[SecurityRatty] tag: alongside

Open source still looking to shake off concerns

Sun, 24 Aug 2008 20:00:00 +0000

Although open source software has gained a place in enterprise networks alongside proprietary software, it can't seem to shake doubts about security and intellectual-property issues that have long dogged the movement.

Walking with the SDL Part 2

Mon, 21 Jul 2008 12:56:00 +0000

Jeremy Dallman here with Part Two in my series on “Walking” with the SDL. In Part One, I provided a snapshot of “Crawling” and discussed getting management approval. In Part Two, I will cover a couple more “Walk” components: expanding security training and formalizing requirements.

This blog gives us a place to talk about our experiences from using the SDL here at Microsoft and hopefully provide useful information that will help you implement it more effectively at your company. So, I would encourage you to use the Comments section at the bottom of each post to ask questions, give us feedback, or request other topics for us to cover.

Some quick definitions before we dive in. I’ve been using the imagery of learning to “crawl, walk and run” as a way to provide some basic starting points that would move your organization toward implementing the Security Development Lifecycle (SDL). “Walking” is the point where your security development practices become a lifecycle – a repeatable, reusable process that makes security a part of your development culture. To relate the analogy to SDL a bit more closely, think of crawling as the “SD” in SDL. For this post, we’ll continue to talk about walking – or adding the “L” in SDL.

Let’s jump into another component for adopting the Microsoft SDL to expand your own Security Development Lifecycle.

Expand Security Training

Once you have management approval, it is necessary to gain grassroots acceptance of the changes – at the developer, QA/test, and PM levels. If you have been “crawling”, you have probably already implemented some sort of discipline-specific training around things like threat modeling, using compiler defenses, and fuzz testing. Now that you are building a lifecycle, your goal for security training should expand. Security training should be about creating an environment where writing secure software is everyone’s mission. While security training should be undertaken with the goal of understanding security issues and how to address them, good training (and instructors) will also explain why solving security problems is in their best interests and create an environment where they know voicing security concerns is encouraged.

Training has been one of the earliest and most important elements of the SDL at Microsoft. From our experience, we learned that the most effective approach is to divide your training into two tracks: general security principles and role-specific security practices. Before I jump into the details, I want to encourage you to also read Shawn Hernan’s very good post about SDL training that highlights some of the ways to make security training effective.

The general security principles should explain why security is important, how you define security requirements, the process you will use for writing and validating secure code, and how security relates to each phase of the lifecycle or unique roles contributing to the development process. A key factor for building a development lifecycle is educating your individual contributors on the value of investing in security. Of course changing culture takes time, but using the opportunity of structured training to explain your principles will be one of your most effective platforms for influencing change.

At this point in your organizational maturity, you are also beginning to expand your security thinking by focusing on each role in the development process. Discipline-specific security training is where you dig into the details of implementing a Security Development Lifecycle.

· The developer needs to understand the practical details of how to write code securely, how to set compiler flags, what a security code review means, how to avoid using banned APIs, and what tools are available for them to perform security analysis before checking in their code.

· The QA/tester needs to know how to set security rules in test tools, how to perform penetration testing, and what the security quality criteria is for your product, or how to file a security bug.

· The PM needs to understand how to define measurable goals or how security policies can be factored into feature design.

· The business decision maker of your organization should understand how to track security metrics alongside other product measurements or how security policy plays a critical role in the overall quality and value of your product.

· Finally, it is critical for the employees occupying all job roles to understand the value of threat modeling – both as a tool for understanding threats early in the design phase and throughout the development process as a key barometer to the security pulse of your product.

Discipline-specific training will be the place to address these issues for your organization. In case you were wondering, all job roles should be required to attend both types of security training before working on your product.

Our new SDL website [http://www.microsoft.com/sdl] will be a very good place to watch for future training materials. The SDL Training and Resources page has some useful material up now and more will be coming in the future.

That’s Part Two. In Part Three, I will discuss the important “walk” components of formalizing security requirements and reusing threat models and attack surface reviews. Then we will close with the discussions on conducting final security reviews, and managing post-release documentation.

I’d like to hear if anyone is using the concept of “crawling” and “walking” to implement SDL in your company.

