Duncan Woodhouse – Assistant Registrar for Information Security, Risk Management and Business Continuity Helen Wollerton – Administrative Officer (Legal.
Duncan Woodhouse – Assistant Registrar for Information Security, Risk Management and Business Continuity Helen Wollerton – Administrative Officer (Legal Compliance) Information Security
Overview
–Information Security is about
–ISO 27001
–Websites
–Data Protection Act
–Freedom of Information Act
–Case studies
–What does this mean for you?
Information Security is about:
–Confidentiality: protecting information from unauthorised access and disclosure
–Integrity: safeguarding the accuracy and completeness of information and processing methods
–Availability: ensuring that information and associated services are available to authorised users when required
ISO 27001
In addition, the Deputy Registrar’s Office is consulting on the Information Security Policy 2008/2009, which contains procedures/guidance on areas such as:
–Data retention
–Anti-virus protection
–Password best practice
This is due to be considered by the Information Policy and Strategy Committee (IPSC) in June 2009.
Websites
–http://www2.warwick.ac.uk/services/infosecurity/ or go/infosecurity
–http://www2.warwick.ac.uk/services/gov or go/governance
Data Protection
The Data Protection Act 1998: “An Act to make new provision for the regulation of the processing of information relating to individuals, including the obtaining, holding, use or disclosure of such information.”
Personal Data includes “any personal information about an individual from whom you are collecting or utilising… data, the compromise, loss or theft of which could cause distress or harm to that individual” (DWP)
How it should be processed:
1. Personal data shall be processed fairly and lawfully.
2. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
3. Personal data shall be adequate, relevant and not excessive.
4. Personal data shall be accurate and, where necessary, kept up to date.
5. Personal data processed shall not be kept for longer than is necessary.
6. Personal data shall be processed in accordance with the rights of data subjects.
7. Appropriate technical and organisational measures shall be taken to ensure the security of the information.
8. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
Ref: go/governance
Freedom of Information Act
–The Freedom of Information Act 2000 gives the general right to request any information held by public authorities.
–Freedom of Information (FOI) requests must be in writing, with contact details, but a request does not need to state that it falls under the FOI Act.
–The University of Warwick is obliged to respond within 20 working days, once the nature of the request is established, unless an exemption applies.
–The University will have a general duty to advise and assist, but can refuse on certain grounds, e.g. commercial sensitivity, breach of security, vexatious requests, etc.
–FOI requests should be referred to the Deputy Registrar’s Office for action.
Ref: go/governance
Case Studies
–In December 2007 Norwich Union Life was fined £1.26 million by the FSA for ‘not having effective systems and controls in place to protect customers’ confidential information’. (HM Government, ‘Managing Information Risk’)
–In May 2008 the Information Commissioner’s Office was given powers to fine organisations that lose personal data. In the worst-case scenario the fines could run into millions. (The Guardian)
–In March 2007 TK Maxx had 45.7 million credit and debit card details stolen over an 18-month period. As well as financial data, thieves were able to copy customers’ personal information including names, addresses, driving licence and other identification data. If PCI DSS had been in force, they would have lost their ability to process debit/credit information. (BBC)
What does this mean for you?
–Our network and the Internet were designed to share, not protect, information.
–Greater awareness of how data should be stored, processed and transmitted (in paper and electronic form).
–Understand the DPA and PCI DSS.
–Know how to deal with FOI and DPA requests.
–Be aware of the consequences of non-compliance.
Information Security is everyone’s responsibility. Please take ownership of the data you collect.