Posts Tagged ‘data security’

SECURITY AUDIT FOR MICRO AND SMALL BUSINESSES

Thursday, July 29th, 2010

There are basic security essentials that Peninsular Business Services can help you to understand and implement.

Every organisation, no matter how small, should make sure its data is protected – data at rest, data in motion and data at the end point.

There are obligations to fulfil … not least a duty of care to your clients and customers. In a worst-case scenario, you could be fined by the Information Commissioner’s Office for neglecting to protect data that you hold. You may need help to stay out of trouble … continued.


Data Security – is it an issue for SMEs?

Wednesday, July 14th, 2010

It should be an issue, but all too often it seems business owners are too busy or too scared of the technology to get a plan together for tackling data security.

I recently posted a question on a professional forum on LinkedIn:

“How do we get the message out to those who need it most?”

I’ve selected two of the respondents’ answers, two great responses by top-notch individuals within the IT industry in the UK.

Oli Rhys, a Business ICT Advisor for one of the Welsh local councils, and Tomasz Bergiel, business owner of the web design company The Mint Factory.

Read the full script here.

Guest Blog courtesy of Sam Raincock

Sunday, June 6th, 2010

Samantha Raincock, Digital Forensic Consultant and Expert Witness

INFORMATION SECURITY MANAGEMENT & SOCIAL MEDIA POLICIES

Sam Raincock, BSc, MSc, CCE, MBCS, CEng MIET

Sam Raincock Consultancy

Sam Raincock is an IT security consultant specialising in providing expert witness services in IT and telecommunications as well as information security management implementation, assessments and auditing.

Sam has produced over 250 expert reports/statements in IT and telecommunications cases for courts in the UK and Ireland principally in serious crimes. She is instructed in the investigation of complex computer cases particularly involving elaborate defences and network/security issues. In the forensic telecommunications field, she provides opinions in cases involving the evaluation of information on mobile devices, connection patterns and cell site analysis.

So what is information security? Can anything be 100% secure? Security is about reducing the risks of something happening and managing the outcomes. Hence, information security is about minimising and managing the risks to information. This means that it doesn’t just include how you use your computer to store your files but also how your computer is stored. Information security management considers the security of your data from your USB memory stick to your building.

The remainder of this very thought-provoking article can be read here.

Data Security

Thursday, December 3rd, 2009

Compliance with the Data Protection Act 1998

Data controllers must comply with the provisions of the 1998 Act even if they are exempt from notification.

Ask yourself this question: what might be the consequence if you or your employee lost personal data that you were holding in a client or customer database? It might be on a disk, in a folder, on a flash stick or on your phone.

It would largely depend on your Professional Indemnity Insurance cover – so it is just as well to check your cover, because not all policies will provide for the loss or theft of the data. If the policy doesn’t include this, you leave yourself open to a claim against you for negligence.


There are eight data protection principles. In summary, they require that data shall be:

  1. fairly and lawfully processed;
  2. processed for limited purposes;
  3. adequate, relevant and not excessive;
  4. accurate;
  5. not kept longer than necessary;
  6. processed in accordance with the data subject’s rights;
  7. secure; and
  8. not transferred to countries outside the European Economic Area without adequate protection.

I quote this list directly from the Information Commissioner’s Office.

This Act places obligations on all organisations and individuals who use personal information and gives individuals certain rights. It clearly states that those who record and use personal information must be open and transparent about how that information is used and must follow the eight principles of ‘good information handling’ listed above.

There are hundreds of thousands of businesses that need to be aware of this legislation: the list would probably run the length of the UK two or three times. Accountants, solicitors, bankers, HR departments, secretaries, PAs and VAs are just some of those who need to complete a risk assessment. The mind boggles to think of all the different organisations, SMEs included, who are handling sensitive personal information that should never find its way into the public domain. What percentage of them have taken action to address the risk?

Under the Act every organisation (data controller) that processes personal information (personal data) must notify the Information Commissioner’s Office of the type of information they process. Failure to notify is a criminal offence.

Data controllers are required to inform the ICO of certain details about their processing of personal information. The Commissioner uses these details to make an entry describing the processing in the register, which is available to the public at www.ico.gov.uk.

What exactly is the purpose of the register? The main purpose is reported to be ‘notification to the public register to promote openness in the use of personal information’. I believe the emphasis is skewed. Openness is one thing, but more weight should be given to the notion of ‘protection’, and I have seen no reference made to this by the ICO. We all need to take on board the acute necessity to protect personal information from identity theft/crime.

In my opinion the ICO does not go far enough to emphasise the necessity to protect information. I guess it is from fear of being labelled a patronising ‘big brother’. Surely it is blatantly obvious to organisations what steps they need to take to protect data. If it isn’t clear, then why should people think it condescending to be told?

It ought to be obvious to high-ranking government officers that taking a laptop home which contains thousands of private personal records is a no-no, but still they are taken out of the office, and still they are left on trains, or on the back seats of cars, only to be stolen while the owner pops into the shop on the way home from work. When organisations have banned the practice of taking laptops home, people have taken paper records instead and left them on trains and on buses too!

So, down to the practicalities: if you hadn’t already thought it through, here’s a quick checklist.


Does your office, at home or within an organisation, have the following security in place:

  • Is there physical security of the room in which the computer/box files etc. live?
  • Are laptops allowed to leave the building? Why is this necessary when it is much more secure for people to log in to the server remotely if they need to work from home?
  • If laptops leave the building routinely they need fail-safe protection in the form of a ‘remote destruct device’ in case they become lost or stolen [my preferred provider is Backstopp and Leakstopp].
  • Is there antivirus protection and firewall protection loaded onto the computer or laptop?
  • Have passwords been set?
  • If your children use your home computer for chatrooms and games, do you have protection set for them [my preferred provider is CrispThinking]?
  • Are other users of the computer in the home environment as enlightened as you are? Perhaps you should spend some time briefing them.
  • Are all paper records containing personal information shredded before being disposed of?
  • If it is absolutely necessary to pass information via text, e.g. account numbers, DON’T send the complete number in one text; send it in two halves, like this: 1st text contains 12345***, 2nd text contains *****678.
  • Don’t risk losing your data due to a lightning strike. There is nothing that you can do to stop lightning travelling down a BT cable and into your home computer. This will destroy your hard disk. So the answer is to make sure you have a back-up procedure in place. Back up your disk to a remote server [my preferred product is Carbonite, where I have unlimited storage space and the whole process happens automatically].
  • Check the cover on your Professional Indemnity Insurance.
  • Finally, if you take folders containing personal information out of the office environment there should be a reporting system which records the fact that the folder has left the filing cabinet, who has it in their possession, where it is being taken to and when it will be returned.

Does all of this sound rather ‘over the top’? You won’t think so when you take a look at MobileBozos.

MobileBozos shows examples of data loss in the UK and USA. Look at the example of a woman working at her laptop while travelling by train, with a bunch of papers alongside her machine … she leaves the whole scene unprotected while she goes off to the buffet carriage.

Footnote:

Fees for Registration to ICO are currently set at:

  • For organisations with up to 250 employees £35.00
  • For organisations with over 250 employees £500.00
  • All Charity organisations pay £35.00

Contact by telephone: ICO 01625 545 745

http://www.ico.gov.uk