Discuss Another MoD harddrive missing at the Current Affairs, News and Analysis forum within The Army Rumour Service website.
There is no reason at all why you need live data to test software.
The whole point of having a test environment and a user acceptance environment is that you can use any data size you want and anonymise (is that a real word?). It's a laughably trivial task to do.
Information Security as a discipline is not a load of shite as someone mentioned above but if organisations don't actually do it then this is what happens so it appears to be, that's the difference.
The world, business, the civil service, MoD etc aren't short of guidance and people who know what they are doing with regards to information security, there are mature standards and best practice coming out of our ears that work if implemented but therein lies the problem.
To do it right takes resources, commitment, money and sanctions.
"A man may fight for many things. His country, his friends, his principles, the glistening tear on the cheek of a golden child. But personally, I'd mud-wrestle my own mother for a ton of cash, an amusing clock and a sackful of porn."
If I took a Protectively Marked document home and then lost it, depending on its Marking, I would potentially say goodbye to my career. I thought I had lost some crypto years ago and spent an hour absolutely bricking it as I thought I would be packing my bags that night, after a stint in pokey.
In the army, losing PM material is seen as one of the worst things you can do, with what could be interpreted as paranoia and seemingly OTT procedures guarding their storage, transport, etc. I see this as no bad thing and wondered if it would benefit those members of the MOD who are in contact with sensitive material to do the same.
Alternatively, we could just publish all the sensitive details of those involved in losing our details on a website. Maybe they would take extra time in ensuring they didn't lose stuff in future.
EDS are still in the running for many future IT projects despite having proven on many occasions that they couldn't organise a nun shoot in a nunnery. Just another example of a company treated as a preferential bidder by government regardless of actual performance.
I'm not worried about this or the loss from Innsworth a couple of weeks ago. If my career to date has taught me anything, it is that information held about me by the MOD is almost always incorrect.
This is because the govt allows companies to bid for contracts regardless of their past performance and they must be considered, and if they present 'best value' accepted. It's a bit like a scumbag appearing in court and his previous not being revealed to the jury.
There are, it has been said, two types of people in the world. There are those who, when presented with a glass that is exactly half full, say: this glass is half full. And there are those that say: this glass is half empty.
The world belongs, however to those who can look at the glass and say: 'What's up with this glass? Excuse me? Excuse me? This is my glass? I don't think so. My glass was full! And it was a bigger glass!'.
It was announced this morning at which site the missing disc was found to be missing, it is a secure site where you either have to swipe in or sign in so to check who may or may not have removed the drive should simply be a case of checking all those who had access to the equipment since it arrived in the building. Would also like to know if the kit was built at said site or built elsewhere and shipped with or without hard drive.
Oh and the laptops I have are all encrypted and if you try to use removable media, it encrypts those too.
The most worrying aspect of this and other cases of Government data loss is how such a mass of sensitive data comes to be on a portable mass storage device in the first place. How many other copies of databases are knocking around on portable drives, laptops or DVD ROM? Why?
The answer in large part is that none of it matters to the people concerned. Just data they play with.
It has to be made to matter and matter a lot, which means personal sanctions against the muppets concerned and the management chain. Far too easy for contract staff to drift into a badly managed environment and when it all goes tits up drift off again and all the remaining parties can carry on as usual because they can point to "action" having been taken.
I am an IT contractor and have worked on MOD, Police & Government sites on various projects. Data handling procedures are laughable within these organisations and from what I have witnessed the majority of lost data cases come from their own staff which are then brushed under the carpet. Civil Servants appear to have a different work mentality than personnel from the private sector.
Yes, contractors do seem to take all the hits these days but part of the blame can be down to project deadlines. Many a time I have taken data off site to continue the work at my hotel or over the weekend in order to get the project cracked within the required timeframe. It would be so easy to misplace an 8gb flash drive with the likes of a UK ANPR database sitting on it. Yes, we all talk of encryption but this is very rarely implemented due to adding an extra amount of mouseclicks to the task at hand. As all IT bods will know, the less mouseclicks the better.
The data could be signed over from a civil servant but this never happens either. Contractors will always have root access to any system they are working on and then it's just a case of insert flash drive, right click, copy, paste - bam > nice big database to take home with me.
I entirely agree. Far too easy to blame it all on the Contractors leaving the real core of the problem (sh1te management and data handling procedures within the client) untouched.
There is a story going round about one of the episodes of "lost" HMRC data. Tale is it was never lost because it never existed: the discs were never produced and thus never sent. Someone lied to their boss (twice) about having done so and then could not back out.
Truth or IT Industry Myth? Who knows, but sounds dangerously credible given the behaviours of some HMRC mongs I have dealt with.
Information Security as a discipline is not a load of shite as someone mentioned above but if organisations don't actually do it then this is what happens so it appears to be, that's the difference.
Sorry mate that is the problem with Information Security where people such as yourself quote the 'discipline' and then blame naughty people for not following it.
The organisations that you refer to are everybody, public and private sector. Nobody follows the 'theory' which, I agree, is irrefutable but unworkable.
If you choose to dispute this please come back with some examples.