? Do you provide security training to your employees today?

? Do these additional training topics make sense in your organization?

? What would you add to this that is unique to your application or company?

SearchScan works nicely alongside SiteAdvisor

Thu, 03 Jul 2008 10:59:20 +0000

A really great service for Yahoo SE users.
Anything you can do to stay safe, do it!

clipped from www.pcworld.com

Yahoo Search Adds SearchScan, a Good Security Step

SearchScan, as Yahoo calls the feature, is a good move that can help protect users’ privacy and security, and one that I’d like to see the company take further. Here’s how it works.

Mashup of the Titans

Wed, 25 Jun 2008 13:29:25 +0000

Information Security - an Oxymoron for the information age

“Always the beautiful answer who asks a more beautiful question.” e. e. cummings

...or why i am with Gelernter

This is a mashup of Saltzer & Schroeder's famous information security principles with David Gelernter's Manifesto.

The premise of this mashup is to examine the paper by Saltzer and Schroeder which was written in 1975 and serves as the basis for most information security programs against the Gelernter's manifesto as to where computing is actually going. Each of the eight principles in Saltzer and Schroeder's paper is listed in order, and followed by select excerpts of Gelernter's manifesto. This comparison is to examine theoretical information security principles vis a vis the actual utility of modern information systems. I will not make an attempt to reconcile theory and practice, but will point out where the two schools of thought agree. In fairness, Saltzer and Schroeder's paper was written 25 years before Gelernter's, however Saltzer and Schroeder's principles dominate the thinking about information security to this day and so its important to view them side by side with Gelernter's thinking on the direction of computing.

Saltzer and Schroeder:

"a) Economy of mechanism: Keep the design as simple and small as possible. This well-known principle applies to any aspect of a system, but it deserves emphasis for protection mechanisms for this reason: design and implementation errors that result in unwanted access paths will not be noticed during normal use (since normal use usually does not include attempts to exercise improper access paths). As a result, techniques such as line-by-line inspection of software and physical examination of hardware that implements protection mechanisms are necessary. For such techniques to be successful, a small and simple design is essential."

Gelernter:

"9. The computing future is based on "cyberbodies" — self-contained, neatly-ordered, beautifully-laid-out collections of information, like immaculate giant gardens."

Conclusion(gp): So far, so good

Saltzer and Schroeder:

"b) Fail-safe defaults: Base access decisions on permission rather than exclusion. This principle, suggested by E. Glaser in 1965,8 means that the default situation is lack of access, and the protection scheme identifies conditions under which access is permitted. The alternative, in which mechanisms attempt to identify conditions under which access should be refused, presents the wrong psychological base for secure system design. A conservative design must be based on arguments why objects should be accessible, rather than why they should not. In a large system some objects will be inadequately considered, so a default of lack of permission is safer. A design or implementation mistake in a mechanism that gives explicit permission tends to fail by refusing permission, a safe situation, since it will be quickly detected. On the other hand, a design or implementation mistake in a mechanism that explicitly excludes access tends to fail by allowing access, a failure which may go unnoticed in normal use. This principle applies both to the outward appearance of the protection mechanism and to its underlying implementation."

Conclusion(gp): A conservative design principle that puts the object's owner in control of permissions. This makes a lot of sense from the object point of view, but does little to address the use case in which it executes.

Saltzer and Schroeder:

"c) Complete mediation: Every access to every object must be checked for authority. This principle, when systematically applied, is the primary underpinning of the protection system. It forces a system-wide view of access control, which in addition to normal operation includes initialization, recovery, shutdown, and maintenance. It implies that a foolproof method of identifying the source of every request must be devised. It also requires that proposals to gain performance by remembering the result of an authority check be examined skeptically. If a change in authority occurs, such remembered results must be systematically updated."

Gelernter:

"8. The software systems we depend on most today are operating systems (Unix, the Macintosh OS, Windows et. al.) and browsers (Internet Explorer, Netscape Communicator...). Operating systems are connectors that fasten users to computers; they attach to the computer at one end, the user at the other. Browsers fasten users to remote computers, to "servers" on the internet.

