Data Protection & Information Security - Paul Ticher - Where It's At 2013
Published in Business, Technology
  • 1. Data Protection & Information Security
    Where IT's @, 12th June 2013
  • 2. This presentation is intended to help you understand aspects of the Data Protection Act 1998 and related legislation. It is not intended to provide detailed advice on specific points, and is not necessarily a full statement of the law.
  • 3. What Data Protection is about
    Protecting people:
    - Prevent harm to the individuals whose data we hold, or to other people
    Protecting data:
    - Keep information in the right hands
    - Hold good quality data
  • 4. Clear boundaries
    Data Protection and Confidentiality overlap a lot, but they are not the same.
    (Diagram labels: Data Protection; Confidentiality)
  • 5. Security (Principle 7)
    "Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data."
    The Information Commissioner can impose a penalty of up to £500,000 for gross breaches of security.
  • 6. Penalties for security breaches
    - Herts. County Council twice faxed details of child abuse cases to the wrong people
    - Ealing & Hounslow councils were jointly responsible for the theft of an unencrypted laptop containing 1700 clients' details from an employee's house
    - Worcs. County Council e-mailed highly sensitive data about a large number of vulnerable people to 23 unintended recipients
    - Powys County Council mixed up two child protection reports and posted part of one to someone who recognised the people involved
    - A lawyer's website was hacked and details of at least 6000 people leaked
  • 7. Basis of a security policy
    - Prevent breaches, loss, etc. as far as reasonably possible
    - Minimise the damage if/when a breach happens
    - Special attention to data in transit
  • 8. ISO 27000 series
    - International Standard: the ISO 27000 series (ISO 27001:2005), which originated with a British Standards Institution standard; also used by HMG
    - Self-assessed compliance is less reliable than certified compliance, and the credentials of the certifying company matter
    - Relevance and scope matter: the ISO 27001 Statement of Applicability records which controls are in scope
    - Certification is not usually recommended for small charities
    - Sets out key 'controls'
    - Underlying principle: 'least privilege' ... but this must be balanced against operational efficiency
  • 9. Control A.5: Security policy
    - The InfoSec policy must be properly approved and publicised
    - It must be reviewed at appropriate intervals
    - Suggestion: base the policy around ISO 27000, without necessarily going for full compliance
  • 10. Control A.6: Organisation of information security
    - Management commitment
    - Coordination across the organisation
    - Allocation of responsibilities
    - Independent review
    - Identification of external risks (customers, third parties, etc.)
  • 11. Control A.7: Asset management
    - Includes information as well as tangible assets
    - Inventory: know what you've got
    - 'Ownership' = management responsibility
    - Acceptable use policy
    - Information classification
    - Information labelling & handling
  • 12. Control A.8: Human resources – the problem
    - Most people are trustworthy, but you can't always know who isn't
    - Human beings are usually your weakest security point
    - Charities are not immune from fraud and other misbehaviour
  • 13. Control A.8: Human resources – the solution
    - Roles & responsibilities defined & documented
    - Screening/vetting in proportion to the risk
    - Contract terms & conditions set out clear responsibilities
    - Manage performance
    - Promote awareness, education & training
    - Disciplinary process must apply
    - Termination responsibilities: return of assets; removal of access rights
  • 14. Deliberate misbehaviour
    Criminal offence under the DPA, committed by an individual:
    - Knowingly or recklessly accessing data without authorisation
    - Knowingly or recklessly allowing another person unauthorised access
    - Selling data accessed without authorisation
  • 15. Examples
    - In October 2005 a private detective was fined £6,250 plus £600 costs for unlawfully obtaining information relating to "vulnerable women" from medical centres, as well as misrepresenting himself to Her Majesty's Revenue & Customs.
    - In December 2012 a bank employee was found to have unlawfully accessed bank statements of her partner's ex-wife. She was fined £500 and had to pay a £15 victim surcharge and £1,410.80 prosecution costs. She also left her job.
    - In July 2004 a "bored" computer operator working for Gwent Police was fined £400 for using control room computers to investigate people she knew.
  • 16. Control A.9: Physical & environmental security
    - Security of premises and entry controls
    - Environmental threats – fire, flood, etc.
    - Equipment siting, and supporting utilities & cables
    - Equipment maintenance
    - Security of equipment off premises
    - Secure disposal
    - Removal of property
  • 17. Control A.10.1 to A.10.6: Comms and operations management
    - Operational procedures & responsibilities
    - Third party service delivery: cloud provision; Data Processor contracts
    - System planning & acceptance
    - Protection against malicious and mobile code
    - Back-up
    - Network security
  • 18. Control A.10.7: Media handling
    - Management of removable media
    - BYOD policy
    - The Information Commissioner expects all removable media (including laptops) to be: password protected; encrypted
  • 19. Control A.10.8 to A.10.10: Comms and operations management
    - Exchange of information (data in transit)
    - Electronic commerce services: Payment Card Industry Data Security Standard
    - Monitoring, including logging of activity
  • 20. Control A.11: Access control
    - Access control policy
    - User access management
    - User responsibilities: passwords; unattended equipment; clear desk, etc.
    - Network access
    - Operating system access
    - Application and information access
    - Remote working
  • 21. Access control: Managers' role
    - Set up the right roles
    - Make sure you only grant access to people you are sure about
    - Allocate people to the right roles
    - Induct and train them fully in their obligations
    - Follow up on any anomalies or suspicions
    - Remove people's access promptly when they no longer need it
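As an added worked example (not part of Paul Ticher's slides), the following Python reconciles an HR roster against the accounts actually present in a system, which is the check a manager needs in order to carry out the last three duties above: it flags leavers whose accounts are still enabled (and any login recorded after the leaving date, which is an anomaly to follow up rather than a hygiene issue), accounts that nobody in HR owns, accounts whose granted role differs from the role the manager allocated, and accounts that have gone dormant. The record shapes, field names, the 90-day dormancy threshold and every person in the sample data are constructed assumptions, not drawn from any real organisation.

```python
"""Access-rights reconciliation: HR roster vs. system accounts.

Added example, not from the original slides. Record shapes, field names and
all sample data are constructed assumptions for illustration only.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional


@dataclass(frozen=True)
class HrRecord:
    user: str
    role: str                # role the manager allocated to this person
    left_on: Optional[date]  # leaving date; None while still employed


@dataclass(frozen=True)
class Account:
    user: str
    role: str                # role actually granted in the system
    enabled: bool
    last_login: Optional[date]


def reconcile(hr: List[HrRecord], accounts: List[Account], today: date,
              dormant_days: int = 90) -> Dict[str, list]:
    """Compare every enabled account against the HR roster and return findings.

    Disabled accounts are skipped: their access has already been removed.
    """
    hr_by_user = {r.user: r for r in hr}
    findings: Dict[str, list] = {
        "leaver_still_enabled": [],  # access not removed after leaving
        "login_after_leaving": [],   # evidence of use after the leaving date
        "orphan_account": [],        # nobody in HR owns this account
        "role_mismatch": [],         # granted role differs from allocated role
        "dormant": [],               # no login within dormant_days
    }
    for acct in sorted(accounts, key=lambda a: a.user):
        if not acct.enabled:
            continue
        rec = hr_by_user.get(acct.user)
        if rec is None:
            findings["orphan_account"].append(acct.user)
            continue
        if rec.left_on is not None and rec.left_on <= today:
            findings["leaver_still_enabled"].append(acct.user)
            if acct.last_login is not None and acct.last_login > rec.left_on:
                findings["login_after_leaving"].append(acct.user)
            continue  # once the account is removed, its other attributes are moot
        if acct.role != rec.role:
            findings["role_mismatch"].append((acct.user, rec.role, acct.role))
        if (acct.last_login is None
                or today - acct.last_login > timedelta(days=dormant_days)):
            findings["dormant"].append(acct.user)
    return findings


def sample_findings() -> Dict[str, list]:
    """Run the reconciliation over constructed sample data (no real people)."""
    today = date(2013, 6, 12)
    hr = [
        HrRecord("alice", "caseworker", None),
        HrRecord("bob", "caseworker", date(2013, 5, 31)),    # left last month
        HrRecord("carol", "finance", None),
        HrRecord("dave", "volunteer", None),
        HrRecord("grace", "caseworker", date(2013, 6, 30)),  # leaving, not yet left
    ]
    accounts = [
        Account("alice", "caseworker", True, date(2013, 6, 10)),
        Account("bob", "caseworker", True, date(2013, 6, 3)),   # used after leaving
        Account("carol", "admin", True, date(2013, 6, 11)),     # more than allocated
        Account("dave", "volunteer", True, date(2012, 12, 1)),  # unused for months
        Account("erin", "caseworker", True, date(2013, 6, 9)),  # unknown to HR
        Account("frank", "caseworker", False, None),            # already disabled
        Account("grace", "caseworker", True, date(2013, 6, 11)),
    ]
    return reconcile(hr, accounts, today)


if __name__ == "__main__":
    for category, items in sample_findings().items():
        print(f"{category}: {items}")
```

Running it lists bob under both leaver findings, erin as an orphan, carol as a role mismatch (finance allocated, admin granted) and dave as dormant; frank is ignored because the account is already disabled, and grace is treated as a current employee because her leaving date is still in the future. In practice the two input lists would be exported from the HR system and the directory, and the "login_after_leaving" list is the one to escalate under the disciplinary and incident processes rather than simply tidy up.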
  • 22. Remaining controls
    - A.12: Information systems acquisition, development and maintenance
    - A.13: Information security incident management
    - A.14: Business continuity management
    - A.15: Compliance (legal & standards) and audit
  • 23. Key security measures
    - Clear information ownership and policies (A.7)
    - Select & manage staff appropriately (A.8)
    - Physical access controls (A.9)
    - Data Processor contracts (A.10.2)
    - Backup (A.10.5)
    - Network security (A.10.6)
    - Website security – 'OWASP top ten'
    - Data in transit (A.10.8)
    - Access control to systems (A.11)
  • 24. Many thanks
    See the list of my me if there is anything