1BCS SFIA Workshop Professional Protection - The Skills Needed for Effective Data Protection Andrea Simmons, MBCS CITP, CISM, CISSP, M.Inst.ISP, BABCS Professional Development Consultant
2What we mean by info Personal data Sensitive personal data information relating to a living individual who can be identifiedname, payroll number, NI number, date of birth, addressSensitive personal dataracial or ethnic originpolitical opinionsreligious beliefstrade union membershipphysical or mental health or conditionsexual lifecommission of alleged commission of an offence (or proceedings)Includes any expression of opinion about the individual and any indication of the intentions of the data controller
3What the DPA 1998 means“An Act to make new provisions for the regulation or the processing of information relating to individuals, including the obtaining, holding, use or disclosure of such information”pre-amble to 1998 Data Protection ActApplies to all organisations which hold and process (use) personal data (i.e. both public and private sector)Processing for domestic purposes is not coveredSmall non-profit organisations are exempt from some of the Acts requirementsIncludes automatically processed data (e.g. CCTV, PCs)
4Therefore DPA does not cover: Information about the deceased Aggregated dataAnonymised datePersonal data does includeCoded dataIndirect references, where identity is obviousOpinions or intentions towards an individualPersonal data must say something about an individualPersonal data must have some biographical contentIncidental references will not be personal data (controversial)Privacy applies a moral stance to the use of data
5Legal issues Computer Misuse Act 1990 Anti-Terrorism, Crime and Security Act, Section 11 – Retention of Communications Data 2001Data Protection Act 1998Defamation Act 1996Copyright, Designs and Patents Act 1988Human Rights Act 1998Obscene Publications Act 1959 & 1964Regulation of Investigatory Powers 2000Waste Electrical & Electronics Equipment (WEEE) directive (regulations)Criminal Justice & Immigration Act 2008The term hacker relates back to an original term used at universities. The original hackers were users inquisitive into the uses of software and played around with computers in their spare time. The term has since come to mean people of questionable ethics abusing computer systems and networks for their own ends.Types of hacker:The malicious hacker is the most likely to mount a denial of service attack. They will have no interest in obtaining your confidential data or secrets but will enjoy sabotaging your systems and causing headaches for administrators.The academic hacker is only interested in gaining knowledge. Again, they will have no interest in your data but instead enjoys the challenge of penetrating your defences. He will not intentionally damage systems but could do so inadvertently.Industrial espionage is another possible motive for attacking your systems. The object here is to compromise the system, take copies of data and then get out without leaving any trace of the visit.The ex-employee can be a formidable foe. He will have inside knowledge of your security provisions and logins that were certainly once valid.Access to hacking knowledge and technical expertise is getting better, in addition there is an increase in downloadable cracking, intrusion and general tools all with the potential to gain access.
6Know the Law Protection of Children Act 1978 Sexual Offences Act 2003 It is illegal to possess, distribute, show and make indecent images of childrenMaking of indecent images of children includes viewing them on the Internet.You cannot be prosecuted for receiptYou can be prosecuted for distribution
7The 8 DPA Principles Data should be: Processed FAIRly & lawfully (Fish)Processed for specified and lawful purposes (SPECIFIC) (Swim)ADEQUATE, relevant & not excessive (All)ACCURATE and up to date (Around)not held indefinitely (RETENTION) (Reefs)RIGHTS of data subject respected (Rocks)SECURITY (organisational/technical) (Sunken)international TRANSFERs (Treasures)Data should be:
8Criminal Justice & Immigration Act 2008 A penalty for knowingly or recklessly failing to comply with the data protection principles so as to create a substantial risk that damage or distress will be caused to any person.A power for the Information Commissioner to inspect personal data and the circumstances surrounding its processing in order to assess whether or not any processing of the data is carried out in compliance with the Act.A power for the Information Commissioner to require a data controller to provide him with a report by a skilled person.Enhanced enforcement powers to enable the Information Commissioner to bring seriously unlawful processing to an immediate halt, to place formal undertakings on a statutory basis and to enable the Information Commissioner to take enforcement action to prevent breaches of the Act that are likely to occur.Individuals who negligently disclose personal data could be jailed for up to two yearsClearly, the time for low data protection act compliance is past – it should now be a high priority for all organisations and individuals within organisations.
9What’s wrong with this picture? Well, 20 things, actually. Here is a view of a typical desk ….OK, maybe most are not this bad!Can you find all the violations?Clear Desk Policy… anyone…?!
11Proprietary Data VIOLATIONS RISK SUGGESTED POLICY Day planner 1 and Card Index or equivalent 2 left on desk.Personal and professional information—including phone numbers, passwords, or notes on meeting times, places and subjects—is vulnerable.Store day planners and notebooks in a locked drawer or take them when away from desk for extended periods of time, including overnight.