Today's operating systems and browsers are obsolete because people no longer want to be connected to computers — near ones OR remote ones. (They probably never did). They want to be connected to information. In the future, people are connected to cyberbodies; cyberbodies drift in the computational cosmos — also known as the Swarm, the Cybersphere.

13. Any well-designed next-generation electronic gadget will come with a ``Disable Omniscience'' button.

17. A cyberbody can be replicated or distributed over many computers; can inhabit many computers at the same time. If the Cybersphere's computers are tiles in a paved courtyard, a cyberbody is a cloud's drifting shadow covering many tiles simultaneously.

20. If a million people use a Web site simultaneously, doesn't that mean that we must have a heavy-duty remote server to keep them all happy? No; we could move the site onto a million desktops and use the internet for coordination. The "site" is like a military unit in the field, the general moving with his troops (or like a hockey team in constant swarming motion). (We used essentially this technique to build the first tuple space implementations. They seemed to depend on a shared server, but the server was an illusion; there was no server, just a swarm of clients.) Could Amazon.com be an itinerant horde instead of a fixed Central Command Post? Yes."

Conclusion(gp): Complete mediation provides the underpinning for Saltzer and Schroeder's system, but does not appear to scale to the desired itinerant horde at least in common interpretation.

Saltzer and Schroeder:

"d) Open design: The design should not be secret. The mechanisms should not depend on the ignorance of potential attackers, but rather on the possession of specific, more easily protected, keys or passwords. This decoupling of protection mechanisms from protection keys permits the mechanisms to be examined by many reviewers without concern that the review may itself compromise the safeguards. In addition, any skeptical user may be allowed to convince himself that the system he is about to use is adequate for his purpose. Finally, it is simply not realistic to attempt to maintain secrecy for any system which receives wide distribution."

Conclusion(gp): both seem to agree, hard to get the itinerant horde moving in a swarm without open standards.

Saltzer and Schroeder:

"e) Separation of privilege: Where feasible, a protection mechanism that requires two keys to unlock it is more robust and flexible than one that allows access to the presenter of only a single key. The relevance of this observation to computer systems was pointed out by R. Needham in 1973. The reason is that, once the mechanism is locked, the two keys can be physically separated and distinct programs, organizations, or individuals made responsible for them. From then on, no single accident, deception, or breach of trust is sufficient to compromise the protected information. This principle is often used in bank safe-deposit boxes. It is also at work in the defense system that fires a nuclear weapon only if two different people both give the correct command. In a computer system, separated keys apply to any situation in which two or more conditions must be met before access should be permitted. For example, systems providing user-extendible protected data types usually depend on separation of privilege for their implementation."

Gelernter:

"37. Elements stored in a mind do not have names and are not organized into folders; are retrieved not by name or folder but by contents. (Hear a voice, think of a face: you've retrieved a memory that contains the voice as one component.) You can see everything in your memory from the standpoint of past, present and future. Using a file cabinet, you classify information when you put it in; minds classify information when it is taken out. (Yesterday afternoon at four you stood with Natasha on Fifth Avenue in the rain — as you might recall when you are thinking about "Fifth Avenue," "rain," "Natasha" or many other things. But you attached no such labels to the memory when you acquired it. The classification happened retrospectively.)"

Conclusion(gp): Information Security models tend to look at things statically through information classification lenses, but its how information is used that makes it valuable. In practice this is how information security theory breaks down in the face of reality - what does an access control matrix look like for a mashup? What does it look like for a data mining app?

Saltzer and Schroeder:

"f) Least privilege: Every program and every user of the system should operate using the least set of privileges necessary to complete the job. Primarily, this principle limits the damage that can result from an accident or error. It also reduces the number of potential interactions among privileged programs to the minimum for correct operation, so that unintentional, unwanted, or improper uses of privilege are less likely to occur. Thus, if a question arises related to misuse of a privilege, the number of programs that must be audited is minimized. Put another way, if a mechanism can provide "firewalls," the principle of least privilege provides a rationale for where to install the firewalls. The military security rule of "need-to-know" is an example of this principle."

Gelernter:

"28. Metaphors have a profound effect on computing: the file-cabinet metaphor traps us in a "passive" instead of "active" view of information management that is fundamentally wrong for computers.

