37 guardians vs three words
Stable, horse, bolted.
HM Revenue and Customs has appointed 37 staff to protect information, since it lost personal records on 25 million people last November. Each of HM Revenue and Customs' (HMRC) business units has appointed a data guardian "to strengthen the management of the department's data assets", according to a parliamentary written answer …
A bit late for this, isn't it? Besides which, simply having someone in the office as a "Data Guardian" won't change anything - just like having a Fire Safety Officer didn't stop Buncefield! If someone chooses to leave a valve open/send unsecured data without asking permission, having someone sat in an office twiddling their taxpayer-funded fingers won't matter one iota!
It's mild out so I'll leave me coat.....
Or, rather, I would feel better if it weren't for my suspicion that these 'Data Guardians' will be junior civil servants with IT qualifications that stopped at GCSE level. Or, more likely, PFYs recruited by poaching counter-staff from PC World stores.
The underlying problem IMO is that far too few people in the civil service have any substantial IT, computing and systems experience.
Another problem is that the majority of government-operated IT infrastructure runs un-adapted un-hardened Microsoft OSs and apps. I do not claim that open source (particularly 'nix-based) systems would in themselves solve security issues but they would facilitate those solutions as well as saving money in licenses.
...and about common sense. What's this person going to do exactly?
"Excuse me", says office minion to new data guardian, "can I please send these unencrypted, passwordless files containing the social security numbers of Great Britain's population in the post please?!"
"No", says data guardian.
End of story.
These HMRC folk and all the others need to have a real hard look at their DLP strategy and implement the systems and processes in technology (and people to a certain extent, but not 37 of them!) to prevent this kind of thing happening. Has no one heard of SFTP or encrypted mail? It's not hard; you cannot rely on humans not to make errors, so you need the right technology to support them.
"maybe this was the idea from the beginning, lose some data a couple of times, no matter how unbelievable it sounds and the Boys will get the jobs, no questions asked"
Was it ever confirmed that the discs actually contained the data as claimed? Or has this been a scam from the beginning?
If you want the government to lose less information then the only way to achieve that is to give them less information in the first place and to have fewer people in the government who can get at it.
Instead they hire MORE civil servants and are busily working to convince us that we can make our information safer if we give them MORE of it. This isn't about shutting the stable door after the horse has bolted, because government doesn't have a door to shut. This is about moving yet more horses into the stable and hiring yet more stablehands who bear an uncanny resemblance to those 'Wanted - horse thief' posters on the saloon wall.
Government is like Wonderland without the magic mushrooms - all sense is reversed to the extent that it forms an inverted logic of its own. Bring on the revolution.
There's always one who has to blame Microsoft !
The biggest security threat in any organisation is the people who work there.
I don't think replacing Microsoft with *nix systems would stop morons sending unsecured data through the post.
If anything it would be likely to increase the risk as these people would have even less understanding of the IT systems. You could try training them, but if they can't learn Microsoft they have no chance of learning a *nix system.
When I complained to the Information Commissioner about the blatant disregard of HMRC for my personal data.
The Information Commissioner agreed, and said that HMRC had been in breach of the DPA, but legally, there was nothing they could do.
Apparently the DPA can't be applied to HMRC.
Go back and read what I actually wrote.
I didn't criticise Redmond's products per se. With a bit of work by competent sysadmins and some basic staff training, XP and Office products can be made reasonably secure.
What I criticised was government institutions using "... un-adapted un-hardened Microsoft OSs and apps...." by which I meant Windows, Excel and the rest at the default settings which sacrifice security to so-called ease-of-use.
I also wrote: "I do not claim that open source (particularly 'nix-based) systems would in themselves solve security issues..."
I agree that poorly-trained users (and the resultant misuse) are far more of a threat to security than the systems they use.
37 'data guardians' appointed in one fell swoop? Wonderful! Marvellous! Right-on!
Now that we're done with the meaningless window dressing, where's the story about this feeble civil service's information security policy and standards, the education of the entire civil service on the content of same, the management responsibility to enforce same and the consequences - for the poor bleedin' footsoldiers who sent out those discs - as prescribed in same?
Okay, okay, I was being facetious. How about a little education, for these sacrificial goats... sorry, sorry, 'data guardians' on the principles of information security?
Still too much? Okay, I understand. Sound fiscal policy in trying financial times and all that. How about a book? One copy, they could read it over one another's shoulders at staff meetings?
No? Ah, I see. Just the bullets for the firing squad then.
I read about the HMRC fiasco and wonder what is going on in the UK. I worked for a Government agency down here in OZ, and data transport between us and other Government agencies was done via FTP. Over a dedicated data-line. With a VPN on it. Encrypted. That was the rule - unless it was sent via the dedicated encrypted VPN lines, the data did not move without clearance from the Security section. Want to send a data file via e-mail? Better get it vetted first, otherwise the email firewall would bounce it to high heaven and you'd get a message asking you to report to ISS to get screamed at.
Yes, it sometimes made for tedious delays, but considering the data we were handling (*mucho* personal) we considered it an acceptable evil compared to the alternative - with the "open policy" 'round here, anybody who leaked the data would have been handed over to the media, bound and gagged.
No, it would not have stopped someone from copying the data onto discs and sending them by mail... but the point of all this is: there was a *secure* alternative in place for data transfer. In OZ, where travelling 100km to work is considered simple commuting. So I still don't get it when the UK's government departments, which (comparatively speaking) live in each other's back pockets, still use unsecured methods to send data.
Personally, I think a Minister or two should lose their job over this one - might make the next think about putting decent policies in place.