12Personal Data VIOLATIONS RISK SUGGESTED POLICY Personal effects including a bank statement 3, chequebook 4 and mail 5 left on desk. Briefcase 6 left open near desk.Bank statements include account numbers and other personal identifiers; mail carries home addresses and could reveal private information; chequebook contains a history of financial transactions. Unlocked briefcases can have items stolen from them if employee leaves the area.Lock briefcases and cabinets when away from desk for extended periods.Keep all personal effects in a locked briefcase or locked cabinet devoted to personal effects.
13Access Tools VIOLATIONS RISK SUGGESTED POLICY Keys 7, mobile phone 8, PDA 9 and building access card 10 left on desk.Mobile phones can be stolen or have their call histories compromised. Stolen keys give intruders access to restricted areas of the office. PDAs contain sensitive personal and professional data. Stolen access cards can be used for continued access to the building.Keep devices with you, and lock mobile phones and PDAs with a pass code.Never leave your access cards or keys out anywhere; always keep them with you.Notify security staff immediately if access cards or keys are missing.
14IT Tools VIOLATIONS RISK SUGGESTED POLICY Applications left open on computer 11, CD left in computer 12, passwords on sticky note displayed on monitor stand 13, printouts left in printer 14.Access to personal or sensitive corporate or passwords can allow ongoing access and intrusion. CD left in drive and data on printouts can be stolen. Cache files for applications and printer can yield sensitive data one might have thought wasn't preserved.Close applications and turn off your monitor when you leave your desk.Do not leave portable media such as CDs or floppy disks in drives.Enable a password-protected screen saver.Turn off your computer when you leave for extended periods.Never write your passwords on a sticky note nor try to hide them anywhere in your office.Remove printouts from printers before leaving the office.Shred sensitive printouts when you are done with them.Clear cache files on computer and memory on devices like printers regularly.
15Spatial Misconfigurations VIOLATIONSRISKSUGGESTED POLICYDesk positioned so it's partially exposed to window and view from the hallway 15. Whiteboard with sensitive data on it viewable from hallway and window 16.Window exposure could enable spying from other buildings. Hallway exposure could allow unauthorized access if data, such as a password, is written on a whiteboard.Desks and furniture should be positioned so that sensitive material is not visible from either the windows or the hallway.Close blinds on windows.Use a screen filter to minimize the viewing angle on a computer monitor.Erase whiteboards; if data on whiteboards needs to be saved, use electronic whiteboards or employ shutters.
16Beyond the Desk VIOLATIONS RISK SUGGESTED POLICY File cabinet drawer open 17 and keys left in lock 18. Trash bin contains loose-leaf paper 19. Bookshelf contains binders with sensitive information 20.Folders in cabinet are eminently stealable. Keys allow for ongoing access and the ability to return files, so it's hard to detect theft. s, other sensitive paper in trash bin can be stolen after-hours or found in the Dumpster outside. Binders on shelf, clearly marked as sensitive, are also available for "borrowing," making the theft of the information hard to detect.Do not use bookshelves to store binders with sensitive information. Label those binders prosaically and lock them up.Arrange folders in file cabinets so that the least sensitive are in front, most sensitive in back.Keep file cabinets closed and locked. Do not leave keys in their locks.Shred paper on site before having it recycled.If appropriate, lock your office door when you're gone for extended periods.
17Mitigating the business It’s important to act quicklyConsider the value of pursuing investigationsSeek to prevent escalation by implementing robust Incident ManagementFind the evidenceApply ongoing risk assessment (culture change required)Create policies that hold evidential weight and have a supporting (HR) enforcement process
18When things go wrong…There are criminal offences for obtaining and disclosing data..The Information Commissioner can take “enforcement action”Individuals can go to the courtThere may be bad publicity….Training TipsWhat happens if we get it wrong?Do not dwell on the negative aspects of non-compliance, but make it clear that there are serious consequences for the organizationExplain how employees may sometimes be criminally liable if they use the organization’s data for their own purposes or deliberately act outside policies and proceduresGive examples of things that have gone wrong in the past
19When things go right…There should be increased customer and employee trustGood publicityAnd an avoidance of prosecution Training TipsStress the positive benefits for the organization !!
20What can you do?Ensure appropriate policies and procedures are in placeRecognise subject access requests and data protection complaintsEnsure you are always in the loop Always treat others personal information as you would like others to treat yours … fairly!Be professional ……Training TipsEnd the session by stressing that all staff share responsibility for data protection compliance!
21DP in SFIA Strategy and planning Service Provision Information Strategy (IRMG) – Level 5Service ProvisionSecurity administration (SCAD)Includes the investigation of unauthorised access, compliance with data protection and performance of other administrative duties relating to security management.Data Protection (DPRO)Level 5 Maintains an inventory of information subject to data protection legislationLevel 6 - Develops strategies for complying with data protection legislation
22All Around DP Recap Fish Swim All Around Reefs Rocks and Sunken TreasuresFairSpecificAdequateAccurateRightsRetentionSecurityTransfers
23Questions/Comments Andrea Simmons, CISSP, MBCS CITP, M.Inst.ISP, BA Professional Development ConsultantBCSPhone:Mobile:Web:Amongst other things!