
1 Data/Information Security, Not My Problem... Or is it?
Dave Baker, Performance Plus Partnership. The Way Ahead 2017

2 Who Am I? Why Am I Here?

3 Data or Information?

4 Information
- What is information?
- What is information security?
- What is risk?
- Managing information security: ISO 27001:2013
- Information security responsibilities

5 What is Information?
Information is an asset which, like other important business assets, has value to an organisation and consequently needs to be suitably protected.

6 What is the Value of Information?
[Coffee Shop Video]

7 Information exists in many forms
- Printed or written on paper
- Stored electronically
- Transmitted by post or electronic means
- Visual, e.g. videos, diagrams
- Published, e.g. on the Web
- Aural, e.g. conversations, phone calls
- Intangible, e.g. knowledge, experience, expertise, ideas
- Within products
Information can be…
- Created
- Owned (it is an asset)
- Stored
- Processed
- Transmitted/communicated
- Used (for proper or improper purposes)
- Modified or corrupted
- Shared or disclosed (whether appropriately or not)
- Destroyed or lost
- Stolen
- Controlled, secured and protected

8 What is Information Security?
Information security is what keeps valuable information 'free of danger' (protected, safe from harm).
- It is not necessarily something you buy, it is something you do
- It's a process, not a product
- It is achieved using a combination of suitable strategies and approaches:
  - Determining the risks to information and treating them accordingly (proactive risk management)
  - Protecting CIA (Confidentiality, Integrity and Availability)
  - Avoiding, preventing, detecting and recovering from incidents
  - Securing people, processes and technology … not just IT!

9 Information Security and Helpful People
[Hacker Video]

10 Information in the Organisation
[Diagram: PEOPLE (staff & management), PROCESSES (business activities), TECHNOLOGY (IT, phones, paper …)]
Information and People
People who use or have an interest in your information security potentially include:
- Shareholders / owners
- Management & staff
- Customers / clients, suppliers & business partners
- Service providers, contractors, consultants & advisors
- Authorities and regulators
Your biggest threats arise from people (social engineers, unethical competitors, hackers, fraudsters, careless workers, bugs, flaws …), and yet your biggest assets are also your people (e.g. security-aware employees who spot trouble early).

11 Information in the Organisation
Information and Processes
Processes are work practices or workflows: the steps or activities needed to accomplish business objectives. Processes are described in procedures.
Virtually all business processes involve and/or depend on information, so information is a critical business asset.
Information security policies and procedures define how we secure information appropriately and consistently.

12 Information in the Organisation
Information and Technology
- Cabling, data/voice networks and… things!
- Telecommunications services (PABX, VoIP, ISDN, videoconferencing)
- Phones, cellphones, tablets
- Computer servers, desktops, laptops and associated data storage devices (disks, tapes, memory sticks)
- Operating system and application software
- Paperwork, files
- Security technologies: locks, barriers, card-access systems, CCTV, passwords

13 Information Security Matters because…
- It protects information against various threats
- It ensures business continuity
- It minimises financial losses and other impacts
- It optimises return on investments
- It creates opportunities to do business safely
- It maintains privacy and compliance (thereby avoiding legal action and potential fines!)

14 Information Security Incidents cause…
- IT downtime, business interruption
- Financial losses and costs
- Devaluation of intellectual property
- Breaches of laws and regulations, leading to prosecutions, fines and penalties
- Reputation and brand damage, leading to loss of customer, market, business partner or owners' confidence and lost business
- Fear, uncertainty and doubt… and STRESS

15 What is Risk?
Risk is the possibility that a threat exploits a vulnerability in an information asset, leading to an adverse impact on the organisation.
- Threat: something that might cause harm
- Vulnerability: a weakness that might be exploited
- Impact: the resulting harm (financial damage etc.)

16 Information Security Threats
Threat type | Example
Human error | Typo, wrong attachment/address, lost phone etc.
Intellectual property | Piracy, industrial espionage
Deliberate act | Unauthorised access/trespass, data theft, extortion, blackmail, sabotage, vandalism, terrorist/criminal activity
Fraud | Identity theft, expenses fraud
System/network attack | Viruses, worms, Trojans, hacks
Service issue | Power cuts, network outages
Force of nature | Fire, flood, storm, earthquake, lightning, tsunami, volcanic eruption
Hardware issue | Power supply failure, lack of capacity
Software issue | Bugs or design flaws, data corruption

17 What's That GDPR Thing All About?
GDPR – What's That?
- GDPR is the EU General Data Protection Regulation
- It applies from 25th May 2018
- It is an EU Regulation, so it applies directly and supersedes existing local laws, and the UK will still be an EU member on 25th May 2018
- It affects you if:
  - you store and/or process personal information
  - you are registered with the ICO under the UK Data Protection Act
  - you control personal information (and someone else processes it for you)
- If you're in charge then the responsibility is yours
- You really ought to start thinking about it now
GDPR – Sanctions
- GDPR will be enforced by the ICO in the UK and will replace the Data Protection Act 1998
- The potential fine for breaching the GDPR is up to 4% of your total worldwide annual turnover or €20 million, whichever is the greater!
- The significant risk (I believe) is not the headline fine but the fact that GDPR makes it far easier for the individual Data Subject to bring a private prosecution against a Data Controller or Data Processor and claim compensation for distress or inconvenience
Go to for a helpful GDPR guide

18 "OK, I get it! Now what do I do about it?"
The GDPR states that adherence to an approved certification mechanism "may be used as an element by which to demonstrate compliance" with the Regulation's obligations (Article 24(3)).
ISO 27001 is the international standard for information security management systems. It is not in itself a GDPR-approved certification scheme, but it is widely used as evidence of the "appropriate technical and organisational measures" the Regulation requires (Article 32).

19 ISO 27001:2013 What is it and Why would you want it?
- Concerns the management of information security, not just IT/technical security
- Formally specifies a management system (an ISMS)
- Formally identifies information assets and employs risk-based strategies to achieve, maintain and improve information security
- Covers all types of organisations (e.g. commercial companies, government agencies, not-for-profit organisations) and all sizes
- Thousands of organisations worldwide have been certified compliant
- Becoming a common tender requirement
ISO 27001:2013 Benefits
- Demonstrable commitment to security by the organisation
- Legal and regulatory compliance
- Better risk management
- Commercial credibility, confidence and assurance
- Reduced costs
- Clear employee direction and improved awareness

20 ISO 27001:2013 The Basic Principles
1. Identify the information assets
2. Identify and quantify the risks
3. Define the risk appetite
4. Determine and implement controls/procedures to minimise risks
5. Educate and communicate
6. Maintain and improve the system

21 Cyber Security etc.
[Cloud Video]
- Access control and passwords
- Common sense (often lacking!)
- Memory sticks
- BYOD
- Cyber Essentials scheme
- The Cloud
Go to for a helpful password guide

22 Information security is everyone's responsibility
Whose problem is it?
- The Organisation's?
- The CEO's?
- The Information Security or Data Protection Officer's?
- The IT Manager's?
- The Employees'?
Information security is everyone's responsibility.

23 Thank you for your attention. Dave Baker, Performance Plus Partnership. More information at:

