LPS 1224 Issue 3: ‘Requirements for Secure Database Register’ specifies requirements for companies providing third party secure asset registration services within the UK. The new issue of the Loss Prevention Certification Board (LPCB) standard is said to be based on the “very latest Best Practice” regarding information security.
The updated standard now encompasses services that use Internet, e-mail, postal and fax-based information transfer. The minimum requirements defined in the standard are designed to prevent unauthorised viewing, manipulation or destruction of information registered on secure asset registers, while also ensuring that information is suitably accessible to approved registered keepers of assets and those legally entitled to verify details of the registered keeper (for example, law enforcement officers investigating a loss or theft).
LPS 1224 requires service providers to undergo thorough assessments of their facilities, systems and processes before approval is granted, and regular auditing to ensure those stringent standards of compliance demanded to achieve approval are duly maintained at all times.
Red Book of approved services
A full list of verified asset registration services will appear in the Red Book list of approved security and fire services. Published free of charge in paperback, CD and web formats, the Red Book is used by security and fire system specifiers the world over.
The truism that the loss of personal data not only has a detrimental effect on the individual concerned but can also have a highly damaging impact on the organisation holding the information was amply evidenced over the weekend with the news that an Atos Origin employee managed to lose a memory stick which could have left the private details of 12 million people open to abuse by hackers.
Atos Origin manages the GB pound 18 million Gateway web site, which allows members of the public to access hundreds of Government services including self-assessment tax returns, pension entitlements, child benefits and details of parking tickets. The memory stick was discovered in a pub car park in Cannock, Staffordshire near to Atos Origin’s base. An employee who broke the rules by removing the data is undergoing disciplinary procedures.
Yet again, the Government appears determined to sweep another data loss incident under the carpet. In this morning’s press, Prime Minister Gordon Brown simply said: “Mistakes happen”.
Instructions to Government ministers
Work and Pensions Secretary James Purnell wad forced to issue an apology on Saturday after he left confidential ministerial correspondence on a train. In response, the Prime Minister has urged Cabinet Secretary Gus O’Donnell to send out fresh instructions to ministers over how sensitive data must be handled.
“There are very strict rules about information being outside buildings and these have to be followed,” Prime Minister Brown told the BBC. “This recent case with a private company [Atos Origin], where information about individuals has been lost, makes me even more determined to root out this problem.”
The Mail on Sunday, which broke the story, said the memory stick might allow someone to access the personal details of the 12 million people registered on it – but a spokesperson for the Department of Work and Pensions suggested that the device contained user names and passwords for testing an old version of the system, and that all of the information was encrypted.
“We have moved immediately to make sure there is no conceivable risk to users of the Government Gateway, and we’re convinced its integrity hasn’t been compromised. On the basis of an initial examination of the contents of the memory stick, it’s our experts’ opinion that the contents would not allow anyone to breach the very strong security safeguards protecting the web site.”
Simply not good enough
The Prime Minister is also quoted as stating: “We can’t promise that every single item of information will always be safe because mistakes are made by human beings.” However, Shadow Justice Secretary Nick Herbert countered: “Private information is entrusted to the State. It’s about time Gordon Brown accepted his responsibility to make sure it’s held securely.”
Technological measures such as endpoint security software offer policy-based control for portable storage devices and ports including USB ports, CD Roms, storage devices and MP3 players, as well as granular access control, auditing and shadowing of files and other sensitive data copied between PCs and Windows mobile-based devices.
This ensures that no information can be removed or copied from the corporate system without permission. Rather than disable the port completely, it can offer a layer of management such that the IT Department may change settings as appropriate from a central location making the solution completely flexible.
For example, organisations can centrally define which types of data specified individuals or groups are allowed to download on to a mobile device. This added layer of protection prevents employees from using their corporate and personal computing resources to extract valued information beyond the scope of their jobs and outside the guidelines of IT security.
LPS 1224 Issue 3: obtaining a copy
For details on how you can obtain copies of the new LPCB standard 1224 click on the link provided on the right hand panel of this page.