29. The rigid file and directory system you are stuck with on your Mac or PC was designed by programmers for programmers — and is still a good system for programmers. It is no good for non-programmers. It never was, and was never intended to be.

30. If you have three pet dogs, give them names. If you have 10,000 head of cattle, don't bother. Nowadays the idea of giving a name to every file on your computer is ridiculous."

Conclusion(gp): Least Privilege is the point where the practical matter of applying Saltzer and Schroeder's principles breaks down in modern systems. Its a deployment issue, and a matter of insufficient models and modes.

Saltzer and Schroeder:

"g) Least common mechanism: Minimize the amount of mechanism common to more than one user and depended on by all users [28]. Every shared mechanism (especially one involving shared variables) represents a potential information path between users and must be designed with great care to be sure it does not unintentionally compromise security. Further, any mechanism serving all users must be certified to the satisfaction of every user, a job presumably harder than satisfying only one or a few users. For example, given the choice of implementing a new function as a supervisor procedure shared by all users or as a library procedure that can be handled as though it were the user's own, choose the latter course. Then, if one or a few users are not satisfied with the level of certification of the function, they can provide a substitute or not use it at all. Either way, they can avoid being harmed by a mistake in it."

Gelernter:

"6. Miniaturization was the big theme in the first age of computers: rising power, falling prices, computers for everybody. Theme of the Second Age now approaching: computing transcends computers. Information travels through a sea of anonymous, interchangeable computers like a breeze through tall grass. A dekstop computer is a scooped-out hole in the beach where information from the Cybersphere wells up like seawater.

16. The future is dense with computers. They will hang around everywhere in lush growths like Spanish moss. They will swarm like locusts. But a swarm is not merely a big crowd. The individuals in the swarm lose their identities. The computers that make up this global swarm will blend together into the seamless substance of the Cybersphere. Within the swarm, individual computers will be as anonymous as molecules of air.

55. Software can solve hard problems in two ways: by algorithm or by making connections — by delivering the problem to exactly the right human problem-solver. The second technique is just as powerful as the first, but so far we have ignored it.

56. Lifestreams and microcosms are the two most important cyberbody types; they relate to each other as a single musical line relates to a single chord. The stream is a "moment in space," the microcosm a moment in time."

Saltzer and Schroeder:

"h) Psychological acceptability: It is essential that the human interface be designed for ease of use, so that users routinely and automatically apply the protection mechanisms correctly. Also, to the extent that the user's mental image of his protection goals matches the mechanisms he must use, mistakes will be minimized. If he must translate his image of his protection needs into a radically different specification language, he will make errors."

Gelernter:

"7. "The network is the computer" — yes; but we're less interested in computers all the time. The real topic in astronomy is the cosmos, not telescopes. The real topic in computing is the Cybersphere and the cyberstructures in it, not the computers we use as telescopes and tuners.

27. Modern computing is based on an analogy between computers and file cabinets that is fundamentally wrong and affects nearly every move we make. (We store "files" on disks, write "records," organize files into "folders" — file-cabinet language.) Computers are fundamentally unlike file cabinets because they can take action.

31. Our standard policy on file names has far-reaching consequences: doesn't merely force us to make up names where no name is called for; also imposes strong limits on our handling of an important class of documents — ones that arrive from the outside world. A newly-arrived email message (for example) can't stand on its own as a separate document — can't show up alongside other files in searches, sit by itself on the desktop, be opened or printed independently; it has no name, so it must be buried on arrival inside some existing file (the mail file) that does have a name. The same holds for incoming photos and faxes, Web bookmarks, scanned images...

32. You shouldn't have to put files in directories. The directories should reach out and take them. If a file belongs in six directories, all six should reach out and grab it automatically, simultaneously.

33. A file should be allowed to have no name, one name or many names. Many files should be allowed to share one name. A file should be allowed to be in no directory, one directory, or many directories. Many files should be allowed to share one directory. Of these eight possibilities, only three are legal and the other five are banned — for no good reason.

