Information security

Information Security

A4e Provider Workshop: Information Security (London)

22 March 2011



Topics

  • Why information security?

  • Legal Obligations

  • Data Protection Act

    • Regulation and Enforcement

  • Contract Requirements

  • ISO27001



Why Information Security?

  • Data Protection and Information Security are not a product; they are a process.

  • Focussed upon auditing and monitoring of the entire business security process.

  • Not limited to computers; it steers the convergence of:

    • Data Protection

    • Physical Security

    • Computer Security

    • Document Security

    • Personnel Security

    • Environmental Security 



Why Information Security?

The key tenets supporting an effective Information Security Management System are:

  • Confidentiality – Restricting access to authorised individuals

  • Integrity – The assurance of information quality and accuracy.

  • Availability – Ensuring the availability of information to those who have a business need.



Legal Obligations

  • Data Protection Act 1998

  • Privacy and Electronic Communications Regulation 2003

  • Regulation of Investigatory Powers Act 2000

  • Lawful Business Practice Regulations 2000

  • Crime and Disorder Act 1998

  • Human Rights Act 1998

  • Defamation Act 1996



Data Protection Principles

1. Fairly and lawfully

  • The use of privacy notices / statements on websites;

  • Declaration / Enrolment Forms.

2. Specified & lawful purpose

  • Clearly articulated reason for gathering the data.

3. Adequate, relevant & not excessive

  • Do not ask for more data than required; e.g. Vehicle Registration for visitors, when you are not managing the car park;

  • National Insurance Numbers on CVs.

4. Accurate & up to date

  • How do you make sure that the information you hold is accurate?



Data Protection Principles

5. Not kept for longer than is necessary

  • Ensure you have a data retention and disposal process.

6. Rights of data subjects

  • Ensure that you have a process for managing requests from customers for access to their data.

7. Security

  • An effective and communicated security plan.

8. Overseas transfers

  • Rules and prohibitions on the storage and processing of data outside of the EEA.



Principle 7 - Security

  • Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.



Principle 7 - Security

  • Having regard to the state of technological development and the cost of implementing any measures, the measures must ensure a level of security appropriate to—

    • (a) the harm that might result from such unauthorised or unlawful processing or accidental loss, destruction or damage as are mentioned in the seventh principle, and

    • (b) the nature of the data to be protected.



Principle 7 - Security

  • Where processing of personal data is carried out by a data processor on behalf of a data controller, the data controller is not to be regarded as complying with the seventh principle unless—

    • (a) the processing is carried out under a contract—

      • (i) which is made or evidenced in writing, and

      • (ii) under which the data processor is to act only on instructions from the data controller, and

    • (b) the contract requires the data processor to comply with obligations equivalent to those imposed on a data controller by the seventh principle.



Regulation and Enforcement

  • Information & Enforcement Notices

  • Criminal Offence:

    • £5,000 max fine (Summary)

    • Unlimited fine (Indictment)

  • Post 6 Apr 2010:

    • Criminal Offence S55:

      • 6 months imprisonment + £5,000 max fine (Summary)

      • 2 years imprisonment + unlimited fine (Indictment)

  • Breach of Principles – Monetary Penalty max £500,000



Regulation and Enforcement

  • Nov 2010 – Hertfordshire County Council – Faxed data to wrong recipient – Monetary penalty £100,000

  • Nov 2010 – A4e – Loss of an unencrypted laptop – Monetary penalty £60,000

  • Feb 2011 – Ealing Council – Loss of unencrypted laptop – Monetary penalty £80,000

  • Feb 2011 – Hounslow Council – Loss of unencrypted laptop – Monetary penalty £70,000

  • 21 Feb 2011 – IPS (Identity and Passport Office) loses renewal applications for 21 individuals.

  • 23 Feb 2011 – Cambridge County Council breached DPA – lost unencrypted memory stick – min 6 individuals



Contract Requirements

  • Framework of security based upon ISO27001/2 (Information Security Management System - ISMS)

  • DWP contract security plan mapped to ISO controls

  • A4e plan mapped to contract controls

  • More than 100 controls in entire plan (cross over)

  • Balanced against the risk of harm/damage to individuals and business



What is ISO27001?

An information systems security standard.

Intended to serve as a single reference point for identifying the range of controls needed for most situations where information systems are used in industry and commerce, and to be used by large, medium and small organisations.

An amalgamation of good business practices, from a number of disciplines (Project Management, HR, Software Development, et al), into a single standard.




ISO27001 - Sections

  • Security Policy

  • Organisation of Information Security

  • Asset Management

  • Human Resources Security

  • Physical and Environmental Security

  • Communications and Operations Management

  • Access Controls

  • Information Systems Acquisition, Development and Maintenance

  • Information Security Incident Management

  • Business Continuity Management

  • Compliance



ISO27001 - Sections

There is, at present, no requirement for any organisation to be ISO27001 certified. However, your Security Plan would benefit from being consistent with the structure of this standard.

The DWP security requirements place a specific and non-negotiable emphasis on the protection of Personal Data. As a result, even if you, or an organisation you contract with, have ISO27001 certification, there is still a risk that you may not satisfy the DWP requirements.



Must Haves

  • Like any good wardrobe, games room, house, car, etc., there are a number of things that it must have for it to be what you want it to be. In the case of the Security Plan, the DWP lists these as:

    • Penetration Testing;

    • Incident Management;

    • Encryption (both data at rest and in transit);

    • Restrictions on the use of Offshoring;

    • Staff screening processes (BPSS, CRB etc);

    • Policies & procedures embedded in working practice (with evidence of training, etc); and

    • Subject Access Request Processes (including notification to Partners and the DWP).



Summary

  • Public & private sector data losses

  • Privacy related issues

  • Associated legislation (HRA’98 – DPA’98)

  • Government insisted on tighter control in departments, partners and 3rd parties

  • Information Security should be seen as a business enabler not an inhibitor

  • New contract engagements – security is key



Questions

Thank you

“Security is not a dirty word – it’s a state of mind”
