1 / 27

Data Protection webinar: Data Protection & Information Security

5 th November 2014. Data Protection webinar: Data Protection & Information Security. Welcome. We’re just making the last few preparations for the webinar to start at 11.00 . Keep your speakers or headphones turned on and you will shortly hear a voice!.

mauricea
Download Presentation

Data Protection webinar: Data Protection & Information Security

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. 5th November 2014 Data Protection webinar:Data Protection & Information Security Welcome. We’re just making the last few preparations for the webinar to start at 11.00. Keep your speakers or headphones turned on and you will shortly hear a voice!

  2. This presentation is intended to help you understand aspects of the Data Protection Act 1998 and related legislation.It is not intended to provide detailed advice on specific points, and is not necessarily a full statement of the law.

  3. What Data Protection is about Prevent harm to the individuals whose data we hold, or other people Keep information in the right hands Hold good quality data Protecting data Protecting people   3

  4. Security (Principle 7) Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data. The Information Commissioner can impose a penalty of up to £ for gross breaches of security. “ ” 500,000 4

  5. Penalties for security breaches £80,000 £70,000 • Ealing & Hounslow councils were jointly responsible for the theft of an unencrypted laptop containing 1700 clients’ details from an employee’s house • Worcs. County Council e-mailed highly sensitive data about a large number of vulnerable people to 23 unintended recipients • Powys County Council mixed up two child protection reports and posted part of one to someone who recognised the people involved • An Aberdeen social worker, working from home, inadvertently allowed her computer to upload confidential documents to an unprotected web site • The poorly-secured British Pregnancy Advisory Service website was hacked into and 9,700 highly confidential messages stolen £80,000 £130,000 £100,000 £200,000

  6. Basis of a security policy • Prevent breaches, loss, etc, as far as reasonably possible • Minimise the damage if/when a breach happens • Special attention to data in transit • Use available guidance, such as: • Cyber Essentials • Information Commissioner guidance • OWASP Top Ten • ISO 27001

  7. Cyber Essentials • Government scheme, introduced June 2014 • Controls for common internet-based security threats • Two levels of assessment (both paid for) • Focus on: • Firewalls & gateways • Secure configuration • Access control • Malware protection • Patch management

  8. Information Commissioner guidance • May 2014 report – Protecting personal data in online services: learning from the mistakes of others • Common vulnerabilities identified: • Software updates • SQL injection • Unnecessary services • Decommissioning of software or services • Password storage • Configuration of SSL and TLS • Inappropriate locations for processing data • Default credentials

  9. OWASP Top Ten Open Web Application Security Project Identifies main web-based threats and how to address them Updated every three years (most recent 2013) More technical than Cyber Essentials or ICO guidance

  10. ISO 27000 series • International Standard: ISO 27000 • from British Standards Institute (ISO27001:2005) • can be self-assessed but less reliable than certified • credentials of certifying company matter • relevance & scope matters (ISO 27000 Statement of Applicability) • Accreditation not usually recommended for small charities • Sets out key ‘controls’ • Underlying principle ‘least privilege’ ... • ... but must be balanced with operational efficiency

  11. Control A.5: Security policy • The InfoSec policy must be properly approved and publicised • It must be reviewed at appropriate intervals • Suggestion: • base the policy around ISO 27000 • sample

  12. Control A.6: Organisation of information security • Management commitment • Coordination across the organisation • Allocation of responsibilities • Independent review • Identification of external risks (customers, third parties, etc.)

  13. Control A.7: Asset management • Includes information as well as tangible assets • Inventory: know what you’ve got • ‘Ownership’ = management responsibility • Acceptable use policy • Information classification • New government scheme: Official, Secret, Top secret • Official can be sub-divided • Information labelling & handling

  14. Control A.8: Human resources – the problem • Most people are trustworthy – but you can’t always know who isn’t • Human beings are usually your weakest security point • Charities are not immune from fraud and other misbehaviour

  15. Control A.8: Human resources – the solution • Roles & responsibilities defined & documented • Screening/vetting in proportion to the risk • Contract terms & conditions set out clear responsibilities • Manage performance • Promote awareness, education & training • Disciplinary process must apply • Termination responsibilities • Return of assets • Removal of access rights

  16. Deliberate misbehaviour • Criminal offence, under DPA, committed by individual: • Knowingly or recklessly accessing data without authorisation • Knowingly or recklessly allowing another person unauthorised access • Selling data accessed without authorisation 16

  17. Examples In October 2005 a private detective was fined £6,250 plus £600 costs for unlawfully obtaining information relating to “vulnerable women” from medical centres, as well as misrepresenting himself to Her Majesty’s Revenue & Customs. In July 2004 a “bored” computer operator working for Gwent Police was fined £400 for using control room computers to investigate people she knew. In December 2012 a bank employee was fined £500 plus a £15 victim surcharge and £1,410.80 prosecution costs for having accessed bank statements of her partner’s ex-wife. She also left her job.

  18. Control A.9: Physical & environmental security • Security of premises and entry controls • Environmental threats – fire, flood, etc. • Equipment siting, and supporting utilities & cables • Equipment maintenance • Security of equipment off premises • Secure disposal • Removal of property

  19. Control A.10.1 to A.10.6: Comms and operations management • Operational procedures & responsibilities • Third party service delivery • NB: Data Processor contracts • System planning & acceptance • Protection against malicious and mobile code • Back-up • Network security • “Bring Your Own Disaster”

  20. Control A.10.7: Media handling • Management of removable media • Information Commissioner expects all removable media (including laptops) to be: • Password protected • Encrypted

  21. Control A.10.8 to A.10.10: Comms and operations management • Exchange of information (data in transit) • Electronic commerce services • Payment Card Industry Data Security Standard • Cloud computing • Bring Your Own Device policy • Monitoring • Including logging of activity

  22. Bring Your Own Device • Key risks include: • Lax access controls • Multiple users on the same device • Data leakage through rogue or malicious apps • Insecure transfer to and from the device • Delay in reporting or managing loss or theft • Responsibility for maintenance and backup

  23. Control A.11: Access control • Access control policy • User access management • User responsibilities • Passwords • Unattended equipment • Clear desk, etc. • Network access • Operating system access • Application and information access • Remote working

  24. Access control: Managers’ role Set up the right roles Make sure you only grant access to people you are sure about Allocate people to the right roles Induct and train them fully in their obligations Follow up on any anomalies or suspicions Remove people’s access promptly when they no longer need it

  25. Remaining controls • A.12: Information systems acquisition, development and maintenance • A.13: Information security incident management • A.14: Business continuity management • A.15: Compliance (legal & standards) and audit

  26. Key security measures • Clear information ownership and policies (A.7) • Select & manage staff appropriately (A.8) • Physical access controls (A.9) • Data Processor contracts (A.10.2) • Backup (A.10.5) • Network security (A.10.6) • Website security – ‘OWASP top ten’ • Data in transit (A.10.8) • Bring Your Own Device policy (A.10.10) • Access control to systems (A.11)

  27. Many thanks • Please complete the short evaluation questionnaire (link in follow-up e-mail) which has a link to this presentation and other resources • Contact me if there is anything else: paul@paulticher.com

More Related