
Wednesday, 21 November 2007

Some thoughts on the data security issue and on Newsnight last night

On Newsnight last night a hapless Treasury Minister (Jane Kennedy?) was put forward to argue that all would be well and that all that currently wasn't well, wasn't really that bad.

This minister just couldn't understand how this data security lapse had happened. I paraphrase - There were rules and procedures in place and they weren't followed, so it isn't our fault.

When it comes to data security you need more than just rules and procedures, you need to prevent people from ignoring the rules and procedures. Stealing is against the rules of the UK (laws) but if I left my front door open and someone came in and stole my television, then I don't think my telling the insurance company "There were rules and regulations in place and this person ignored them" would help my insurance claim.


Another phrase that this minister kept saying was "We must learn the lessons and put in place safeguards that will ensure this will never happen again". Too late, too late; 25 million people's data has gone astray because of your lack of safeguards, so why should we trust you to get it right this time? You and your management team clearly were not on top of the job in the past; why should you be given a second chance?


Yet another phrase that this minister kept bleating out was along the lines of "I want to learn how to deal with data security issues." Might it not be better to listen to the experts and follow their recommendations rather than try and become an expert yourself? From what the security expert on the programme, Professor Anderson, was saying, the government have ignored previous recommendations from experts on such issues in the past.


This same minister claimed that things would be better in future, because more modern systems are being introduced by the government. Does this minister not realise that it wasn't the hardware or software that was an issue in this security lapse? It was a system failure in that there were no proper security precautions in place. If a junior IT worker could extract 25 million records and copy them onto a CD then the security processes were not worthy of the name. I would assume that the senior management at the HMRC and the department heads at the Tyne and Wear offices know less about IT than their junior staff and that is why the security was inadequate; the "bosses" just didn't understand what the possibilities for data theft were.

The government minister then went on to reassure us several times that the government has asked for reports from the Metropolitan Police and Price Waterhouse. Why not Gartner or another data security company? The Police are not experts in this field and PWC are hardly experts either; this smacks of putting the work out to people who can be guided to give the "correct" answer.


The other point that this minister kept making was that nobody would lose money as a result of this data loss. Does this Labour minister not realise that if the banks have to repay any lost money then they will pass this cost on to their account holders, and that if the government refund the monies then it doesn't come from a magic money tree, it comes from the taxpayers?

Maybe, as I have heard suggested elsewhere, it is for ministers, including the Prime Minister, to take personal responsibility for such debacles. Maybe we should be able to sue them, personally, for their blatant uncaring failures. If so, Gordon Brown and Alistair Darling would be bankrupted by the end of the year; what a shame. Why cannot government ministers be made to take out "Professional Liability Insurance" like accountants, solicitors, IT consultants etc.? Obviously I use the word "professional" in its incorrect sense.

I would also like Professor Anderson to be given a one hour special interview during which he can explain to us about all the data security advice that this government has ignored over the last few years and how their systems are fallible.
