Information Security and Common Sense
Richard Henson, University of Worcester, October 2008
Why has Data Security become such a problem?
- End user computing
- Advances in technology
- Confusion about the Data Protection Act
- Lack of policy, or inconsistent implementation of policy
- Data handling training issues
The Rise of End User Computing
- In the 1980s, organisational data was kept either in:
  - centralised computers
  - secure filing cabinets
- The PC offered the possibility of organisational data in the hands of non-professionals…
  - network administrators predicted there would be big problems…
  - few people listened… THEY SHOULD HAVE!
Where are we now with Information Technology?
- Days of mainframe or centralised computing… comparable to mass transport systems (e.g. stage coach, railways, bus)
  - professional drivers
  - people driven about
Another e.g. of Technological Change bringing about Cultural Change…
- Coming of the motor car…
The Coming of the Personal Computer…
- In technology/society terms, the equivalent of the motor car…
Result of the motor car cultural change…
- Transport became personalised
  - those handling motor vehicles were often a menace to other road users
  - many accidents, injuries, lives lost
- Only controlled through the use of legislation (e.g. Highway Code)
  - and then more legislation (e.g. Driving Test)…
    - and yet more legislation!!! (e.g. National Speed Limit)
Are roads safe today?
- UK road deaths have been falling consistently for many years
- So a cultural problem CAN be brought under control…
- What about the perils of end user computing…
Digital Data and the Law
- What do we have for keeping computer users in order?
  - the Data Protection Act
- Problem… dates back to 1984
  - BEFORE end user computing
- Update in 1998
  - did not address the problems associated with putting the end user in control
    - e.g. digital data can be easily carried around
The New Law
- Finally (2008) legislation is being updated to acknowledge the problem
  - New offence of Data Recklessness
  - Information Commissioner's Office (ICO) has increased powers…
    - further changes expected during the 2008-9 Parliamentary Session
(Pictured: Information Commissioner Richard Thomas)
Why such a long wait?
- Again… back to the motor car
- Highways Act?
  - became law in 1835
  - only substantially updated in… 1959
  - Why then? It had become
    - a matter of public concern
- Equally, Data Protection is now A MATTER OF PUBLIC CONCERN
  - latest surveys: people are now as concerned about their privacy as they are about terrorism!
What are the consequences for Organisations?
- They need to get serious about data protection, or risk the wrath of the Information Commissioner's Office
- First to suffer was…
  - Richard Branson, Virgin Media (3383 customer records went missing)
- Would you want to be next???
What to do?
- Apply common sense!
  - establish, or update, the organisation's Information Security Policy
  - key role: Data Controller - make sure all employees are aware of the law…
    - make sure systems are in place to ensure that policy works at operational (end user) level
    - make sure the systems are auditable, and regularly audited
Don't know where to start?
- There is now an International Standard:
  - ISO 27001
  - based on British Standard BS7799
    - UK leading the world in design…
    - but not implementation!
  - any organisation achieving this quality standard gains in two crucial ways:
    - unlikely to lose data through recklessness
    - can use the ISO 27001 kitemark to show potential customers that their personal data is being properly looked after
Is getting ISO 27001 cost-effective?
- BIG question
  - even before…
    - the credit crunch arrived
    - data recklessness became law
- Cost overhead of ISO 27001 is quantifiable
  - intensive, highly focussed courses
  - paperwork deliberately customisable to meet the needs of large and small organisations
- If data is lost, what of the cost overhead of:
  - bad press?
  - disgruntled customers?
  - hefty fines?
Is good Information Security Common Sense?
- YES…
  - just as driving safely is common sense
- BUT…
- What would the roads be like today if:
  - the 1835 Highways Act was still in force unchanged?
  - no-one had to pass a driving test?
- QUESTIONS???