
IT and security Archives

October 20, 2008

Can too much IT security be bad for business?

Delegates at the City IT and IT Security Forum on the Aurora cruise ship last week discussed, among other things, whether too much security can be onerous for their companies.


Users list top IT security concerns

These are some of the top IT security concerns as mentioned by users at an informal discussion at the City IT and IT Security Forum aboard the Aurora cruise ship last week:


November 5, 2008

The future of IT (and gadgets in the skin) - the next 100 years

Ian Pearson, a graduate in theoretical physics who worked for BT as a "futurologist", gave a well-received talk on gadgets and technologies of the future to hundreds of IT, security and finance delegates on the Aurora cruise ship recently.

He spoke of IT security threats from smart bacteria, gadgets which are installed in the skin, soaring tax rates which precipitate the emigration of graduates to low-tax economies, oil at $30 a barrel, and the reversal of globalization.

And he doesn't take himself too seriously. He told delegates to the City IT, IT Security and Finance Directors' Forum on board the Aurora:

"I study the future but I don't try to predict it with 100% accuracy. I am not like Mystic Meg. I am an engineer. I keep abreast with what's happening in engineering. I know what Sony, Nokia or BT will be bringing out in two to three years' time.

"I look at the engineering basis for what's happening and extrapolate from that, and try to figure out what gadgets you'll have in your pockets, briefcases and desktop in 10-15 years. And how you'll use technology to knock socks off the competition.

"Once you figure out how people will use technologies in their businesses and everyday lives, you get a pretty good view of what the future holds. Studying technology, you can get 85% accuracy over 10 years. I hope that sounds impressive. As a reality check 85% accuracy means that 15% of the following presentation is complete and utter crap."


November 11, 2008

Data losses: a free practical guide to avoiding them

After the numerous incidents of data loss over the past months, Colin Beveridge has made available a free download: "Data leakage, practical measures to improve Information Governance".

He says:

"Everyone agrees that data loss is a serious problem, for the private sector as well as government. All this, despite huge investments in so-called information security.

"Companies and government have information handling policies coming out of their ears but don't seem to have any means of measuring their effectiveness in the sphere of Information Governance.

"I have put together a quite brief outline of some practical measures that could be adopted, easily, by any organisation."

The download is on http://tinyurl.com/5dmzap

January 15, 2009

Key parts of today's report by MPs on £7bn DII project

This is a summary of some of the most important parts of a hard-hitting report by the Public Accounts Committee on the Windows-based £7bn Defence Information Infrastructure [DII] project.

The DII is not a failure. Given its complexity and over-ambitious timetable it's surprising more hasn't gone wrong; and parts of it have gone well: the MoD has a strong relationship, for example, with EDS which leads the Atlas consortium, the main DII contractor.

Still, progress has fallen well short of expectations and in the first three years of the programme the MoD spent more than 90% of the original budgeted costs of the first stage but received fewer than 50% of the terminals and software it had expected. Core software such as word processing, email, internet access and security should all have been available in June 2006, but less than half of the requirement had been delivered two years later in June 2008. The report criticises the MoD and Atlas for "severe underperformance".

From the report [my sub-headings]:

Did the MoD mislead Parliament in 2006 by understating DII's full costs?

"The Department originally forecast that the Programme would cost £5.8bn ...This cost is greater than the £2.3bn that the Department had previously reported to Parliament. The Department stated that it had provided Parliament with the value of the contract that had been awarded to ATLAS at the time, which is its usual practice, but subsequently acknowledged that this could have been explained more fully.  The Department now estimates that the cost of delivering the DII Programme will be £7.09bn ...


January 22, 2009

Post-it notes for passwords - an NHS option?

My colleague Philip Virgo, who blogs for Computer Weekly and is Secretary-General of the Parliamentary and IT industry body Eurim, sent me a comment earlier this month which raises important matters.

He pointed out that NHS consultants may have to keep track of dozens of passwords which change regularly - and those who may be able to help with lost passwords tend to keep office hours only.

Virgo says:

"Little black books and post-it notes are the only option if you are not to resort to the ultimate sin of shared pass-words - when your professional indemnity insurance (and thus your future employability let alone your reputation) depends on what is done in your name."

This raises an interesting question which has never been satisfactorily answered: How can the need for health information to remain confidential be reconciled with big NPfIT databases of medical records and the password-sharing, post-it-note culture of the NHS?


January 28, 2009

London trust hit by virus had a failure of processes

What Barts and The London NHS Trust called a "major incident" - the spread of the Mytob computer virus to a network of nearly 5,000 PCs - was entirely avoidable.

An independent report on the management's response to the incident goes before the trust's board today. Although the trust's anti-virus software was updated daily, some PCs did not have it configured properly. So the virus was let in through the back door, said the trust.

