
Shailesh Vara uncovers lax data security at the MoD

Shailesh Vara, Shadow Deputy Leader of the House of Commons, has received some troubling written answers. It emerges that the Ministry of Defence has failed to adequately protect its data.

In light of the scandal of child benefit data being lost in 2007, the Government laid down minimum standards for data protection. (These include better use of encryption and passwords and restricting the ability of officials to remove data from discs and laptops.)

It turns out that the MoD is lagging behind. This would be worrying for any department, but is especially so in the case of the Ministry of Defence.

"Mr. Vara: To ask the Secretary of State for Defence what percentage of the IT systems in (a) his Department and (b) its agencies are fully accredited to the Government’s security standards. [245384]

Mr. Bob Ainsworth: The Ministry of Defence and its Agencies have several hundred computer systems in use ranging from corporate IT systems serving thousands of users across the Department and its Agencies, to business area systems serving smaller communities. The following data covers those systems within the MOD and its Agencies where accreditation is centrally controlled by Defence Security and Standards Assurance (DSSA), which are either connected to the MOD networks, or are stand alone above Secret, or are systems that contain significant value to the MOD e.g. those systems that contain particularly sensitive or personal data. It does not include those systems where authority for accreditation has been delegated e.g. stand alone systems with no onward connectivity, and where a further breakdown of information could be provided only at disproportionate cost.

58 per cent. of systems have been through the accreditation process. Of these, 27 per cent. of systems are classed as fully accredited and are being operated in a manner within the MOD’s Senior Information Risk Owner (SIRO)’s risk appetite; 31 per cent. of systems are currently classed as having conditional or interim accreditation with constraints placed on the operation of the system to ensure that identified risks are adequately managed within SIRO’s risk appetite.

The balance of systems (42 per cent.) are in the process of being accredited; this represents the significant workload undertaken to plan and develop solutions for new equipment systems or platforms; this also includes applications from legacy systems, many of which will be migrated onto the developing Defence Information Infrastructure."

The MoD has already lost dozens of USB memory sticks, some of which contained information classified "Secret".

Yesterday the story was written up by James Kirkup in the Telegraph. Mr Vara was quoted:

"We are dealing with very sensitive and important data and it is simply unacceptable that there is so much information which is still at risk."

Mr Vara is quite right.
