"UK Government Data Handling - Some Thoughts" - IT-Director.com

1 reply [Last post]

Thu, 02/07/2009 - 9:02am

John

John's picture

Offline

Last seen: 1 day 14 hours ago

Joined: 09/03/2008

From IT-Director.com & Bloor Research.

UK Government Data Handling - Some Thoughts

My data is very personal to me so, like many other people, I take great exception when it is lost or stolen by incompetent organisations. If data is lost by a private sector company I can vote with my feet and take my custom elsewhere. This doesn't solve the data loss issue but it makes me feel a bit better.

Contrast this with a government body that loses my data. I have nowhere else to go, short of maybe leaving the country. This issue, coupled with the fact that government in all its guises handles what is my most sensitive data, presents us as citizens with a challenge—how can we make our governments handle our data more securely?

In the UK, public confidence in government, of whatever description, is extremely low. Fuelled by expense claims that fail the "reasonableness" test by the man or woman in the street the view is that politicians, the government and the ruling classes are hopeless at best and criminal at worst. There is no sign that this confidence is returning.

Meanwhile government collects vast amounts of data that enables it to conduct its day to day business—licencing vehicles, paying benefits, running hospitals, tracking criminals and so on. Unfortunately it becomes a heady mix when one considers the amount of very personal, sensitive data that is being held in databases.

Even the most personal of personal data, our unique DNA code, is now, for many people, in the hands of the government. Data loss incidents raise the cry of "something must be done" but what is that something? What can we as IT professionals do to help solve the problem?

When thinking about the government use of citizen data it quite often shocks people when they realise the amount of data that is stored across government systems. The vast majority of these databases are perfectly legitimate and form a vital tool for the administration of a country.

Here is a sample of some government databases being used, or planned, in the UK.

According to the Joseph Rowntree Reform Trust the UK government spends £16bn a year on databases and plans to spend a further £105bn on projects over the next five years.

Ultimately government needs to be avoiding headlines such as one that appeared in March 2009 concerning the ContactPoint database. Security flaws halted work on the database after the Department for Children, Schools and Families (DCSF) admitted that it had uncovered problems in the system for shielding details of an estimated 55,000 vulnerable children.

These include children who are victims of domestic violence, those in difficult adoptions or witness protection programmes and the children of the rich and famous, whose whereabouts may need to be kept secret.

The shielding system for vulnerable children is supposed to withdraw everything but a child's name, sex and age from the computer record that will be available to 400,000 children's services workers with access to the database.

But local authority staff who had been uploading information on to ContactPoint discovered that the shielding did not always work.

The executive director of family and children's services for the borough of Kensington & Chelsea in West London said that "Some people are seeing this as an IT issue but, in reality, it is a child protection issue,"

In my view this really starts to focus ones mind on IT security issues.

The Inside Threat - Again
I believe that the biggest threat to government data actually comes from within. Despite exciting stories of hackers breaking into government databases the vast majority of data loss incidents have stemmed from the inside threat.

I use the term inside rather than insider as I believe it better articulates this problem, which breaks down into two areas.

The incompetent and non-malicious is by far and away the most prevalent actor in any data loss incident. We have all read the headlines and seen the news reports. I guess someone leaving an unencrypted laptop on a train isn't as exciting as a targeted hacking attack, but it is the reality when it comes to government data losses.

That said, of course there are competent and malicious data loss incidents where an attacker is in a position to steal data. Again I believe a lot of this is by users that already have privileged access to data in the first instance, and then go rogue. Espionage and break ins are far less common.

So what steps can government take today to help prevent data loss?

Data encryption is one of the more well established data security tools. Vendors have produced a number of easy to use encryption solutions that enable users to rapidly encrypt their data, be it at file level, folder level or the entire hard disk.

Alongside these many implementations comes the inevitable downside.

For encryption this has always been key management. Relying on users to remember their encryption passwords is a risky business and can result in corporate data being locked away, sometimes never to be seen again. Clearly this is an unacceptable state of affairs and needs to be addressed before encryption has been widely adopted. Unfortunately departments that have purchased an encryption solution as a tactical add on, rather than as a part of a strategic encryption roll out, quickly realise that their quick fix ends up causing horrendous problems later on.

The most appealing aspect of data encryption is the fact that if hardware that contains encrypted data is lost the associated dramas are far less exciting. After all, only some hardware has been lost which contains an incomprehensible bunch of gibberish. Bad that hardware has been lost but no where near as bad as if it had contained valuable government data.

Strategic data encryption is a must for any system that contains sensitive data. But great care needs to be taken in rolling it out. It is vital that implementers fully understand the environment in which they are working so that all relevant hardware is encrypted. Discovery is vital—forgetting about one single USB drive may invalidate an encryption solution that has been deployed across an entire government department.

Patch management, like data encryption, is one of those basic IT hygiene tasks we all need to undertake day in and day out.

The rampant success of the Conficker code late last year was attributed to neglected patching. This included 8,000 PCs on a hospital network in Sheffield that were infected after managers apparently told staff to turn off automatic security updates. A patch, released by Microsoft in October 2008 and 3 months before the Sheffield incident, would have prevented the problem. Likewise the Ministry of Defence was still subject to a Conficker infection early in 2009.

Patches need to be tested and deployed under a controlled environment, following advice from the software manufacturer as to its urgency. Testing has traditionally been a problem as an untested patch my end up affecting production systems, so IT managers need to take a view as to the time to complete appropriate testing and the need to deploy a patch to combat a known exploit.

With good, well managed data encryption and a robust patch testing and deployment strategy an organisation will be a long way down the road of establishing a safe, secure and compliant IT infrastructure...

