Should Gardai have permission to use their own personal laptops ?

mconigol · 05-03-2013 09:16AM

Rasheed wrote: »

I know at work, in a hospital, there's no way we can use personal laptops for anything to do with work. If we have to, for some particular reason, no names, dates of birth, addresses etc can be used. And to be fair, whilst healthcare information is very private and sensitive, it not in the same level as the as what a Garda might have.

Bit contradictory no?

SB2013 · 05-03-2013 10:02AM

It's probably worth pointing out what Gardaí were using their laptops for. They were mostly being used to play cctv footage for analysis or in interviews from a disk or memory key. When they were used for typing stuff up it was generally saved to a memory key and transferred to a computer which could print it. I'm not aware of anyone that was stupid enough to store stuff on their laptop. The issue of memory keys is a different matter. Members will no longer be using personal ones to transfer files between computers (not all computers are attached to a printer or an email system) and backup their files. This will cause a major headache. So your concern about data protection is unnecessary for the most part.

monkeypants · 05-03-2013 10:19AM

SB2013 wrote: »

play cctv footage for analysis or in interviews from a disk or memory key.

And were these laptops, discs and USB keys encrypted and regularly scanned for security threats?

SB2013 wrote: »

When they were used for typing stuff up it was generally saved to a memory key and transferred to a computer which could print it.

Were these memory keys examined and declared safe before they were connected to the Garda network?

SB2013 wrote: »

I'm not aware of anyone that was stupid enough to store stuff on their laptop.

Fair enough, but is the entire force compliant?

SB2013 wrote: »

Members will no longer be using personal ones to transfer files between computers (not all computers are attached to a printer or an email system) and backup their files.

Personal USB keys should not be used. Only ones that have been purchased, verified and controlled by the Gardai. Should also be encrypted and their use logged.

SB2013 wrote: »

So your concern about data protection is unnecessary for the most part.

From what I've read in this thread so far, I have security and data protection concerns if members of the force are using their own laptops and USB keys without any measures in place.

Capt'n Midnight · 05-03-2013 11:09AM

To give an idea of how likely a laptop is to be compromised the open market price for complete control of 1,000 infected PC's in the UK is just 8c each.

Not sure if they localise to ROI , since many of our ISP's are UK owned and route through the UK but close enough since a couple of grand is almost certain to get you one used by PC Plod / Guarda Murphy.

When (not if) there is a data leak the financial and reputation cost will exceed any benefit. The only Guards who should be allowed use their own IT equipment are those clued up enough to know why this is a very, very bad idea and know that at the very least it's their job and pension on the line if they screw up.

As for the definition of "their own IT gear" , if anyone else has physical access to it then it's no longer their IT gear. Ditto for opening email with attachment and surfing the web.

http://www.theregister.co.uk/2013/03/04/botnet_price_list/

Botnets with drones solely located in Canada, Germany and Great Britain cost $80 per 1,000. Prices for top-of-the-line US machines start at 1,000 zombies for $120. By contrast machines located nowhere specifically cost almost five times less.

SB2013 · 05-03-2013 11:11AM

monkeypants wrote: »

And were these laptops, discs and USB keys encrypted and regularly scanned for security threats?

No. But a copy of cctv wouldn't be anyway as it would be provided by whoever owned the cctv camera.

monkeypants wrote: »

Were these memory keys examined and declared safe before they were connected to the Garda network?

Doubtful. But the network itself is internal and encrypted.

monkeypants wrote: »

Fair enough, but is the entire force compliant?

Isn't that a concern with any data protection regime?

monkeypants wrote: »

Personal USB keys should not be used. Only ones that have been purchased, verified and controlled by the Gardai. Should also be encrypted and their use logged.

You won't find any arguments against that but Gardaí can't do that on their own. It has to be provided by management.

monkeypants wrote: »

From what I've read in this thread so far, I have security and data protection concerns if members of the force are using their own laptops and USB keys without any measures in place.

You should be happy with the industrial action so as it is no longer a concern.

Rasheed · 05-03-2013 11:19AM

mconigol wrote: »

Bit contradictory no?

Sorry, I should have explained further. Sometimes I might have to present a case to the multidisciplinary team about a certain patient. If I haven't time to do it at work, I'll do it at home on my laptop and email in. If that happens, we're forbidden from using any identifying factors such as name, DOB, address, hospital number because its outside the protection of the hospital computers. That's my experience of it anyway!

Phill Ewinn · 05-03-2013 11:22AM

Chemical Burn wrote: »

I can (and have to) use my own. Yes, it's easier, more familiarity, so less excuse for cock ups. Save tax payer a bitta dosh too. There should be a Universal Garda server though onto which all work related data must be saved (and only saved onto this).

