Ministry of Defence | Defence News | MOD confirms loss of recruitment data
Peter Tomlinson
ukcrypto at chiark.greenend.org.uk
Mon, 21 Jan 2008 09:29:16 +0000
Ian Batten wrote:
>
> On 21 Jan 08, at 0703, Peter Tomlinson wrote:
>> Ian Batten wrote:
>>> And that, to quote George Smiley, is my _thesis_: that we get these
>>> problems because clever civil servants can get around the Labour
>>> ministers. And they couldn't the Tory ones.
>>>
>>> ian
>>>
>> So why are the civil servants not working out how to do the job
>> properly?
> Define `properly'. I think in most environments outside spooky ones
> which live and die by compartmentalisation, and perhaps even in those,
> security is seen as the stuff that gets in the way of doing your job.
> I've got a 27001 surveillance audit today, and I tend to use issues
> raised in those as sticks to beat other parts of the businesses,
> because everyone wants to believe that all staff are honest, all
> visitors are legitimate and all access is authorised.
>
> ian
>
Ian, Richard Thomas was on R4 Today a little after I wrote my question,
and he put part of 'properly': in your terms, it needs a change in
culture away from those beliefs that you describe to one where everyone
handling data (or specifying and building and managing systems to handle
it) has a duty of care to ensure that data is protected when handled in
electronic systems. Or: moving from Microsh*t messy ways of doing things
to a more precise way (even M$ is getting better, we hear).

But I was looking somewhat further: at understanding and responding to
the gap between rigid and often badly specified systems and the real
world, changing the culture from one designed for the time when a huge
pyramid of officials were interpreting policy for the next layer down,
and were doing that all the way to the front line where the relationship
with businesses and citizens existed and information was collected,
stored and used. Deliberately I'm not trying to say how the new culture
will shape up, but clearly it needs to take on board best practice from
the quality managed private sector, in particular ensuring that what you
do is what you agree you will do and are able to do - that means
resourcing, training, making appointments in a way that ensures that
competent people get the jobs, appraisal, etc. Most of the quality
management stuff is govt policy that govt itself largely ignores in the
areas where the problems are. I believe that our civil servants
increasingly know that there are better ways, that they can find
examples of those better ways across Europe, but the people above them
are out of touch.

As Richard Thomas said, he's not concerned about the detail of whether
or not the data in a particular laptop is encrypted, because he wants to
see a cultural change in the public sector. That security technology
will have to adapt does, however, come within the scope of this list,
giving me the excuse for my rant....

Peter