Compliance is something that all those working in IT need to get their heads around. If anything is guaranteed for the future it is the realisation of more and more rules and regulations for both the public and private sector as governments look at preventing a repeat of the current financial situation.

Even now, before any more draconian legislation is introduced, there is an awful lot that needs to be considered by organisations working in the EU. Not all of them apply to every sector, industry or geography, which makes things even more complicated when trying to unearth which acts you should be worrying about.

IT compliance in both the public and private sector is normally a good thing as it often instils good practices and procedures. On the other hand over compliance can be detrimental as the organisation can be bogged down in achieving a goal that delivers little direct business benefit. Medium sized businesses often have a real struggle ensuring their systems are compliant.

Compliance failure may escape regulatory attention for a while, that is until something goes wrong and then IT systems will be explored in fine detail. This also applies when a company is being sold or floated, with newly discovered compliance failures having a direct negative impact on a businesses valuation.

Ultimately compliance is a balance that legislators need to achieve, with our assistance.

As organisations switch onto the world of compliance they realise that it is far more cost effective to run compliant systems 24/7 rather than hastily scrabble to clean up prior to an audit. Those days should be long gone and organisations should ideally be "audit ready" at all times, or at least strive to be.

The public sector is often revealed as having poor data security practices, and the vast majority of headlines relate to public sector organisations failing in their data protection duty. The private sector appears to have been able to hide their mistakes away from public eyes unless a data breach attracts a prosecution or the company owns up of their own accord.

Regulators are getting more intrusive and aggressive. The UK government is now actively dealing with data protection issues with the Data Handling Procedures in Government report published in June 2008 that set out clear and mandatory procedures to be followed by all government employees that have access to and responsibility for citizen data.

The report was drafted in response to HMRC's loss of 25 million child benefit records in November 2007. As a result of this data loss and to thwart future episodes related to this type of preventable loss, all departments placed immediate restrictions on their use of removable media and subsequently all departments have initiated programmes to encrypt laptops and USB memory sticks.

All organisations—public and private—need to avoid being caught up in the headlines for the wrong reason. In the past a good flogging by the media appeared to shake a response from the public sector, but should we really rely on the fourth estate to be the ultimate sanction for data loss offenders?

It is vital that we as IT security professionals remain aware of the acts and regulations that apply to our specific geography, market place or industry sector. Government departments face increased scrutiny, quite rightly, as they store more and more data on citizens.

With the current turmoil in the worldwide finance sector there is no doubt that legislation, oversight and regulation will be under more scrutiny than ever before. The risk is that politicians will see heavier compliance requirements as a quick fix to managing far more complex and difficult issues, and that will have a knock on effect to the IT security community.

In the meantime all we can do is keep our own house in order and make sure we are able to deliver compliant and well managed systems to the business. To achieve this we all need to understand our IT environments, manage our known risk, protect against unknown risks, prevent device misuse and secure mobile devices.

Thu, 02/07/2009 - 9:11am

#1

John

John's picture

Offline

Last seen: 1 day 14 hours ago

Joined: 09/03/2008

UK data handling.

I found this interesting as of course the DWP have on occasion told GP's about claimants status by virtue of requesting medical request even when the claimant has specifically asked them not to disclose or write to the GP.

Post new comment

Your name:

E-mail:

The content of this field is kept private and will not be shown publicly.

Homepage:

Subject:

Comment: *

Input format

Filtered HTML

Web page addresses and e-mail addresses turn into links automatically.
Allowed HTML tags: <a> <p> <span> <div> <h1> <h2> <h3> <h4> <h5> <h6> <img> <map> <area> <hr> <br> <br /> <ul> <ol> <li> <dl> <dt> <dd> <table> <tr> <td> <em><b> <u> <i> <strong> <font> <del> <ins> <sub> <sup> <quote> <blockquote><pre> <address> <code> <cite> <embed> <object> <strike> <caption>
Lines and paragraphs break automatically.
Glossary terms will be automatically marked with links to their descriptions. If there are certain phrases or sections of text that should be excluded from glossary marking and linking, use the special markup, [no-glossary] ... [/no-glossary]. Additionally, these HTML elements will not be scanned: a, acronym,, code, div, h1,, h2,, h3,, h4,, h5,, h6,, li,, pre, span,, ul,.

Full HTML

Web page addresses and e-mail addresses turn into links automatically.
Lines and paragraphs break automatically.
Glossary terms will be automatically marked with links to their descriptions. If there are certain phrases or sections of text that should be excluded from glossary marking and linking, use the special markup, [no-glossary] ... [/no-glossary]. Additionally, these HTML elements will not be scanned: a, acronym,, code, div, h1,, h2,, h3,, h4,, h5,, h6,, li,, pre, span,, ul,.
You may post PHP code. You should include <?php ?> tags.

More information about formatting options

CAPTCHA

This question is for testing whether you are a human visitor and to prevent automated spam submissions.

Our Campaign's

User login

Login

HELP US DO MORE

Vocabularies

RSS News Feed

Who's online

There are currently 0 users and 7 guests online.

Everyone's experience is different. There are no "hard & fast" rules here. Someone you know may have had an adverse decision/ experience but yours will be different and maybe have a more positive outcome. The information on this site and externally linked sites & information does not constitute legal advice. You should always, if you have difficulty with any BENEFIT and require PROPER LEGAL ADVICE. Engage a suitably Qualified Solicitor / Social Worker / Welfare Rights Worker or the CAB - Citizens Advice Bureau

Copyright © 2008, 2009, 2010

Request new password