§ Miss Emma Nicholson To ask the Secretary of State for Social Security (1) how many instances have been detected in his Department of computer (a) hacking, (b) viruses, (c) logic bombs, (d) Trojan horses or (e) other types of computer misuse, whether perpetrated by authorised or unauthorised users of computers; and how many unsuccessful attempts have been recorded;
(2) if, in the light of his Department's computerisation, he will place in the Library a copy of the advice issued by his Department to the staff of regional and local social security officers on the threat of computer hacking;
(3) if he will make a statement on all recorded cases of unauthorised access to his Department's computer files;
(4) what measures his Department has taken to protect data in transit by electronic means;
(5) if he will give details of his Department's policy on review of the security of its computer files;
(6) if he can quantify the risk of damage by hackers to sensitive computerised files in his Department;
(7) whether staff are briefed about computer hacking and computer viruses; whether there are contingency plans to deal with computer downtime caused by unauthorised penetration; and what plans exist to deal with penetration of particularly sensitive systems.
§ Mr. Peter Lloyd I refer my hon. Friend to my reply to the hon. Member for Roxburgh and Berwickshire (Mr. Kirkwood) on 15 December 1988 at columns 693–4.
In addition the following points may be of interest.
The Department's policy is to keep the security of its computer systems under continuous review to ensure the integrity, availability and confidentiality of these data and that the requirements of the Data Protection Act are met.
The Department takes advice from the appropriate Government authorities on security matters. In the case of sensitive data held on computers or transmitted by electronic means this includes the IT security and privacy group of the Central Computer and Telecommunications Agency. This advice is incorporated in the Department's formal computer security standards, which apply to all its computer systems. These standards include requirements for risk assessment, countermeasures, incident investigation and contingency planning. Staff who use computers are given appropriate security instruction. In the interests of security it would not be sensible to publish details of the security standards and procedures or of the training given in their use.
It is not the Government's policy to publish details and circumstances of computer security incidents, their perpetrators and their success or failure. Such information would be of assistance to potential attackers.