Information security lapses revealed

20/07/2009

(CNS): Following a damning report by the Office of the Complaints Commissioner highlighting the lack of proper procedure in the disposal of electronic data by government entities, the Computer Services Department (CSD) has announced that it has formalised the procedures by which it disposes of desktop and laptop hard drives. The OCC’s Own Motion Investigation into the use and disposal of electronic data storage containers (EDSCs), which might include sensitive information or personal details, found that none of the chief officers of the ministries or portfolios, who have the legal responsibility to see that the data is disposed of appropriately, were doing so.

The report uncovered a careless attitude towards data within government: “For less than $50, a person can buy an 8GB jump drive, which is more than enough memory to save all the word-processing files typically handled by a civil servant in a year. Yet it is not uncommon for these jump drives to go missing. They are small and often treated with no greater concern than a pen or pencil carried away from the office. The OCC has witnessed jump drives tossed into vehicles, purses and gym bags.”

The OCC report, launched in January of this year and tabled in the Legislative Assembly this month, also found several instances of negligence on the part of various government entities that could potentially have resulted in sensitive information passing into the wrong hands. For example, computers from the Portfolio of Internal and External Affairs that had been donated to the prison’s educational programme could not be verified as being wiped; a private local charity had received computers from another government entity that still contained government files; and government machines with storage capacity had wound up in the Red Cross Thrift Shop.

The OCC investigated the management and disposal of a range of EDSCs, such as disks, diskettes, CDs, DVDs, USB thumb drives, tapes, smart cards, plus scanner, photocopier, camera and fax machine memory chips and PDAs, as well as computer hard drives. While all the ministries and portfolios and their departments, with the exception of the Department of Tourism and the Department of Education Services, said they relied on CSD to dispose of their IT equipment, CSD noted in the report that it seldom actually received the EDSCs back from the various departments once the department had recommended that those items be condemned, and that not all Blackberries were brought to CSD when taken out of service.

The OCC had concluded: “With the introduction of this enhanced practice of monitoring and secure disposal of EDSCs, there will be a need for all civil servants to be made aware of the importance of properly securing, maintaining and disposing of EDSCs.”

The statement issued by CSD said an increased number of government agencies are now using the department, government’s central information technology agency, to dispose of hard drives at standards that meet or exceed recommendations by the US Department of Defense (DOD). CSD noted that each agency has the right to choose how it disposes of assets, although CSD does provide recommendations on information technology (IT) disposal. In all cases condemnation requests can only be made once a department is certain of its compliance with the National Archive and Public Records Law 2007 that governs public sector records management.

Director of Computer Services, Gilbert McLaughlin Sr, noted that CSD also physically destroys hard drives as part of the disposal process. This is routinely done in the case of the central computer servers that store the bulk of government’s information, and which CSD owns. Where devices are reused, McLaughlin observed that securely cleaning storage devices can be extremely time-consuming, depending on the security level that must be met. For this reason there is a need to assign varying security levels to all data on such devices, and prioritise their disposal accordingly, the release said.

Work is already ongoing to develop government-wide policies covering the use, security, storage, and disposal of EDSCs, based on the classification of the types of information stored on them, the release said. As an example, such policies will require laptops storing data that is sensitive or private to be encrypted and disposed of in the manner appropriate to the security level of the information. By contrast, a desktop computer used as a public kiosk (such as a public-access PC in a library) might remain unencrypted and be disposed of in a secure, but less exacting, manner. CSD will also be exploring the feasibility of more environmentally friendly disposal options in conjunction with the Department of Environmental Health.

“In conclusion, CSD – and its parent agency, the Cabinet Office – reassures the public that positive steps are already being taken to create comprehensive, secure disposal processes for government-owned data storage devices. They will continue to inform the public of developments in this important area, as they occur,” the CSD stated.

In its report, however, the OCC also pointed out that electronic data is accessed remotely as well, which further complicates the issue.

“Even when the user is accessing information over the internet or using a thumb drive, an image of the file they are working on is transferred to their computer or whatever computer they are working on. While these images are not easily accessible using standard methods of file retrieval once the token or thumb drive is removed or the internet connection is broken, the information is still on the computer. If a person that wishes to retrieve that information was able to gain access to the hard drive they could, with relatively inexpensive software … access those documents,” the OCC report stated.


Comments (2)


  1. Its a Hackers Paradise! says:

    Who needs to rob Fort Knox when the CI Government will just give you everyone’s personal data for pennies on the dollar or free in most cases?? The good news is that we’re learning Cayman has had FOI for much longer than we thought. It was just headquartered in Mt. Trashmore and the Red Cross! Love it. Keep ’em coming CI government, keep ’em coming….

  2. Expat 180 says:

    So generally, what the OCC is saying is that the government/civil service/Police/legal department here is a sloppy, unaccountable, arrogant mess, with no procedures to protect its employees, integrity, data, customers/victims, procedures and undertakings.

    Is this actually news to anybody? You have a Tiger by the tail Cayman, and it is repeatedly turning round and biting your head off.