Department of Transport - ISO27001 will help you save face
Some free advice for the Department of Transport.
My last blog entry about eNatis seems to be exactly what the D.O.T is trying to tell everyone: "leave us alone, everything is fine except the website which is in no way linked to the personal data was hacked".
Hey, even uber-hacker (did I really use that term?!) Kevin Mitnick had his web site hacked. It happens, and what we should be worried about is not the website but the data in the database. Who cares if some kid scribbles junk on a website? You should care if he manages to get at the data itself: your credit card details and personal information like name, address, ID number and car registration number, either accessing it for himself to use elsewhere (loss of confidentiality) or changing the information (loss of integrity).
I do believe that the press is squeezing this story for more than it is worth because, well, they need news and this is an easy target. But it's also easy news to print because of all the issues that eNatis has had in the past and the lingering doubt that the Auditor General's report brought about.
The department tried to stop the report from being made public, because it said that the system was very insecure. The department followed up with a statement that the system had since been fixed, which is quite an easy thing to say but not very convincing.
I think that we as the public who are forced to put our private information in this database (or alternatively don't have a vehicle or license to operate one) should insist that the system and processes around it be certified in some way. My choice would be ISO 27001 but there are other similar certifications and I'd be happy with any one of those.
But really, the D.O.T should be proactive on this and not wait for public backlash; they should investigate security measures now so that when the inevitable audit comes, they are ready.
And when the media jump on something silly like a minor website hack, they would have their ducks in a row to argue back.