Tuesday, January 29, 2008

Australia Day Weekend

On Saturday it was Australia Day which meant yesterday (Monday) was a public holiday. The net result was a fantastic 4-day weekend for me!

We decided to partake in Australia Day celebrations by visiting South Bank. Before that however, we took a train into the city and had a walk up Queen St Mall. Queen St Mall is an open air shopping arcade and pretty much the centre of Brisbane. Like many other cities, as a central pedestrian area there's always the odd sideshow (or freak show), busker and human statue to entertain the passing public. Surprisingly, Queen St Mall was the quietest I've ever seen it. Whenever I'm there during my lunch break at work it's always heaving with people. It's really strange to find a city centre shopping area that's busier during the week than at the weekends. Maybe most people had sense and decided to head to the beach for Australia Day?

After getting some lunch in the Myer Centre (after finally deciding what to have from the endless selection of food outlets in the food court) we walked over the Victoria Bridge to South Bank.

South Bank is always a hub of activity when there's public events to celebrate and Saturday was no exception. However, having seen most of the stuff before (it seems like Brisbane is celebrating something nearly every weekend) we headed to the newly refurbished lagoons to cool off.


More photos on flickr.

The beach in the city should be a must for all cities I reckon. It would be nice to work that side of the river, with the option of taking a dip during lunch or straight after work. A large section of the lagoons is pretty deep (out of my depth anyway, which is not hard) so good for swimming. It was hard getting Lauren out when it was time to head back home.

We could have hung around for the obligatory fireworks but instead we headed home and went next door for a BBQ and a few glasses of vino.

On Sunday we thought we'd try out another beach. This time we headed down to Mermaid Beach on the Gold Coast, which is south of Surfer's Paradise. As soon as we arrived though we realised that we should have checked the conditions before we left. There was heavy wind on the beach, which was weird because as soon as you walked off the beach the wind died to a light breeze. The ocean was pretty rough too.

Not wishing to miss an opportunity I braved the conditions and went in to jump a few waves. I didn't last long. The ocean was lovely and warm but the continuous rush of fast incoming waves made it dangerous to venture in too far. Similarly, there was a strong under-current (rip) that was pushing northwards. I reckon if I'd have picked my feet up for too long I would have been at Surfer's Paradise within a matter of minutes!

Conditions weren't much easier lying on the beach. The wind was picking up the fine white sand and blasting it against our skin. You have to be a committed beach God/Queen to put up with that level of discomfort. We soon left the beach and headed back home. The elements had beaten us so we retired to the comfort of the complex swimming pool.

On Monday we did have plans to go to an expats meetup at a British pub in the city. It was such a lovely hot day however that we couldn't bring ourselves to spend the afternoon in a pub. Instead, a good few trips were made between the sun lounger, pool and beer fridge. Particularly as it was touching 34 degrees inside the house!



The weekend wasn't all play though, I did manage to get a few hours in on Monday working on my business (mainly trying to coerce developers in India to actually do the work I'm paying them for!).

Sunday, January 20, 2008

Reported UK Data Losses - It's Worse Than You Think

It comes as no surprise to me that we're seeing a lot of news reports lately regarding lost or stolen government laptops and removable media containing personal information. In the last week alone we've seen the records of 600,000 people lost by the Royal Navy, as well as the loss of 4,000 patient records by Stockport Primary Care Trust.

The truth is, this has been happening for years and the incidents that are being reported to the press are probably only a fraction of the actual incidents. In the UK there are no legal requirements for government departments or companies to publicly disclose data losses, so you have to draw the conclusion that the only reason why the Government is being upfront about losses at the moment is because they know this is a hot issue in the press and if they didn't offer full disclosure it would probably be leaked anyway.

I was watching the news yesterday when David Miliband, the Foreign Secretary, made the remark that we cannot legislate against people having their laptops stolen from cars. That's all very well but he's missing the point entirely. You can't legislate against laptop theft but you can legislate against how data is stored and protected in the first place.

Another investigation on its own isn't going to stop this from happening again. As an Information Security Consultant who has worked with both local and central government, I've seen at first hand the systems and processes that are in place governing data protection, or rather lack of them. Unless there's a fundamental change to the approach to security within the Government this type of incident will occur again and again.

Based on my own experiences, there are a number of problems with current arrangements that make these incidents likely, including a lack of clearly defined legislation governing data security, insufficient independent regulatory oversight of security in government departments, and a lack of due diligence and contracts management when it comes to outsourcing services to the private sector.

For what it's worth, here's my two pennies worth of how I believe these issues could be resolved:

1. New legislation needs to be passed mandating strict standards for government systems

The Data Protection Act is not specific enough when it comes to requirements, and can be interpreted in a number of ways. That's why the Information Commissioner has such a hard job with enforcing the requirements and issuing penalties when things go wrong. The DPA has eight principles, one of which specifically addresses data security - Principle 7:

'Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.'

The key word here is 'appropriate'. Appropriate is subjective. The interpretation of Principle 7 in the Act itself doesn't particularly help either because it uses words such as 'reasonable measures'. In guidelines produced by the Information Commissioner supporting the Data Protection Act reference is made to more specific security requirements, but it can be argued that there is nothing on the Statute book that specifies the exact minimum requirements for protecting personal data. Similarly the Act does not properly reflect new technologies and new threats.

The government could address this by first updating the Data Protection Act to strengthen requirements which I believe it is already planning, but also implement new legislation that specifically addresses security standards for Government held data. This should be something similar to the US Federal Information Security Management Act (FISMA). FISMA is a comprehensive framework that has strict requirements for all federal agencies. The UK legislation would need to make it clear that government departments are required by law to implement the requirements of the HMG Manual of Protective Security, HMG Information Security Standards, as well as the recently published Information Assurance Policy. Whilst the MPS and security standards have been around for a while now, the continuation of these types of security breaches just goes to show that they are not being properly implemented or enforced.

2. The CSIA and CESG should be given a larger budget and more powers

In 2003, the Central Sponsor for Information Assurance (CSIA) was established in the Cabinet Office with responsibilities for providing strategic direction in information assurance across all government departments, guided by a National Strategy for Information Assurance.

CESG (the Communications-Electronics Security Group) is the Information Assurance arm of GCHQ (GCHQ is responsible for electronic surveillance, similar to the NSA in the US) and acts as the National Technical Authority for the UK Government, similar to the National Institute of Standards and Technology (NIST) in the US. However, if you look at the output of CESG and the need for CESG to rely on private sector specialists to carry out work on their behalf (through the CLAS scheme), it's clear that they have a long way to go before their standards become as clear or prolific as NIST's, or they have the ability to address Government security in the way that NIST is doing through the FISMA Implementation Programme.

As for the CLAS programme, even though HMG Security Standards specify that IT projects should go through formal security accreditation by a CLAS consultant, many don't.

It seems to me that both CSIA and CESG don't have the budget or resources to properly fulfil their obligations, because if they did, we wouldn't keep having to read about data losses. If the CSIA and/or CLAS had the powers and resources to carry out regular, in-depth audits of all government departments and carry out full security accreditation and certification then issues such as poor data handling procedures and lack of encryption on laptops and backup tapes would be picked up and addressed.

3. Government departments should be given a dedicated Information Security budget

This may have changed now but from what I've seen IT security expenditure is usually taken out of the general IT budget. Companies that have good security generally ring-fence approx 15-20% of their IT budget specifically for security. Government departments should do the same.

4. Government departments should be subjected to more stringent regulatory oversight

When the Nationwide Building Society was fined £1 million by the Financial Services Authority (FSA) after a laptop was stolen containing thousands of customers' banking details, this was enough of a wake-up call to other banks to finally implement the end-device security programmes that their security departments had been recommending. A good proportion of the banks are now using technology such as that provided by the likes of PointSec and Safeboot to lock down laptops and encrypt the hard drives. I personally use TrueCrypt on my home laptop, which is open source (free).

Government departments should be subject to similar compliance penalties. Now I'm not one who particularly believes that financial penalties for public sector bodies are the right way to go. After all, it's tax payers' money that pays the penalty and it's tax payers, not company directors or shareholders as with a PLC, who ultimately lose out because there's less money to put into government services. However, it's clear that the current situation, where the Government suffers some embarrassment and a Civil Servant is forced to hand in his resignation (sometimes, not always), is not enough of a penalty. This is a tricky one, because if the penalties are severe then the departments concerned will be less likely to publicly disclose the incident in the first place.

How about this: what if (1) a law was introduced similar to the California Security Breach Notification Law making it compulsory to publicly disclose security incidents that impact personal data, and (2) senior management and ministers are made directly accountable for any security breaches. Depending upon the severity of the incident the Civil Servant up to the Minister and finally the Secretary of State will be forced to resign (completely from Government, not just shuffled to another post) and/or personally fined. That could work?

By the way, I believe strongly that a security breach notification law should be introduced that also applies to all companies. I've seen many a security breach that has been completely covered up internally and not even reported to the authorities through fear of damage to reputation and contractual penalties.

5. Improve due diligence and contracts management for outsourced contracts

The scary thing is that large parts of government services have been outsourced to the private sector, and many of these private sector companies have not made the investment in security that you would expect when we're talking about the protection of government systems and government held data.

I've seen at first-hand how companies bid for government contracts, promise the world in the bid so that they'll win the contract, and then fail to deliver what they've promised and get away with it because the Government doesn't carry out sufficient due diligence before awarding the contract, or in-depth audits for the duration of the contracts.

The likes of EDS and Capita have large multi-million pound contracts to manage a huge proportion of government IT systems and services. Some of these contracts run for 10 years and were written at a time when security wasn't the issue it is today. Even the contracts that are written today don't go far enough to mandate security requirements. The contracts that I've seen have some reference to the Manual of Protective Security and usually state that providers should 'demonstrate compliance with' ISO 27001 - the international best practice standard for Information Security Management. However, there's a big difference between compliance and certification.

ISO 27001 certification should be a minimum requirement; at least this would demonstrate that the company has a formal security risk management and governance framework in place, and that this has been independently verified by an external auditor. However, even this does not go far enough. I help companies achieve ISO 27001 certification and I know how easy it is to get certified by simply choosing the right auditor (there's a massive difference between success criteria from one auditor to the next) and producing documentation that looks the part but does not necessarily reflect reality. Government contracts should specify in detail the exact security requirements. Instead of having security specifications which have ambiguous statements like 'Data should be protected according to risk' they should say, for example, 'data held on backup media must be encrypted, and as a minimum AES with a 256-bit key must be used'. This would make it clear to service providers that investment in technology such as data encryption is not optional.
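A clause that says only "AES with a 256-bit key" is still under-specified: the mode of operation and an integrity check decide whether a tampered tape is detected or quietly decrypted into garbage. The Go program below, an added example that is not from the original post or from any of the vendors named above, shows what a testable form of that requirement looks like for both the backup-media case here and the laptop full-disk case mentioned under point 4: a random 256-bit data key (in a real deployment wrapped by a key manager or HSM; here generated in-process, which is an assumption), AES-256-GCM with a fresh nonce per blob, and a media label bound as additional authenticated data so that a modified or mislabelled medium fails to open. The sample record and tape label are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// keySize is 32 bytes for AES-256. A 16-byte key would silently select AES-128,
// which is exactly why a contract clause must state the key length, not just "AES".
const keySize = 32

// NewBackupKey returns a fresh random 256-bit data-encryption key.
// Assumption for this example: the key is held in memory by the caller. In a
// real backup system it would be wrapped by a key manager or HSM and never
// stored alongside the media it protects.
func NewBackupKey() ([]byte, error) {
	key := make([]byte, keySize)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	if len(key) != keySize {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts one backup blob with AES-256-GCM and returns nonce || ciphertext || tag,
// so the medium carries everything needed to decrypt except the key. GCM also
// authenticates the data: a flipped byte on the tape is rejected, not decrypted.
// label (for example a tape ID and date) is bound as additional authenticated
// data: it stays in clear text on the medium, but changing it invalidates the tag.
func Seal(key, plaintext, label []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	// A nonce must never repeat under the same key. A random 96-bit nonce per
	// blob is fine at backup-job volumes; a counter is the usual alternative.
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, label), nil
}

// Open reverses Seal and fails closed on any change to nonce, ciphertext, tag or label.
func Open(key, sealed, label []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize() {
		return nil, errors.New("sealed blob too short")
	}
	nonce, ct := sealed[:aead.NonceSize()], sealed[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, label)
}

// RoundTripOK exercises the properties an auditor should actually test rather
// than take on trust: the record comes back intact with the right key and label,
// a one-byte change to the medium is rejected, and a relabelled medium is rejected.
func RoundTripOK() (bool, error) {
	key, err := NewBackupKey()
	if err != nil {
		return false, err
	}
	// Constructed sample data; the NI number prefix QQ is never issued.
	record := []byte("name=A N Other;ni=QQ123456C;dob=1970-01-01")
	label := []byte("tape-0001/2008-01-20")

	sealed, err := Seal(key, record, label)
	if err != nil {
		return false, err
	}
	got, err := Open(key, sealed, label)
	if err != nil || !bytes.Equal(got, record) {
		return false, err
	}
	tampered := append([]byte(nil), sealed...)
	tampered[len(tampered)-1] ^= 0x01 // corrupt the last tag byte
	if _, err := Open(key, tampered, label); err == nil {
		return false, errors.New("tampered blob was accepted")
	}
	if _, err := Open(key, sealed, []byte("tape-0002/2008-01-20")); err == nil {
		return false, errors.New("relabelled blob was accepted")
	}
	return true, nil
}

func main() {
	ok, err := RoundTripOK()
	fmt.Println("AES-256-GCM backup round trip ok:", ok, "err:", err)
}
```

Note what the clause gains from being written at this level of detail: a reviewer can check key length, mode, nonce handling and the tamper test directly, instead of arguing over what "appropriate" means.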

As for due diligence, what tends to happen in my experience is that bidding companies are asked to provide copies of company security policies and standards. This is not good enough. Just because the security policy stipulates that a certain level of security is required that doesn't mean that it's standard practice for the company to implement it. No, there needs to be thorough due-diligence which includes in-depth investigation, inspection of systems and processes, and even visits to reference sites.

Furthermore, once the contract is awarded, it's not good enough, as is usually the case at the moment, to simply send out an annual security questionnaire to the service provider. Again, just because someone puts some good sounding words in a completed security questionnaire it doesn't mean that those answers reflect reality. There needs to be regular, full, independent audits of all aspects of the IT environment and services being provided.

Anyway, I've said my piece. How are we supposed to trust that the UK national ID card programme will securely hold our biometric identifier, an identifier that we can't revoke or change, or that the NHS Spine, which has been contracted out to BT, will securely hold all our health records? You may think: so what if someone gets hold of my personal information, they can't do anything with it. Think again. The risk of identity theft should not be underestimated. Identity theft is said to be the fastest growing crime and with a few pieces of personal information it's possible for a fraudster to take over your entire life - access your bank account, get your mail redirected, get identity documents such as passports and driving licences issued to them in your name with their photo. There are many documented incidents that prove this is happening all the time.

I worry because my details are on UK and Australia government systems!

When I read about the loss of the Royal Navy laptop it made me wonder if I could be affected. It's been over 16 years since I joined the Navy but 600,000 records were lost and there are only 36,500 personnel currently in the Navy. I know the 600,000 figure includes people who have just expressed an interest in joining the Navy but even so, it makes you wonder how many years back the records go. After all, if they're allowing full recruitment records to be copied out of a central database and onto a laptop, and they're not encrypting the laptop hard disk, they're probably not doing much to enforce the fifth principle of the Data Protection Act - 'Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes'.

Monday, January 14, 2008

Schmap Brisbane

I forgot to mention, in follow up to my I'm on the Schmap Brisbane Short-list post, it's been confirmed that my photo has been included. The page is here - http://www.schmap.com/brisbane/tours_tour1/#p=131021&i=131021_4.jpg

Normal Service Resumes

The worst of the weather seems to behind us so it was business as usual this weekend. A lot of time was spent in the pool. We had a BBQ Saturday night with the neighbours, and I managed to get a gym session in on Saturday and a game of golf on Sunday morning.

The golf was hard work to say the least. Not just because it was the first time that I've played since coming to Australia and consequently I was rubbish (well, to be honest, I'm rubbish most of the time), but also because of the overbearing humidity. We only did 9 holes but by the end of it I looked like I'd just come out of the swimming pool, the sweat was dripping off me. Not an attractive look! I was speaking to someone from Melbourne last week and they said that even though Melbourne has been suffering 40 degree heat in the last few weeks, in Brisbane it feels like 40 when it's 30 due to the humidity. I dread to think what it's like when it reaches 40 degrees here! Thank God we have the use of a pool. On that note I've been really proud to see how well Lauren's swimming has come on in the last few weeks. She's like a fish now. Her confidence has grown in bounds and she's jumping in and swimming underwater, something she wouldn't do only 2 months ago.

On the work front I'm being kept really busy. I've got 3 client projects, all 3 of which have strict deadlines to achieve security compliance or certification by March/April. So all of the clients are panicking in one way or another and in turn they're piling the pressure on me to complete the work for them. Luckily, a lot of the work I do for one client can easily be copied (with a few tweaks) over to the next so to them it looks like I'm delivering way above expectations. Nevertheless, I don't think I've had a job since being on operations in the Navy where I've been constantly rushed off my feet. I don't mind though. The days go quick and after all, it is only 4 days a week.

On the business front development is continuing at a snail's pace. Every time I think the developers are close to finishing and getting ready for handover I find another problem. After this is finished I reckon I can write a book about what to do and what not to do when outsourcing work to India!

Sunday, January 06, 2008

I'm not the only one!!

Yes, I got burnt - again! But I'm not the only one, Daryl has too. He didn't even realise at first; he's getting redder as the evening progresses and we're glowing like little berries. There's only Lauren who isn't red - she's a gorgeous colour (with a permanent white bikini on). It's a good job we look after her and always put her cream on. I just wish I'd remember this pain next time I attempt to leave the house without any on.

It just shows how strong the sun is when the clouds clear here - let it be a warning to our visitors (to come): forget your factor 8 and 15, it's 30+ here all the time.

Finally Some Sun

It finally stopped raining long enough this weekend for us to get some sun and take a dip in the pool. In fact Rach even got sunburnt. Again. Will she ever learn?

The whole xmas and new year period has been a complete wash-out. Brisbane has succumbed to the effects of the El Niño phenomenon, which is causing monsoon conditions all along the coast of Queensland. What I don't understand however, is how come after all the rain we've had the dam levels are still only at a combined level of 21.13%. Every time we get a good soaking of rain it seems to completely miss the dams. So it looks like there'll be no end to the level 6 water restrictions any time soon.

It was really hard getting into the xmas spirit this last year. Listening to Bing Crosby sing White Christmas didn't quite seem right when we were sweating due to the high humidity! As per usual xmas crept up on me from nowhere and I had to rush about at the last minute buying presents.

I was in Sydney all week again the week before xmas and it was hell! I did have plans to get some xmas shopping done in Sydney but the mass of people was horrendous. I can't understand people who go for a weekend away xmas shopping in the major cities. I had to literally push my way through people just to get from one street to the next.

Back to work tomorrow. It's been a nice break having two weeks off but the weather has made it a bit of a let-down as I've hardly left the house. I bought some new golf clubs last week so we went to the driving range yesterday to try them out. On the way I stopped off and bought Lauren a junior set so she could have a go. She loved it. There's a par-3 9-hole course near us so hopefully it will be nice next weekend and we can go for a game.