The Data Protection Commissioner has released the report of the audit it conducted in the Department of Social and Family Affairs. The report highlights a number of “serious concerns” relating to the security of the personal details of over 300,000 people who avail of the Department’s services.
Some of the key findings include:
- Claim forms stored in insecure areas.
- Data extracted from the Department’s systems onto PCs, where it is held in an unprotected spreadsheet. That spreadsheet could in turn easily be copied onto a USB thumb drive or simply emailed out of the organisation.
- Weak passwords in use on systems containing sensitive information.
- Data sent to other agencies, such as the Garda National Immigration Bureau, on unencrypted CDs.
- Weak auditing in systems, making it very difficult to determine who did what.
- Lack of control over endpoint security to prevent data leakage using USB devices such as memory sticks, MP3 players and iPods.
All of the above highlight significant shortcomings in the Department’s security management system, and they should be addressed as a matter of urgency.
Unfortunately we seem to be reading more and more press stories about government agencies not treating this kind of information with the care it requires. It is about time that the security and well-being of this country’s citizens were taken seriously by the various government departments, and that they took a structured and systematic approach to securing our data.
The ISO 27001 information security standard provides a consistent, reliable framework upon which any organisation can build its security programme. Having worked with the standard for many years I can testify to the significant improvements it brings to the management of information security.
The Department has recently posted a Request for Tender for the provision of a “security partner to provide ongoing Information Security Support”. Here’s hoping that whoever wins that contract has the full support of the Department and the necessary resources, such as budget and management backing, to deliver on the recommendations made by the Data Protection Commissioner.
It is sad to think that the above issues are being addressed only as a result of the audit by the Commissioner, which in turn was prompted by a number of earlier security breaches. However, do take the time to download and read the report. It makes for interesting reading, and there are lessons in it that we can all take away.