitte would kill Contact Point. The concept is good and beneficial, but I fear the execution will lead to a major disaster.
Of course that's supposing Deliotte were totally impartial!
On how many CDs does this DB fit?
I can see clearly now, the brain has gone..
Now, let's just imagine the National Audit Office asks for an extract. I know it's fanciful as a scenario, but just imagine some git decides that's too much like hard work and sends the whole database.
Could be quite hot property for your average pedophile, no?
WHich reminds me, I heard this rumour about another couple of CDs. If I recall correctly this was identifying addresse where children reside. Nothing to worry about then, I guess. It will just take one hell of a good day to bury that bad news..
/// P ///
Compare It To The Paper
What Deloitte's should be comparing the system to is the current paper and unconnected databases that cover children's details. What are the controls on access to paper files in SW offices like? Does every access get logged and monitored and could it be controlled? Who has access to the relevant SW, police, education databases and can do searches across them for proper data matches to identify risks to children from the sort of patterns that professionals recognise? Do the benefits of that in catching abuse and risks to young people outweigh the downsides which presumably Deloitte's did identify (unauthorised use or access, elevated access, fishing exercises) that can't happen at the moment, or was this just a White Hat penetration test
What's the problem?
Of course it's perfectly secure. Deliotte has firmly assured us that it is entirely safe for the government to pay lots and lots of money to implement the system. Most of the money going to consultants such as ... oh look, guess who.