God (and security) is in the Detail of the Business Systems: Child Benefit Data Loss

I’ve been pointing out that - following on from the loss of Child Benefit Claimant data - there are questions that are deeper than short term politics:

How do we make sure that short term political priorities do not undermine the reliability and efficiency of the machinery of state that we all depend on?

There are two sides to this, the political and the organisational.

Let me add a third: the technical.

And Dizzy asks all the right questions in this area:

1: The disk was password protected but the data was not encrypted - this is sheer bloody insanity. How was the disc password protected for a start? Are we talking about a password protected zip file? Crackable in seconds and you can bet it’s a dictionary word too? If it’s not a zip file then what operating system dependencies are there on the protection? If the disc was entered into a machine running Linux or OSX then what happens?

It is not a thorough review of this incident that is needed, there needs to be an inquiry that looks at every single Government system - central, regional and local - that holds data about the public and ensuing legislation to restore any semblance of confidence in the systems.

This doesn’t mean an inquiry that asks some mandarin if something is secure. It means a full security review of architecture designs with added penetration testing. Any legislation should include a requirement for security reviews throughout new system design phases as well as regular penetration testing through the lifecycle of a project. These reviews and testing should become a part of standard operating practice. Any legacy systems found to be failing should be taken offline immediately.

Spot on. Read the rest.

You cannot build a Secure Organisation overnight

Managing all of this effectively throughout an organisation is a matter of spending years inculcating the right values into all staff, putting the right procedures / systems in place, and making sure that it works as it should.

That is why I am suggesting that the possible organisational rate of change is determined by the need to maintain such a culture, and that we need our politicians (and ultimately ourselves as their “customers”) to accept that they cannot reconfigure the State at short notice without consequences.

About the Author

Matt is an internet consultant, commentator, freelance writer and Project Manager based in the UK. He is available for hire. Matt edits the Wardman Wire, and writes at Poligeeks, Total Politics, and occasionally in several other places.
