The heads of several public-sector organisations, but none from central government, have signed a promise to protect personal information.
Richard Thomas, the information commissioner, launched the 10-point Personal Information Promise on 28 January, 2009. Those signing have pledged to "go further than just the letter of the law" in handling personal data, minimise the range and duration of data retention, train staff in its handling and treat its misuse as a disciplinary matter.
Several public-sector bosses have signed the promise, including Gwyn Thomas, chief executive of Welsh NHS IT body Informing Healthcare, Tim Straugham, chief executive of the English NHS Information Centre, Peter Fahy, the chief constable of Greater Manchester Police, and Tom Hartley, the lord mayor of Belfast City Council.
But the ICO confirmed a claim by campaign group No2ID that no minister or head of a central government department had signed so far. This was despite justice minister Jack Straw and the permanent secretaries of the Home Office and the Department for Work and Pensions being among those invited to sign at the launch, according to a statement released by the ICO under a Freedom of Information request.
"I urge leaders across government, the public, private and third sectors to take a positive attitude to data protection," said Thomas. "Protecting people's personal details should not be left to chance. I urge all CEOs and their executive teams to take personal responsibility for treating data protection as a corporate governance issue affecting the whole organisation."
Companies signing included British Telecom, British Gas, Royal Mail, T-Mobile, Vodafone and the three credit-reference agencies: Callcredit, Equifax and Experian.






Talkback
Why would our glorious leaders sign this when they are busy trying to absolve themselves of any responsibility for the security of their existing data while simultaneously collecting more and more about us and smashing up the only legal protections we used to have by opting out of the Data Protection Act?
We can help the heads of these departments make this commitment by showing them how the right mix of technological solutions provides proof that they really do have control of their environments. For example, if their networks are being patched - how do they really know that the patches have been applied and are still in place?
A comprehensive vulnerability management solution will help build the confidence to enable them to sign.
It provides the organisation with:
* Thorough and accurate discovery of network assets using both network and agent-based scans of all resources
* Automatic deployment of agents to unmanaged and rogue machines to ensure no network coverage gaps
* Comprehensive and accurate threat assessment with database of over thousands of non-patch vulnerabilities, flexible scanning techniques based on access levels and mandatory baseline policy establishment
* Patented vulnerability remediation with automatic health monitoring and status through digital fingerprint technology, a vast repository of over 15,000 patches that covers all major applications and operating systems, and enforcement of mandatory baselines
* Validation of compliance with security policies through continuous monitoring of nodes and through a full range of operational and management reports to track vulnerability assessment and remediation results
* Consolidation of security management resources with unified view and architecture
.. a sales pitch to me.
So come on fella, what are you selling here?
Sheer frustration in reading the ongoing stories that companies and governments continue to suffer from malware and virus outbreaks that conclude - if only they had patched their systems. AND if they have patched them that they remain patched. There are straightforward solutions in the market today that address this issue - the point is people are too busy to implement them until one day they get affected and then they are too busy cleaning up.
For the overstretched IT Manager, a pro-active approach that finds the vulnerabilities and automatically remediates provides confidence across the management team that the organisation has taken steps to mitigate risk - which goes a long way to asserting control of their IT environment.