linkedin – Page 3 – davelevy.info

Wiping the phone at the Treasury

I wrote a piece on the Guardian story about the Treasury losing the Perm Sec’s texts and posted it on linkedin. One particularly disturbing feature of this story may be that messages from David Cameron about Greensill Capital have been lost. On the linkedin blog, I looked at the story from an IT Security and employment law point of view rather than looking at the political corruption angle. I suggest that for an organisation with a public record, FoI or compliance liability that SMS and whatsapp or any messaging product without central logging should not be used. I suggest that wiping the phone instead of a password reset especially when the device has not been lost might be a bit extreme. I hint that peer to peer messaging without a super user is also inappropriate. For more, use the "Read MOre" button ...

Wiggle room on human rights law

I made a linkedin blog on the ECtHR’s margin of appreciation. I was reading up on the UK’s post Brexit data sharing arrangements with the EU, and under the terms of the GDPR. I was diverted by the ECHR’s doctrine of a “margin of appreciation”. For more, see overleaf or below … …

Vendor Management and the Labour Party

I wrote a blog on linkedin, on what I call Vendor Management. This is based on my experience as an IT Security and Compliance consultant, and leans on ISO 27001. Some of the words in this article, mirror what I say in the linkedin post. This article, see below/overleaf talks about risk classification, risk control super-strategies and risk monitoring. It then looks at the Labour Party, recommends the adoption of quality brands as an employer and as an IT User. It ends by asking some basic questions about the impact of [the lack of IT Governance]. It challenges the secrecy and the commitment of the NEC to get this right and concludes the statement that there is a common body of knowledge that allows the effective management of IT & IT Risk. AS Liverpool Council have discovered, this can’t be made up. …

Privacy Regulation

I wrote a little piece on my linkedin blog on the EU Commission’s proposal to agree a data “adequacy” agreement. I point out the next set of hurdles, although I downplay the likelihood of any intervention by the CJEU but note that not was critical in striking down the original EU/US “Safe Harbour” agreement. I note that one threat to its renewal at the end of its four year live is the desire and plans of the British Govt to depart from the current legal protections which are based on the EU’s GDPR. For more, see overleaf or below. … …

Finance in the City

I made a blog on linkedin; a lot of money left the City on the 4th Jan, the first day of trading after the end of the UK’s brexit transition period. The article has a bit of explanation and a bit of prediction; more could follow and some of the market infrastructure companies and lawyers may need to do so too. While non European finance will likely remain in London, and provide both volume and gravity, the death of LIFFE showed that things can change.

Bloomberg are not so equanimous, and express their views in an article behind a “please pay us” splash screen; it’s a review of the leading merchant bank’s economists talking about the investment opportunities in the UK now that we have an idea of the new framework defining the terms of Trade. Many are neutral, the headline quotes the ‘bear’.

I am not sure, I suspect that the gravitational effect of world trade in non-Euro shares and the trade in currencies will maintain a critical mass giving the skills and infrastructure the reason to stay in London. What’s gone is gone but we need the Government to get on top of the negotiations on “equivalence”, which will determine the banks’ ability to serve both the EU market and EU citizens in the UK. …

Technical debt, depreciation and risk

I wrote and posted a piece on Technical Debt on my linkedin blog. Its post comment, based on the concluding paragraph says, “I look at “Technical Debt” in the context of IT budget planning and suggest that it is not such a useful concept. Using standard risk management analysis is a more effective means of planning a maintenance budget which should consist of funding for both error & risk remediation. Depreciation is a better financial model for the problem.”

There must be much written about the nature of depreciation from physical wear and tear, to the need and cost to replace due to increasing failure; perhaps I should look for some reading on how this applies to information systems. I question if software is an asset in terms of accounting theory, I suppose so because it has value in more than one accounting period, but can it be realised? I also question the value of placing a cash value on software in use, identifying its cost to acquire is potentially simple, its residual value is much harder and synchronising this change to a single corporate depreciation rule can be difficult.

Some things I considered writing about include the number of times while trying to clean up or rationalise corporate IT estates to be told that, “you’re not touching that!”. We used to joke that they’d lost the system which pays the board’s bonuses, but these systems were almost always obsolete and acted as a technology sink keep product in the portfolio that should have been abandoned. Recently I came across the phrase, fictional capital, these systems had an unknown value and the decision to leave them alone seemed based on a pessimistic and fictional view of their value. I sometimes suggested turning them off to see who squealed but this advice was never accepted.

Also it needs to be considered that the maintenance budget is a function of the size of the information systems portfolio and much of it is a fixed cost. If you don’t spend the money the systems stop and they do not vary with output. …

On DMCA takedown of youtube-dl

The EEF thought fit to comment on an RIAA DCMA takedown using §1201 of the DCMA aimed at a program called youtube-dl hosted on Github; I forwarded it via Facebook with a cryptic, acronym laden comment, and not surprisingly, some of my correspondents suggested I could have been more helpful and understandable. So I wrote an article on Linkedin, although much of it can be gained from the EFF article, however, this version includes a bit on oppressive economics of copyright maximalism, and a comment noting that Github have reposted the repo and revised their process to ensue their policies of supporting developers is fully considered when considering takedown notices. ...

Lightening never strikes twice

In my blogs on the Track & Trace failure [blog | linkedin], I make the throwaway comment that Govt. IT often fails repeatedly because no-one is accountable, nor punished and thus they fail to learn but in this case it’s not true; Dido Harding the CEO of the Track & Trace was CEO of Talk Talk when it was fined £ ½m for another data protection breach caused by another failure to in this case close down an application running on an out of date & unpatched version of MySQL, making it vulnerable to a SQL injection attack, one of the OWASP top 10 vulnerabilities. How unlucky can you get? …

There’s no divorce in Bitcoin

I attended a presentation hosted by the BCS, and given by Ron Ballard, based on his article in IT Now, “Blockchain: the facts and the fiction”. What he said inspired some thoughts and reminded me of others, some of which I have previously published on my blog. I wrote an article, called Learnings of Bitcoin, which was meant to be a spoof on the Borat film title and posted it on my linkedin blog, The article looks at the tight coupling of Bitcoin, and its consensus mechanism, the proof of work, together with its costs and vulnerabilities. It examines the goal of eliminating trust authorities and its questionable ability to meet the necessary roles of money as a means of exchange and a store of wealth. In the comment pushing it, I say, "This might be a bit basic for some, but you can't have a coinless immutable blockchain, at least not one based on 'proof of work'.", at which point you need to consider if there are better data storage platforms for your use case. I use more words to explore these issues below/overleaf ....

On Record Management

As part of my series on devising systems to create logs to protect an organisation and its staff against charges of criminality, I posted an article on my linkedin blog called “Doing Record Management well”. It doesn’t surprise me that there is an ISO Standard (ISO 15489) on the subject, but it does surprise me that I hadn’t heard of it until I started to research some of the articles in this series.

I have a research note on my wiki, which links to the Bank of England policy and also quotes Deutsche Bank’s policy, which is available because they post it on internet. I quote it here,

Deutsche Bank’s code of conduct, see page 25, says, among other things,

“Maintaining accurate books and records is fundamental to meeting our legal, regulatory and business requirements. You are responsible for maintaining accurate and complete records and for complying with all the controls and policies our bank has in place. You should never falsify any book, record or account that relates to the business of our bank, its customers, employees (including your own activities within our bank) or suppliers. You must never dispose of records or information that may be relevant to pending or threatened litigation or a regulatory proceeding unless you are authorised to do so by the Legal Department. You must also comply with applicable record retention policies.”
DB Code of Conduct

…