Links:

Virus attack at London hospitals was "entirely avoidable" - Computer Weekly website

London Hospitals hit by computer virus - Graham Cluley, Sophos

Mytob and the NHS - Eset site

Mytob-infected emails - Neil Turner's blog

Did suspected Zotob Hacker write Mytob worm? - Information Week

Mytob worm dominates virus charts - from 2005

February 25, 2009

ID Cards insider: scheme is "largest, most complex and sensitive undertaking in Government"

When they were planning for ID Cards, executives at the Identity and Passport Service thought it a good idea to use the DWP's Oracle-based Customer Information System to store the biometrics part of the National Identity Register.

It avoided the costs, complexities, and risks of failure which would have cast a shadow over building a large database from scratch.

The problem now is that, through practice rather than any specific plan, the DWP's CIS is becoming the government's main citizen database.

This means that thousands of council staff and other public and civil servants are being given access to it.

And some council staff have already been using the CIS to check the data it holds on their friends and relatives.

Officials at the Identity and Passport Service point out that although the National Identity Register is being built on the DWP's CIS, ID card biometrics will be held separately on the CIS database.


March 26, 2009

"I'm all for more government databases"

It's not often anything to do with big government databases makes me smile but this comment to the IT Projects blog yesterday did...

"As an out of work database developer, I'm all for more government databases. But in view of entirely justifiable concerns over security and indeed civil liberties, I am prepared to take on any of these major government database projects, charge HM Treasury £161m, deliver nothing useful and walk away with my pockets bulging with cash from the taxpayer - enough for a modest Goodwin-style pension at least. And I guarantee that no data will ever be leaked or lost from my system, because it will never even get as far as being switched on. Bargain or what?"

Thank you to ChrisW.

July 15, 2009

Loss of data hits test plan for German e-health card

Tests of Germany's first-generation electronic health cards and doctors' "health professional cards" have run into problems. The plan is said to involve the construction of the world's largest public key infrastructure (PKI) to allow 80 million health cards and health professional cards to check each other for authenticity.

October 7, 2009

Change of plan on ID Cards biometrics database?


The Identity and Passport Service may scrap plans to use the Customer Information System as the database for ID Cards biometrics.

The CIS is run by the Department for Work and Pensions and is the government's main citizen database. Its security has been compromised by local council staff who've been snooping on data held on celebrities and acquaintances. Nine were sacked.


November 11, 2009

500k fines for data protection breaches - but what about Govt breaches?


The Ministry of Justice has begun a consultation on giving the Information Commissioner's Office the power to levy penalties of up to £500,000 for the most serious breaches of the Data Protection Act.

The most serious breaches are made by government departments and agencies. So are there provisions for deterrent sanctions against them for serious breaches? Nope.

Consultation papers - Ministry of Justice website

500k fines for data protection breaches? - ComputerWeekly.com

Missing HMRC CDs - what went wrong and lessons for NPfIT and ID Cards - IT Projects Blog

 


November 16, 2009

Police investigate NHS smartcard security breach as SCR launches in London


[Summary of article on ComputerWeekly.com homepage]:

An NHS trust at the forefront of work on the £12.7bn NHS IT scheme has called in police after a breach of smartcard security compromised the confidentiality of hundreds of electronic records.

Patients in Hull have expressed their dismay that an unauthorised NHS employee has accessed their confidential records; and the local primary care trust, NHS Hull, says it is "shocked" at the breach of security by a member of staff who has since left.

Details of the breach emerged as health officials in London were, in an unrelated event, telling journalists about the start of a roll-out of electronic records across London, as part of the National Programme for IT [NPfIT].


NPfIT politics and the NHS smartcard security breach


It's interesting that NHS Hull promptly answered all my questions about the breach of smartcard security until I mentioned the use by the trust of NPfIT systems.

Then all went quiet.


December 1, 2009

Patient records not properly shredded


[This is a summary of an article on ComputerWeekly.com]

Shredded patient records - but with some information still showing - have ended up as packaging to keep gift boxes undamaged.

The records originated from Papworth Hospital in Cambridgeshire which is investigating the incident. It appears that the records were sent by the hospital to a solicitor which acts for patients.



December 4, 2009

IT suppliers and government dispute costs of IT security


Plans to introduce mandatory security improvements across government have become mired in contractual disputes with IT suppliers that do not want to carry the cost. Full story on ComputerWeekly.com homepage. 

Government, understandably, wants improvements to IT security after the loss of two CDs at HM Revenue and Customs.

But IT suppliers, understandably, say it'll cost extra.

Several of the outsourcing suppliers have the government over a barrel: their contracts cannot, in practice, be terminated over a dispute related to extra costs of IT security; and third party companies cannot easily bolt on extra security to another supplier's systems.


About IT and security

This page contains an archive of all entries posted to Tony Collins's IT Projects Blog in the IT and security category. They are listed from oldest to newest.
