Digital defence – Data security survey

Categories: Court and tribunal reform, Crime, Digital services

On 28 July 2016 at the National Digital Practitioners’ Working Group we presented a session that sought the views of defence practitioners in relation to two-factor (strong) authentication. An example of this is that when you log into the Common Platform system using your username and password, you are required to provide a further passcode, which is delivered to an app on your smartphone. The presentation is below.

IdAM - Strong Authentication Presentation

We confirmed it will be possible to implement a higher level of security assurance for practitioners accessing the Common Platform from a court building. This will reduce the need to use the two-factor authentication process.
The custom-built mobile phone application to facilitate two-factor authentication will need to work on all smartphone devices that are currently being used by defence practitioners. As such, if you are a member of the defence practitioner community, we need to find out which devices you and your staff are using - please complete this survey.

During the session practitioners also made the following comments:

  • Practitioners’ preference was for two-factor authentication to be available on a device that is already in their possession. They would be against needing to carry another physical item or token.
  • Not all court houses have a reliable signal, so the solution would need to work without reliance on a mobile signal.
  • At the moment everyone in an organisation has access to papers/cases; they aren’t locked down, but there is a professional obligation to keep them confidential. This should be the rationale that is applied on the Common Platform.
  • Any solution needs to be user friendly and proportionate. An example of information that would benefit from two-factor authentication was video interviews of vulnerable witnesses.

We also identified further questions on which we would like your input. These include:

  1. What should be deemed to be sensitive?
  2. How often should second factor authentication be used?
  3. How long does a session last for?
  4. What will cause a session to time out?
  5. What does it apply to?
  6. Is it applied to cases or specific items of data?

On 25 August 2016 at the National Digital Practitioners’ Working Group we presented a session on the importance of security and how the Common Platform will address the questions above. The session encouraged attendees to provide ideas of the appropriate security to be applied to the data held within the Common Platform. The presentation is below.

CPP Security Update - Defence Practitioners Presentation

Defence practitioner involvement is needed in this work, alongside the other agencies in the Criminal Justice System. We’ve been able to secure the involvement of practitioners, the Law Society and the Bar Council. This blog will be used to keep you updated on the progress of the work and the decision points, and provides you with an opportunity to be part of the solution that is developed for the Common Platform.

If you have any questions or comments in relation to the presentations, please use the comments section below or contact me directly by email.

Digital defence – Data security survey

On 28 July 2016 at the National Digital Practitioners’ Working Group, we presented a session that sought the views of defence practitioners in relation to two-factor (strong) authentication. An example of this is that when you log in to the Common Platform system using your username and password, you are required to provide an additional passcode, which is then sent to an app on your smartphone. See the presentation below.

IdAM - Strong Authentication Presentation

It was confirmed that it will be possible to implement a higher level of security assurance for practitioners logging in to the Common Platform system from a court building. This will reduce the need to use the two-factor authentication process. The custom-built mobile phone application will need to facilitate the two-factor authentication process on every smartphone device currently used by defence practitioners. As such, if you are a member of the defence practitioner community, we need to know which devices you and your staff are using – please complete this survey.

During the session, the practitioners also made the following comments:

  • The practitioners would prefer to have the two-factor authentication process on the device that is already in their possession. They would be against having to carry another physical item or token.
  • Not every court has a reliable signal, so the solution would need to work without having to rely on a mobile phone signal.
  • Everyone in an organisation currently has access to papers/cases; they are not locked down, but there is a professional obligation to keep them confidential. This should be the rationale that is applied on the Common Platform.
  • Any solution needs to be easy to use and proportionate. An example of information that would benefit from the two-factor authentication process was video interviews of vulnerable witnesses.

We have also identified further questions on which we would like your views. These include:

  1. What should be considered sensitive?
  2. How often should the two-factor authentication process be used?
  3. How long do sessions last?
  4. What would cause a session to end?
  5. What does it apply to?
  6. Does it apply to cases or to specific items of data?

On 25 August 2016 at the National Digital Practitioners’ Working Group, we presented a session on the importance of security and how the Common Platform programme will address the questions above. The session encouraged attendees to provide ideas on which appropriate security measures should be introduced in relation to the data held within the Common Platform. See the presentation below.

CPP Security Update - Defence Practitioners Presentation

We need defence practitioners to be involved in this work, alongside other agencies in the Criminal Justice System. We have succeeded in securing the contribution of practitioners, the Law Society and the Bar Council. This blog will be used to give you the latest information on the progress of the work and the key points, and it will give you the opportunity to be part of the solution developed for the Common Platform.

If you have any questions or comments in relation to the presentations, please use the comments section below or contact me directly by email.

