Secret terrorism dossier left on train....

[Xaccers]

Quote:

Originally Posted by Escapee

Documents Restricted or Secret must not be left out on desks whilst unattended, the reason is that Escorted visitors may not have the required level of clearance to view those documents.

Escorted visitors should never be left alone in the first place. I know I never was until my full pass arrived.

Quote:

All Restricted and Secret level documents should be locked away, also computers without suitable encryption should not contain any of these documents.

Difficult to work on a document if it's locked away

Quote:

The reason why breaches are made are often for very simple reasons. For example, I am not allowed to connect an unauthorised memory stick to a piece of equipment and copy files. The authorised memory sticks with encryption take 3 hours to backup some folders that take about 5 mins on an unencrypted stick.

I understand some people put them on an unencrypted stick, take them home and burn them on a CD. The CD can then be placed in a secure nachine and copied to he required location.

We have software at work which prevents unauthorised access to the USB ports.
If people want files transferred they have to submit a request and we do it for them.

Quote:

It's simple, measures are put in place to aid secuity but the impact in practice means people take more risks with data than if there was no security system in place to start with.

It's all about human nature!

Exactly, think about how people are going to use the system, and built the security around that to ensure no breaches.
As you've demonstrated, simply telling someone not to do something isn't good enough, you have to prevent them from doing it.

[Uncle Peter]

Exactly, that's the most worrying part: this person was actually authorised to take hard copies of Top Secret protectively marked documents out of the office. It wouldn't have been so bad if the document was scanned/ocr'd and stored on an encrypted computer or removable media with the appropriate level of encryption strength.

While the individual in question shouldn't have been reading the documents on the train, the procedures are just as much to blame.

[Raistlin]

Quote:

Originally Posted by Uncle Peter

Exactly, that's the most worrying part: this person was actually authorised to take hard copies of Top Secret protectively marked documents out of the office.[...]

I'll think you will find that they were most certainly NOT authorised to take that particular document out of the office. Their authorisation will have extended only as far as to grant them access to it and to retain it (in an appropriately secured container/location).

I wouldn't want to try to pre-empt the outcome of any investigation, but I would be quite happy at this stage to guess that the decision to remove that document from its appropriately secure environment was most likely down to the individual and would almost certainly not have been authorised.

[Uncle Peter]

Quote:

Originally Posted by Raistlin

I'll think you will find that they were most certainly NOT authorised to take that particular document out of the office. Their authorisation will have extended only as far as to grant them access to it and to retain it (in an appropriately secured container/location).

I wouldn't want to try to pre-empt the outcome of any investigation, but I would be quite happy at this stage to guess that the decision to remove that document from its appropriately secure environment was most likely down to the individual and would almost certainly not have been authorised.

True, it does actually state this in the latest BBC report having just read it. It would still be worrying if this individual were removing hard copies of Secret documents from Whitehall, strict procedures or not I would at least hope they were electronically encrypted.

If people cannot be trusted at these levels of security to follow the security procedures then I think that they should be obliged to be searched and their property searched before leaving the building.

[Raistlin]

And that's the problem.

In all walks of life you generally find that the more senior people are the less they think the rules and regulations apply to them. It's also the case that fewer people are prepared to stand up and challenge them about it as well!

As for the 'encrypted electronic' v 'paper' debate. It is my suspicion that paper files of this type (although this incident may suggest the contrary) are traditionally easier to account for, store, and control, than electronic copies.

[Escapee]

Quote:

Originally Posted by Xaccers

Escorted visitors should never be left alone in the first place. I know I never was until my full pass arrived.

True, but some of these pesky visitors have a habit of wandering or seeing things they shouldn't.

Difficult to work on a document if it's locked away

You know I meant locked away when away from your desk, when we have had visitors in my previous employment all restricted documents had to be put out of sight.

We have software at work which prevents unauthorised access to the USB ports.
If people want files transferred they have to submit a request and we do it for them.

That would be a bit difficult for our IT department, because I wouldn't give them the administrator password to enable them access to the system. As design authority I am currently the only person in the UK with authorisation to use the password. The data I move from these systems is not restricted nor is it any use to anyone else.

I could just imagine how efficient it would be asking the IT department x amount of times a day when I need to put data on a memory stick. I had that fiasco in my last employment, I played their little game until they got fed up with visiting me a dozen times a day. In the end they just gave me the required access rights, it's all about balancing security against common sense.

Exactly, think about how people are going to use the system, and built the security around that to ensure no breaches.
As you've demonstrated, simply telling someone not to do something isn't good enough, you have to prevent them from doing it.

As above, prevent them and the whole system grinds to a halt unless you increase the IT department tenfold and have them running around. We had one customer who specified a non standard connector for the USB port, the users then simply purchased the connectors, worked out the pinout and used standard USB sticks.

Common sense needs to be taken into account in these cases.

[Raistlin]

Best method for securing USB ports?

HERE

[Uncle Peter]

Quote:

Originally Posted by Raistlin

And that's the problem.

In all walks of life you generally find that the more senior people are the less they think the rules and regulations apply to them. It's also the case that fewer people are prepared to stand up and challenge them about it as well!

As for the 'encrypted electronic' v 'paper' debate. It is my suspicion that paper files of this type (although this incident may suggest the contrary) are traditionally easier to account for, store, and control, than electronic copies.

Indeed and no doubt the primary reason why MI5 are only just getting around to transferring their vast archives of paper intelligence assets to electronic systems!

As customers of becrypt like many other central govt functions and the MoD (being CAPS assured to Top Secret) I would hope that the cabinet office are extensively putting it to good use.

[Raistlin]

BeCrupt Enhanced still only reduces the classification of the laptop/disc/device from Top Secret down to Secret though, so the user of the laptop/disc/device would still have to protect it as they would anything else classified at Secret.

---------- Post added at 17:53 ---------- Previous post was at 17:50 ----------

I think you'll probably also find that it only applies to the classification, and doesn't remove any other conditions (for example the UK, US, Australian, and Canadian restrictions) that applied to the document in question.

[Uncle Peter]

Well we've had SW1 pubs, trains, Macdonalds... where will the next document or laptop be found: a strip club, top of Mt Everest, North Pole?

Who knows, some of these people will never learn.

[Cobbydaler]

And again...

Quote:

Originally Posted by The BBC

More confidential government files have been found left on a train.
The Independent on Sunday says it was handed the documents, which cover fighting global terrorist funding, drugs trafficking and money laundering.
The files, which relate to a meeting of financial crime experts to be held this week, were found on a train bound for London's Waterloo station on Wednesday.

Link

[cimt]

Quote:

Originally Posted by Cobbydaler

And again...



Link

Hmm, so 2 sets of papers just happen to get left on trains on the same day?

Quote:

The papers were found on train bound for London Waterloo on 11 June, the same day that another batch of papers relating to intelligence assessments of Iraq and al-Qaeda were handed to the BBC after being left by a senior official on a train.

[Woolly One]

At least these two sets were handed in to the authorities - OK via the Media! But how many haven't been given back - but sold on??

Restricted files lost by minister Hazel Blears

Quote:

A personal computer holding sensitive documents relating to defence and extremism has been stolen from Hazel Blears' constituency office in Salford.

The theft may mean the communities secretary has broken rules on the handling of restricted government information, the BBC has learned.

The machine contained a combination of constituency and government information which should not have been held on it.

Link

That will have been sold on the local market. Some scally will have wiped it, and will be probably playing quake or some surfing the net.