Data Protection webinar: Data Protection & Information Security

5th November 2014

Welcome. We’re just making the last few preparations for the webinar to start at 11.00. Keep your speakers or headphones turned on and you will shortly hear a voice!

This presentation is intended to help you understand aspects of the Data Protection Act 1998 and related legislation. It is not intended to provide detailed advice on specific points, and is not necessarily a full statement of the law.


What Data Protection is about

- Prevent harm to the individuals whose data we hold, or other people
- Keep information in the right hands
- Hold good quality data

Protecting people

Protecting data


Security (Principle 7)

The Information Commissioner can impose a penalty of up to £500,000 for gross breaches of security.

Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

Penalties for security breaches

Ealing & Hounslow councils were jointly responsible for the theft of an unencrypted laptop containing 1700 clients’ details from an employee’s house

Worcs. County Council e-mailed highly sensitive data about a large number of vulnerable people to 23 unintended recipients

Powys County Council mixed up two child protection reports and posted part of one to someone who recognised the people involved

An Aberdeen social worker, working from home, inadvertently allowed her computer to upload confidential documents to an unprotected web site

The poorly-secured British Pregnancy Advisory Service website was hacked into and 9,700 highly confidential messages stolen

Basis of a security policy

- Prevent breaches, loss, etc, as far as reasonably possible
- Minimise the damage if/when a breach happens
- Special attention to data in transit
- Use available guidance, such as:
  - Cyber Essentials
  - Information Commissioner guidance
  - OWASP Top Ten
  - ISO 27001

Cyber Essentials

- Government scheme, introduced June 2014
- Controls for common internet-based security threats
- Two levels of assessment (both paid for)
- Focus on:
  - Firewalls & gateways
  - Secure configuration
  - Access control
  - Malware protection
  - Patch management

Information Commissioner guidance

May 2014 report – Protecting personal data in online services: learning from the mistakes of others

Common vulnerabilities identified:
- Software updates
- SQL injection
- Unnecessary services
- Decommissioning of software or services
- Password storage
- Configuration of SSL and TLS
- Inappropriate locations for processing data
- Default credentials
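As an added example (not code from the webinar or from the ICO report it cites), two of the vulnerabilities in that list, SQL injection and password storage, are shown below as the weak pattern beside the hardened one. It uses only the Python standard library and an in-memory SQLite table of constructed sample users; the usernames, passwords and the PBKDF2 iteration count are assumptions made for the example.

```python
"""Added example, not from the webinar: two of the ICO's listed
vulnerabilities (SQL injection, password storage) as the weak pattern
beside the hardened one, using only the standard library and an
in-memory SQLite database filled with constructed sample users."""
import hashlib
import hmac
import os
import sqlite3
from typing import List, Optional

# Constructed sample enrolment data: username -> password chosen by the user.
SAMPLE_USERS = {"asmith": "correct horse battery staple", "o'brien": "hunter2"}

# Iteration count is an assumption for the example (the current OWASP
# recommendation for PBKDF2-HMAC-SHA256); tune it to your own hardware.
PBKDF2_ITERATIONS = 600_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Store algorithm, iteration count, salt and digest together so that
    verification is self-describing and parameters can be raised later."""
    salt = salt if salt is not None else os.urandom(16)  # fresh random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the stored parameters and compare in constant time."""
    try:
        algo, iterations, salt_hex, hash_hex = stored.split("$")
    except ValueError:
        return False  # malformed record: fail closed
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), hash_hex)


def build_db() -> sqlite3.Connection:
    """The weak pattern would be a plaintext password column; only hashes are stored here."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)")
    for name, password in SAMPLE_USERS.items():
        conn.execute("INSERT INTO users VALUES (?, ?)", (name, hash_password(password)))
    return conn


def lookup_unsafe(conn: sqlite3.Connection, username: str) -> List[str]:
    """Weak pattern: the input is pasted into the SQL text, so a quote character
    in the input changes the statement itself instead of being treated as data."""
    sql = f"SELECT username FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn: sqlite3.Connection, username: str) -> List[str]:
    """Hardened pattern: the driver binds the value separately; it can never become SQL."""
    rows = conn.execute("SELECT username FROM users WHERE username = ?", (username,))
    return [row[0] for row in rows]


def login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Look the user up with a bound parameter and verify against the stored hash."""
    row = conn.execute(
        "SELECT password_hash FROM users WHERE username = ?", (username,)
    ).fetchone()
    return row is not None and verify_password(password, row[0])


def demo() -> dict:
    """Run both lookups on a legitimate name containing an apostrophe, then a good and a bad login."""
    conn = build_db()
    results = {"safe_lookup": lookup_safe(conn, "o'brien")}
    try:
        results["unsafe_lookup"] = lookup_unsafe(conn, "o'brien")
    except sqlite3.OperationalError as exc:
        results["unsafe_lookup"] = f"query broke: {exc}"
    results["good_login"] = login(conn, "asmith", "correct horse battery staple")
    results["bad_login"] = login(conn, "asmith", "wrong password")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The lookup is deliberately run on an ordinary name containing an apostrophe: with string concatenation the statement itself changes and the query fails, while the bound parameter treats exactly the same input as a value. On the password side, a per-user random salt and the iteration count are stored alongside the digest, and the comparison uses hmac.compare_digest rather than ==.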

OWASP Top Ten

- Open Web Application Security Project
- Identifies main web-based threats and how to address them
- Updated every three years (most recent 2013)
- More technical than Cyber Essentials or ICO guidance

ISO 27000 series

- International Standard: ISO 27000 from British Standards Institute (ISO27001:2005)
- Can be self-assessed but less reliable than certified
- Credentials of certifying company matter
- Relevance & scope matters (ISO 27000 Statement of Applicability)
- Accreditation not usually recommended for small charities
- Sets out key ‘controls’
- Underlying principle ‘least privilege’ ... but must be balanced with operational efficiency

Control A.5: Security policy

The InfoSec policy must be properly approved and publicised

It must be reviewed at appropriate intervals

Suggestion: base the policy around ISO 27000 sample

Control A.6: Organisation of information security

- Management commitment
- Coordination across the organisation
- Allocation of responsibilities
- Independent review
- Identification of external risks (customers, third parties, etc.)

Control A.7: Asset management

- Includes information as well as tangible assets
- Inventory: know what you’ve got
- ‘Ownership’ = management responsibility
- Acceptable use policy
- Information classification
  - New government scheme: Official, Secret, Top secret
  - Official can be sub-divided
- Information labelling & handling

Control A.8: Human resources – the problem

Most people are trustworthy – but you can’t always know who isn’t

Human beings are usually your weakest security point

Charities are not immune from fraud and other misbehaviour

Control A.8: Human resources – the solution

- Roles & responsibilities defined & documented
- Screening/vetting in proportion to the risk
- Contract terms & conditions set out clear responsibilities
- Manage performance
- Promote awareness, education & training
- Disciplinary process must apply
- Termination responsibilities
  - Return of assets
  - Removal of access rights

Deliberate misbehaviour

Criminal offence, under DPA, committed by individual:
- Knowingly or recklessly accessing data without authorisation
- Knowingly or recklessly allowing another person unauthorised access
- Selling data accessed without authorisation


Examples

In October 2005 a private detective was fined £6,250 plus £600 costs for unlawfully obtaining information relating to “vulnerable women” from medical centres, as well as misrepresenting himself to Her Majesty’s Revenue & Customs.

In December 2012 a bank employee was fined £500 plus a £15 victim surcharge and £1,410.80 prosecution costs for having accessed bank statements of her partner’s ex-wife. She also left her job.

In July 2004 a “bored” computer operator working for Gwent Police was fined £400 for using control room computers to investigate people she knew.

Control A.9: Physical & environmental security

- Security of premises and entry controls
- Environmental threats – fire, flood, etc.
- Equipment siting, and supporting utilities & cables
- Equipment maintenance
- Security of equipment off premises
- Secure disposal
- Removal of property

Control A.10.1 to A.10.6: Comms and operations management

- Operational procedures & responsibilities
- Third party service delivery
  - NB: Data Processor contracts
- System planning & acceptance
- Protection against malicious and mobile code
- Back-up
- Network security
- “Bring Your Own Disaster”

Control A.10.7: Media handling

Management of removable media

Information Commissioner expects all removable media (including laptops) to be:
- Password protected
- Encrypted

Control A.10.8 to A.10.10: Comms and operations management

- Exchange of information (data in transit)
- Electronic commerce services
  - Payment Card Industry Data Security Standard
- Cloud computing
- Bring Your Own Device policy
- Monitoring
  - Including logging of activity

Bring Your Own Device

Key risks include:
- Lax access controls
- Multiple users on the same device
- Data leakage through rogue or malicious apps
- Insecure transfer to and from the device
- Delay in reporting or managing loss or theft
- Responsibility for maintenance and backup

Control A.11: Access control

- Access control policy
- User access management
- User responsibilities
  - Passwords
  - Unattended equipment
  - Clear desk, etc.
- Network access
- Operating system access
- Application and information access
- Remote working

Access control: Managers’ role

- Set up the right roles
- Make sure you only grant access to people you are sure about
- Allocate people to the right roles
- Induct and train them fully in their obligations
- Follow up on any anomalies or suspicions
- Remove people’s access promptly when they no longer need it
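As an added example (not code from the webinar), the following reconciliation gives managers a concrete way to check the A.8 termination duty (removal of access rights) and the A.11 duties above (remove access promptly, follow up anomalies, grant only what the role needs): it compares an account export with the HR feed and reports leavers still enabled, logins after a leaving date, accounts nobody owns, and group membership beyond what a role is entitled to. All records, field names and the role-to-group mapping are constructed assumptions.

```python
"""Leaver and role reconciliation: added example, not part of the webinar.
Checks an account export against HR records for the A.8 'removal of access
rights' and A.11 'remove access promptly / follow up anomalies' duties.
All records, field names and the role-to-group mapping are constructed."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, List, Optional, Set, Tuple


@dataclass(frozen=True)
class HrRecord:
    user_id: str
    role: str
    leaving_date: Optional[date]  # None means still employed


@dataclass(frozen=True)
class Account:
    user_id: str
    enabled: bool
    groups: FrozenSet[str]
    last_login: Optional[date]  # None means never logged in


# Which groups each role is entitled to (assumption made for the example).
ROLE_GROUPS: Dict[str, Set[str]] = {"caseworker": {"caseworkers"}, "finance": {"finance"}}

# Constructed sample HR feed and account export.
HR = [
    HrRecord("asmith", "caseworker", None),
    HrRecord("bjones", "finance", date(2014, 10, 15)),
    HrRecord("cwhite", "caseworker", None),
]
ACCOUNTS = [
    Account("asmith", True, frozenset({"caseworkers"}), date(2014, 11, 4)),
    Account("bjones", True, frozenset({"finance", "payroll-admin"}), date(2014, 10, 30)),
    Account("cwhite", True, frozenset({"caseworkers", "finance"}), date(2014, 11, 3)),
    Account("dbrown", True, frozenset({"caseworkers"}), None),
]

Finding = Tuple[str, str, str]  # (user_id, code, detail)


def reconcile(hr: List[HrRecord], accounts: List[Account], today: date) -> List[Finding]:
    """Return one finding per problem; an empty list means the export is clean."""
    by_id = {r.user_id: r for r in hr}
    findings: List[Finding] = []
    for acct in accounts:
        rec = by_id.get(acct.user_id)
        if rec is None:
            # Account with no HR record: nobody owns it, so nobody will revoke it.
            findings.append((acct.user_id, "orphan", "account has no matching HR record"))
            continue
        has_left = rec.leaving_date is not None and rec.leaving_date <= today
        if has_left:
            if acct.enabled:
                days = (today - rec.leaving_date).days
                findings.append((acct.user_id, "leaver", f"still enabled {days} days after leaving"))
            if acct.last_login is not None and acct.last_login > rec.leaving_date:
                # Activity after the leaving date is an anomaly to follow up, not just tidy away.
                findings.append(
                    (acct.user_id, "login-after-leaving", f"last login {acct.last_login.isoformat()}")
                )
            continue
        # Still employed: compare the groups held with what the role entitles them to.
        excess = acct.groups - ROLE_GROUPS.get(rec.role, set())
        if excess:
            findings.append(
                (acct.user_id, "excess-access", "groups beyond role: " + ", ".join(sorted(excess)))
            )
    return findings


if __name__ == "__main__":
    for user, code, detail in reconcile(HR, ACCOUNTS, date(2014, 11, 5)):
        print(f"{user:8} {code:20} {detail}")
```

Run against the sample data for 5 November 2014 it reports bjones as still enabled three weeks after leaving and logged in after that date, cwhite as holding a finance group a caseworker role does not need, and dbrown as an account with no HR owner. Feeding it a real account export and HR leavers list at a fixed interval turns the "remove access promptly" bullet into something that is actually checked.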

Remaining controls

- A.12: Information systems acquisition, development and maintenance
- A.13: Information security incident management
- A.14: Business continuity management
- A.15: Compliance (legal & standards) and audit

Key security measures

- Clear information ownership and policies (A.7)
- Select & manage staff appropriately (A.8)
- Physical access controls (A.9)
- Data Processor contracts (A.10.2)
- Backup (A.10.5)
- Network security (A.10.6)
- Website security – ‘OWASP top ten’
- Data in transit (A.10.8)
- Bring Your Own Device policy (A.10.10)
- Access control to systems (A.11)

Many thanks

Please complete the short evaluation questionnaire (link in follow-up e-mail) which has a link to this presentation and other resources

Contact me if there is anything else: [email protected]