[personal profile] fanf

The Student Loan Company executive management board minutes from a meeting just over a year ago say the following in section 6, "update on data security processes":

RSJ provided an update on Data Security and advised that information which was being received from external sources confirmed that the transfer of data on removable media devices was now unacceptable. He stated that there was a need to consult with HEI’s as to the method of transferring Attendance Confirmation Reports as SLC now had PGP encryption software available which could replace the previous method of transferring the data via CD’s. He also stated that the PGP software which SLC were using should be checked to ensure that it was on the US Government list of standard encryption as HEI’s are only permitted to use PGP software from this list.

Not shipping media is good. Using end-to-end encryption is good. (Unlike banks which seem to like SMTP over TLS, which provides no additional security for inter-domain communication.) I wonder why the choice of PGP instead of S/MIME - I believe that PGP usually requires an add-on whereas S/MIME is often built in to MUAs. Perhaps they've been nobbled by a vendor.

Date: 2009-02-05 14:06 (UTC)
From: [personal profile] uitlander
I saw the PGP thing come through on a mailing list this morning. Now, does this mean that we will need to provide PGP to the University?

Date: 2009-02-05 14:21 (UTC)
From: [identity profile] hilarityallen.livejournal.com
Which might make it MISD's problem.

Date: 2009-02-05 16:03 (UTC)
From: [identity profile] bellinghwoman.livejournal.com
Depends if Attendance Confirmation Reports are submitted by the individual Colleges or not - I believe I'm right in thinking (although I can't be certain) that each College has its own relationship with the SLC. If ACRs are submitted by the Colleges, MISD wouldn't be involved; if they are submitted by PRAO or SRS they might be.

Date: 2009-02-05 16:22 (UTC)
From: [personal profile] simont
I'm idly wondering why UK higher education institutions are constrained to use crypto from the US government's standard list. I mean, it'd make sense to use such products when talking to US institutions, fair enough, but for domestic use surely they ought to be able to use their own judgment?
