Friday, June 2, 2006

IPCC incident 3

EGRIN IT Focus Group is holding an IT security seminar next week. I hope everyone has enrolled. One recent example of this important topic is the IPCC incident. Members interested may wish to take a look at this LegCo webpage on the meeting of the LegCo Panel on Security held last month. It contains the IPCC report on the incident, plus papers from the Administration on information security guidelines and information security update.

The IPCC report is a plain report. It does not have any element of investigation, nor judgment. It is about what we read in the newspaper, plus some empty promises that they will be more careful next time. There are also some basic human reactions like locking up the data disc and the computers, and any access to the data to be authorized. Come to think of that, isn't almost everyone in IPCC has to access the data on a daily basis as their daily job?

From the facts of the report, the problem boiled down to two elements. One was the IPCC officer giving out the data, and the second was the contractor putting the data to the Internet. Both sides were arguing that the other side was at fault. I think both of them are.

The personal data in the complaint file are sensitive data. This is a well known fact. No matter what the contractor asked, it is obvious that the data should not be left in the hand of a third party, for testing or live run. This basic security consciousness does not have anything to do with IT knowledge. Similarly, we would not let an insecure third party take our confidential files away. The argument was on whether the contractor asked for test data or real data, but I think this is not the issue. We could not blame the contractor on this point. Even the contractor did not specifically ask for dummy data, IPCC should not let the sensitive data leave its door. I browsed the IT security guidelines and they do not specify this clearly. It may leave an impression that if we correctly engaged a contractor, with confidentiality clauses or not, then we could entrust them with the data of the system no matter what. We paid them for the job, didn't we? The main point is that the contractor is only responsible for the system development and maintenance. The IT manager is responsible for the data integrity and the satisfactory acceptance of system performance.

What the contractor did in this case was a breach of professional competence. It was like a whiz kid making use the Internet for his convenience. The contractor argued that the data were not put to the Internet as alleged, because the website which linked to the data was not intended for IPCC test data. This is a misrepresentation which could fool the ignorant LegCo members. If the data were not on the Internet, how could they be accessed on the Internet. The fact was that the contractor used the service of China2easy, a public Internet service provider, and relied only on the password protection mechanism, which I think was used to control the activities of paid customers. The data were not encrypted nor were they protected from authorized and unauthorized access. We all know that the Internet is a jungle. The contractor, who is a professional technologist, should know best. Even if he thought the data were dummy, they should not be stored that way because test data still contained the database structure of the IPCC system.

But please do not misunderstand me on the faith on security. Actually OCGIO have created much rules and guidelines on IT security. We hate them because of their bureaucracy nature which created much barriers, but they are there for our protection, something which OCGIO does not do for us itself. The issue is how to get people to know and follow the guidelines. The seminar on IT security should give the guidelines some publicity. IT managers should all know them by heart.

Please also do not misunderstand me on the faith on the Internet. Properly used, it is actually a very secured place. Although we heard some horror stories now and then, we should consider that we now have eBanking, eGovernment and almost every kind of everyday activities on the Internet. All we need to do is to take reasonable precautions. For secured data like IPCC database, there are many methods of protection, ranging from data encryption, virtual private network and proper authentication, which you will hear about at the seminar.

No comments:

Post a Comment