  1. #31
    Senior Member
    meridian's Avatar
    Join Date
    Sep 2007
    Posts
    9,153

    Re: Another MoD harddrive missing

    There is no reason at all why you need live data to test software.

    The whole point of having a test environment and a user acceptance environment is that you can use any data size you want and anonymise (is that a real word?). It's a laughably trivial task to do.

    Information Security as a discipline is not a load of shite as someone mentioned above but if organisations don't actually do it then this is what happens so it appears to be, that's the difference.

    The world, business, the civil service, MoD etc aren't short of guidance and people who know what they are doing with regards to information security, there are mature standards and best practice coming out of our ears that work if implemented but therein lies the problem.

    To do it right takes resources, commitment, money and sanctions.

    Without these we might as well not bother

  2. #32
    Senior Member pensionpointer's Avatar
    Join Date
    May 2005
    Posts
    529

    Re: Another MoD harddrive missing

    Apparently it was a TAFMIS 1 TERABYTE drive. Glad I am not in the TA!

    uqfegd

    pp

  3. #33
    Senior Member Baldrick66's Avatar
    Join Date
    Jul 2005
    Posts
    1,561

    Re: Another MoD harddrive missing

    Quote Originally Posted by pensionpointer
    Apparently it was a TAFMIS 1 TERABYTE drive. Glad I am not in the TA!

    uqfegd

    pp
    TAFMIS is the recruiting system and is not just TA.
    "A man may fight for many things. His country, his friends, his principles, the glistening tear on the cheek of a golden child. But personally, I'd mud-wrestle my own mother for a ton of cash, an amusing clock and a sackful of porn."

  4. #34
    Junior Member Hungry_Big_Bear's Avatar
    Join Date
    Jul 2008
    Posts
    27

    Re: Another MoD harddrive missing

    If I took a Protectively Marked document home and then lost it, depending on its Marking, I would potentially say goodbye to my career. I thought I had lost some crypto years ago and spent an hour absolutely bricking it as I thought I would be packing my bags that night, after a stint in pokey.

    In the army, losing PM material is seen as one of the worst things you can do, with what could be interpreted as paranoia and seemingly OTT procedures guarding their storage, transport, etc. I see this as no bad thing and wondered if it would benefit those members of the MOD who are in contact with sensitive material to do the same.

    Alternatively, we could just publish all the sensitive details of those involved in losing our details on a website. Maybe they would take extra time in ensuring they didn't lose stuff in future.
    "Why should I try and be politically correct when I can be right instead?"

  5. #35
    Senior Member Speedy's Avatar
    Join Date
    Oct 2003
    Posts
    2,683

    Re: Another MoD harddrive missing

    Quote Originally Posted by Bat_Crab
    EDS are still in the running for many future IT projects despite having proven on many occasions that they couldn't organise a nun shoot in a nunnery. Just another example of a company treated as a preferential bidder by government regardless of actual performance.

    I'm not worried about this or the loss from Innsworth a couple of weeks ago. If my career to date has taught me anything, it is that information held about me by the MOD is almost always incorrect.
    This is because the govt allows companies to bid for contracts regardless of their past performance and they must be considered, and if they present 'best value', accepted. It's a bit like a scumbag appearing in court and his previous not being revealed to the jury.
    There are, it has been said, two types of people in the world. There are those who, when presented with a glass that is exactly half full, say: this glass is half full. And there are those that say: this glass is half empty.
    The world belongs, however to those who can look at the glass and say: 'What's up with this glass? Excuse me? Excuse me? This is my glass? I don't think so. My glass was full! And it was a bigger glass!'
    Terry Pratchett - The Truth

  6. #36
    Senior Member ukdaytona's Avatar
    Join Date
    Aug 2007
    Posts
    734

    Re: Another MoD harddrive missing

    It was announced this morning at which site the missing disc was found to be missing. It is a secure site where you either have to swipe in or sign in, so to check who may or may not have removed the drive should simply be a case of checking all those who had access to the equipment since it arrived in the building. Would also like to know if the kit was built at said site or built elsewhere and shipped with or without hard drive.


    Oh and the laptops I have are all encrypted and if you try to use removable media, it encrypts those too.


    "If at first you don't succeed, destroy all evidence that you tried."

    http://www.polaris-golfing-holidays.co.uk
    http://www.thewhiskyexchange.com

  7. #37
    Senior Member
    Join Date
    Oct 2006
    Posts
    3,769

    Re: Another MoD harddrive missing

    Quote Originally Posted by CDT_Dodger
    Quote Originally Posted by Blogg
    The most worrying aspect of this and other cases of Government data loss is how such a mass of sensitive data comes to be on a portable mass storage device in the first place. How many other copies of databases are knocking around on portable drives, laptops or DVD ROM? Why?

    The answer in large part is that none of it matters to the people concerned. Just data they play with.

