1 / 10

Information Security

Duncan Woodhouse – Assistant Registrar for Information Security, Risk Management and Business Continuity Helen Wollerton – Administrative Officer (Legal Compliance). Information Security. Information Security. Is about ISO 27001 Websites Data Protection Act

christina-stathis
Download Presentation

Information Security

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Duncan Woodhouse – Assistant Registrar for Information Security, Risk Management and Business Continuity Helen Wollerton – Administrative Officer (Legal Compliance) Information Security

  2. Information Security • Is about • ISO 27001 • Websites • Data Protection Act • Freedom of Information Act • Case studies • What does this mean for you?

  3. Information Security is about: • Confidentiality: protecting information from unauthorised access and disclosure • Integrity: safeguarding the accuracy and completeness of information and processing methods • Availability: ensuring that information and associated services are available to authorised users when required

  4. ISO 27001 • In addition, the Deputy Registrar’s Office is consulting on the Information Security Policy 2008/2009 which contains procedures/guidance on areas such as : • Data retention • Anti-virus protection • Password best practice • This is due to be considered by the Information Policy and Strategy Committee (IPSC) in June 2009

  5. Websites • http://www2.warwick.ac.uk/services/infosecurity/ or go/infosecurity • http://www2.warwick.ac.uk/services/gov or go/governance

  6. Data Protection The Data Protection Act 1998 “An Act to make new provision for the regulation of the processing of information relating to individuals, including the obtaining, holding, use or disclosure of such information.” Personal Data Includes “any personal information about an individual from whom you are collecting or utilising..data, the compromise, loss or theft of which could cause distress or harm to that individual” (DWP) How it should be processed Personal data shall be processed fairly and lawfully Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes. Personal data shall be adequate, relevant and not excessive Personal data shall be accurate and, where necessary, kept up to date. Personal data processed shall not be kept for longer than is necessary Personal data shall be processed in accordance with the rights of data subjects Appropriate technical and organisational measures shall be taken to ensure the security of the information Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data. Ref: go/governance

  7. Freedom of Information Act The Freedom of Information Act 2000 gives the general right to request any information held by public authorities Freedom of Information (FOI) requests must be in writing, with contact details, but a request does not need to state that it falls under the FOI Act The University of Warwick is obliged to respond within 20 working days, once the nature of the request is established, unless an exemption applies University will have general duty to advise and assist, but can refuse on certain grounds, e.g. commercial sensitivity, breach of security, vexatious etc FOI requests should be referred to the Deputy Registrar’s Office for action Ref: go/governance

  8. Case Studies • In December 2007 Norwich Union Life was fined £1.26 million by the FSA for ‘not having effective systems and controls in place to protect customers’ confidential information’ HM Government ‘Managing Information Risk’ • In May 2008 the Information Commissioners' Office was given powers to fine organisations that lose personal data. In the worse case scenario the fines could run into millions. The Guardian • In March 2007 TK Maxx had 45.7 million credit and debit cards details stolen over an18 month period. As well as financial data, thieves were able to copy customer's personal information including names, addresses driving licence and other identification data. If PCI DSS had been in force they would have lost their ability to process debit/credit information. BBC

  9. What does this mean for you ? • Our network and the Internet were designed to share not protect information • Greater awareness of how data should be stored, processed and transmitted (in paper and electronic form). Understand the DPA and PCI DSS • Know how to deal with FOI and DPA requests • Be aware of the consequences of non-compliance • Information Security is everyone’s responsibility. Please take ownership of the data you collect.

  10. Contacts Duncan Woodhouse Tel: ext 50681 Email: Duncan.Woodhouse@warwick.ac.uk Web: go/infosecurity Helen Wollerton Tel: ext 50949 Email: H.Wollerton@warwick.ac.uk Web: go/governance

More Related