Wednesday, 21 November 2007

Data security

Some questions that should be asked of the government and HMRC regarding the "missing CDs" are:

1. Do PCs in the HMRC have CD/DVD writers fitted? If so, why? It is common practice in commercial organisations to have only CD/DVD readers on PCs so data cannot be copied by staff.

2. Have the USB ports on HMRC computers been disabled? It is common practice in commercial organisations to disable USB ports by disabling the USB system drivers.

3. How are HMRC computers protected from hacking?

4. What prevents staff from extracting data from HMRC databases? Not policies and regulations, but physical preventative measures that stop someone from just ignoring the laid-down procedures.

5. How are writable CDs and USB memory keys prevented from being brought into the HMRC?

6. Are iPods and similar devices allowed within the HMRC? Do the HMRC realise that these devices contain large stores of memory and can be used to copy data from PCs via a USB connector?

7. Are there Wi-Fi networks within HMRC buildings? How are they secured? Are they just password protected/encrypted, or is MAC address security used as well?

8. Why was data sent by CD anyway? Is there no secure internal governmental network?

9. Why was the data of up to 25 million people entrusted to the post or a courier company? This was the personal data of 25 million people; couldn't a more secure method of transportation have been found?

10. Is a record kept of who burns data onto CDs at the HMRC?

11. Is a record kept of who carries out data extraction and when?

12. How many copies of all or part of the database have been made over the last 5 years? How do you know this figure and how can you be sure there haven't been any more?

These are just the questions that I can think of that need addressing after 10 minutes of thinking; I may add to this list...


Fidothedog said...

It just shows the contempt that they have for the public, let's just send the disc via internal mail and worry not about even paying for registered post.

Ben Batfastad said...

At the very least stick the data into a TrueCrypt container and encrypt, then burn. Then call that person up and give them the password.

Frankly I'm amazed there isn't a secure government network for direct data transfers of this type. What with all the money that seems to be thrown at government IT projects!