Andrea Simmons, MBCS CITP, CISM, CISSP, M.Inst.ISP, BA

Presentation on theme: "Andrea Simmons, MBCS CITP, CISM, CISSP, M.Inst.ISP, BA"— Presentation transcript:

1 BCS SFIA Workshop Professional Protection - The Skills Needed for Effective Data Protection
Andrea Simmons, MBCS CITP, CISM, CISSP, M.Inst.ISP, BA BCS Professional Development Consultant

2 What we mean by info
Personal data
- information relating to a living individual who can be identified
- name, payroll number, NI number, date of birth, address
Sensitive personal data
- racial or ethnic origin
- political opinions
- religious beliefs
- trade union membership
- physical or mental health or condition
- sexual life
- commission or alleged commission of an offence (or proceedings)
Includes any expression of opinion about the individual and any indication of the intentions of the data controller

3 What the DPA 1998 means
“An Act to make new provisions for the regulation of the processing of information relating to individuals, including the obtaining, holding, use or disclosure of such information” (preamble to the 1998 Data Protection Act)
- Applies to all organisations which hold and process (use) personal data (i.e. both public and private sector)
- Processing for domestic purposes is not covered
- Small non-profit organisations are exempt from some of the Act's requirements
- Includes automatically processed data (e.g. CCTV, PCs)

4 Therefore
DPA does not cover:
- Information about the deceased
- Aggregated data
- Anonymised data
Personal data does include:
- Coded data
- Indirect references, where identity is obvious
- Opinions or intentions towards an individual
Personal data must say something about an individual
Personal data must have some biographical content
Incidental references will not be personal data (controversial)
Privacy applies a moral stance to the use of data

5 Legal issues
- Computer Misuse Act 1990
- Anti-Terrorism, Crime and Security Act, Section 11 – Retention of Communications Data 2001
- Data Protection Act 1998
- Defamation Act 1996
- Copyright, Designs and Patents Act 1988
- Human Rights Act 1998
- Obscene Publications Act 1959 & 1964
- Regulation of Investigatory Powers 2000
- Waste Electrical & Electronics Equipment (WEEE) directive (regulations)
- Criminal Justice & Immigration Act 2008

The term hacker relates back to an original term used at universities. The original hackers were users inquisitive into the uses of software and played around with computers in their spare time. The term has since come to mean people of questionable ethics abusing computer systems and networks for their own ends.

Types of hacker:
- The malicious hacker is the most likely to mount a denial of service attack. They will have no interest in obtaining your confidential data or secrets but will enjoy sabotaging your systems and causing headaches for administrators.
- The academic hacker is only interested in gaining knowledge. Again, they will have no interest in your data but instead enjoy the challenge of penetrating your defences. He will not intentionally damage systems but could do so inadvertently.
- Industrial espionage is another possible motive for attacking your systems. The object here is to compromise the system, take copies of data and then get out without leaving any trace of the visit.
- The ex-employee can be a formidable foe. He will have inside knowledge of your security provisions and logins that were certainly once valid.

Access to hacking knowledge and technical expertise is getting better; in addition, there is an increase in downloadable cracking, intrusion and general tools, all with the potential to gain access.

6 Know the Law
- Protection of Children Act 1978
- Sexual Offences Act 2003
It is illegal to possess, distribute, show and make indecent images of children
Making of indecent images of children includes viewing them on the Internet.
- You cannot be prosecuted for receipt
- You can be prosecuted for distribution

7 The 8 DPA Principles
Data should be:
- Processed FAIRly & lawfully (Fish)
- Processed for specified and lawful purposes (SPECIFIC) (Swim)
- ADEQUATE, relevant & not excessive (All)
- ACCURATE and up to date (Around)
- not held indefinitely (RETENTION) (Reefs)
- RIGHTS of data subject respected (Rocks)
- SECURITY (organisational/technical) (Sunken)
- international TRANSFERs (Treasures)

8 Criminal Justice & Immigration Act 2008
- A penalty for knowingly or recklessly failing to comply with the data protection principles so as to create a substantial risk that damage or distress will be caused to any person.
- A power for the Information Commissioner to inspect personal data and the circumstances surrounding its processing in order to assess whether or not any processing of the data is carried out in compliance with the Act.
- A power for the Information Commissioner to require a data controller to provide him with a report by a skilled person.
- Enhanced enforcement powers to enable the Information Commissioner to bring seriously unlawful processing to an immediate halt, to place formal undertakings on a statutory basis and to enable the Information Commissioner to take enforcement action to prevent breaches of the Act that are likely to occur.
- Individuals who negligently disclose personal data could be jailed for up to two years.

Clearly, the time for low Data Protection Act compliance is past – it should now be a high priority for all organisations and individuals within organisations.

9 What’s wrong with this picture?
Well, 20 things, actually. Here is a view of a typical desk ….OK, maybe most are not this bad! Can you find all the violations? Clear Desk Policy… anyone…?!

10 It's not just untidy, it's unsafe

Violations: Day planner (1) and Card Index or equivalent (2) left on desk.
Risk: Personal and professional information—including phone numbers, passwords, or notes on meeting times, places and subjects—is vulnerable.
Suggested policy: Store day planners and notebooks in a locked drawer or take them when away from desk for extended periods of time, including overnight.

