Never rains …

A short note on Labour’s cyber breach. Sienna Rogers at Labour List reports on the third-party victim of Labour’s cyber breach. The software is, I believe, provided by Blackbaud, who usually provide it as software-as-a-service and have previously been attacked, but Rogers states the system is run by Tangent, which I believe to be a trading name for Tangent Marketing Services. This article in the Guardian (HTML / .PDF) reports (2007) on Labour’s award of the contract and identifies Michael Green as the supplier’s CEO, although his Wikipedia page suggests he has moved on; he is still registered as a director at Companies House, although the last set of annual accounts state he has resigned. Labour’s General Secretary at the time was Peter Watt, whom Wikipedia quotes the BBC as saying resigned “following the revelation that a property developer made donations to the party via three associates”. Tangent also appointed an ex-Party Director of Communications, Paul Simpson (HTML / .PDF), as its account manager for the Labour Party in 2009, although he left four years later.

This story adds to the questions that need to be answered, one of which is why the software and its run-time contract have been in place for so long. Has it been market tested, and are the terms and conditions still appropriate?

When the leak was first reported, I wrote a piece on IT Vendor Management (also on my blog) and posed some questions. I also wrote a short piece on cyber-security and the NIST Cyber-security Framework. In the first of these articles I described what a decent vendor management policy looks like, and how the use of international standards on IT security (ISO 27001) and governance (COBIT) would help, as would having a National Executive Committee properly equipped, trained and interested.  …

On Cyber-security

I posted a note on cyber-security on my LinkedIn blog. It gives some pointers on the standards and controls needed to defend against a cyber attack and to implement “adequate technical and organisational” protection. It looks at and links to the NIST Cyber-security Framework and lists some of the necessary controls to implement a reasonable defence and to prove that “adequate technical and organisational” controls are in place. If you do what I suggest badly, you might get away with it; if you do it well, you might stop and/or recover from attacks.  …

Tory Conference Data Breach

Over the weekend, it seems to have been established that the Tory Party’s conference app suffers from a major security flaw and that the personal details of its users are available to all. While the BBC seem concerned that the ex-Foreign Secretary’s details are available, it is of equal concern that all the journalists are also exposed. The maximum fine for a breach under the GDPR is €20m or 4% of global annual turnover, whichever is the higher.

A further problem is that under the new law, people who suffer a breach of their rights no longer have to prove material harm in order to claim compensation. This incident would seem to be a breach of rights and so will be treated at the serious end of the spectrum, and the burden of proof on those affected is low.

Additionally, I would add that this app should have had a data protection impact assessment (DPIA) and, if the processing was deemed high risk, the ICO should have been consulted before it was deployed.

The cyber-security controls should have been defined before the DPIA and tested both before and after it.

The Tories have 72 hours from becoming aware of the breach to notify the ICO, and will need to consider remediation for each and every user affected.

I am sure the ICO would not want the Tories to be their first case, as they would like to have established a precedent-based tariff and they wouldn’t want the governing party to be the precedent; expectations are that the ICO will be one of the more forgiving of the European data protection supervisory authorities. …

More on Brexit

Many of the implications of the vote to leave the EU have been exercising my mind. I have finally got my notes and thoughts together to publish my initial views on the politics of the aftermath; this article attempts to limit itself to the events and thoughts of the first week after the referendum. I have published them dated as at the day I started my Storify, where I collected the sources I wanted to quote. This is because it is one of a planned series: I plan to follow up with a piece on immigration, one on the Labour Party and Left unity, and one on the mutation of capitalism and politics.

One of the reasons for my delay was that I was asked for a number of quotes by the IT trade press, which took some writing time. I have posted the complete quotes as three articles on LinkedIn Pulse, on Cybersecurity, on Privacy, and on Trade and the single market, covering innovation, TTIP, privacy and net neutrality. …