Of course
Of course no one is to blame. The government is involved.
A culture of insecurity rather than mistakes by any single official has been blamed for the HMRC data loss debacle, an official inquiry is expected to report on Wednesday. The Poynter report will highlight poor security practices at the government agency leading up to the loss of discs containing child benefit information on 25 …
"The Independent Police Complaints Commission is due to report its take on the HMRC breach"
Hmm.. let me see into my crystal ball, that will be, no evidence of any named person doing anything wrong, but policies & procedures have changed....
Mine's the coat that never changes its spots
It may be that there are issues with the security policies; in most cases, you can always find areas to improve.
However, the biggest single issue is not in the policies themselves, but in the implementation, management and monitoring. If senior managers do not enforce the policies that they have signed up to, then the policy is worthless. If they do not monitor to ensure that policies are known and adhered to, then the policy is of no value. (Don't tell the staff about the security policy for reasons of security - seen that happen before)
On an aside.....
Did anyone see the interview with Bill Gates at Redmond on the Beeb? He and Fiona Bruce left the building to walk around the gardens, then when they wanted to get back in, Bill found he had left his swipe card in his office. Whilst he stood there puzzling about what he could do, Fiona hit the button to open the disabled entrance, which opened to let them in without any security validation!
<joke>Look for terry to start recruiting amongst the disabled community</joke>
- aren't they the pieces of paper this government dutifully ignores?
This Labour government are pig ignorant when it comes to I.T. in any of its iterations, security or otherwise. I doubt that there will be anyone with enough nous to actually understand the contents of the Poynter report. But more likely it will be lost before it ever gets a chance to breach the doors at Number 10.
A government office proves incapable of handling basic information security.
In other news... Most snow found to be white, Pope suspected of being Catholic, and my cat's breath smells of catfood.
Of course it's down to the culture rather than one individual - the odd breach could be down to individuals breaking rules or not knowing better, but the frequency of these breaches in government departments just tells me that the civil service as a whole doesn't have a clue about real security. There is simply no excuse for not having a rigorous infosec policy and enforcing it, when you are handling so much potentially sensitive information.
Until such a time as we have confidence in the policies and procedures, these government departments should be limited to handling the absolute minimum relevant information they require to do the job, which is a lot less than they currently have, and there's no question of ID cards being introduced. If you can't trust the people with the information, don't give them any!
Mine's the coat with the RFID guardian and no identifying papers in the pockets.
No, it means that everybody is to blame and that no-one from the top down in government understands or takes information security seriously or, if they do, they are largely or completely ignored or even stamped on from above.
Paris - because even she knows more about information security than the whole of government put together.
Imagine that, lambasted. And this following so closely after that vicious tongue-lashing. Are these make believe punishments reserved only for the government and its staff complement of incompetents? If you want to see real progress, start meting out penalties such as dismissals, fines and jail time - you know, the kind of things that ordinary folk have to deal with. Hell even the odd tar-and-feathering would go a long way in pushing up standards in the civil service.
Paris, because even she appreciates the value of a good spanking.
"or even stamped on from above".
How true - been there, been stamped on. Usual scenario is :
Boss - copy this onto a disc & put it in the out tray
Pleb - But that's completely against the rules
Boss - Just bloody do it
Pleb - rules say we need to send it courier
Boss - Nah that costs, which comes out of my budget
Pleb - But.....
Boss - DO WHAT I TELL YOU NOW!
Poor little pleb now has the choice of either breaking the rules, or having a really bad report written on them which means no pay rise for the next 10 years let alone any chance of progression. They can't insist they get the instructions in writing, same result. They can't report the boss, as that will give them a reputation that means they can't even get a transfer to another area. So they do what the boss says, and just pray no-one else further down the line loses the data.
AC for obvious reasons
Chancellor Alistair Darling told Parliament in November that a "junior official" had posted the encrypted discs to the National Audit Office, contrary to "strict security rules".
But the report says "A culture of insecurity" is responsible, so there aren't any STRICT security rules or there would not be a culture of insecurity would there?
So the little tinker's been lying again, no change there then.
There are some real gems in the report :
'Last year, for instance, HMRC sent out around 300 million letters and mailings to its customers, an average of 8 per household and 68 per business. The media it uses for data transfer is similarly archaic. For example, the Magnetic Media Handling operation in Longbenton, Newcastle, accepts all media (reel to reel tape, cartridges, floppy discs, CDs etc.) on which employers submit their end of year returns and could be designated a museum if the criteria were variety of media no longer generally used (media, incidentally often associated with systems incapable of creating encrypted data)..'
Is there also a department for 'non-magnetic' media, where I could submit my tax return on paper tape ?
Have you ever worked in a government agency? I have.
They couldn't give a s**t about anything. You can't fire the staff - it's extremely difficult - so people screw up and you can't get rid of them.
So, there's no real punishment that takes place so who cares if they mess up. Procrastination is the order of the day. They're not in competition with another company, so there's no pressure on them to deliver results.
As much as I loathe this Labour government, I don't think this security issue is really about them, it's about the kind of people that make up civil servants that make up the agencies, the managers.
When the 999 data was lost, the people in charge started blaming the courier.
Things will get lost in the post, that's why you insure expensive items.
Anything sent should be encrypted.
If I posted my company's info without encryption and it was lost, I'd be out of a job for sending it unsecured.