Posts by Anthony W. Brooks

Uninformed ranting

Don' t you find all this uninformed vitriol depressing?

The MoD has produced new guidelines for all portable CIS. Hard disks in laptops are to be fully encrypted, as are CD/ DVD optical disks and USB storage devices. If they are not fully encrypted, they are not to be removed from MoD premises. The MoD has also provided recommendations on what software and hardware solutions to use to accomplish this, the most recognisable being the package formerly known as Reflex Magnetics DiskNet Pro. The first problem is that it is now down to individual units to implement the new policy, which takes time and costs money, which in the currently climate of overspend and cost-cutting, including staff retasking and redundancy, will be a bit of a struggle for most units. The second problem is that the MoDs DII C and DII F systems, which are owned and managed by the ATLAS consortium, were implemented without any thought to the encryption of removable media and so the ATLAS consortium suddenly finds itself endeavouring to find a solution to a new customer requirement, across globally deployed systems. Of course, being designed from the ground up as a centrally managed infrastructure, this will be a fairly simple and straightforward task, as all of you experienced sys admins will be aware.

I guess that the big problem is that all this is pain in the arse for the end user who is not in the slightest bit interested in security and just wants to be able to use his memory stick on his computer. But I don' t think that issue is unique to the MoD or government.

Govenrment Data Protection Standards

There are standards within UK Government covering this area. As you mention CESG does develop guidance in this area and does make an effort to distribute it, for instance HMG InfoSec Standard No. 5 (Secure Sanitisation of Protectively Marked or Sensitive Information). This publication aims to provide guidance on the management of these issues and includes useful information on some of the technical pitfalls of devices such as solidstate data storage media, for instance data leveling and downgrading of storage circuitry during manufacture, e.g. classing a defecive 1GByte chip as a 512MByte device, making data held on the device invisible to the operating system and standard file deletion applications. These publications tend to be exempt from Freedom of Information legislation, but are available to UK Government bodies. The trouble is, there is an awful lot of information available, not all of it is easy to find and not everyone thinks to look for it. Disclosure requests from non-UK Government bodies should be directed to infoleg@gchq.gsi.gov.uk