53. Your car, your school, your company and yourself are all one-track vehicles moving forward through time, and they will each leave a stream-shaped cyberbody (like an aircraft's contrail) behind them as they go. These vapor-trails of crystallized experience will represent our first concrete answer to a hard question: what is a company, a university, any sort of ongoing organization or institution, if its staff and customers and owners can all change, its buildings be bulldozed, its site relocated — what's left? What is it? The answer: a lifestream in cyberspace."

Conclusion(gp):

The Saltzer and Schroeder principles of Open Design and Economy of Mechanism hold up well in the face of modern computing realities, and to a certain extent Fail Safe Defaults does as well; however if we information security people are to be effective we need to re-think the other principles.

Last word: Gelernter:

We'll know the system is working when a butterfly wanders into the in-box and (a few wingbeats later) flutters out — and in that brief interval the system has transcribed the creature's appearance and analyzed its way of moving, and the real butterfly leaves a shadow-butterfly behind. Some time soon afterward you'll be examining some tedious electronic document and a cyber-butterfly will appear at the bottom left corner of your screen (maybe a Hamearis lucina) and pause there, briefly hiding the text (and showing its neatly-folded rusty-chocolate wings like Victorian paisley, with orange eyespots) — and moments later will have crossed the screen and be gone.

Utah's FrontRunner Commuter Rail Unwired

Fri, 13 Jun 2008 09:34:53 +0000

The newly launched 40-mile commuter rail line, FrontRunner, goes official with its free Wi-Fi: Nomad Digital, one of the longest-established firms providing connectivity to trains, has unwired the 12 double-decker trains on this new line, which opened for service in late April. About 1,000 passengers ride the route from Ogden to Salt Lake City each day (as of mid-May), and the service logged 700 users per day just a few days ago. Speeds aren't noted. Nomad worked with local firm Wasatch Electric and uses Redline gear. (The press release isn't up at this writing, nor has either the rail authority nor Nomad's site been updated.)

That's an insanely large percentage of riders using the service, so it's possible ridership has increased even more than the mid-May figures indicate, or the commuters are really intense computer and handheld users. Also, note that the FAQ for the authority's overall Wi-Fi service requires you to be 18 years or older. It is Utah, after all--a minor might do something dirty with the service and the transit authority would be held responsible. The authority offers Wi-Fi on some buses, too.

The network is backed by fiber that runs alongside the track, which can make a huge difference in the ability to bring in backhaul. Other train lines have to work with either or both cellular and satellite backhaul, although Nomad typically uses fixed WiMax, as they are in this deployment. They're finishing up a 600 km London to Glasgow route for Virgin in the UK, which will be vastly larger than any other Internet-equipped route in the world.

This is one of the first major production service launches of train-based Wi-Fi in the U.S. VIA Rail in Canada is the only other in-production system offering in-transit Wi-Fi on a train line in North America. There are several trials, pilots, and phased-in plans underway. I thought 2007 would be the year that train-based Internet access took off; looks like it will leave the station worldwide in 2009, perhaps due to better 3G cell cover and improved antenna designs, as well as new commuter rail systems like FrontRunner that are designed with the idea of connectivity.

iPhone Wi-Fi Hotspot Access Now in AT&T Plan Details

Thu, 08 May 2008 05:39:38 +0000

It's on, it's off, it's on again: Access to AT&T hotspots is back on again, at least in the fine print, as the company now includes the statement that all iPhone plans in the U.S. include "access to AT&T's more than 17,000 Wi-Fi hotspots, including Starbucks." (Click the Plans tab at top to see that text.)

AT&T appeared to have flipped a switch several days ago on its "attwifi" SSID that has appeared alongside T-Mobile's during this several-month transition at Starbucks from one operator to another. iPhone users were presented with a custom login screen that prompted them for their phone number to obtain free access. That gateway page disappeared a few days. I haven't tested if it's back, but at least AT&T has, at long last, made the connection that its iPhone customers might enjoy the same free access to hotspots as its 7m fiber and qualifying DSL customers.

Stolen USinternetworking laptop also affects XL employees

Thu, 24 Apr 2008 11:07:36 +0000

Technorati Tag: Security Breach

Date Reported:
4/16/08 (this incident is also the cause of "Stolen USinternetworking laptop affects hundreds of SPX employees")

Organization:
XL Global Services, Inc.

