Express Press Release Distribution


Blame organisational failure not junior staff over lost HMRC records, says Aon

Released on: November 27, 2007, 10:51 pm

Press Release Author: Alexandra Lewis

Industry:

Press Release Body: "It's a naïve attitude to blame junior officials for the HMRC
data leak, rather than organisational failure. The human element is often the
weakest link in data management but staff education is usually low priority. An
assumption prevails that "people will do the right thing" but this is a dangerous
approach - what training did the "junior staff" receive that would enable them to
recognise the dangers of their actions?

Too many organisations have information security policies that concentrate on the
infrastructure that holds the data rather than the data itself. Encryption
techniques today are low cost and still effective if coupled with other processes.
Even if the HMRC has the best security practices, you have to ask when the policies
were last tested.

This incident must finally trigger the wake up call for those with responsibility
for the security of personal information, whether in the public or private sector.
The fact that banks were told before the data holders and given time to prepare
suggests that the incident response procedures were also not effective."

What should have happened

* the most basic security measures dictate that data should be separated so that
if one part of it goes missing, it would be of no intrinsic value to the person
in possession;
* each data set should have been separately encrypted - simple password
protection where data is left in clear text form is a very weak form of
security;
* use of secure encrypted data transfer systems to connect government
departments without the need for transferring data using disks.

Is this incident indicative of the public sector approach to technology?

Public sector organisations are being encouraged by central government to adopt "E"
solutions, driven by cost savings. But not enough of these savings are being applied
to proper data management, information security measures and educating staff on the
use of the technology and the risks it carries. Too often electronic systems have
replaced paper based procedures without effective training of staff. Many public
sector organisations now have IT risk as a priority in their risk registers but few
have taken action to mitigate the new risks they have identified.

What can the public sector do to mitigate risks in this area?

* public sector bodies must recognise their responsibility for data as failure
to do so will lead to a loss of confidence in online transactions;
* conduct a review of data management systems for compliance, legal and disaster
recovery;
* implement IT security and data management policies and procedures, educating
staff;
* avoid separating IT security from traditional business planning and disaster
recovery;
* have effective procedures to test these policies against emerging threats and
implement the findings of these tests.

Aon UK is ranked by A.M. Best as the number one global insurance brokerage based on
brokerage revenues and voted best insurance intermediary, offering classic car
insurance, high value home insurance, entertainment and media liability insurance
and builder's insurance.


Web Site:
http://www.commercialservices.aon.co.uk/commercialservices/microsites/construction/


Contact Details: directory@vandelay.co.uk