Thatscrazy. Format the bloody thing or burn it. Have some sense please.

Dravokivich · 05-03-2013 11:28AM

For fúck sake, you can do the same scare mongering for anyone who uses anything with network capabilities or that's easily mobile.

Back to the pidgeons and short hand script lads. Anyone got any old enigma machines with custom encryption lying about?

HondaSami · 05-03-2013 11:44AM

Xenophile wrote: »

Should Gardaí have permission to use their own personal laptops in the course of their duty ?

Yes of course, how else will they get anything done, it is their own laptop nothing to do with AGS data, it's not linked.
The use their own phone to take pictures of incidents all the time.

monkeypants · 05-03-2013 12:00PM

SB2013 wrote: »

No. But a copy of cctv wouldn't be anyway as it would be provided by whoever owned the cctv camera.

And how does the Guard who inserts the disc or USB key with the footage know that the footage is the only thing on there?

SB2013 wrote: »

Doubtful. But the network itself is internal and encrypted.

But what happens once the USB key is removed from the network connected PC? I assume that it's unencrypted and the data can be read by anyone. There's no control over what's coming in and what's going out.

SB2013 wrote: »

Isn't that a concern with any data protection regime?

Absolutely. However, I can prove that all 80+ machines used by my staff are patched to the latest OS level, all local databases are encrypted, antivirus and firewall are in place and the hard disk is encrypted. If someone makes a local copy of a database and doesn't encrypt it, their machine will be scanned the following day and I'll get notified.

I don't have a way of preventing people from using their personal USB keys, but I see people using them or connecting their phones, I tell them to disconnect them. I have a controlled USB key that I can share if it's absolutely required. Most things can be shared over the network. Later this year I expect measures to be brought in to prevent that.

Can the environment be compromised? Probably, but not easily.

SB2013 wrote: »

You won't find any arguments against that but Gardaí can't do that on their own. It has to be provided by management.

Agreed.

SB2013 wrote: »

You should be happy with the industrial action so as it is no longer a concern.

Not really. If the Gardai need equipment to do their job effectively, then it should be provided to them. The same as I do for my staff. Do I have to make a business case to get funding sometimes? Yes, but that's the game.

MadsL · 05-03-2013 10:39PM

monkeypants wrote: »

I don't have a way of preventing people from using their personal USB keys, but I see people using them or connecting their phones, I tell them to disconnect them.

Why not disable USB use at the network level? It can be done at Group Policy level I believe.

Zer0 · 06-03-2013 10:36AM

No, you should always keep your professional life and personal life separated, especially if it's in this line of work. I could understand if it was a different line of work, one that isn't related to sensitive data, court cases, interviews etc etc.. you could use your own gear then. But in a line of work where confidentiality and data safety is a concern then no, I don't think it'd be wise.

monkeypants · 07-03-2013 09:45AM

MadsL wrote: »

Why not disable USB use at the network level? It can be done at Group Policy level I believe.

Because every now and again, a USB key is necessary. It depends on the data being moved though.

Teyla Emmagan · 07-03-2013 10:24AM

No. Like would happen in any other organisation with a decent information security policy.

Dravokivich · 07-03-2013 10:25AM

monkeypants wrote: »

Because every now and again, a USB key is necessary. It depends on the data being moved though.

Measures can be implemented for data to be encyrpted, with tools such as Truecrypt. It makes it very easy to do, not so much to undo.

Grayson · 07-03-2013 10:59AM

There have been multiple examples in the UK of data being lost on unencrypted devices.

I personally wouldn't allow anything access to the network except authorised machines. And those machines would all be granted by the Garda IT department. They'd have the best protection money can buy. Those machines have to have encrypted drives, and on the very rare occasions that information has to be taken on a USB key, it should only be placed on a hardware encrypted device by an authorised person. And that information should never be allowed be taken home or anything like that. If a Garda needs to work from home he does so using a garda laptop on a VPN.

Even encryption isn't safe now, but simply put, you have to enforce this basic leven of security.

I'm not a hacker, but give me 5 minutes access to one of their personal laptops and I'll give you everything they ever did or ever will do on that laptop. Even without direct access, it's not that hard to get remote access.

monkeypants · 07-03-2013 11:28AM

Dravokivich wrote: »

Measures can be implemented for data to be encyrpted, with tools such as Truecrypt. It makes it very easy to do, not so much to undo.

I have PGP installed on all my staff machines, plus on the USB key that I occasionally use. There's nothing customer related on the USB key anyway. There's a whole new level of pain associated with going down that route.

Should Gardai have permission to use their own personal laptops ?

Comments