A best practices approach to information security management for the Small Medium Enterprise
Best Practices For Information Security Management 2011

What you should know about Data Protection
An Information Security Management System for SMEs
Copyright Octree Limited September 2011

Tony Richardson CISSP
Tony.richardson@octree.co.uk
www.octree.co.uk
www.securapro.co.uk
T: 08456 171819
M: 07967 033487
Octree Limited
The Lloyds Building
Birds Hill
Letchworth
Herts. SG6 1JE
Foreword
“The blunt truth is that all organisations need to take the protection of customer data with the utmost seriousness. I have made clear publicly on several occasions over the past year that organisations holding individuals’ data must in particular take steps to ensure that it is adequately protected from loss or theft. There have been several high-profile incidents of data loss in public and private sectors during that time which have highlighted that some organisations could do much better. The coverage of these incidents has also raised public awareness of how lost or stolen data can be used for crimes like identity fraud. Getting data protection wrong can bring commercial, reputational, regulatory and legal penalties. Getting it right brings rewards in terms of customer trust and confidence.”
Richard Thomas – Information Commissioner (2008)
Legal and Regulatory Obligations
- The Data Protection Act 1998
- PCI-DSS v2
- Computer Misuse Act 1990
- The ICO can issue fines up to £500,000
Data Protection
Principles of the Data Protection Act 1998
The seventh principle:
- Personal data should be subject to appropriate technical and organisational measures to prevent the unauthorised or unlawful processing of personal data, or the accidental loss, destruction, or damage to personal data.
The Solution – a 15 point plan
1 Risk Assessment
Risk: “the likelihood of a threat exploiting a vulnerability in an information asset, and the resulting impact on the business.”
- Identify all your information assets
- Assess the potential threats to those assets – environmental, natural, human (internal and external / accidental and malicious)
- Determine the possible vulnerabilities in those assets
- Consider, and deploy, the necessary countermeasures
- Review
The Solution – a 15 point plan
2 Governance
- Develop a security policy document that everyone, from senior management to junior members of staff, can “buy in to”.
- Avoid ambiguity
- Identify roles and responsibilities
- State legal and regulatory obligations
- Clearly state actions in the event of a policy breach (or suspected breach!)
- Emphasise consequences
- Modify infrequently
- Develop specific policies to address:
  - Passwords
  - USB devices
  - Remote Access
  - Acceptable use of computer resources
  - Whatever else is considered necessary!
The Solution – a 15 point plan
3 Training and Awareness
- Make everybody aware of the risks
- Innovative and regular training programmes (induction, etc.)
- Wall posters
- Screensavers
- Newsletters
- Security intranet portal
The Solution – a 15 point plan
4 Servers, Desktops and Laptops
If customer data is stored on a laptop, desktop, or a file server you need to have the following security precautions in place:
- Properly configured firewall
- Antivirus and antispyware software
- Full disk encryption
- Removable device encryption
The Solution – a 15 point plan
5 Password protection
- Password protection of all computers is essential!!!
- At least 8 characters long, containing letters, numbers, capitals and other symbols, e.g. P@nD4b34R!
- Easy to remember but hard to guess
- Avoid any word in the dictionary, personal information such as a child’s or partner’s name or a football team, common names and slang.
- Try playing on normal words such as England – 3nG1@Nd!
- Do not write passwords down and do not tell anyone else your passwords
- Change your password every 90 days at the very least!
- Do not use the same password for multiple sites and applications!
The Solution – a 15 point plan
6 Email security
- All emails containing customer data must be secure.
- Avoid spam and email-borne viruses and malware.
- Police your email usage policy to avoid data leakage and litigation.
The Solution – a 15 point plan
7 Physical Security
- Physical security is a key factor in securing your data.
- Your servers, and external storage devices containing confidential data, should all be kept in a locked cabinet within a secure room to prevent casual access.
- Environmental considerations such as battery backup, fire prevention, and air-conditioning need to be made.
- Know and control who has access to your offices and when.
The Solution – a 15 point plan
8 Backups
Full backups of all critical data should be standard practice:
- Backup media should be locked away securely while not in use.
- Only authorized personnel should have access to backup media.
- Backup media should be held off site for disaster recovery.
- If the media is held off site it should be transported and stored securely, e.g. in a lock box or safe.
The Solution – a 15 point plan
9 Access Control
- Users should only have permission to access the confidential information they need to do their job.
- You should review access permissions for every user at regular intervals.
- Each employee should have their own logon account.
- Employees’ access should be revoked as soon as they leave the company or are suspended.
- Locations where sensitive or confidential information is stored should be audited.
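The periodic access review described above, as an added example that is not part of the Octree slides: it cross-checks a constructed directory export against a constructed HR roster and a hypothetical role-to-group mapping, and flags leaver or suspended accounts that are still enabled, accounts with no matching person, and membership of confidential groups the person’s job does not need.

```python
# Added example: a periodic access review over constructed sample data.
# ACCOUNTS, HR_ROSTER and ROLE_NEEDS are constructed for illustration only.

# Directory accounts as exported from the logon system (constructed).
ACCOUNTS = [
    {"user": "alice", "enabled": True,  "groups": ["staff", "finance-confidential"]},
    {"user": "bob",   "enabled": True,  "groups": ["staff", "hr-confidential"]},
    {"user": "carol", "enabled": True,  "groups": ["staff", "finance-confidential"]},
    {"user": "shared-reception", "enabled": True, "groups": ["staff"]},
    {"user": "dave",  "enabled": False, "groups": ["staff", "finance-confidential"]},
]

# HR roster keyed by logon name (constructed): employment status and job role.
HR_ROSTER = {
    "alice": {"status": "active",    "role": "accounts"},
    "bob":   {"status": "left",      "role": "hr"},        # leaver, account still enabled
    "carol": {"status": "suspended", "role": "sales"},     # suspended, and over-privileged
    "dave":  {"status": "left",      "role": "accounts"},  # leaver, already disabled
}

# Least privilege: the confidential groups each role needs to do its job (hypothetical).
ROLE_NEEDS = {"accounts": {"finance-confidential"}, "hr": {"hr-confidential"}, "sales": set()}


def review_access(accounts, roster, role_needs):
    """Return (user, finding) pairs for a human reviewer to act on."""
    findings = []
    for acct in accounts:
        user = acct["user"]
        person = roster.get(user)
        if person is None:
            # No individual owner: violates "each employee should have their own logon account".
            findings.append((user, "no matching person in HR roster (shared or orphaned account)"))
            continue
        if acct["enabled"] and person["status"] in ("left", "suspended"):
            findings.append((user, f"account enabled but person has status '{person['status']}'"))
        if not acct["enabled"]:
            continue  # disabled accounts carry no live permissions to review
        confidential = {g for g in acct["groups"] if g.endswith("-confidential")}
        for group in sorted(confidential - role_needs.get(person["role"], set())):
            findings.append((user, f"member of {group} but role '{person['role']}' does not need it"))
    return findings


if __name__ == "__main__":
    for user, finding in review_access(ACCOUNTS, HR_ROSTER, ROLE_NEEDS):
        print(f"{user}: {finding}")
```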
The Solution – a 15 point plan
10 Data Transfer
Any movement of data outside of your secure environment, e.g. on USB or CD, needs to follow these guidelines:
- Encrypt all portable media using a suitable encryption technique.
- Use device control software to control and detect unauthorized access to external media such as CDs and USB devices.
- Keep a record of all of these devices and which personnel are allowed to use them and for which purpose.
The Solution – a 15 point plan
11 Asset management
- Keep a record of all computers, laptops, USB devices, external hard drives, printers, network devices, wireless devices, etc. that exist in your business.
- Maintain a record of all data copied onto media moving outside your secure environment, and the reason for doing so.
The Solution – a 15 point plan
12 Data destruction
- Data removal and destruction is an important part of keeping your clients’ information secure.
- Paper records need to be shredded in house or by an approved agency that must be vetted.
- Hard drives should be disposed of securely, ensuring all data is destroyed.
- Certificates should be obtained from agencies confirming destruction of data from hard drives and recycled computer systems.
The Solution – a 15 point plan
13 Remote access
- Remote access to your network needs to be secure.
- Remote access and VPN software needs to be configured properly for the highest possible security level.
- Home workers need to ensure that any wireless network is encrypted to the highest possible standards.
- Home workers need to prevent unauthorised access to their computer systems through password protection at least.
The Solution – a 15 point plan
14 Staff recruitment
- Where legally possible, carry out every background check on staff who will be exposed to confidential information:
  - Credit references
  - CRB checks
  - CIFAS staff fraud database
  - References
  - CV validation
- Assess regularly if staff in higher-risk positions may be susceptible to coercion.
The Solution – a 15 point plan
15 Internet access
- Implement monitoring controls for email and internet activity to identify potential data leakage and defamatory / illegal content.
- Implement filtering to protect against web-borne malware and viruses.
- Filter access to content that allows web-based communication such as webmail (Hotmail, Gmail, Yahoo, MSN instant messaging) and social networking sites like Facebook and Myspace.
- Restrict or block access to file sharing sites.
The business risks and penalties
- Data loss damages corporate reputation
- Data loss results in major financial loss
- Data loss compromises competitive advantage
- Data loss can affect compliance
- Data loss or non-compliance can result in fines or closure