Friday, June 27, 2008

MoD 'Facebook generation' warning


Sir Edmund's report

Armed forces recruits from the "Facebook generation" do not take data security seriously enough, a Ministry of Defence security probe has found.

Young recruits were used to the "rapid and often uninhibited exchange of information", the report added.

But "this behaviour must be tempered by common sense and sound judgment... and the particular concerns of MoD work", report author Sir Edmund Burton noted.

He was asked to investigate after the theft of MoD laptops in Birmingham.

In a highly critical report, he says the MoD had lost its Cold War discipline for data security and there was "little awareness" of its importance among staff.

As a result a major security incident had been "inevitable".

'Supervision failure'

Sir Edmund, chairman of the Information Advisory Council, launched his inquiry after a laptop with the records of 600,000 recruits was stolen from a Royal Navy recruiter's car last January.

The car had been parked overnight in the Edgbaston district of the city.

Investigators found that it was one of four such laptops - out of a total of just 55 - to have been stolen since 2004. All were taken from parked cars.

Sir Edmund said the losses indicated a "failure of supervision" and that there was a "very limited understanding" of the MoD's obligations under the Data Protection Act.

"During the Cold War, awareness of real security was ingrained in individuals and organisations," his report said.

"Audit, inspection, and compliance regimes were rigorously underpinned by codes of discipline.

"These well-developed processes and procedures have not been translated, effectively, into the information age.

"Generally, there is little awareness of the current, real, threat to information, and hence to the department's ability to deliver and support operational capability."

'Strict control'

"Consequently, there can be little assurance that information is being effectively protected," the report says.

Sir Edmund drew attention to the way that the armed forces recruits now come from the "Facebook Generation" among whom a culture of "rapid and often uninhibited exchange of information" was the norm.

"At work, this behaviour must be tempered by common sense and sound judgment, informed by data protection practice, and the particular concerns of MoD work," the report noted.

"However, returning to the strict information control of the type applied to paper documentation of 15 or more years ago is not considered practical in the modern working and cultural environment."

He said the MoD had sought to adopt modern ways of working, particularly in the personnel department with improved access to personal details.

But "one consequence of embracing this new data sharing culture has been a decline in overall departmental security practice".

It said senior officials "shared a concern that the younger generation of MoD staff are not inculcated with the same culture of protecting information as their counterparts from previous generations".

The report made 51 recommendations, including the establishment of a "coherent system of censure and punishment" for individuals who lose or compromise personal data which reflects the seriousness and scale of the loss.