
Irreverence

'Generally' does not cut it

posted on 19 July 2008 10:03


Unfit for purpose: UK's MoD laptop and USB security policy

The UK government's Ministry of Defence has lost 121 USB memory sticks since 2004, and 6747 laptop computers, 89 of which are known to have been stolen. Yet the MoD insists its security policies are generally 'fit for purpose'. This is bilge; they are not fit for purpose.

An MoD statement said: "Any loss of data is investigated fully. ... The recent report (in 2008) on data losses by Sir Edmund Burton found that MoD policies and procedures are generally fit for purpose, but also identified a number of areas where MoD needs to do better in protecting personal data. ... MoD has developed, and is now working through, an action plan to address all of the report's recommendations and bring the department's handling of personal data to an acceptable state."

So, what is the MoD doing?

It has revised its reporting processes to give it a more accurate picture of what is happening. Its 1 out of 10 security policy rating just went up to 2 out of 10.

It is fitting encryption to its 20,000 laptop estate and half have been so retro-fitted. Some 2,000 laptops that can't have encryption added have been disposed of. Three out of ten.

But there is something it is not doing and that is disposing of every single USB stick unless sensitive data on it is encrypted as well. USB sticks get lost. Anything the size of a lipstick will get lost; guaranteed. They are inherently insecure unless forcibly encrypted. Back to two out of ten.

Insisting that security policies are generally fit for purpose in such circumstances as those the MoD reveals is ludicrous. An airline that suffers a Jumbo jet crash killing 350 people due to a maintenance malfunction can claim its maintenance policies are generally fit for purpose.

A householder leaving an unlocked door who subsequently suffers a burglary will find his insurance company unsympathetic to pleas that his household security was generally fit for purpose.

Generally does not cut it. An insistence that anything is 'generally' fit for purpose means that it is not fit for purpose in the areas where it matters.

The brain of a person making such excuses is not even fit for purpose.

Lessons in owning up:-

1. Admit the fault.

2. Apologise.

3. Say you will do better.

4. Do not, under any circumstance whatsoever, seek or point out supposedly excusing factors. Your listeners do not want to hear them and will judge that you are trying to avoid blame because the situation is worse than you have admitted.

5. SHUT UP!!!! 

 [Chris Mellor.]