Data Protection webinar: Data Protection & Information Security
5th November 2014
Welcome. We’re just making the last few preparations for the webinar to start at 11.00. Keep your speakers or headphones turned on and you will shortly hear a voice!
This presentation is intended to help you understand aspects of the Data Protection Act 1998 and related legislation. It is not intended to provide detailed advice on specific points, and is not necessarily a full statement of the law.
What Data Protection is about
Prevent harm to the individuals whose data we hold, or to other people
Keep information in the right hands
Hold good quality data
Protecting people; protecting data
Security (Principle 7)
“Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.”
The Information Commissioner can impose a penalty of up to £500,000 for gross breaches of security.
Penalties for security breaches
Ealing & Hounslow councils were held jointly responsible when an unencrypted laptop containing 1,700 clients’ details was stolen from an employee’s house
Worcs. County Council e-mailed highly sensitive data about a large number of vulnerable people to 23 unintended recipients
Powys County Council mixed up two child protection reports and posted part of one to someone who recognised the people involved
An Aberdeen social worker, working from home, inadvertently allowed her computer to upload confidential documents to an unprotected web site
The poorly-secured British Pregnancy Advisory Service website was hacked into and 9,700 highly confidential messages stolen
Basis of a security policy
Prevent breaches, loss, etc., as far as reasonably possible
Minimise the damage if/when a breach happens
Special attention to data in transit
Use available guidance, such as: Cyber Essentials, Information Commissioner guidance, OWASP Top Ten, ISO 27001
Cyber Essentials
Government scheme, introduced June 2014
Controls for common internet-based security threats
Two levels of assessment (both paid for)
Focus on: firewalls & gateways, secure configuration, access control, malware protection, patch management
Information Commissioner guidance
May 2014 report – Protecting personal data in online services: learning from the mistakes of others
Common vulnerabilities identified:
Software updates
SQL injection
Unnecessary services
Decommissioning of software or services
Password storage
Configuration of SSL and TLS
Inappropriate locations for processing data
Default credentials
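Two of the items on the ICO list, SQL injection and password storage, are shown below in working code. This is an added example for this transcript, not material from the webinar or from the ICO report. It uses Python’s standard library only: an in-memory SQLite table with two constructed users, a lookup that splices the username into the SQL text beside the same lookup with a bound parameter, and PBKDF2-HMAC-SHA256 password hashing with a per-user salt and constant-time comparison. The usernames, passwords and the `pbkdf2_sha256$iterations$salt$hash` record format are assumptions made for the example.

```python
import hashlib
import hmac
import os
import sqlite3
from typing import List, Optional

# Work factor for PBKDF2-HMAC-SHA256; raise it as hardware gets faster.
PBKDF2_ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$key_hex."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per password defeats precomputed tables
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and iteration count; compare in constant time.

    Malformed records (for example a legacy plaintext column) are rejected rather
    than compared as plaintext.
    """
    try:
        algo, iterations, salt_hex, dk_hex = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(dk_hex)
        rounds = int(iterations)
    except ValueError:
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(dk, expected)


def make_db() -> sqlite3.Connection:
    """Constructed sample data: two users, passwords stored only as salted hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", hash_password("correct horse")), ("bob", hash_password("hunter2"))],
    )
    return conn


def find_users_vulnerable(conn: sqlite3.Connection, username: str) -> List[str]:
    """Builds the SQL text by string formatting, so the input is parsed as SQL.

    An input of  ' OR '1'='1  turns the WHERE clause into a tautology and the
    query returns every username in the table.
    """
    query = f"SELECT username FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(query)]


def find_users_hardened(conn: sqlite3.Connection, username: str) -> List[str]:
    """Same lookup with a bound parameter: the value travels separately from the
    SQL text, so quotes and keywords in the input are just characters to match."""
    query = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(query, (username,))]


def login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Authenticate with the parameterised lookup and the hashed password."""
    row = conn.execute(
        "SELECT password_hash FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return False
    return verify_password(password, row[0])


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"
    print("vulnerable lookup:", find_users_vulnerable(db, payload))  # every username leaks
    print("hardened lookup:  ", find_users_hardened(db, payload))    # nothing matches
    print("login bob/hunter2:", login(db, "bob", "hunter2"))
    print("login bob/payload:", login(db, "bob", payload))
```

The hardened lookup and the hashing routine are independent fixes: parameterised queries stop the attacker reading the table, and salted slow hashing limits the damage if the table is read anyway, which is why the ICO report lists the two separately.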
OWASP Top Ten
Open Web Application Security Project
Identifies the main web-based threats and how to address them
Updated every three years (most recent 2013)
More technical than Cyber Essentials or ICO guidance
ISO 27000 series
International standard: the ISO 27000 series (ISO 27001:2005, available in the UK from the British Standards Institution)
Can be self-assessed, but self-assessment is less reliable than certification
Credentials of the certifying company matter
Relevance and scope matter (ISO 27001 Statement of Applicability)
Accreditation not usually recommended for small charities
Sets out key ‘controls’
Underlying principle: ‘least privilege’ ... but it must be balanced with operational efficiency
Control A.5: Security policy
The InfoSec policy must be properly approved and publicised
It must be reviewed at appropriate intervals
Suggestion: base the policy around ISO 27000 sample
Control A.6: Organisation of information security
Management commitment
Coordination across the organisation
Allocation of responsibilities
Independent review
Identification of external risks (customers, third parties, etc.)
Control A.7: Asset management
Includes information as well as tangible assets
Inventory: know what you’ve got
‘Ownership’ = management responsibility
Acceptable use policy
Information classification
New government scheme: Official, Secret, Top Secret (Official can be sub-divided)
Information labelling & handling
Control A.8: Human resources – the problem
Most people are trustworthy – but you can’t always know who isn’t
Human beings are usually your weakest security point
Charities are not immune from fraud and other misbehaviour
Control A.8: Human resources – the solution
Roles & responsibilities defined & documented
Screening/vetting in proportion to the risk
Contract terms & conditions set out clear responsibilities
Manage performance
Promote awareness, education & training
Disciplinary process must apply
Termination responsibilities: return of assets, removal of access rights
Deliberate misbehaviour
Criminal offence under the DPA (section 55), committed by an individual:
Knowingly or recklessly accessing data without authorisation
Knowingly or recklessly allowing another person unauthorised access
Selling data accessed without authorisation
Examples
In October 2005 a private detective was fined £6,250 plus £600 costs for unlawfully obtaining information relating to “vulnerable women” from medical centres, as well as misrepresenting himself to Her Majesty’s Revenue & Customs.
In December 2012 a bank employee was fined £500 plus a £15 victim surcharge and £1,410.80 prosecution costs for having accessed bank statements of her partner’s ex-wife. She also left her job.
In July 2004 a “bored” computer operator working for Gwent Police was fined £400 for using control room computers to investigate people she knew.
Control A.9: Physical & environmental security
Security of premises and entry controls
Environmental threats – fire, flood, etc.
Equipment siting, and supporting utilities & cables
Equipment maintenance
Security of equipment off premises
Secure disposal
Removal of property
Control A.10.1 to A.10.6: Comms and operations management
Operational procedures & responsibilities
Third party service delivery (NB: Data Processor contracts)
System planning & acceptance
Protection against malicious and mobile code
Back-up
Network security (“Bring Your Own Disaster”)
Control A.10.7: Media handling
Management of removable media
The Information Commissioner expects all removable media (including laptops) to be password protected and encrypted
Control A.10.8 to A.10.10: Comms and operations management
Exchange of information (data in transit)
Electronic commerce services (Payment Card Industry Data Security Standard)
Cloud computing
Bring Your Own Device policy
Monitoring, including logging of activity
Bring Your Own Device
Key risks include:
Lax access controls
Multiple users on the same device
Data leakage through rogue or malicious apps
Insecure transfer to and from the device
Delay in reporting or managing loss or theft
Responsibility for maintenance and backup
Control A.11: Access control
Access control policy
User access management
User responsibilities: passwords, unattended equipment, clear desk, etc.
Network access
Operating system access
Application and information access
Remote working
Access control: Managers’ role
Set up the right roles
Make sure you only grant access to people you are sure about
Allocate people to the right roles
Induct and train them fully in their obligations
Follow up on any anomalies or suspicions
Remove people’s access promptly when they no longer need it
Remaining controls
A.12: Information systems acquisition, development and maintenance
A.13: Information security incident management
A.14: Business continuity management
A.15: Compliance (legal & standards) and audit
Key security measures
Clear information ownership and policies (A.7)
Select & manage staff appropriately (A.8)
Physical access controls (A.9)
Data Processor contracts (A.10.2)
Backup (A.10.5)
Network security (A.10.6)
Website security – ‘OWASP Top Ten’
Data in transit (A.10.8)
Bring Your Own Device policy (A.10.10)
Access control to systems (A.11)
Many thanks
Please complete the short evaluation questionnaire (link in the follow-up e-mail), which also has a link to this presentation and other resources.
Contact me if there is anything else: [email protected]