Securify This! by Liam Tung

A hard look at the latest developments in IT security with a real world perspective.

D'Ascenzo: Read p23 of security review

Posted by Liam Tung @ 16:40 2 comments

Following yesterday's admission by the Australian Taxation Office that its courier had lost a CD containing the details of 3,000 self-managed super funds, the ATO says it wants to review how it handles information. My suggestion: go back to the review completed in April.

I could see tax commissioner Michael D'Ascenzo wipe a bead of sweat from his brow and sigh with relief when he was told the CD only affected 3,000 people and not 25 million, as in the case of its UK counterpart Her Majesty's Revenue & Customs' (HMRC) missing CDs.

In the absence of data breach disclosure laws, it was commendable of D'Ascenzo to disclose the loss, but I find it surprising the ATO isn't already encrypting files on CDs it sends out into the wild.

As security consultant Chris Gatford, from penetration testing firm Pure Hacking, told me, placing files in an encrypted Zip folder ain't "rocket science"; you just need good key management practices.

The ATO reckons the lost CD is a "low risk", because for theft (ID or financial) to occur, a person would need access not just to the individual's name, address, and tax file number — the details contained on the CD — but all their account information too.

Still, the last time I spoke to the ATO's CIO Bill Gibson, he was spooked by the HMRC data breach. That incident and another CD lost by the ATO had prompted it to commission a 72-page review of its handling of information, which was done by PricewaterhouseCoopers (PwC).

The ATO paid a wad of taxpayers' money for PwC to conduct that review, called "Australian Taxation Office: Information Security Practices Review" (PDF), but following this incident it wants to conduct yet another review of its handling of information.

My message to Michael D'Ascenzo: scroll down to page 23 under the heading "Information leakage — Potential hot spots". You don't need to conduct another review. Here's what it said back in April:

"Information [at the ATO] exchanged without a consistently applied security mechanism to guard against unauthorised disclosure or loss, including: international transfer of classified information using relatively low grade encryption; unencrypted files, or non password-protected files, transferred on physical media such as CD-ROM or electronically via email."
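The review's complaint about unencrypted or weakly protected files on CD-ROM translates into a simple control: inspect what is about to leave the building before the courier takes it. Below is an added example, not code from this post, the ATO or PwC. It reads the central directory of each ZIP archive destined for removable media and flags entries stored in the clear, entries protected only by legacy ZipCrypto (the PKWARE stream cipher, long known to be weak) and entries using the WinZip AES extension (compression method 99 with extra field 0x9901). The sample archives are constructed in memory by a minimal builder so the check runs offline; the function names `audit_archive`, `release_allowed` and `build_zip` are this example's own, and the payload bytes are constructed placeholders, not real taxpayer data.

```python
"""Pre-dispatch check for ZIP archives burnt to removable media (added example)."""
import struct
import zlib

LOCAL_SIG = 0x04034B50      # local file header signature
CENTRAL_SIG = 0x02014B50    # central directory entry signature
EOCD_SIG = 0x06054B50       # end-of-central-directory signature
FLAG_ENCRYPTED = 0x0001     # general purpose bit 0: entry is encrypted
METHOD_STORED = 0
METHOD_AES = 99             # WinZip AE-x marker in the compression method field
AES_EXTRA_ID = 0x9901       # WinZip AES extra field id


def _has_aes_extra(extra: bytes) -> bool:
    """Walk the TLV extra-field list and look for the WinZip AES record."""
    pos = 0
    while pos + 4 <= len(extra):
        field_id, size = struct.unpack_from("<HH", extra, pos)
        if field_id == AES_EXTRA_ID:
            return True
        pos += 4 + size
    return False


def audit_archive(data: bytes) -> list:
    """Return [(entry_name, verdict)] with verdict in UNENCRYPTED / ZIPCRYPTO / AES."""
    eocd = data.rfind(struct.pack("<I", EOCD_SIG))
    if eocd < 0:
        raise ValueError("not a ZIP archive (no end-of-central-directory record)")
    _sig, _disk, _cd_disk, _n_here, n_total, _cd_size, cd_offset, _clen = \
        struct.unpack_from("<IHHHHIIH", data, eocd)
    results = []
    pos = cd_offset
    for _ in range(n_total):
        fields = struct.unpack_from("<IHHHHHHIIIHHHHHII", data, pos)
        sig, flags, method = fields[0], fields[3], fields[4]
        name_len, extra_len, comment_len = fields[10], fields[11], fields[12]
        if sig != CENTRAL_SIG:
            raise ValueError("corrupt central directory")
        name = data[pos + 46:pos + 46 + name_len].decode("utf-8", "replace")
        extra = data[pos + 46 + name_len:pos + 46 + name_len + extra_len]
        if not flags & FLAG_ENCRYPTED:
            verdict = "UNENCRYPTED"          # the case the PwC review complains about
        elif method == METHOD_AES and _has_aes_extra(extra):
            verdict = "AES"
        else:
            verdict = "ZIPCRYPTO"            # "relatively low grade encryption"
        results.append((name, verdict))
        pos += 46 + name_len + extra_len + comment_len
    return results


def release_allowed(data: bytes) -> bool:
    """Policy: media may be dispatched only if every entry is AES-protected."""
    return all(verdict == "AES" for _, verdict in audit_archive(data))


def build_zip(entries) -> bytes:
    """Construct a minimal ZIP (stored entries, no data descriptors) for the demo.

    entries: list of (name, payload, flags, method, extra). This builder does not
    encrypt anything; 'encrypted' payloads are opaque placeholder bytes and only
    the headers matter to the auditor above.
    """
    entries = list(entries)
    body, central = b"", b""
    for name, payload, flags, method, extra in entries:
        name_b, offset, crc = name.encode(), len(body), zlib.crc32(payload)
        body += struct.pack("<IHHHHHIIIHH", LOCAL_SIG, 20, flags, method, 0, 0, crc,
                            len(payload), len(payload), len(name_b), len(extra))
        body += name_b + extra + payload
        central += struct.pack("<IHHHHHHIIIHHHHHII", CENTRAL_SIG, 20, 20, flags, method,
                               0, 0, crc, len(payload), len(payload), len(name_b),
                               len(extra), 0, 0, 0, 0, offset)
        central += name_b + extra
    eocd = struct.pack("<IHHHHIIH", EOCD_SIG, 0, 0, len(entries), len(entries),
                       len(central), len(body), 0)
    return body + central + eocd


# Constructed sample data: a fake record, not a real tax file number.
PLAINTEXT = b"TFN 000 000 000, J. Citizen, 1 Example St"
# WinZip AES extra record: vendor version 2, vendor "AE", strength 3 (AES-256), real method.
AES_EXTRA = struct.pack("<HHH2sBH", AES_EXTRA_ID, 7, 2, b"AE", 3, METHOD_STORED)
SAMPLES = {
    "funds_plain.zip": build_zip([("funds.csv", PLAINTEXT, 0, METHOD_STORED, b"")]),
    "funds_zipcrypto.zip": build_zip([("funds.csv", b"\x00" * 12 + PLAINTEXT,
                                       FLAG_ENCRYPTED, METHOD_STORED, b"")]),
    "funds_aes.zip": build_zip([("funds.csv", b"\x00" * 26 + PLAINTEXT,
                                 FLAG_ENCRYPTED, METHOD_AES, AES_EXTRA)]),
    "mixed.zip": build_zip([("funds.csv", b"\x00" * 26 + PLAINTEXT, FLAG_ENCRYPTED, METHOD_AES, AES_EXTRA),
                            ("README.txt", b"cover note", 0, METHOD_STORED, b"")]),
}

if __name__ == "__main__":
    for filename, blob in SAMPLES.items():
        status = "OK TO SHIP" if release_allowed(blob) else "HOLD"
        print(f"{filename}: {status} {audit_archive(blob)}")
```

A gate like this only catches archives; a plain CSV copied straight onto the disc needs a separate rule, and an AES header proves nothing about passphrase strength or how the key reaches the recipient, which is exactly the key management point Gatford makes.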

Talkback 2 comments

    Horse to water problem Anonymous -- 27/11/08

    Anything done in April is very unlikely to have trickled down into policy, procedures and training materials by now, let alone actually being implemented.

    And then there's corporate culture to deal with, and if it's anything like that in any large enterprise (commercial or government), it will thoroughly resist the security discipline required.

    Re-raise recommendation 13? Anonymous -- 30/06/09

    The PwC report includes a recommendation to provide solutions for the secure transportation of all types of information... wouldn't that include encryption mechanisms for files burnt to CD or copied to USB devices?