Contractor/Consultant/Branch:
USinternetworking, Inc.*

*From the USinternetworking "About Us" page:
Founded in 1998, USinternetworking, Inc. (USi), an AT&T company, is the most experienced Application Service Provider (ASP). We use a highly automated, efficient, systematic approach to deliver managed hosting, application management, remote management, professional services, SaaS enablement, and eBusiness development and hosting to more than 150 enterprise-level organizations in over 30 countries.

Victims:
Employees

Number Affected:
Unknown

Types of Data:
Names, addresses, and Social Security numbers

Breach Description:
"A personal computer was recently stolen from an employee of one of our vendors, USinternetworking, Inc. of Annapolis, Maryland ("USi"). The personal computer contained the personal information of employees of XL Global Services, Inc. or its affiliates ("XL")"

Reference URL:
The New Hampshire State Attorney General breach notification

Report Credit:
The New Hampshire State Attorney General

Response:
From the online source cited above:

I am writing to inform you about a security breach.

A personal computer was recently stolen from an employee of one of our vendors, USinternetworking, Inc. of Annapolis, Maryland ("USi").

The personal computer contained the personal information of employees of XL Global Services, Inc. or its affiliates ("XL")

This information included names, addresses, and Social Security numbers of employees
[Evan] Why this information is permitted to be stored on a laptop computer is anyone's guess. Allowing this information to be stored on a laptop computer alongside another client's information (see "Stolen USinternetworking laptop affects hundreds of SPX employees") and without encryption (we are assuming that there is none because none was mentioned) is shoddy. Our vendors are not allowed to co-mingle our data with that belonging to another company. Our vendors are not permitted to store "confidential" information without employing encryption. Our vendors are audited for compliance no less than semi-annually.

USi also informed us that the laptop itself was password protected and the two files containing the personal identifying information of Company employees would not be immediately evident.
[Evan] So? Password protection (probably OS-level) and security through obscurity are both ineffective.

At our request, USi immediately reported the theft to local law enforcement in Columbus, Ohio to investigate the matter.

the investigation has not yet been successful.

Although we have no evidence that this information has been improperly accessed or misused, we want to make you aware of the incident and the steps that have been taken to prevent a reoccurrence.
[Evan] I found nothing in the breach notification that reflects what the companies plan to do or have done to "prevent a reoccurrence".

We have sent multiple e-mail notifications to the affected employees to notify them of the breach and the status.

The notices describe, among other things:
(1) the general nature of the incident resulting in the potential information security breach,
(2) the type of personal information that was the subject of the possible security breach,
(3) the precautionary measures USi is taking (at XL's request) to help protect personal information from unauthorized use,
(4) contact information for inquiries, and
(5) how to enroll in Kroll's identity theft restoration and continuous credit monitoring services, which are being made available by USi (at XL's request) to affected individuals free of charge for two years.

XL takes privacy and security matters very seriously.

If you have questions or feel you may have an identity theft issue, please call ID TheftSmart member services at 1-800-588-9839 between 8:00 am and 5:00 pm (Central Time), Monday through Friday.

On behalf of USi and the Company, we sincerely regret this incident.

Commentary:
These are the types of breaches that always get under my skin. I don't get it. These are two respectable companies. I understand that *&^% happens, but people can prevent this *&^%!

On a side note, does anyone know if Thomas Dunbar still runs information security at XL? He is the 2006 SC Magazine CSO of the Year.

Past Breaches:
Unknown

Top 3 conclusions about IT Risk Management we like hearing

Mon, 25 Feb 2008 11:28:00 +0000

I read a nice summary of a recent Symantec 40 page survey on IT Risk Management and felt compelled to share the links and highlights that jump out. Symantec was recently noted as a leader in IT-GRC per this Gartner report.

The summary I read was posted by John Edwards over at ITSecurity.com.

Here are the conclusions that grabbed our eye:

Businesses would be far better served if they viewed security as an IT risk management element that can be addressed alongside other critical elements, such as availability, performance and compliance.
Technology alone can't mitigate IT risk. While technology plays a critical role in IT risk mitigation, balanced controls and frameworks are also necessary in order to provide complete risk management capabilities.
Management should consider implementing a continuous risk assessment process.

