

Impressive display of security clue from the Student Loans Company

5th Feb 2009 | 13:45

The Student Loans Company's executive management board minutes from a meeting just over a year ago say the following in section 6, "Update on data security processes":

RSJ provided an update on Data Security and advised that information which was being received from external sources confirmed that the transfer of data on removable media devices was now unacceptable. He stated that there was a need to consult with HEIs as to the method of transferring Attendance Confirmation Reports as SLC now had PGP encryption software available which could replace the previous method of transferring the data via CDs. He also stated that the PGP software which SLC were using should be checked to ensure that it was on the US Government list of standard encryption as HEIs are only permitted to use PGP software from this list.

Not shipping media is good. Using end-to-end encryption is good. (Unlike the banks, which seem to like SMTP over TLS. Between mail domains that is opportunistic, hop-by-hop encryption: it is normally unauthenticated, an active attacker on the path can strip the STARTTLS offer, and every relay along the way still handles the plaintext, so it provides no additional security for inter-domain communication.) I wonder why the choice of PGP instead of S/MIME - I believe that PGP usually requires an add-on whereas S/MIME is often built in to MUAs. Perhaps they've been nobbled by a vendor.
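The hop-by-hop point above, as an added example that is not part of the original post: a small Python script that walks the Received: chain of a message and reports which hops the relays claim were made over TLS (the ESMTPS/ESMTPSA "with" keywords), and which hosts handled the plaintext regardless. The sample message, hostnames and queue IDs are constructed for this example, and the parsing is deliberately conservative: each Received: line is written by the relay that added it, so anything beyond the hop you control is self-reported.

```python
"""Audit the Received: chain of a message for per-hop TLS.

Two things the audit makes visible:
  * transport TLS is hop-by-hop: even if every hop reports TLS, every
    relay on the path still had the plaintext, so this is not
    end-to-end confidentiality;
  * each Received: header is written by the relay that added it, so
    hops beyond the first one you control are self-reported.
"""
from __future__ import annotations

import re
from email import message_from_string

# Constructed sample message (not from the original post): the message
# went user-pc -> relay.example.net -> mx1.example.ac.uk -> mail.example.org.
# Headers are listed newest-first, as MTAs prepend them.
SAMPLE = """\
Received: from mx1.example.ac.uk (mx1.example.ac.uk [192.0.2.10])
\tby mail.example.org with ESMTPS id abc123
\t(version=TLS1 cipher=AES128-SHA bits=128);
\tThu, 5 Feb 2009 13:40:01 +0000
Received: from relay.example.net (relay.example.net [198.51.100.7])
\tby mx1.example.ac.uk with ESMTP id def456;
\tThu, 5 Feb 2009 13:39:58 +0000
Received: from user-pc (unknown [203.0.113.5])
\tby relay.example.net with ESMTPSA id ghi789;
\tThu, 5 Feb 2009 13:39:55 +0000
From: someone@example.net
To: someone@example.org
Subject: attendance confirmation report

plaintext body
"""

# Same chain, but with the middle hop also claiming TLS.
ALL_TLS = SAMPLE.replace("with ESMTP id", "with ESMTPS id")

# "from <host> ... by <host> ... with <protocol>" as per RFC 5321 trace fields.
HOP_RE = re.compile(
    r"from\s+(?P<from>\S+).*?\bby\s+(?P<by>\S+).*?\bwith\s+(?P<proto>[A-Za-z0-9]+)",
    re.IGNORECASE,
)
# Registered WITH keywords that mean TLS was used on that hop
# (ESMTPS, ESMTPSA, LMTPS, UTF8SMTPS, ...; RFC 3848 / RFC 6531).
TLS_RE = re.compile(r"(UTF8)?(E?SMTP|LMTP)SA?")


def parse_hops(raw_message: str) -> list[dict]:
    """Return the hops oldest-first as dicts with from/by/proto/tls."""
    msg = message_from_string(raw_message)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        flat = " ".join(value.split())  # unfold the header
        m = HOP_RE.search(flat)
        if not m:
            continue  # a hop we cannot parse earns no trust either way
        proto = m.group("proto").upper()
        hops.append({
            "from": m.group("from"),
            "by": m.group("by"),
            "proto": proto,
            "tls": bool(TLS_RE.fullmatch(proto)),
        })
    return hops


def cleartext_hops(raw_message: str) -> list[str]:
    """Hops whose receiving relay did not record a TLS protocol keyword."""
    return [f"{h['from']} -> {h['by']}" for h in parse_hops(raw_message) if not h["tls"]]


def all_hops_tls(raw_message: str) -> bool:
    """True only if every parsed hop claims TLS (a claim, not a proof)."""
    hops = parse_hops(raw_message)
    return bool(hops) and all(h["tls"] for h in hops)


def relays_with_plaintext_access(raw_message: str) -> list[str]:
    """Every receiving host saw the plaintext, TLS or not: that is the
    difference between transport encryption and end-to-end encryption."""
    return [h["by"] for h in parse_hops(raw_message)]


if __name__ == "__main__":
    for label, msg in (("sample", SAMPLE), ("all-TLS", ALL_TLS)):
        print(f"{label}: cleartext hops = {cleartext_hops(msg)}")
        print(f"{label}: all hops TLS = {all_hops_tls(msg)}")
        print(f"{label}: relays that handled plaintext = {relays_with_plaintext_access(msg)}")
```

On the constructed sample the middle hop (relay.example.net to mx1.example.ac.uk) is in the clear; on the all-TLS variant no hop is, yet the same three relays still handled the plaintext. Only content encryption such as PGP or S/MIME changes that second list.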


Comments (5)

The Uitlander

from: uitlander
date: 5th Feb 2009 14:06 (UTC)

I saw the PGP thing come through on a mailing list this morning. Now, does this mean that we will need to provide PGP to the University?


Tony Finch

from: fanf
date: 5th Feb 2009 14:09 (UTC)

This should only affect a few staff in the Old Schools, if I understand correctly.


(Deleted comment)


from: bellinghwoman
date: 5th Feb 2009 16:03 (UTC)

Depends if Attendance Confirmation Reports are submitted by the individual Colleges or not - I believe I'm right in thinking (although I can't be certain) that each College has its own relationship with the SLC. If ACRs are submitted by the Colleges, MISD wouldn't be involved; if they are submitted by PRAO or SRS they might be.


Simon Tatham

from: simont
date: 5th Feb 2009 16:22 (UTC)

I'm idly wondering why UK higher education institutions are constrained to use crypto from the US government's standard list. I mean, it'd make sense to use such products when talking to US institutions, fair enough, but for domestic use surely they ought to be able to use their own judgment?


Tony Finch

from: fanf
date: 5th Feb 2009 16:26 (UTC)

The context is communication with the SLC. It looks to me like they have sensibly decided to follow someone else's security standards for encrypted email, rather than drawing up their own. The requirements only apply to the very small number of University or college staff who need to send attendance confirmation reports to the SLC.
