The Information Commissioner’s Office (ICO) has criticised the Metropolitan Police Service (MPS) over its continued use of Windows XP, amongst other factors that it said “limited” the level of assurance that personal data was handled securely.
The ICO carried out an audit of the MPS’ compliance with the Data Protection Act earlier this year, with the MPS’ consent, and found there was “considerable scope for improvement” in its arrangements.
It praised the MPS on several points, including guidance given to staff in the MPS security manual and METSEC code, the presence of an Information Assurance Unit with an internal audit plan and visible reminders to staff of policies such as clear desk and clear screen requirements.
But it said the service’s use of Windows XP on some desktop and laptop computers meant there was a “residual risk to personal data” because critical patches are no longer available for the platform.
Some business continuity plans are incomplete or overdue for review, with some not having been tested and lacking information on how to maintain or recover records if required.
The database used to store business continuity plans is unsupported and isn’t backed up, the ICO said.
The ICO also noted weaknesses in MPS’ procedures for removing access to applications and buildings once they’re no longer required, creating the risk of unauthorised access to buildings.
“There is a limited level of assurance that processes and procedures are in place and delivering data protection compliance,” the ICO said in an executive summary of its findings.
The Met responded that it is currently undertaking to renew its IT infrastructure and equipment such as desktop computers, but said upgrades were complicated by the use of specialised applications that might not necessarily be supported on newer platforms.
“Replacements or remediation for this software that are compatible with a more modern operating system have to be ready before the roll-out is completed to ensure continued operational effectiveness,” the MPS stated.
The force added that it has upgraded more than 17,000 devices to Windows 8.1, reducing the number of desktops running Windows XP to about 10,000.
The NHS has also been criticised for its ongoing reliance on Windows XP, but security experts said this fact didn’t contribute to disruption caused by the recent WannaCry ransomware worm, with 97 percent of the systems affected running Windows 7.
Windows XP remained largely unaffected by the worm, since the attack technique used by WannaCry failed to cause an infection, merely causing the platform to crash, researchers found.