Old 20-02-08, 04:35 PM   #9
Baph
Guest
 
Posts: n/a
Re: More lost data...

Quote:
Originally Posted by anna
point taken about being a separate company ... i stand corrected..

but to your second point .. a laptop that contains secure data of such nature should be encrypted. It's not a case of all laptops regardless of content, it's a case of laptops that contain this data... yes it should be encrypted and to me that is a company being incompetent if it does not secure such things and, as such, liable.
I have had very close dealings with EDS in the past, in respect of their data handling procedures.

I know first hand that there is a lot wrong with the company; however, I wouldn't go so far as to accuse them of being liable. After all, if the laptop wasn't stolen, there would be no issue regardless of any cryptography used.

Specifically in the case of HMPS databases maintained by EDS, I know there is security on those databases, to an extent whereby if you don't have the correct software, there's no chance of you getting in. However, the software to access it is freely downloadable by all. Then you only need the password, which is (usually) stored in plain text within the data itself.

I know EDS are very careful in their wording of all their contracts. The process involves EDS recommending to their clients what they feel is suitable. Then the client either OKs it or not, and you have to bear in mind that the person giving the OK may not be a technical person in respect of computing. I also know that specifically on the HMPS contract, the equipment put in place at EDS' recommendation was not sufficient for the task. I also feel the need to emphasise the past tense in my last sentence; I don't know if this is still the case.

In the case of the MOD laptops, however, it's my understanding that MOD policy is now (I don't know if it was at the time of the theft) that all data is to be securely encrypted when it is not on physically secure sites (i.e., authorised personnel only). MOD staff not following this procedure are disciplined pretty severely (data released into the public domain may be of higher importance than that already leaked, for example).

If the above policy was in place before EDS won the MOD DII contract, and they are responsible for the data in question, then they will only claim that they recommended both hardware and software, and this was OK'd by the MOD. EDS will claim that they had no working knowledge of MOD internal procedures, and lay the blame directly at the feet of the MOD.

The anecdote in computer security goes: "There is no such thing as a secure system; if an attacker has the time, resources and determination, they will gain access regardless." This is true even of the most complex cryptographic procedures the MOD have available to them. It's just that by the time the data is decrypted, we'd all probably be dead. Unless it's been cracked...