Data Protection & Information Security
Data Protection & Information Security - Paul Ticher - Where It's At 2013

Published in: Business, Technology

Data Protection & Information Security

  1. Data Protection & Information Security
     Where IT’s @, 12th June 2013
  2. This presentation is intended to help you understand aspects of the Data Protection Act 1998 and related legislation. It is not intended to provide detailed advice on specific points, and is not necessarily a full statement of the law.
  3. What Data Protection is about
     • Prevent harm to the individuals whose data we hold, or other people
     • Keep information in the right hands
     • Hold good quality data
     • Protecting people
     • Protecting data
  4. Clear boundaries
     • Data Protection and Confidentiality overlap a lot, but they are not the same (diagram: Data Protection / Confidentiality)
  5. Security (Principle 7)
     “Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.”
     The Information Commissioner can impose a penalty of up to £500,000 for gross breaches of security.
  6. Penalties for security breaches
     • Herts. County Council twice faxed details of child abuse cases to the wrong people
     • Ealing & Hounslow councils were jointly responsible for the theft of an unencrypted laptop containing 1700 clients’ details from an employee’s house
     • Worcs. County Council e-mailed highly sensitive data about a large number of vulnerable people to 23 unintended recipients
     • Powys County Council mixed up two child protection reports and posted part of one to someone who recognised the people involved
     • A lawyer’s website was hacked and details of at least 6000 people leaked
  7. Basis of a security policy
     • Prevent breaches, loss, etc., as far as reasonably possible
     • Minimise the damage if/when a breach happens
     • Special attention to data in transit
  8. ISO 27000 series
     • International Standard: ISO 27000 from British Standards Institute (ISO 27001:2005)
     • Self-assessed is less reliable than certified
     • Credentials of the certifying company matter
     • Relevance & scope matter (ISO 27000 Statement of Applicability)
     • (Also used by HMG)
     • Accreditation not usually recommended for small charities
     • Sets out key ‘controls’
     • Underlying principle ‘least privilege’ ... but must be balanced with operational efficiency
  9. Control A.5: Security policy
     • The InfoSec policy must be properly approved and publicised
     • It must be reviewed at appropriate intervals
     • Suggestion: base the policy around ISO 27000, without necessarily going for full compliance
  10. Control A.6: Organisation of information security
     • Management commitment
     • Coordination across the organisation
     • Allocation of responsibilities
     • Independent review
     • Identification of external risks (customers, third parties, etc.)
  11. Control A.7: Asset management
     • Includes information as well as tangible assets
     • Inventory: know what you’ve got
     • ‘Ownership’ = management responsibility
     • Acceptable use policy
     • Information classification
     • Information labelling & handling
  12. Control A.8: Human resources – the problem
     • Most people are trustworthy – but you can’t always know who isn’t
     • Human beings are usually your weakest security point
     • Charities are not immune from fraud and other misbehaviour
  13. Control A.8: Human resources – the solution
     • Roles & responsibilities defined & documented
     • Screening/vetting in proportion to the risk
     • Contract terms & conditions set out clear responsibilities
     • Manage performance
     • Promote awareness, education & training
     • Disciplinary process must apply
     • Termination responsibilities: return of assets; removal of access rights
  14. Deliberate misbehaviour
     Criminal offence, under the DPA, committed by an individual:
     • Knowingly or recklessly accessing data without authorisation
     • Knowingly or recklessly allowing another person unauthorised access
     • Selling data accessed without authorisation
  15. Examples
     • In October 2005 a private detective was fined £6,250 plus £600 costs for unlawfully obtaining information relating to “vulnerable women” from medical centres, as well as misrepresenting himself to Her Majesty’s Revenue & Customs.
     • In December 2012 a bank employee was found to have unlawfully accessed bank statements of her partner’s ex-wife. She was fined £500 and had to pay a £15 victim surcharge and £1,410.80 prosecution costs. She also left her job.
     • In July 2004 a “bored” computer operator working for Gwent Police was fined £400 for using control room computers to investigate people she knew.
  16. Control A.9: Physical & environmental security
     • Security of premises and entry controls
     • Environmental threats – fire, flood, etc.
     • Equipment siting, and supporting utilities & cables
     • Equipment maintenance
     • Security of equipment off premises
     • Secure disposal
     • Removal of property
  17. Control A.10.1 to A.10.6: Comms and operations management
     • Operational procedures & responsibilities
     • Third party service delivery: cloud provision; Data Processor contracts
     • System planning & acceptance
     • Protection against malicious and mobile code
     • Back-up
     • Network security
  18. Control A.10.7: Media handling
     • Management of removable media
     • BYOD policy
     • The Information Commissioner expects all removable media (including laptops) to be: password protected; encrypted
  19. Control A.10.8 to A.10.10: Comms and operations management
     • Exchange of information (data in transit)
     • Electronic commerce services
     • Payment Card Industry Data Security Standard
     • Monitoring, including logging of activity
  20. Control A.11: Access control
     • Access control policy
     • User access management
     • User responsibilities: passwords; unattended equipment; clear desk, etc.
     • Network access
     • Operating system access
     • Application and information access
     • Remote working
  21. Access control: Managers’ role
     • Set up the right roles
     • Make sure you only grant access to people you are sure about
     • Allocate people to the right roles
     • Induct and train them fully in their obligations
     • Follow up on any anomalies or suspicions
     • Remove people’s access promptly when they no longer need it
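The following is an added illustration, not material from Paul Ticher’s presentation: a small role-based access control model in Python that applies the ‘least privilege’ principle from the ISO 27000 slide and the managers’ steps on the access control slide (define roles, allocate people to roles, log every decision so anomalies can be followed up, and remove all access promptly when someone leaves). The role names, permission strings and user names are constructed sample data.

```python
"""Added example (not from the presentation): least-privilege RBAC with an audit log.
Roles, permissions and users below are constructed sample data."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Permissions are attached to roles, never to individuals directly, so that
# "set up the right roles" is the only place where rights are defined.
ROLE_PERMISSIONS = {
    "caseworker": {"client_record:read", "client_record:write"},
    "finance":    {"donor_record:read", "donor_record:write"},
    "volunteer":  {"event_list:read"},
}


@dataclass
class AccessControl:
    user_roles: dict = field(default_factory=dict)   # user -> set of role names
    audit_log: list = field(default_factory=list)    # one entry per access decision

    def assign(self, user: str, role: str) -> None:
        """Allocate a person to a role; unknown roles are rejected rather than
        silently creating a new, undocumented set of rights."""
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role: {role}")
        self.user_roles.setdefault(user, set()).add(role)

    def revoke_all(self, user: str) -> None:
        """Leaver process: strip every role at once, so nothing lingers."""
        self.user_roles.pop(user, None)

    def permissions_of(self, user: str) -> set:
        """Effective rights are the union of the user's roles, nothing more."""
        return set().union(*(ROLE_PERMISSIONS[r] for r in self.user_roles.get(user, ())))

    def check(self, user: str, permission: str) -> bool:
        """Decide an access request and record the decision for later review."""
        allowed = permission in self.permissions_of(user)
        self.audit_log.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "user": user,
            "permission": permission,
            "allowed": allowed,
        })
        return allowed

    def denied_attempts(self) -> list:
        """Denied requests are the anomalies a manager should follow up on."""
        return [entry for entry in self.audit_log if not entry["allowed"]]


def demo() -> dict:
    """Walk through grant, check, revoke; returns the outcomes for inspection."""
    ac = AccessControl()
    ac.assign("alice", "caseworker")
    results = {
        "own_role_allowed": ac.check("alice", "client_record:read"),
        "other_role_denied": not ac.check("alice", "donor_record:read"),
    }
    ac.revoke_all("alice")                       # alice leaves the organisation
    results["after_leaving_denied"] = not ac.check("alice", "client_record:read")
    results["anomalies_logged"] = len(ac.denied_attempts())
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Because every decision goes through `check`, the audit log doubles as the activity logging the A.10.10 monitoring slide asks for, and `denied_attempts` gives a manager a concrete list to follow up rather than a vague instruction to watch for anomalies.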
  22. Remaining controls
     • A.12: Information systems acquisition, development and maintenance
     • A.13: Information security incident management
     • A.14: Business continuity management
     • A.15: Compliance (legal & standards) and audit
  23. Key security measures
     • Clear information ownership and policies (A.7)
     • Select & manage staff appropriately (A.8)
     • Physical access controls (A.9)
     • Data Processor contracts (A.10.2)
     • Backup (A.10.5)
     • Network security (A.10.6)
     • Website security – ‘OWASP top ten’
     • Data in transit (A.10.8)
     • Access control to systems (A.11)
  24. Many thanks
     See the list of my me if there is anything