Tuesday, March 14, 2006

IPCC incident

This is a very unfortunate incident, especially as it happened in the IPCC, a department almost exclusively staffed by EOs. Please see the latest press report below. Barring an intentional malicious act by persons with proper authorization to access the data, which no IT security system could prevent, the data leakage seems to stem from negligence, or from ignorance of or indifference to data security. Basically, this has nothing to do with IT. If you needed to contract out the counting of money, or the re-indexing of many personnel files, would you let the contractor take them away to sort them out? Electronic data are of equal importance.

I think many colleagues have had similar experience from the recent exercise of the eLeave project. Many departments contracted out the project, which involved the conversion of personal bio-data as well as old leave records. These small IT projects belong to HR managers and are mostly handled by EOs. I understand that all conversion work was conducted within the premises of the departments using office PCs and the LAN. Grateful if colleagues would share their experience. Are there any eLeave systems using OGCIO's hosting service, which has just been contracted out as well?

This case is a strong illustration that IT management has become an essential management field, closely integrated into everyday management work. In all smaller departments or offices, managers (aka EOs) are the de facto persons responsible for the management of IT systems, which are part of all office systems. For large IT systems, the management aspect is so complex that professionals in resource and system management (aka EOs) are required. It is obvious that the EO grade needs to be prepared, at a very early stage, for the provision of such professional managerial service.

There is some IT training for EOs, mainly on the use of office tools like MS Office, network administration, database administration, system development, etc. While all of these are useful for IT awareness, I think more advanced topics on IT management are required. Word/Excel/LAN administration are actually clerical work. While managers need to know what they are, there is no need for intensive training; it is like training EOs to type or to index files. Instead, we should make reference to the topics taught in university IT management courses: IT security, IT project management, data privacy law, contract management, etc.

The most essential move, which is the responsibility of grade management, is to promote IT management as a professional stream of EO work. Strategic steps should be in place to identify and develop IT management professionals within the grade and to create a proper career for them. There is no need to worry about the fast-developing technology, which can be obtained from the market. Just like in any other management stream, managers need to keep abreast of the general development in their field, and such general information is readily available from newspapers and journals. When managers are in posts with good recognition and prospects, they will seek out such general information as part of the job and equip themselves properly.


[Ming Pao report] After a thorough investigation, the IPCC's expert panel found that the personal data of about 20,000 members of the public who had lodged complaints against the police, including names, addresses and identity card numbers, had begun leaking as early as 2004 and had been circulating on the Internet for three years. The investigation panel attributed responsibility to the outsourced contractor: the IPCC had at the time handed a disc containing the database to the contractor for "format conversion", and the contractor, for convenience, uploaded the data to a server, which resulted in the leak.

IPCC chairman Wong Fook-hum (黃福鑫) announced the findings of the investigation yesterday. He pointed out that the complaint data leaked because, during 2004, the police Complaints Against Police Office (投訴警察課) transferred complaint data to the IPCC on disc, but the IPCC's computer system at the time ran Windows 98 and differed from that of the Complaints Against Police Office, so an outside contractor was needed to convert the format. For convenience, the contractor placed the data on an FTP server without setting a download password.

In handling its personal data procedures, the IPCC also did not consult the Office of the Privacy Commissioner for Personal Data. The IPCC admitted that the data had leaked and circulated online for as long as three years; the cases involved date from 1996 to 2004, and seven of the complaints are still under investigation. The Council believes those investigations are not affected by this incident.

In addition, the IPCC is extremely concerned about the possibility of the leaked data being misused, stressing that using the data without the consent of the persons concerned is a breach of the law and may result in a warning and prosecution. The IPCC has appointed computer professionals to trace the records of who viewed and downloaded the data over the past three years.

Asked whether the incident involved human negligence, Wong said he believed there would be a "public verdict"; the Executive Officer responsible for handling the data has applied for leave on his own initiative since Saturday. As the incident occurred in 2004, Wong frankly admitted he was not yet chairman at the time, but there was no denying that the incident posed a severe test of the IPCC's credibility.

Wong said the IPCC would set up a sub-committee to reach out to and assist affected members of the public who seek help. In addition, they would immediately carry out a series of measures, including upgrading the computer system and tightening the access requirements for viewing complaint data.

Roy Ko Wai-tak (古煒德), manager of the Hong Kong Computer Emergency Response Team Coordination Centre, said the contractor bore considerable responsibility in the incident. He said the contractor only needed to build a conversion program for the IPCC, and the IPCC could then have done the conversion itself, with no need to let anyone else access the important data. He doubted the contractor had sufficient experience; in addition, the IPCC should have considered the contractor's reliability when selecting it.
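The remedy the HKCERT manager describes in the report, and the point made at the top of this post about not letting a contractor take the records away, can be shown concretely. The following is an added example, not code from the original post or from the IPCC or its contractor: the contractor develops and tests the conversion program against a keyed-pseudonym copy of the records, while the real disc never leaves the office and the conversion is run in-house. The legacy pipe-delimited layout, the new CSV layout, the field names and all records are constructed and hypothetical; the HMAC key is assumed to stay in-house.

```python
"""Added example (not from the original post): keep real personal data in-house
when a file-format conversion is outsourced.

The contractor receives a masked copy of the records to build and test the
conversion program; the department then runs that program itself on the real
data. All records, field names and both file layouts are constructed."""
import csv
import hashlib
import hmac
import io

# Constructed sample of the legacy export (pipe-delimited, hypothetical layout).
LEGACY_EXPORT = """\
CASE|NAME|ADDRESS|HKID|FILED
C-1996-0001|CHAN Tai Man|Flat 3, 12 Sample St, Kowloon|A123456(7)|1996-03-02
C-2004-0420|LEE Siu Ming|8 Example Rd, Sha Tin|B987654(3)|2004-11-19
"""

FIELDS = ["CASE", "NAME", "ADDRESS", "HKID", "FILED"]
SENSITIVE = {"NAME", "ADDRESS", "HKID"}   # fields that must never leave the office
NEW_FIELDS = ["case_no", "complainant", "address", "hkid", "filed_on"]


def parse_legacy(text: str) -> list[dict]:
    """Parse the pipe-delimited legacy export into one dict per record."""
    reader = csv.DictReader(io.StringIO(text), delimiter="|")
    return [dict(row) for row in reader]


def mask_for_contractor(records: list[dict], key: bytes) -> list[dict]:
    """Replace identifying fields with keyed pseudonyms (HMAC-SHA256 tags).

    The key stays in-house, so the contractor sees stable but meaningless
    tokens while the record structure stays intact for development/testing."""
    masked = []
    for rec in records:
        out = dict(rec)
        for field in SENSITIVE:
            tag = hmac.new(key, rec[field].encode(), hashlib.sha256).hexdigest()[:12]
            out[field] = f"{field}_{tag}"
        masked.append(out)
    return masked


def leaked_identifiers(text: str, real_records: list[dict]) -> list[str]:
    """Return every real sensitive value found in text that is about to leave
    the premises; an empty list means the package is clean."""
    return [rec[f] for rec in real_records for f in SENSITIVE if rec[f] in text]


def contractor_package(text: str, key: bytes) -> str:
    """What actually goes to the contractor: masked records in the legacy layout,
    checked against the real values before release."""
    real = parse_legacy(text)
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS, delimiter="|", lineterminator="\n")
    writer.writeheader()
    writer.writerows(mask_for_contractor(real, key))
    package = buf.getvalue()
    if leaked_identifiers(package, real):
        raise RuntimeError("real identifiers present in outgoing package")
    return package


def convert_to_new_format(records: list[dict]) -> str:
    """The contractor's deliverable: legacy records -> CSV in the new system's
    (hypothetical) layout. Run in-house on the real data; nothing is uploaded."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=NEW_FIELDS, lineterminator="\n")
    writer.writeheader()
    for rec in records:
        writer.writerow({
            "case_no": rec["CASE"],
            "complainant": rec["NAME"],
            "address": rec["ADDRESS"],
            "hkid": rec["HKID"],
            "filed_on": rec["FILED"],
        })
    return buf.getvalue()


if __name__ == "__main__":
    key = b"in-house-only-demo-key"          # assumed to never leave the office
    print(contractor_package(LEGACY_EXPORT, key))          # goes to the contractor
    print(convert_to_new_format(parse_legacy(LEGACY_EXPORT)))  # run locally on real data
```

The masked copy keeps the same layout and record count as the real export, so the contractor can write and test `convert_to_new_format` without ever holding a name, address or ID number; the `leaked_identifiers` check is the release gate a practitioner would want before anything is copied off the office LAN.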
