Information Security: A4e Provider Workshop, Information Security (London), 22 March 2011
Topics • Why information security? • Legal Obligations • Data Protection Act • Regulation and Enforcement • Contract Requirements • ISO27001
Why Information Security? • Data Protection and Information Security are not products; they are processes. • Focussed upon auditing and monitoring of the entire business security process. • Not limited to computers; steer the convergence of: • Data Protection • Physical Security • Computer Security • Document Security • Personnel Security • Environmental Security
Why Information Security? The key tenets supporting an effective Information Security Management System (ISMS) are: • Confidentiality – Restricting access to authorised individuals. • Integrity – The assurance of information quality and accuracy. • Availability – Ensuring that information is available to those who have a business need for it.
Legal Obligations • Data Protection Act 1998 • Privacy and Electronic Communications Regulations 2003 • Regulation of Investigatory Powers Act 2000 • Lawful Business Practice Regulations 2000 • Crime and Disorder Act 1998 • Human Rights Act 1998 • Defamation Act 1996
Data Protection Principles 1. Fairly and lawfully • The use of privacy notices / statements on websites; • Declaration / Enrolment Forms. 2. Specified & lawful purpose • Clearly articulated reason for gathering the data. 3. Adequate, relevant & not excessive • Do not ask for more data than required; e.g. vehicle registration for visitors when you are not managing the car park; • National Insurance Numbers on CVs. 4. Accurate & up to date • How do you make sure that the information you hold is accurate?
Data Protection Principles 5. Not kept for longer than is necessary • Ensure you have a data retention and disposal process. 6. Rights of data subjects • Ensure that you have a process for managing requests from customers for access to their data (subject access requests). 7. Security • An effective and communicated security plan. 8. Overseas transfers • Rules and prohibitions on the storage and processing of data outside the EEA.
Principle 7 - Security • Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
Principle 7 - Security • Having regard to the state of technological development and the cost of implementing any measures, the measures must ensure a level of security appropriate to— • (a) the harm that might result from such unauthorised or unlawful processing or accidental loss, destruction or damage as are mentioned in the seventh principle, and • (b) the nature of the data to be protected.
Principle 7 - Security • Where processing of personal data is carried out by a data processor on behalf of a data controller, the data controller is not to be regarded as complying with the seventh principle unless— • (a) the processing is carried out under a contract— • (i) which is made or evidenced in writing, and • (ii) under which the data processor is to act only on instructions from the data controller, and • (b) the contract requires the data processor to comply with obligations equivalent to those imposed on a data controller by the seventh principle.
Regulation and Enforcement • Information & Enforcement Notices • Criminal Offences (e.g. failure to notify, failure to comply with a notice) • £5,000 max fine (Summary) • £Unlimited (Indictment) • Criminal Offence S55 (unlawful obtaining or disclosure of personal data) • £5,000 max fine (Summary) • £Unlimited (Indictment) • Note: the power to add custodial sentences for S55 (up to 6 months on summary conviction, 2 years on indictment) was enacted in the Criminal Justice and Immigration Act 2008 but has not been commenced, so S55 remains a fine-only offence • Post 6 Apr 2010 • Breach of Principles – Monetary Penalty (S55A) max £500,000
Regulation and Enforcement • Nov 2010 – Hertfordshire County Council – Faxed data to wrong recipient – Monetary penalty £100,000 • Nov 2010 – A4e – Loss of an unencrypted laptop – Monetary penalty £60,000 • Feb 2011 – Ealing Council – Loss of unencrypted laptop – Monetary penalty £80,000 • Feb 2011 – Hounslow Council – Loss of unencrypted laptop – Monetary penalty £70,000 • 21 Feb 2011 – Identity and Passport Service (IPS) loses renewal applications for 21 individuals • 23 Feb 2011 – Cambridgeshire County Council breached DPA – lost unencrypted memory stick – at least 6 individuals affected
Contract Requirements • Framework of security based upon ISO27001/2 (Information Security Management System – ISMS) • DWP contract security plan mapped to ISO controls • A4e plan mapped to contract controls • More than 100 controls in the entire plan (with cross-over between them) • Balanced against the risk of harm/damage to individuals and the business
What is ISO27001? An information security management standard. Intended to serve as a single reference point for identifying the range of controls needed for most situations where information systems are used in industry and commerce, and to be used by large, medium and small organisations. An amalgamation of good business practices from a number of disciplines (Project Management, HR, Software Development, et al.) into a single standard.
ISO27001 – Sections • Security Policy • Organisation of Information Security • Asset Management • Human Resources Security • Physical and Environmental Security • Communications and Operations Management • Access Controls • Information Systems Acquisition, Development and Maintenance • Information Security Incident Management • Business Continuity Management • Compliance
ISO27001 – Sections There is, at present, no requirement for any organisation to be ISO27001 certified. However, your Security Plan would benefit from being consistent with the structure of this standard. The DWP security requirements place a specific and non-negotiable emphasis on the protection of Personal Data. As a result, even if you, or an organisation you contract with, has ISO27001 certification, there is still a risk that you may not satisfy the DWP requirements.
Must Haves • Like any good wardrobe, games room, house, car, etc., there are a number of things it must have for it to be what you want it to be. In the case of the Security Plan, the DWP lists these as: • Penetration Testing; • Incident Management; • Encryption (both data at rest and in transit); • Restrictions on the use of Offshoring; • Staff screening processes (BPSS, CRB etc.); • Policies & procedures embedded in working practice (with evidence of training, etc.); and • Subject Access Request Processes (including notification to Partners and the DWP).
Summary • Public & private sector data losses • Privacy related issues • Associated legislation (HRA ’98 – DPA ’98) • Government has insisted on tighter control in departments, partners and 3rd parties • Information Security should be seen as a business enabler, not an inhibitor • New contract engagements – security is key
Questions Thank you “Security is not a dirty word – it’s a state of mind”