    It has to be made to matter and matter a lot, which means personal sanctions against the muppets concerned and the management chain. Far too easy for contract staff to drift into a badly managed environment and when it all goes tits up drift off again and all the remaining parties can carry on as usual because they can point to "action" having been taken.
    I am an IT contractor and have worked on MOD, Police & Government sites on various projects. Data handling procedures are laughable within these organisations and from what I have witnessed the majority of lost data cases come from their own staff which are then brushed under the carpet. Civil Servants appear to have a different work mentality than personnel from the private sector.

    Yes, contractors do seem to take all the hits these days but part of the blame can be down to project deadlines. Many a time I have taken data off site to continue the work at my hotel or over the weekend in order to get the project cracked within the required timeframe. It would be so easy to misplace an 8GB flash drive with the likes of a UK ANPR database sitting on it. Yes, we all talk of encryption but this is very rarely implemented due to adding an extra amount of mouseclicks to the task at hand. As all IT bods will know, the less mouseclicks the better.

    The data could be signed over from a civil servant but this never happens either. Contractors will always have root access to any system they are working on and then it's just a case of insert flash drive, right click, copy, paste - bam > nice big database to take home with me.
    I entirely agree. Far too easy to blame it all on the Contractors leaving the real core of the problem (sh1te management and data handling procedures within the client) untouched.

    There is a story going round about one of the episodes of "lost" HMRC data. Tale is it was never lost because it never existed: the discs were never produced and thus never sent. Someone lied to their boss (twice) about having done so and then could not back out.

    Truth or IT Industry Myth? Who knows, but sounds dangerously credible given the behaviours of some HMRC mongs I have dealt with.

  8. #38
    Senior Member Thunderer's Avatar
    Join Date
    Jun 2008
    Posts
    261

    Re: Another MoD harddrive missing

    Is there not a case for a group action against EDS and its buyer, HP, given the grave security situation and the chances of identity theft?

  9. #39
    armadillo
    Guest

    Re: Another MoD harddrive missing

    If there was a group action please sign me up.

  10. #40
    Senior Member
    Join Date
    May 2006
    Posts
    8,721

    Re: Another MoD harddrive missing

    Quote Originally Posted by meridian
    Information Security as a discipline is not a load of shite as someone mentioned above but if organisations don't actually do it then this is what happens so it appears to be, that's the difference.
    Sorry mate, that is the problem with Information Security where people such as yourself quote the 'discipline' and then blame naughty people for not following it.

    The organisations that you refer to are everybody, public and private sector. Nobody follows the 'theory' which, I agree, is irrefutable but unworkable.

    If you choose to dispute this please come back with some examples.

  11. #41
    Senior Member
    Join Date
    Aug 2006
    Posts
    3,325

    Re: Another MoD harddrive missing

    Quote Originally Posted by Blogg
    Quote Originally Posted by CDT_Dodger
    Quote Originally Posted by Blogg
    The most worrying aspect of this and other cases of Government data loss is how such a mass of sensitive data comes to be on a portable mass storage device in the first place. How many other copies of databases are knocking around on portable drives, laptops or DVD ROM? Why?

    The answer in large part is that none of it matters to the people concerned. Just data they play with.

    It has to be made to matter and matter a lot, which means personal sanctions against the muppets concerned and the management chain. Far too easy for contract staff to drift into a badly managed environment and when it all goes tits up drift off again and all the remaining parties can carry on as usual because they can point to "action" having been taken.
    I am an IT contractor and have worked on MOD, Police & Government sites on various projects. Data handling procedures are laughable within these organisations and from what I have witnessed the majority of lost data cases come from their own staff which are then brushed under the carpet. Civil Servants appear to have a different work mentality than personnel from the private sector.

    Yes, contractors do seem to take all the hits these days but part of the blame can be down to project deadlines. Many a time I have taken data off site to continue the work at my hotel or over the weekend in order to get the project cracked within the required timeframe. It would be so easy to misplace an 8GB flash drive with the likes of a UK ANPR database sitting on it. Yes, we all talk of encryption but this is very rarely implemented due to adding an extra amount of mouseclicks to the task at hand. As all IT bods will know, the less mouseclicks the better.

    The data could be signed over from a civil servant but this never happens either. Contractors will always have root access to any system they are working on and then it's just a case of insert flash drive, right click, copy, paste - bam > nice big database to take home with me.
    I entirely agree. Far too easy to blame it all on the Contractors leaving the real core of the problem (sh1te management and data handling procedures within the client) untouched.

    There is a story going round about one of the episodes of "lost" HMRC data. Tale is it was never lost because it never existed: the discs were never produced and thus never sent. Someone lied to their boss (twice) about having done so and then could not back out.

