I had a fascinating conversation with a group of information security professionals yesterday. We were talking around the issues of data leakage and covered a wide variety of subjects from accidental leakage to deliberate theft, from human frailties to ISO27001 standards, from the challenges of ensuring users find it easy to get the information they need to the issue of blocking unauthorised access and implementing layers of security, and so on. To be honest, we could have debated for days rather than an hour and a half.
During the conversation, there was one moment that really surprised me.
One of the banks had been severely beaten up by the UK’s regulator, the Financial Services Authority (FSA), over their lackadaisical approach to data security. As a result, this firm has really tightened up their policies. They don't allow any laptops or systems on or off the premises without security checks, all PCs and laptops have their USB ports blocked to stop any data leakage through memory sticks, and all email is sent using secure servers and high levels of encryption.
The email systems they use, in fact, are based upon PGPU, the PGP Universal Gateway. If you're not familiar with PGPU, here's the write-up from their website:
"Unprotected email poses a critical risk to an enterprise’s most sensitive data: customer information, financial data, trade secrets, and other proprietary information. Exposure of this information can result in financial loss, legal ramifications, and brand damage. PGP Universal Gateway Email provides centrally managed, standards-based email encryption to secure email communications with customers and partners. By encrypting data at the gateway, PGP Universal Gateway Email ensures data is protected from unauthorized access in transit over the public Internet and at rest on a recipient’s mail server. With PGP Universal Gateway Email, organizations can minimize the risk of a data breach and comply with partner and regulatory mandates for information security and privacy."
Excellent.
After all, the biggest exposure for data loss is surely as you move files of information around between organisations?
Trouble is that the FSA cannot receive PGPU emails because their systems aren't up-to-date enough to allow such emails through their internal mail servers.
So the bank set up a bank-hosted secure server which could hold their FSA-directed emails. The idea being that FSA staff could access the bank’s server to download emails. However, that didn't work because the FSA's firewall blocked staff from accessing the bank's secure server!
I thought this couldn't be true, but the story was backed up by other banks in the room who use PGPU encrypted email systems.
In other words, the FSA beats up these banks about their tardy internal data security standards, so the banks overhaul everything to conform and kowtow, only to find they can't tell the FSA about what they've done because the FSA is unable to communicate with their newly secure bank servers.
Smacks a bit of regulatory hypocrisy if you ask me. Mind you, with so many data leaks from government departments, is it that surprising?
Maybe the FSA should give themselves a fine.
Chris M Skinner
Chris Skinner is best known as an independent commentator on the financial markets through his blog, TheFinanser.com, as author of the bestselling book Digital Bank, and Chair of the European networking forum the Financial Services Club. He has been voted one of the most influential people in banking by The Financial Brand (as well as one of the best blogs), a FinTech Titan (Next Bank), one of the Fintech Leaders you need to follow (City AM, Deluxe and Jax Finance), as well as one of the Top 40 most influential people in financial technology by the Wall Street Journal's Financial News.