Tuesday, August 19, 2008

Department of Transport admits to breaking security standards?

According to information published under the Freedom of Information Act, the Department of Transport has had a total of 7 laptops stolen or lost in the last 12 months (4 stolen, 3 lost). What is interesting in the DfT's response though is that it says,
Since January 2008, all laptops have been encrypted to HMG standard.
The implication being that prior to January 2008 no laptops were encrypted to HMG standard even though the standard was in place. A rare admission that they broke the rules surely?

Amusingly they also responded to requests about the use of iPods and removable media devices on DfT equipment. Apparently users are free to plug in their iPods, but installing iTunes is blocked, which makes it all rather pointless. However, when also asked if staff were banned from using USB removable media, the response was,
No. Staff can use USB storage devices (such as memory sticks) connected to a workplace computer but only in circumstances where no protected personal data, as defined in the Cabinet Office Data Handling review is involved.
So it's only when "protected personal data" is involved that they can't. In circumstances where classified material exists, it's OK to use a USB drive, is it?

5 comments:

Obnoxio The Clown said...

Since January 2008, all laptops have been encrypted to HMG standard.

The implication being that prior to January 2008 no laptops were encrypted to HMG standard even though the standard was in place.


Now, now, Dizzy, you're thinking like a Java programmer. All it actually means is that there was at least one laptop that was not up to spec.

(But in this case, you're probably right!)

AndyR said...

"Since January 2008, all laptops have been encrypted to HMG standard."

"The implication being that prior to January 2008 no laptops were encrypted to HMG standard even though the standard was in place. A rare admission that they broke the rules surely?"

Not surely.

Firstly, a standard must be in place before anybody can comply with it. One cannot comply with a standard before it is issued since one doesn't know what it says, and often government departments have thousands of users and computers, so planning can take time.

Secondly, you cannot infer that "prior to January 2008, no laptops were encrypted", since the message just reads that all laptops are encrypted since January 2008. It is possible that 99% of laptops were encrypted in December 2007.

Thirdly, you cannot assert that they broke the rules if you don't know what the rules are. Perhaps the rules are that all laptops must be encrypted from January 2008, in which case they broke no rules.

I'm all in favour of the government being held to account, god knows they're far too sloppy in every way, but please be careful with your logic!

Apart from that, please keep up the great work!

dizzy said...

Andy, the standard was in place prior to January 2008, but yes, not all, although as Obnoxio said, probably right. Note also that I was asking a question, not making an assertion.

Letters From A Tory said...

How the hell do you lose so many laptops? The encryption is a minor saving grace but doesn't devolve them of responsibility for losing them in the first place.

dizzy said...

It's easy, you get pissed, get on the wrong train and pass out, then wake up in Ramsgate at 3am. Not that I'm saying that has ever happened to me or that I had a camera in the bag too.