3 January 2011
Happy New Year… enough of festive frivolities – back to blogging….
The security implications arising when officials lose IT equipment has been highlighted by the Inspector General for the US Government Printing Office. That agency is unable to account for 88 laptops (from a sample of 304). As many as 314 GPO lap tops may have been lost over the last five years. The probability is that some will hold sensitive data. Many were allocated to the branch responsible for developing and supplying the US e-passport.
There are already doubts whether the e-Passport will secure the holder’s biodata as intended. For more than 12 months the chips for the e-Passport were manufactured in Thailand, in an uncontrolled factory. Someone with access to e-Passport components could make a clone that would foil the electronic security system.
The audit report of ethical practices in the Government Printing Office makes for interesting reading. There is no equivalent systematic appraisal of processes published on the website of any New Zealand agency.
The loss of data storage devices creates the same sort of operational and reputational threat to agencies in New Zealand as elsewhere. In mid 2010, the Privacy Commissioner investigated agency controls on portable storage devices, such as USB sticks, cell phones, iPods, PDAs (personal digital assistants), and smart phones such as BlackBerrys and iPhones. Few agencies have substantive controls and processes to account for these devices. The research found that more than 120 devices were known to have “gone missing” over the preceding 12 months from 42 agencies surveyed.
The Privacy Commissioner’s guidance recommends publishing an agency policy and setting up controls. These should include using software to track use of portable storage devises, data encryption, keeping a register of devices, and regularly accounting for them.
Interestingly kiwiblog.co.nz yesterday commented about agency IT systems, not relating to the way information is protected, but in response to criticisms about the number of games which had been entered into the Department of Labour system, as noted by the chief executive replying to an Official Information Act request.