    Truth or IT Industry Myth? Who knows, but sounds dangerously credible given the behaviours of some HMRC mongs I have dealt with.
    While I agree, Blogg, that there does seem to be a new breed within some Depts who do not take data tracking, security procedures and responsibility seriously enough from the top down.

    However! How many contractors properly vet and maintain all those in the data chain? How many times are temps or agencies subcontracted in, thus compromising both data and as importantly the level of adherence to maintaining procedure with the weight of the Official Secrets Act being signed?

    We all know the lack in many cases of maintaining just a simple clear desk policy is just the first indicator in the failure of a secure system.

    I have practical experience of seeing this laxness being swept under the carpet in relation to contractors in MOD establishments...when it's brought to light there is much harrumphing and Oh wells but zero action taken.
    hols 4 heros money well spent

  12. #42
    Senior Member Daxx's Avatar
    Join Date
    Mar 2004
    Posts
    489

    Re: Another MoD harddrive missing

    Quote Originally Posted by DigitalGeek
    Quote Originally Posted by Daxx
    One would think that an IT provider would be bright enough to have encrypted its laptop hard drives, anticipating one may go 'missing'.

    Regrettably some people are just plain stupid.
    Err....That's why I have spent the last few weeks fitting encrypted drives into laptops.
    Slamming the stable door is commendable for the next loss, but doesn't resolve the current one.
    Two things are infinite: the universe and human stupidity; and I'm not sure about the universe.
    Albert Einstein

  13. #43
    Senior Member
    Join Date
    Aug 2006
    Posts
    3,325

    Re: Another MoD harddrive missing

    Quote Originally Posted by Daxx
    Quote Originally Posted by DigitalGeek
    Quote Originally Posted by Daxx
    One would think that an IT provider would be bright enough to have encrypted its laptop hard drives, anticipating one may go 'missing'.

    Regrettably some people are just plain stupid.
    Err....That's why I have spent the last few weeks fitting encrypted drives into laptops.
    Slamming the stable door is commendable for the next loss, but doesn't resolve the current one.
    Stable door policy is gubiment policy it would seem, not just in data handling though. Damn, I knew I should have sunk some money into it...
    hols 4 heros money well spent

  14. #44
    Senior Member
    meridian's Avatar
    Join Date
    Sep 2007
    Posts
    9,153

    Re: Another MoD harddrive missing

    Hi Western

    I can see where you are coming from because much like risk management at the banks it patently hasn't worked and is therefore a load of pish.

    But that's not the full story, is it?

    The risk management people would have been going blue in the face shouting about risk but then the decision makers would simply say bollox to that, let's go for the big numbers. They risked and lost but that doesn't mean risk management is an exercise in futility.

    The same could be said of almost any management or competence discipline from safety to quality to service management to information security to soldiering. None of these are panaceas to an organisation's problems but they lay down a framework and a set of guidelines. If they are not followed then the consequences are obvious.

    Bringing it back to basics, on a patrol you don't bunch up. Basic good drills or best practice honed over a long period of time. You follow those rules, you minimise casualties, you don't follow those rules then be prepared for the consequences.

    It's not rocket science, is it?

    Exactly the same as any other set of rules and guidance for any other subject.

    The point I am making is that there is no shortage of 'good drills' out there but if organisations and yes individuals within them fail to make use then this is what happens. No point in saying we are all doomed, it is all shite, you are just blaming individuals.

    It's just not that simple.

  15. #45
    Senior Member
    Grownup_Rafbrat's Avatar
    Join Date
    Apr 2007
    Location
    Between the shed and the woodburner
    Posts
    8,719

    Re: Another MoD harddrive missing

    Quote Originally Posted by Gunner_REMF
    EDS are losing the contract to Hewlett Packard so the beat of Jungle Drums tell me. Funny how it's come to light now.....

    Ubique
    The signal from your jungle drums is a little distorted. EDS has been taken over by Hewlett Packard. Apart from the 3800 redundancies, service will continue as before.

    I have the misfortune to work for said company, and cannot stress how often in the last three years we have been threatened with dismissal if our PCs and laptops are not encrypted.

    Not that I wish to defend the indefensible, but as I said on another thread, it was a civil serpent who asked me to mail passwords and user ids to them, and was quite snotty when I suggested that might not be a good plan.
    And this you can see is the bolt. The purpose of this
    Is to open the breech, as you see. We can slide it
    Rapidly backwards and forwards: we call this
    Easing the spring. And rapidly backwards and forwards
    The early bees are assaulting and fumbling the flowers:
    They call it easing the Spring.
    They call it easing the Spring: it is perfectly easy
    If you have any strength in your thumb: like the bolt,
    And the breech, and the cocking-piece, and the point of balance,
    Which in our case we have not got; and the almond-blossom
    Silent in all of the gardens and the bees going backwards and forwards,
    For today we have naming of parts.


    Henry Reed
    Proving that nothing has changed since World War Two

From arrse2.arrse.co.uk