Violations: Personal effects including a bank statement (3), chequebook (4) and mail (5) left on desk. Briefcase (6) left open near desk.
Risk: Bank statements include account numbers and other personal identifiers; mail carries home addresses and could reveal private information; chequebook contains a history of financial transactions. Unlocked briefcases can have items stolen from them if employee leaves the area.
Suggested policy: Lock briefcases and cabinets when away from desk for extended periods. Keep all personal effects in a locked briefcase or locked cabinet devoted to personal effects.

Violations: Keys (7), mobile phone (8), PDA (9) and building access card (10) left on desk.
Risk: Mobile phones can be stolen or have their call histories compromised. Stolen keys give intruders access to restricted areas of the office. PDAs contain sensitive personal and professional data. Stolen access cards can be used for continued access to the building.
Suggested policy: Keep devices with you, and lock mobile phones and PDAs with a pass code. Never leave your access cards or keys out anywhere; always keep them with you. Notify security staff immediately if access cards or keys are missing.

Violations: Applications left open on computer (11), CD left in computer (12), passwords on sticky note displayed on monitor stand (13), printouts left in printer (14).
Risk: Access to personal or sensitive corporate or passwords can allow ongoing access and intrusion. CD left in drive and data on printouts can be stolen. Cache files for applications and printer can yield sensitive data one might have thought wasn't preserved.
Suggested policy: Close applications and turn off your monitor when you leave your desk. Do not leave portable media such as CDs or floppy disks in drives. Enable a password-protected screen saver. Turn off your computer when you leave for extended periods. Never write your passwords on a sticky note nor try to hide them anywhere in your office. Remove printouts from printers before leaving the office. Shred sensitive printouts when you are done with them. Clear cache files on computer and memory on devices like printers regularly.

15 Spatial Misconfigurations
Violations: Desk positioned so it's partially exposed to window and view from the hallway (15). Whiteboard with sensitive data on it viewable from hallway and window (16).
Risk: Window exposure could enable spying from other buildings. Hallway exposure could allow unauthorized access if data, such as a password, is written on a whiteboard.
Suggested policy: Desks and furniture should be positioned so that sensitive material is not visible from either the windows or the hallway. Close blinds on windows. Use a screen filter to minimize the viewing angle on a computer monitor. Erase whiteboards; if data on whiteboards needs to be saved, use electronic whiteboards or employ shutters.

Violations: File cabinet drawer open (17) and keys left in lock (18). Trash bin contains loose-leaf paper (19). Bookshelf contains binders with sensitive information (20).
Risk: Folders in cabinet are eminently stealable. Keys allow for ongoing access and the ability to return files, so it's hard to detect theft. s, other sensitive paper in trash bin can be stolen after-hours or found in the Dumpster outside. Binders on shelf, clearly marked as sensitive, are also available for "borrowing," making the theft of the information hard to detect.
Suggested policy: Do not use bookshelves to store binders with sensitive information. Label those binders prosaically and lock them up. Arrange folders in file cabinets so that the least sensitive are in front, most sensitive in back. Keep file cabinets closed and locked. Do not leave keys in their locks. Shred paper on site before having it recycled. If appropriate, lock your office door when you're gone for extended periods.

17 Mitigating the business
- It’s important to act quickly
- Consider the value of pursuing investigations
- Seek to prevent escalation by implementing robust Incident Management
- Find the evidence
- Apply ongoing risk assessment (culture change required)
- Create policies that hold evidential weight and have a supporting (HR) enforcement process

18 When things go wrong…
- There are criminal offences for obtaining and disclosing data
- The Information Commissioner can take “enforcement action”
- Individuals can go to the court
- There may be bad publicity…

Training Tips: What happens if we get it wrong?
- Do not dwell on the negative aspects of non-compliance, but make it clear that there are serious consequences for the organization
- Explain how employees may sometimes be criminally liable if they use the organization’s data for their own purposes or deliberately act outside policies and procedures
- Give examples of things that have gone wrong in the past

19 When things go right…
- There should be increased customer and employee trust
- Good publicity
- And an avoidance of prosecution

Training Tips
- Stress the positive benefits for the organization!

20 What can you do?
- Ensure appropriate policies and procedures are in place
- Recognise subject access requests and data protection complaints
- Ensure you are always in the loop
- Always treat others' personal information as you would like others to treat yours … fairly!
- Be professional …

Training Tips
- End the session by stressing that all staff share responsibility for data protection compliance!

21 DP in SFIA
Strategy and planning
- Information Strategy (IRMG) – Level 5
Service Provision
- Security administration (SCAD): Includes the investigation of unauthorised access, compliance with data protection and performance of other administrative duties relating to security management.
Data Protection (DPRO)
- Level 5 - Maintains an inventory of information subject to data protection legislation
- Level 6 - Develops strategies for complying with data protection legislation

22 All Around DP Recap
Fish Swim All Around Reefs Rocks and Sunken Treasures
Fair Specific Adequate Accurate Rights Retention Security Transfers

23 Questions/Comments Andrea Simmons, CISSP, MBCS CITP, M.Inst.ISP, BA
Professional Development Consultant BCS Phone: Mobile: Web: Amongst other things!
