I finally posted my note on the NCSC on LinkedIn. I discuss the budget, its size and the conflict of interest that GCHQ has in acting in both an offensive and a defensive capacity …
Monitoring
For GDPR compliance for employee records, the killer application (as Uber and others are finding) is performance management, which would not seem to be a priority for HR business leaders. This will be aggravated by the need to monitor gifts and other activities that may cause conflicts of interest. We can also note that, of the drivers for change, compliance is seen as the least important. …
Compliance
After attending the BCS IS Security Group meeting yesterday, I began to think about how small (or, more accurately, medium) companies might deal with the additional compliance actions required by the GDPR. There would seem to be two design patterns: a golden source, or an all-knowing switch. The first pattern led me to consider the SaaS solutions, which should be used to dealing with suspects, prospects and customers (CRM), and also with any employees, with the ERP solution catering for personal data located in the supply chain. Over the years I have been made aware of Sugar CRM and OpenBravo (ERP); more recently I have looked at the Financial Services KYC problem, and been pointed at kyc.com, an enhanced CRM system designed for the financial services industry. The gap is an industry-leading HR system, and it will surprise none of my long-term friends and colleagues that I think we can assume the fault is in the buying community, where the priority would seem to be recruitment and applicant tracking, although, of course, payroll was the first SaaS offering by an order of decades. …
Focus
Over the weekend, a spat broke out between Jon Lansman, veteran leftist, and Tom Watson MP. This Twitter exchange pretty much summarises it.
@jonlansman You've revealed your plan. If you succeed you will destroy the Labour Party as an electoral force. So you have to be stopped.
— Tom Watson (@tom_watson) March 19, 2017
Actually, this was started because comments Lansman made to a private meeting were leaked to the press via video and blown up into a new conspiracy.
What I want to add, starting from Watson’s tweet, is that I believe it’s the so-called moderates that are destroying the party as an electoral force. The focus on the personality of the Leader, and the evidence-free proposition that we just need to knock on a few or even many more doors and we can win, is wrong.
There are central political questions that need to be answered or Labour will follow the Greek PASOK, the Dutch PvdA, the French PS and its own example in Scotland. …
Faerûn
I returned to NWN2 last night; I should probably take notice of the fact that I find it so hard to return to. The fights are so hard … This can be fixed … I think.
But the BioWare forums have finally gone forever. …
Privacy Law
Here’s an interesting review of the UK’s DP Act and the likely implications of the GDPR/Brexit. The author identifies that the Commission has launched an infraction investigation into the UK’s implementation of the Data Protection Directive; they identify some of the weaknesses and report that, despite issuing several freedom of information requests, the infractions identified by the Commission remain secret.
It is suggested that the UK Government will use the Restrictions Article powers to reduce the impact of the GDPR and in doing so may jeopardise the UK’s attempts to obtain an adequacy ruling. I think they’re a bit excitable since UK firms and foreign owned multi-nationals will be able to use model clauses and binding corporate commitments to trade with the EU even without an adequacy ruling, although some firms may choose to relocate, most easily to Dublin.
The article also talks about two court cases which have expanded citizen protection under the DPA using reference to the Directive and the CJEU rulings. After Brexit, the opinions of the CJEU are likely to be irrelevant, …
A note on IT Integrity and authority
I posted an article that had taken a long time to get approval for on my employer’s blog, Information Integrity, the final frontier. I argue that the business has not taken integrity as seriously as it has availability and confidentiality. In the blog, I state that,
Information integrity requires an accurate representation of the state of the business and the audit records as to how it got there. Modern systems need to record both; it’s not enough that the system is provably accurate, records are required to ensure that transactions and changes are appropriately authorised.
The key insight is that not only must the true state of the data be recorded, but the person verifying this truth must be recorded as well.
The article talks about strong “Requirements Management” and good “Testing” processes, and then talks about the use of PKI to sign application-to-application feeds or transactions, to guarantee to the system of record that the author is a permitted actor and that the delivered data is accurate and authorised. I also propose that application logs, as proposed under the “Application Security” domain of ISO/IEC 27034, should be used to record the authority/author of a database update.
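To make the two halves of that argument concrete, here is an added sketch (my own illustration, not code from the Citihub article or from any product) of a system of record that accepts an application-to-application feed only when it carries a valid signature from a registered actor, and that writes an audit record naming the author of every attempt, accepted or rejected. The registry of permitted signers, the "payroll-app" identity and the sample payload are all constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)
func digest(b []byte) []byte { h := sha256.Sum256(b); return h[:] } // SHA-256 of b as a slice
// Feed is one application-to-application transaction delivered to the system of record.
type Feed struct {
	Payload []byte // serialised business data, e.g. a ledger update
	Signer  string // identity claimed by the sending application
	Sig     []byte // Ed25519 signature over sha256(Payload) made with that identity's key
}
// AuditRecord is kept beside the data: the state change (by hash) and who authorised it.
type AuditRecord struct {
	PayloadHash string
	Signer      string
	Accepted    bool
}
// SystemOfRecord holds a (hypothetical) registry of permitted actors and the audit log.
type SystemOfRecord struct {
	Permitted map[string]ed25519.PublicKey
	Audit     []AuditRecord
}
// SignFeed is the sending application's side: sign the payload hash with its private key.
func SignFeed(priv ed25519.PrivateKey, signer string, payload []byte) Feed {
	return Feed{Payload: payload, Signer: signer, Sig: ed25519.Sign(priv, digest(payload))}
}
// Ingest accepts a feed only if a permitted actor signed exactly this payload; every attempt is logged.
func (s *SystemOfRecord) Ingest(f Feed) error {
	d := digest(f.Payload)
	rec := AuditRecord{PayloadHash: fmt.Sprintf("%x", d), Signer: f.Signer}
	pub, ok := s.Permitted[f.Signer]
	rec.Accepted = ok && ed25519.Verify(pub, d, f.Sig) // unknown signer: Verify is never reached
	s.Audit = append(s.Audit, rec)
	if !rec.Accepted {
		return fmt.Errorf("feed from %q rejected: unknown signer or signature does not match payload", f.Signer)
	}
	return nil
}
func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed sample key for "payroll-app"
	sor := &SystemOfRecord{Permitted: map[string]ed25519.PublicKey{"payroll-app": pub}}
	f := SignFeed(priv, "payroll-app", []byte(`{"acct":42,"delta":-100}`)) // constructed sample feed
	fmt.Println(sor.Ingest(f), len(sor.Audit)) // accepted, one audit record
	f.Payload = []byte(`{"acct":42,"delta":-1}`) // altered after signing
	fmt.Println(sor.Ingest(f), len(sor.Audit)) // rejected, but still recorded with its claimed author
}
```

The audit log therefore answers both questions the post poses: what the state became (the payload hash) and who vouched for it (the verified signer), with a rejected tampering attempt left on record rather than silently dropped.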
ooOOOoo
Given the startling longevity of this blog, I have made a mirror of the Citihub article and loaded it to this site; integrity: the final frontier, a mirror …
Elsewhere
I finally posted on LinkedIn, a short, and I hope, a balanced version of my longer, and more opinionated blog article on the Regulatory Powers Act. …
Adequacy
I am looking at the GDPR, and considering the issue that post-Brexit, the UK will probably have to seek an “adequacy ruling” to allow IT services trade and trade dependent on cross border IT between the UK & the EU to continue. If we adopt the GDPR as part of the so-called “Great Repeal Bill”, then there should be no problem. In the unlikely event that the fUK-EW legislates for greater data subject privacy then the EU may object because it breaks their single market rules; all jurisdictions must treat entities and citizens of the EU equally, whereas if we were to weaken the privacy provisions then the Commission would deny us an adequacy ruling. Today’s insight is that it works both ways. …
Obvious
I have just had my electricity meter upgraded so they won’t have to visit it to read it anymore, and the plan is that I can monitor my electricity use in real time! This would be like the car displays that tell you your MPG and thus not very useful. They are both things that you can do nothing about.
However, the data transport between the meter and the consumer monitor is Bluetooth, a technology with a common range of 10 m, or 13 yards or paces. The link also requires a line of sight between the two devices. Someone took this decision, despite the fact that every meter they ever install has a cable running into the delivery site. They could equally have used the phone connection required for remote monitoring and billing.
I should think this choice makes the technology’s use impossible in every block of flats in the country and possibly even in many large houses.
Someone or several people chose to do this! …