[Gllug] Secure filing system?

James Courtier-Dutton james.dutton at gmail.com
Sun Feb 13 21:04:52 UTC 2011


On 13 February 2011 20:09, Chris Bell <chrisbell at chrisbell.org.uk> wrote:
> On Sun 13 Feb, James Courtier-Dutton wrote:
>>
>
>>
>> As "local council" is a part of government, the data it holds and how
>> it secures it should probably be controlled by government policy.
>> I think the "data on residents" should be classified to at least "PROTECT"
>>
>> Info on classifications
>> http://en.wikipedia.org/wiki/Classified_information_in_the_United_Kingdom
>>
>> It sounds to me that the council has not done a proper threat and risk
>> assessment on themselves.
>>
>
>   I gather that IT services are contracted out, possibly to Serco, so I
> would not like to guess who is actually responsible.
>

Serco are unlikely to be responsible.
Proper threat and risk assessment is a governance issue. Directors, or
in this case councillors, should have made decisions regarding threat
and risk, and then developed a policy from this. The policy is not
just an IT policy; it is a policy that results from everything taken
into consideration.
1) Identify what the threats are and the associated risk.
2) Identify what needs protecting.
3) Put a policy in place that covers all aspects of life of the
employees and the data they process.
The policy is then applied to the IT services company so that the IT
services company follow the policy.

This normally consists of a combination of:
1) checks on employees (e.g. verifying IDs, entry card systems)
2) Physical security of the building containing the data etc.
3) If employees leave the building with data, protections on the data
while out of the building.

I think the council got away with it this time with only an 80k fine.
If the councillors fail to now put a proper policy in place, it might
reach a point where they will not get voted in next time.
Being lax with the private data of residents will probably result in
the residents not voting for them next time.

I do work on multiple government projects.
All of them, even ones that do not need to be classified in any
way, still use full disk encryption.
It is due to the policy they have in place as a result of a proper
threat and risk assessment.

Kind Regards

James
--
Gllug mailing list  -  Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug
