HC Deb 15 December 1988 vol 143 cc695-6W
Mr. Kirkwood

To ask the Secretary of State for Social Security (1) if he will list in the Official Report the types of intrusion he is trying to prohibit in designing his departmental computer security systems;

(2) what steps are being taken to protect departmental computer systems against theft of data, malicious damage or illegal tampering with data;

(3) whether encryption techniques are being employed in his departmental security systems;

(4) what plans he has to deal with the safety of back-up storage facilities for computer data in his departmental security systems;

(5) what plans he has to control access to information held in individual files in his departmental computer systems;

(6) whether his computer security system will restrict access to the originator of the data;

(7) what recovery procedures are available to a security supervisor of his departmental computer system when passwords are forgotten;

(8) if there is any system for monitoring terminal usage in his departmental computer system;

(9) what procedures exist to remove protection in particular files to make computer data available for general release;

(10) whether the Department's security system includes physical devices such as keys to protect computer data.

Mr. Peter Lloyd

The Department has a large number of information technology systems in use and a wide range of measures are provided to safeguard them. Most of the existing computer systems are batch-processing systems, which are not susceptible to many of the threats of on-line systems. However, the Department has now begun to implement its operational strategy, a major programme of computerisation which will provide on-line services for all social security offices. In devising the strategy, we have taken great care to ensure the security of the system.

Entry to a system will be limited to those terminals which have authorised access to the system. The use of terminals will be carefully monitored. External users are unable to dial directly into a system. A dial-back facility will be imposed which ensures that only authorised external users are allowed entry.

Access to a system is limited to authorised users by means of passwords and personal identification devices. Passwords are changed regularly and whenever a password is compromised or forgotten the individual must be re-introduced to the system by an authorised officer.

Most computer data files record the personal details of individuals. These records are treated confidentially and are not available for general release. Access to data will be controlled by a system of access permissions which will ensure that officers address only those data needed to perform their work. All transactions will be audited to enable management to monitor access to data and to ensure attempted breaches of security are recognised and reported. Where appropriate, data will be encrypted. Back-up copies of data will be held separately and securely for all systems.
