In the comments at Charlie Stross’s blog, a horrible detail about the latest misbegotten monster database. It seems that you can be employed in “controlled”, as opposed to “regulated”, activities even if you are on the Independent Safeguarding Authority’s list of kiddy-fiddlers, so long as “safeguards” are in place. What are “controlled” activities?
• Frequent or intensive support work in general health settings, the NHS and further education. (Such work includes cleaners, caretakers, shop workers, catering staff, car park attendants and receptionists.)
• Individuals working for specified organisations (e.g. a local authority) who have frequent access to sensitive records about children and vulnerable adults.
• Support work in adult social care settings. (Such jobs include day centre cleaners and those with access to social care records)
What are “safeguards”? It doesn’t say. This has a real smell of disaster to it; a nasty XV230 ring. If you depend on the observation of rules for your safety, you therefore make the exceptions to the rules highly critical. There will always be exceptions; as Bruce Schneier tirelessly points out, this is why things like discretion, response, and audit are as important as, if not more important than, locks and alarms. But there is no mention in this document of what “safeguards” are, what “sufficient” ones might be, or how they intend to guarantee that the safeguards are, in fact, sufficient.
This is really quite dangerous, and probably makes the ISA a net security reduction.
The XV230 accident occurred in part because the RAF traditionally relied on the responsibility of senior engineers, who were in a different chain of command to the operational units, to certify its aircraft as airworthy, rather than on a set of formal requirements as the CAA does. In a sense, it was a system in which everything was an exception that had to be signed off by an engineer. This wasn’t necessarily disastrous – the railways worked like this pre-Railtrack, relying on the engineers who were individually responsible for each section of track or signalling rather than having a central asset register.
Over time, however, this had been eroded; it was no longer true that the engineering unit which signed off the Nimrods as airworthy was always headed by an engineer, for example, nor were they as senior as they had been. This meant they were both less technically aware and less able to resist pressure from the operational chain of command to keep ’em flying no matter what.
Now, if I read it right, the ISA is suggesting that the same organisation that chooses to hire someone despite their coming up database-positive would be responsible for the “safeguards”. The advantage of separate lines of responsibility is lost. Worse, the inevitable dominance of false positive over true positive results means that this procedure will inevitably be used a lot. It’s already started…
Much less seriously, what on earth is this agency doing with a domain name like “isa-gov.org.uk”? It seems to be pretending to have a .gov.uk domain; I can’t imagine why it shouldn’t. But this looks more like a phishing site than a real one. It seems spammy; I wouldn’t send it confidential information without checking the WHOIS record. Hold on…
Domain name:
    isa-gov.org.uk

Registrant:
    Andrew Henning

Registrant type:
    UK Limited Company, (Company number: 3420895)

Registrant’s address:
    Quay House
    The Quay
    Poole
    Dorset
    BH15 1HA
    United Kingdom

Registrar:
    GX Networks Ltd t/a 123-Reg.co.uk [Tag = 123-REG]
    URL: http://www.123-reg.co.uk

Relevant dates:
    Registered on: 22-Aug-2007
    Renewal date: 22-Aug-2009

Registration status:
    Registered until renewal date.

Name servers:
    ns.123-reg.co.uk
    ns2.123-reg.co.uk

WHOIS lookup made at 15:03:14 26-Jul-2009
Is that it? Fortunately, they don’t seem to be trying to get people to submit reports directly to the Web site, which would have been almost criminally insecure as there is no SSL anywhere on it.
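As an added illustration (not code from the original post), the WHOIS check described above can be scripted: parse the label/value layout of the reply and list the reasons a government-looking name deserves suspicion. The function names, the trimmed sample and the "company registrant" heuristic are assumptions made for this example.

```python
import re

# Trimmed copy of the WHOIS reply quoted in the post: an unindented "Label:"
# line followed by indented value lines.
SAMPLE_WHOIS = """\
Domain name:
    isa-gov.org.uk

Registrant type:
    UK Limited Company, (Company number: 3420895)

Name servers:
    ns.123-reg.co.uk
    ns2.123-reg.co.uk
"""

def parse_whois(text):
    """Group indented value lines under the preceding unindented 'Label:' line."""
    fields, label = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace() and line.rstrip().endswith(":"):
            label = line.strip()[:-1].lower()
            fields[label] = []
        elif label is not None:
            fields[label].append(line.strip())
    return fields

def review(fields, official_suffix=".gov.uk"):
    """Return reasons to distrust a domain that presents itself as governmental."""
    domain = fields["domain name"][0].lower().rstrip(".")
    findings = []
    if not domain.endswith(official_suffix):
        findings.append("not under " + official_suffix)
        # "gov" appearing as a dot- or hyphen-separated token outside that suffix
        if "gov" in re.split(r"[.-]", domain):
            findings.append("'gov' token in a non-government domain")
    # Assumed heuristic: a public body would not register as a limited company.
    if "company" in " ".join(fields.get("registrant type", [])).lower():
        findings.append("registrant is a company, not a public body")
    return findings

if __name__ == "__main__":
    for reason in review(parse_whois(SAMPLE_WHOIS)):
        print("WARN:", reason)
```
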