Missing child records beg some obvious questions
Name and address withheld
In response to Tony Collins' blog on the missing child benefit CDs, some obvious and fairly simple questions need to be answered by the HMRC:
● The ability to write a CD on any PC connected to a civil service network is a security weakness, and only certain authorised individuals should have CD writing enabled in their login security profile. Why was a junior official able to download this information onto CDs, and who authorised the creation of the user profile with the relevant security privileges?
● The child benefit database presumably has a quite complex structure. So why did the National Audit Office need to access/analyse this material on its own mainframe - would it not have been better to audit the information in situ? If it is not possible to do so, this identifies a major failure in systems design.
● Over the past decade the government has invested heavily in the creation of a secure national infrastructure - the GSI. Why was the data not securely transferred via FTP over the GSI?
● Given that sensitive financial and personal data was required by the National Audit Office, what procedures are in place to ensure its secure handling and destruction once the audit is complete?
HSBC offers lessons for other banks on fraud
Colin Rickard, managing director EMEA, DataFlux
Your analysis "Banks need single view for Basel 2" gave a good account of the scenario currently facing HSBC.
Realising a single view, in real time, in fraud detection is essential and long overdue. Many industries are having to face the fact that their data requires urgent attention to provide a single, reliable view of the "truth" due to increasing levels of legislation.
Reassuringly, the technologies to deliver this information have been available for a long time now and are well tested.
Companies that move fast to gain full control of their data will ensure they are compliant, but will also realise significant competitive advantage. Offering a coherent fraud detection policy, for example, is a great way to differentiate in industries that are becoming commoditised. Barclays, for example, makes fraud protection a central theme of its Barclaycard offering and manages data as a strategic asset.
Thanks to this IT initiative HSBC is now positioned to compete more effectively by providing peace of mind. Bravo.
Evidence that Abbey is struggling with systems
Colin Beveridge
I was very interested to see your piece about the problems at Abbey.
I am an Abbey customer and have observed some of its problems first hand. Over the past few weeks the Harrogate branch systems appear to have been down (or curtailed) on a fairly frequent basis. On one occasion the branch was operating on a completely manual basis for counter operations, although the ATMs were working.
On other occasions, I have observed branch staff exchanging views to the effect that they could not get into the system at all. Likewise, the central helpdesk staff have told me their systems are down when I have called. I seem to recall that the electronic banking service has also been disrupted when I have tried to log in.
As a customer and a systems professional, I can see a bank that is very much struggling with its systems.
Encourage people to value and protect data
Andrea Simmons
Regarding David Lacey's blog post "Security culture and social engineering", what kind of culture do they have at central government? Every week there are crass and simple errors taking place, to wit the news about child benefit data going "missing".
The key here seems to be the ongoing requirement to encourage people to appreciate the value of information and thus to protect it.
In defence of the Data Protection Act, the compliance requirement is there - to provide "appropriate organisational and technical security measures". Why aren't people doing this yet? Someone, somewhere is not providing appropriate advice, guidance or training.