Monday 26 November 2007

HMRC: CDs should be treated the same as the Server Room

This is rapidly turning into the HMRC data breach blog! I post a lot about this issue at the moment because I have a personal vested interest, as do many others; there are further developments almost daily; and for anyone who cares about the security of personal information in the UK, this is still a huge issue which frankly still gives me great cause for concern. It also prompts much thought about data security in general, which I feel compelled to write about.

Anyway, I was in discussion with several people today regarding the missing HMRC CDs. One view was that HMRC regarded the internal mail as "private" postage, a view which doesn't sit with me at all.

The way I think about it is like this: if you were to copy the company's entire database, "the" Crown Jewels of the organisation, to a piece of media, shouldn't you be applying the same security measures as to the live database held on the servers? Think about all the physical security aspects of a server/comms room, for instance, and the logical security within the IT systems controlling the database. Would any IT professional ever consider removing the hard disks holding the database and posting them in the mail?

As for the "private" mail, well, for a start HMRC use third parties for that. But even if they did it in house, personally I would still regard any internal mail as an untrusted medium, and therefore I would insist on encryption of any sensitive or classified data sent through it as a matter of course.