fact-check, NHS Mail
Leon Clarke
leon at leonclarke.org
Tue Jun 23 11:45:56 BST 2009
Adrian Midgley wrote:
> "NHSmail is accredited to the Government 'RESTRICTED' security standard
> and whilst the detailed requirements of this accreditation cannot be
> disclosed, we can say that NHSmail is fully secure, ... "
>
>
> How detailed does one have to get nowadays in order to go beyond
> something that can be disclosed? Apart from it having been disclosed to
> rather a lot of people who have handled restricted material and then
> left the services.
>
I was under the impression that if you wanted your system to be used for
RESTRICTED data, it needed to be certified to EAL 2 in the Common
Criteria, the detailed requirements of which are disclosed, and could be
found by anyone who could be bothered to google for them (and who can be
bothered to read BORING documents).

To me, RESTRICTED always seems to mean 'not really SECRET', and so can
hardly be called 'fully secure'. Then again, higher levels of the CC are
very expensive and a lot of hassle, and it could easily be argued that
it isn't a good use of NHS money.

Leon

More information about the ukcrypto mailing list