Oldham Primary Care Trust NHS loses two data sticks

Fri, 11 Jan 2008 14:15:40 +0000

Technorati Tag: Security Breach

Date Reported:
1/11/08

Organization:
Oldham Primary Care Trust NHS (PCT)

Contractor/Consultant/Branch:
None

Victims:
PCT "clients"

Number Affected:
148

Types of Data:
"The information lost related to copies of assessments about future healthcare needs held in a secure central file. It included people’s names, addresses and dates of birth."*

*I'm not sure if this means that copies of assessments AND names, addresses and dates of birth OR just names, addresses and dates of birth.

Breach Description:
The Oldham Primary Care Trust NHS has issued a press release announcing the loss of two "data sticks" containing personal information belonging to clients that had contact with the organization's continuing care service. A total of 148 clients were affected by the breach.

Reference URL:
The Oldham Primary Care Trust NHS Press Release
Manchester Evening News Story

Report Credit:
Oldham Primary Care Trust NHS

Response:
From the online sources cited above:

A breach of information security has taken place. Two data sticks containing information relating to 148 clients who have been in contact with the PCT’s continuing care service have been reported missing.

This should never have happened.
[Evan] Got that right.

All the individuals affected have been identified. Our first priority has been to try to contact all 148 individuals, or their representatives, personally. We have made personal contact with 145, and offered to visit them. We are waiting for three to get back to us after several attempts to contact them.

We have followed up the contacts in writing with our sincere apologies, and have set up a
dedicated freephone information line for those who may have further questions.

The information lost related to copies of assessments about future healthcare needs held in a secure central file. It included people’s names, addresses and dates of birth. It did not contain financial information.
[Evan] It's a little unclear to me what this means exactly.

There is no risk at all to anyone’s future care.

A formal internal investigation has been launched.

The PCT takes patient confidentiality extremely seriously and has taken immediate action to prevent any further similar incidents. All data sticks containing ‘personal’ information have been recalled, and a full and thorough review of current processes and procedures is now underway.

Gail Richards, Oldham PCT chief executive, said: “We are deeply sorry – this should never have happened. We have launched a full and thorough investigation, and are reviewing our current policies relating to data storage.
[Evan] It's always a good sign when a "chief executive" comments on security. I have said this before, but it shows that they understand their information security role and that the buck stops with them.

“While we believe the data sticks have been lost, we have reported the incident to the police in order to get the best advice possible. We have no reason at all to believe the information has been accessed by anyone else.”

To make sure this cannot happen again, the PCT:

Is undertaking a full audit of how removable media is used across the PCT
Has recalled all data sticks and pen drives which contain ‘personal’ data
Nearly completed recalling all data sticks and pen drives in order to reissue encrypted devices to staff alongside a new procedure for their use
Has reminded all staff formally of existing policies and procedures
Is urgently developing updated guidance for staff around information security

[Evan] These steps will go a long way towards preventing an similar occurrence. This is sound information security judgment, in my opinion.

Anyone with concerns should contact the PCT’s information line on freephone 0800 144 4304. The line is open from 8.30am8pm MonFri and 10am4pm SatSun.

Commentary:
Overall, this has to be one of the best responses I have seen in some time from an organization that experienced a breach of personal information. The response is open, thorough and honest. After reading the press release, I am clear about what happened and what Oldham Primary Care Trust ("PCT") plans to do about it. Too many times, organizations attempt to keep a breach under wraps. PCT prominently displays the information on their web site home page.

The breach happens. The organization comes to terms with the fact that a breach occurred. The organization reaches out to everyone affected with an honest explanation and sincere apology. The organization issues a press release to announce what took place and what it intends to do about it. The organization saves face and keeps a certain amount of trust in the process. I am impressed with how PCT has responded to this breach.

Past Breaches:
January, 2008 - Medical information found in the road
December, 2007 - Laptop stolen from Royal Bolton Hospital NHS
September, 2007 - Dudley Group of Hospitals NHS hard drives for sale on eBay