By Nick Heath, 1 December 2008 10:44
The government has come clean about how it will avoid future security breaches similar to the HMRC's loss of 25 million people's details.
Brian Collins, chief scientific adviser to the Department for Transport and the Department for Business, Enterprise and Regulatory Reform, described how monitoring technologies would protect the public's data.
Speaking at the A Fine Balance privacy conference, Collins described future government computer systems that could ask users if they were sure they wanted to transfer sensitive or large amounts of data, and that would also warn users that the transfers would be logged and immediately flagged up to their superiors.
He said: "The system design should never have allowed the transfer of data of 25 million people's records to happen."
Collins said security will take this step forward as government departments upgrade their computer systems and demand suppliers build in checks and balances.
He also described the other work being done by government departments to better protect public information in the wake of the Poynter and Independent Police Complaints Commission reviews, the Data Sharing Review and the Cabinet Office data movement lockdown.
Collins said specialist "information asset owners" had been appointed in departments to ensure data was kept secure, that more information security training and education was being carried out, and that there were regular information security compliance checks.
An ID management and information assurance group has also been set up and is developing cross-departmental policies on information sharing and handling.
He added that the Department for Transport had encrypted 2,500 laptops used by staff in just two weeks after the Cabinet Office data lockdown.


Comments
There are 5 comments.
1. Charles Smith
This is not a case of shutting the stable door after the horse has bolted. It is more like wondering why you can't stroke your horse after property developers have redeveloped the stables.
Have the Government announced a deadline by when this work will be done?
It is not a new development. This was implied when the 10 Younger Principles were pronounced in the 80's.
2. Karen Challinor
"Jenkins we've had a request for some records from the johnnies down the hall so want you to transfer a few records to them, get on it will you, there's a good chap"
"yes sir" .. furtle furtle tap tap
"Jenkins, it's the damndest thing, my computer thingimajig has one of those pop up things on it saying you are trying to download 25 million records, that can't be right can it ?"
"absolutely sir, the records you want transferring are a part of them and it means we don't have to do this every time the other department want records transferring after all you have your own very important work to do rather than be at their beck and call sir, just press the OK button and it will go away sir"
"Ah it's gone!, jolly good idea that Jenkins, carry on, just pop it in the post when you're finished"
"very good sir"
yep I can see this solving the government's inability to keep information secure
3. Roger Huffadine
This technique will foster more leaks - I have first hand experience of systems that report the movement of data to more senior managers & I know how they deal with such messages. They ignore them - because if the system is tight then there are dozens or hundreds of messages per day and the managers get overwhelmed. Conversely, as with all such systems, if you make it loose enough to only flag transfers of, say, over 1 million records then all of the 1000 record transfers are ignored.
This problem of leaks will never be fixed by Whitehall or government because they don't have the culture or structure to deal with the discipline required for secure systems.
4. NL
Using technology to solve the problem is known as, "sticking one's head in the sand."
Technical folk know what they can achieve given time and budgets. However, it is not they who use the technology to run the business; it's the "other" folk who do that.
People are the problem - sort that one out then add some technology and we might just be there; maybe.
5. anonymous
So - Every copy (backup) of data will need the manager's OK.
Hope they like being called up several times each hour of the night as well as the day and evening.
Then again, my capture of data sent to my screen as proof that the data browse facility is OK isn't it?
It'll be back to the 'Secure' system run at at least one council -
System support staff are not allowed to do security administration - the highly paid consultants said they shouldn't be allowed that much control.
System support staff have to have sufficient access to install, maintain and backup the security facility (that includes creating the security manager's id, assigning 'rights' to that id, and managing the logs of what was done under that id, as well as being able to change, and reset that id's login password).
So .. the newly appointed security manager gets a week's training and is told get on with it.
The only source of help - the 'techies'! So he/she logs in at a screen and asks them to fix whatever while he/she goes and gets a coffee.
He/she knows enough to know that they can monitor what's being done, as well as the login details in the communications data packets as well as change things anyhow, so it's no security breach at all.
Isn't it?