Your shout: readers share their views

Missing CDs, HSBC's fraud initiative, Abbey's system problems, social engineering

Missing child records beg some obvious questions

Name and address withheld

In response to Tony Collins' blog on the missing child benefit CDs, some obvious and fairly simple questions need to be answered by the HMRC:

● The ability to write a CD on any PC connected to a civil service network is a security weakness, and only certain authorised individuals should have CD writing enabled in their login security profile. Why was a junior official able to download this information onto CDs and who authorised the creation of the user profile with the relevant security privileges?

● The child benefit database presumably has a quite complex structure. So why did the National Audit Office need to access/analyse this material on its own mainframe - would it not have been better to audit the information in-situ? If it is not possible to do so this identifies a major failure in systems design.

● Over the past decade the government has invested heavily in the creation of a secure national infrastructure - the GSI. Why was the data not securely transferred via FTP over the GSI?

● Given that sensitive financial and personal data was required by the National Audit Office, what procedures are in place to ensure its secure handling and destruction once the audit is complete?

HSBC offers lessons for other banks on fraud

Colin Rickard, managing director EMEA, DataFlux

Your analysis "Banks need single view for Basel 2", gave a good account of the scenario currently facing HSBC.

Realising a single view, in real time, in fraud detection is essential and long overdue. Many industries are having to face the fact that their data requires urgent attention to provide a single, reliable view of the "truth" due to increasing levels of legislation.

Reassuringly, the technologies to deliver this information have been available for a long time now and are well tested.

Companies that move fast to gain full control of their data will ensure they are compliant, but will also realise significant competitive advantage. Offering a coherent fraud detection policy, for example, is a great way to differentiate in industries that are becoming commoditised. Barclays, for example, makes fraud protection a central theme of its Barclaycard offering and manages data as a strategic asset.

Thanks to this IT initiative HSBC is now positioned to compete more effectively by providing peace of mind. Bravo.

Evidence that Abbey is struggling with systems

Colin Beveridge

I was very interested to see your piece about the problems at Abbey.

I am an Abbey customer and have observed some of its problems first hand. Over the past few weeks the Harrogate branch systems appear to have been down (or curtailed) on a fairly frequent basis. On one occasion the branch was operating on a completely manual basis for counter operations, although the ATMs were working.

On other occasions, I have observed branch staff exchanging views to the effect that they could not get into the system at all. Likewise, the central helpdesk staff have told me their systems are down when I have called. I seem to recall that the electronic banking service has also been disrupted when I have tried to log in.

As a customer and a systems professional, I can see a bank that is very much struggling with its systems.

Encourage people to value and protect data

Andrea Simmons

Regarding David Lacey's blog post "Security culture and social engineering", what kind of culture do they have at central government? Every week there are crass and simple errors taking place, to wit, the news about child benefit data going "missing".

The key here seems to be the ongoing requirement to encourage people to appreciate the value of information and thus to protect it.

In defence of the Data Protection Act, the compliance requirement is there - to provide "appropriate organisational and technical security measures". Why aren't people doing this yet? Someone, somewhere is not providing appropriate advice, guidance or training.
