Information Security Brief for Charity Personnel
October 2011
Charity Security Awareness v0.1 Oct 2011 www.charityinfosecawareness.co.uk
Information Security: Introduction
The purpose of this presentation is to give employees of charities a basic understanding of Information Security issues relevant to charities and other charitable bodies.
Information Security & CIA
Information Security is the means of protecting information and information systems from:
• Unauthorised Access
• Disruption
• Modification
• Destruction
The aim of Information Security is to protect information's:
• Confidentiality
• Integrity
• Availability
To illustrate the CIA principle, let us take an IT System owned by a charity which holds a database containing personal and financial details of the donors to the charity (the charity donors record).
• Let us say that this IT System is connected to the Internet without a firewall and with no password required for access to the database. Because of these security weaknesses a hacker gains access to both the IT System and the database.
• As such, it can be said that the CONFIDENTIALITY of the information on the database has been compromised.
• If the hacker makes changes to the donor database, which could include:
• Amending records;
• Deleting records;
• Adding records;
then it can be said that the database's INTEGRITY has been compromised. In other words the database's details can no longer be 'trusted and relied upon'.
If the hacker decides to delete the database from the IT System, then the AVAILABILITY of the information is lost: the charity staff who need to access the database can no longer do so (all they see is "File not found").
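The integrity and availability parts of the illustration above can be checked mechanically. The following is an added example, not part of the original presentation: it seals a constructed donors record with an HMAC so that any amended, deleted or added record is detected, and reports whether the data is still present at all. The donor records, the key handling and the `assess` function are this example's own assumptions, not a description of any charity's actual system.

```python
import hashlib
import hmac
import json
import secrets

# Constructed sample donor records standing in for the charity donors record in
# the slides; every name and amount here is made up for the example.
DONORS = [
    {"id": 1, "name": "A. Donor", "monthly_gift_gbp": 10},
    {"id": 2, "name": "B. Donor", "monthly_gift_gbp": 25},
    {"id": 3, "name": "C. Donor", "monthly_gift_gbp": 5},
]


def canonical(records):
    """Serialise records deterministically (sorted by id, sorted keys, no
    whitespace) so identical data always produces identical bytes."""
    ordered = sorted(records, key=lambda r: r["id"])
    return json.dumps(ordered, sort_keys=True, separators=(",", ":")).encode("utf-8")


def seal(records, key):
    """Compute an HMAC-SHA256 tag over the records. The key must live somewhere
    the database itself does not (for example with the offline backup);
    otherwise whoever can alter the data can simply recompute the tag."""
    return hmac.new(key, canonical(records), hashlib.sha256).hexdigest()


def integrity_ok(records, key, tag):
    """True only if the records are byte-for-byte what was sealed earlier:
    any amended, deleted or added record changes the HMAC."""
    return hmac.compare_digest(seal(records, key), tag)


def availability_ok(records):
    """True if the data is still present and non-empty (not deleted)."""
    return records is not None and len(records) > 0


def assess(records, key, tag):
    """Report which of the illustrated CIA properties still hold.
    Confidentiality cannot be judged from the data alone, so it is not
    reported here: a copied database looks identical to the original."""
    available = availability_ok(records)
    return {
        "available": available,
        "integrity": available and integrity_ok(records, key, tag),
    }


if __name__ == "__main__":
    key = secrets.token_bytes(32)          # generated once, stored away from the database
    tag = seal(DONORS, key)                # recorded when the data was known to be good
    print("untouched:", assess(DONORS, key, tag))
    amended = [dict(r) for r in DONORS]
    amended[1]["monthly_gift_gbp"] = 2500  # one record amended, as in the slide
    print("amended:  ", assess(amended, key, tag))
    print("deleted:  ", assess([], key, tag))
```

The check only tells you that something changed, not what or who; pairing it with a backup stored with the key is what lets staff restore a trusted copy, which is the availability half of the story.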
Data Protection Act 1988
The processing of information by a charity, especially data relating to individuals, known as 'personal data', is covered by the Data Protection Act (DPA) 1988. Personal data can be simply defined as "data which relate to a living individual who can be identified from such data". The DPA's purpose is to provide the framework for safeguarding personal data.
A charity will hold 'personal information' on volunteers, staff members, donors and clients, for example:
• Staff member: Name; Address; Telephone Number; Date of Birth; Staff Number; Payroll Number
• Donor: Name; Address; Telephone Number; Email address; Bank Account Details; Standing Order Details
• Volunteer/Supporter: Name; Address; Telephone Number; Date of Birth
• Client: Name; Address; Telephone Number; Client No; Comments
• Personal information held by a charity, whether held in hard copy (manual records) or electronically (e.g. a database), is covered by the DPA.
• All those working for the charity have a responsibility under the DPA to protect the personal information held.
• The DPA has 8 data protection principles.
• The Information Commissioner's Office (ICO) issues advice on the DPA and investigates breaches such as information losses.
• In the past several charities have been investigated by the ICO for losses of laptops containing personal information about clients.
• For any charity, any incident where personal information has been compromised will be an embarrassment and possibly a loss of reputation.
• In addition the ICO can fine an organisation up to £500,000 for data breaches.
The 8 DPA data protection principles are:
1. Personal data shall be processed fairly and lawfully.
2. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
4. Personal data shall be accurate and, where necessary, kept up to date.
5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
6. Personal data shall be processed in accordance with the rights of data subjects under this Act.
7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
8. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
Online Threats
Phishing
• Phishing is an example of an online threat and a fraud. It is used to obtain sensitive information, usually an online banking User ID and password.
• An email is sent purporting to be from an organisation such as a bank.
• The receiver will be asked to click on a link and provide password details.
• The link will be to a fake web site, created to look like the organisation's true web site.
• If passwords and security details are given, they will be used to make unauthorised withdrawals/transfers.
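One tell-tale sign of the fake link described above is that the address a phishing email shows as link text is not the address the link actually leads to. The following is an added example, not part of the original presentation: it parses a constructed email body and flags links whose visible text names one domain while the href points to another. The sample email, the invented domains and the simplified domain-matching rule are this example's own assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample email body. The domains are invented for the example;
# the first link shows the "bank's" address as its text but points elsewhere.
SAMPLE_EMAIL_HTML = """
<p>Dear customer, your online banking access has been suspended.</p>
<p>Log in at <a href="http://example-bank.com.secure-login.example.net/verify">
www.example-bank.com</a> to confirm your User ID and password.</p>
<p>Or visit <a href="https://www.example-bank.com/contact">www.example-bank.com</a>
and see our <a href="https://www.example-bank.com/help">help pages</a>.</p>
"""


class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def host_of(text_or_url):
    """Host name from a URL, or from bare text such as 'www.example.com'."""
    if "://" not in text_or_url:
        text_or_url = "http://" + text_or_url
    return (urlparse(text_or_url).hostname or "").lower()


def registrable_domain(host):
    """Rough owner-level domain: the last two labels, or three when the second
    level is a generic one such as 'co' in example.co.uk. A real tool would
    consult the Public Suffix List instead of this short-cut."""
    labels = host.split(".")
    if len(labels) >= 3 and labels[-2] in ("co", "org", "ac", "gov", "com"):
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def looks_like_domain(text):
    """True when the link's visible text is itself written as a host name."""
    return " " not in text and "." in text and all(text.split("."))


def suspicious_links(html):
    """Return links whose visible text names one domain while the href leads
    to a different one: the mismatch behind the fake-site trick above."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for text, href in parser.links:
        if not href or not looks_like_domain(text):
            continue  # wording such as "help pages" gives nothing to compare
        if registrable_domain(host_of(text)) != registrable_domain(host_of(href)):
            findings.append({"shown": text, "actual_host": host_of(href)})
    return findings


if __name__ == "__main__":
    for finding in suspicious_links(SAMPLE_EMAIL_HTML):
        print("link text shows", finding["shown"], "but goes to", finding["actual_host"])
```

The mismatch check is one heuristic, not a verdict: a phishing email can also use plain wording such as "click here", so the advice to staff in the next slides (never reply to emails asking for passwords, type the bank's address yourself) still applies when nothing is flagged.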
Viruses
• A computer virus is a computer program that can replicate itself.
• The effect on the infected IT System will depend on what the virus has been created to do:
• Some viruses will cause the IT System to become slow, on-screen messages to appear, or the web browser to be redirected to malicious web pages.
• Some viruses will cause the IT System to become a "Zombie" and perform malicious activities.
• Common routes by which viruses are introduced are removable media such as CD-ROMs, DVDs or USB drives, and browsing infected web pages.
• One way to avoid charity IT Systems being infected with viruses is to virus check CD-ROMs and USB devices when they are inserted into or plugged into an IT System.
• Staff should be aware of the virus threat from visiting web pages that allow downloading of pirated content such as music and video files.
Online Conduct
• Charity staff have a responsibility, when using charity IT systems to access the Internet, to conduct themselves in a safe and correct manner.
• In particular staff should not:
• Download or share pirated content;
• Visit web pages containing inappropriate content;
• Send emails containing messages which could or will cause offence;
• Reply to emails which ask for passwords and/or account details;
• Post messages on social networking sites, chat rooms or forums which could or will cause the reputation of the charity to suffer;
• Install software or other applications unless authorised to do so by their line manager and/or IT support.
• However staff should:
• Be aware of online scams;
• Read the charity's Internet Usage policy;
• Respect and conform with existing network security measures;
• Understand what is acceptable and unacceptable online behaviour;
• Understand how to virus check using the installed anti-virus software.
Social Network Sites
Social Networking Sites
• Examples of Social Networking Sites are Twitter, Facebook & MySpace.
• Many charities will have a Facebook site and a Twitter account.
• Staff using a charity's Social Networking Website should act responsibly when posting messages online. In particular, no:
• Comments which could cause offence or distress;
• Negative comments about other individuals or organisations;
• Statements which would cause the reputation of the charity to suffer.
• Individuals have been sued for comments they have made on Twitter and Facebook.
Portable Data Storage & IT Systems
Portable Data Storage
An item which holds data and which by the nature of its design is portable, i.e. can be moved. Examples include:
• CD/DVD-ROM
• USB Memory Device
• Portable hard drive
Because these devices are portable they could be taken outside the charity and be lost or mislaid.
• Past data breaches by charities investigated by the ICO have been where laptops or portable data storage devices containing personal data about clients and staff have been lost or stolen outside the charity's premises.
• To lessen the possible compromise of personal data, encryption of a laptop's hard drive or other portable electronic data storage device should be considered, especially if it is carried or sent outside the charity premises.
Illustration (encrypted laptop): a client's personal details in clear, and the same details once encrypted.
Client's personal details: Name: Jane Smith; Address: 17 New Road, Croydon, CR1 4ND; Telephone Number: 01203 406444; Client No: 23-001; Comments: Next meeting with charity is on 14/07/2011
Client's personal details encrypted: unreadable ciphertext, e.g. "A88***3338888JAS K)))***3338888JASDF??/..."
Password Security
Password Strength
• Password strength can be measured as the effectiveness of a password in resisting attack.
• In general, passwords with a small number of characters are easier to 'crack'.
• Passwords which have a larger number of characters and incorporate upper case letters, numbers and special characters (e.g. *, &) are harder to crack.
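The two rules above (longer is better, more character classes is better) can be made concrete by estimating the size of the search space an attacker would have to exhaust. The following is an added example, not part of the original presentation: it counts the character classes a password uses, converts length and alphabet size into bits, and translates those bits into an expected guessing time. The common-password list, the guessing rate and the weak/fair/strong thresholds are this example's own assumptions, not figures from the presentation.

```python
import math
import string

# A tiny stand-in for a breached-password list; a real check would use a far
# larger list. Constructed for this example.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1", "charity"}

# Assumed offline guessing rate (guesses per second) against a fast, unsalted
# hash on modern hardware. The figure is an illustrative assumption.
ASSUMED_GUESSES_PER_SECOND = 1e10


def charset_size(password):
    """Size of the alphabet an attacker would have to search, based on which
    character classes the password actually uses."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # 32 symbols such as * and &
    return size


def entropy_bits(password):
    """Brute-force search space in bits: length x log2(alphabet size).
    Known-common passwords score zero regardless of their make-up."""
    if password.lower() in COMMON_PASSWORDS:
        return 0.0
    size = charset_size(password)
    return len(password) * math.log2(size) if size else 0.0


def expected_crack_seconds(password, guesses_per_second=ASSUMED_GUESSES_PER_SECOND):
    """Expected time to find the password by exhaustive search (half the space)."""
    return 2 ** entropy_bits(password) / 2 / guesses_per_second


def rate(password):
    """Map bits to three bands; the thresholds are this example's own choice."""
    bits = entropy_bits(password)
    if bits < 28:
        return "weak"
    if bits < 50:
        return "fair"
    return "strong"


def report(passwords):
    """Tabulate (password, bits, band) for a list of candidate passwords."""
    return [(p, round(entropy_bits(p), 1), rate(p)) for p in passwords]


if __name__ == "__main__":
    for pw, bits, band in report(["sun", "sunflower", "Sunflower", "Sun&Flower99", "password"]):
        print(f"{pw:14} {bits:6.1f} bits  {band:6}  ~{expected_crack_seconds(pw):.0e} s")
```

Note the limitation: the estimate assumes the attacker searches every combination, so a dictionary word with a capital and a digit tacked on scores far better than it deserves. That is why the common-password check is in there, and why in practice length counts for more than mixing in a symbol or two.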
Questions