Whitehall and laptops

An interesting news story from silicon.com, noting that government staff are to be banned from removing laptops containing personal information from their offices.

Is it just me, or should we not be asking why they have such data on their laptops in the first place? Surely all such information should be held only in databases on the government secure network, where its use can be monitored and protected. If it needs to be accessed from home or on the road, then VPN into the network.

For too long this has been reported as Government being careless and losing laptops; the real story is a complete lack of information management. If this type of debate gets your interest, take a look at Cory Doctorow’s article in the Guardian last week.

Written and submitted from home, using my home 802.11 network.

11 comments

  1. Duncan Garratt

    Security what Security! Outside of the intelligence guys and a few in the MOD most civil servants have not got the first clue about security, let alone information security! It is easy to implement the Advanced Encryption Standard (AES) as the classes ship with the .Net Framework that is free, so there is really no excuse.

    Just for your own info, the entire database of all cars registered in the UK, along with VIN/engine numbers, MOT details, owner details and insurance details, is being driven around in police cars and bailiffs’ vans that use automatic number plate recognition (ANPR)! The application runs on Windows XP and was written using VB6 with an Access database, unencrypted! So much for all the fine words on so many forms telling us about the Data Protection Act and our rights and that our data is protected!

  2. Grumpo-phobe

    Meanwhile, the exceptionally aware private sector just dump bank statements in skips instead of shredding them, and pass on details to anyone who’ll pay.

    Take the blinkers off Duncan. There are shades of grey and even colours out there.

  3. Duncan Garratt

    The private sector in many cases is equally bad and in some cases worse! But, and it is a big but, in the case of the private sector I have a choice, where with the public sector I do not, and the same applies to every man, woman and child in the UK. Every person who deals with the UK government should expect that his or her personal data is kept safe and is only divulged to authorised people. The last few months have proved this not to be the case. The simple truth is that a tweak here and there with regard to computer systems would ensure that data is held securely. For a systems programmer how long does it take to implement the Rijndael cypher? Well, the core code interfacing with the AES class libraries should take a reasonable programmer around a couple of hours only!

    Ed is right, a VPN into the system would make a difference along with good encryption and a few procedures in the back office. As for being blinkered about security, no, I am only too well aware what has been going on in the public and private sectors, and much of what I have seen has appalled me.

    The only way government departments are going to wake up to these security threats is to bounce them into thinking about security, and unfortunately the only people they seem to listen to these days is the press. MI5, their own security experts, have been banging on about information security for the last two years, yet government departments have taken no notice! Are government departments taking security seriously? No is the answer, and what has hit the press is only the tip of the iceberg!

  4. Duncan Garratt

    Well Grumpo-phobe, your comment is most interesting bearing in mind your identity is concealed. Perhaps you should declare who you are before you start being critical of others! As for generalisation: no, you have it wrong, as I was specific as well as being general, which does reflect the current situation regarding lack of security of personal data and is in line with Ed Parsons’ original comment.

    If all you can do Grumpo-phobe is hide behind anonymity and have a go at others, well, your views are pretty pathetic. Just because your views are different from others’ doesn’t mean you are necessarily right or wrong! I note you have not suggested ways as to how this situation could be remedied; that is typical of an idiot who has nothing interesting to say and little or no contribution to make!

    Is this an Ed Parsons fan club website where the only views acceptable are those that pay homage to Ed Parsons’ views and Google, or is it a website where serious comments can be posted based on topics that Ed Parsons posts?

    All I ask in this respect is that if someone feels they wish to attack me personally then they should have the guts to identify themselves!

  5. Duncan Garratt

    Interesting that Grumpo-phobe’s name links to a news article! Is this Ed Parsons’ own comment? Perhaps Mr Parsons may wish to confirm this or not!

  6. The Axeman

    A note on anonymity – some people comment anonymously for reasons of discretion. Perhaps their professional position is a sensitive one where it’s not appropriate for them to go on record with personal opinions on particular issues. One might argue that they should exclude themselves from public debate if this is the case – I think that’s a call for each individual to make.

    Agreed absolutely that one shouldn’t launch a personal attack under a veil of anonymity. But one shouldn’t launch personal attacks at all in this kind of forum. So, to engage in the debate, and without so much as a whiff of personal attack in the air:

    Duncan asks “For a systems programmer how long does it take to implement the Rijndael cypher?” and notes that “It is easy to implement the Advanced Encryption Standard (AES)”. There’s no arguing with this. You mention .NET examples, and it is equally straightforward to do in a Java environment (where my experience lies), and probably in numerous other environments too.

    The key thing about information security, though, is that it’s not just about IT. The issue is much bigger than that. It’s about processes and the way people work. IT is a double edged sword with respect to information – it opens up all sorts of new possibilities for managing and manipulating data which, depending on the context, may constitute either opportunities or vulnerabilities, or frequently both. You can have all the multi-factor authentication and encryption you like; if I rip the data to an unencrypted CD and lose it, or if I print a report and leave it lying around in public, then the clever technology counts for nothing. I wonder if perhaps an undue focus on technology solutions without looking at the bigger picture about how organisations operate is in fact part of the reason why gaping security holes such as those that have been so prominent in the news recently have persisted.

    That said, your point about encrypting sensitive data that is taken outside a secure environment is a valid one – it *is* straightforward to do, and there is no excuse not to do it. Better to ask first, though, why it’s being taken off site in the first place.

    Yours anonymously :o)

  7. Ed

    @Duncan,

    As a matter of principle I post all comments the blog receives, regardless if they agree with the points I make or not.

    The Axeman makes a good point about anonymity, however for me there is little point as the point of running a blog I believe is expressing your opinion openly. If I ever feel it is not appropriate to comment on something I just will not do so.

    So I’m not Grumpo-phobe or Fake Ed for that matter !

  8. Duncan Garratt

    Thank you Ed for confirming it is not you, I didn’t think it was but asked the question for the record.

    The Axeman makes some very good points, particularly about the wider issue regarding the culture of handling electronic data. I totally agree that there are serious question marks about why this data needs to be taken off site in the first place. The big question here is, when these systems were designed, what security was built into the system and who authorised them as being safe, certainly as far as HMG is concerned. Having worked in the past for HMG, and more specifically in intelligence, I am only too well aware of the issues. In this respect BS7799 and ISO 27001 are a good starting point in ensuring a system is robust as far as security is concerned. Were these systems compliant with the standards, or were these systems ever subjected to compliance in the first place? Had they been compliant and audited then these security breaches most probably would have been prevented.

    A very good software package designed by MI5 and produced by Siemens is CRAMM. Readers may wish to read more at http://www.cramm.com/overview/history.htm

  9. Grumpo-phobe

    I’m not Ed, Fake Ed, Mr. Axeman or even fake SteveC. I choose to remain anonymous and will continue to do so. Blogs are full of people who, for whatever reason, do not want to have their name published. If you feel that anonymous comments are not worth responding to (like Axeman’s) then that is entirely your prerogative. I will nonetheless continue, as I have every right, to point out where I disagree with you and why.

    However, if you wish to point me in the direction of any personal attacks, as opposed to disagreements over your comments, then I will duly apologise.

  10. Tony Battle

    Anonymity: a really interesting side debate has sprung up here, one that is naturally very sensitive and which ultimately underpins all blogs of this type which allow for opinionated and subjective comments. There is big value in blogs of this nature, particularly in industry sectors such as ours where change is apparent and required. I feel that anonymity decreases the effect. Somehow the strength of a comment decreases when the mask of anonymity is applied. Just a thought.
