Archive for the 'Data Protection and Privacy' Category

Speaking at the 5th Annual Privacy & Data Protection Conference

I will be speaking at the 5th Annual Privacy & Data Protection Conference this year on the 27th of October.  The theme for the event is “Data Protection: Global Compliance Management” and I will be speaking on “Building an Information Security Culture and Policy”.  I will also be taking part in a panel discussion on information security.

The conference promises to be very informative and the organisers, Transatlantic Events, have brought together experts from the regulators, the lawmakers and the legal community from Ireland, the US, the EU, and the UK in order to debate the full range of issues that make up data protection compliance.  The conference will enable you to hear from experts as well as debate in open forum a range of issues from multi-jurisdictional compliance to niche areas such as outsourcing, monitoring, cloud computing, children’s privacy and data security breach management.

I am looking forward to hearing many of the other speakers at the event and hopefully meeting with some of you as well. 

You can register for the conference here.


Annual Report from Data Protection Commissioner Released

The 21st annual report from the Data Protection Commissioner’s office has been released.  As usual it makes for some very interesting reading.  The report notes that the number of breaches reported to the office has doubled since the previous year.  Most of these reported breaches are from organisations within the public sector.  While the first reaction may be to say the public sector is not taking due care of the personal data entrusted to it, I would argue that the public sector is no better or worse than the private sector.

One of the main reasons for the increased number of reported incidents from the public sector is most likely due to the guidance issued by the Department of Finance in late 2008 “encouraging” government departments to report breaches to the Data Protection Commissioner.  See section 4 on page 23 of the guidance.

In my opinion the Data Protection Commissioner’s report reinforces the argument that Ireland should introduce mandatory data breach disclosure laws.  My own thoughts on that particular issue are in the presentation that I gave at the last NITeS seminar.

I strongly urge you to take the time to read the report and to ask yourself the question, “How effective are my security controls in protecting the personal data entrusted to my organisation?”  If you find it hard to determine how to answer the question, there is a very good self-assessment checklist available on the commissioner’s site.


Information Security Assurance Checklist for SMEs

I am often approached by owners of small businesses who ask me how they can be assured that they have taken the basic steps to protect their information assets.  These companies often do not have any internal IT or information security expertise and rely on external vendors or contractors to secure their systems.  What these owners want is a list of questions that they can ask themselves and their IT/information security experts to ensure they have taken the appropriate steps.  The following is what I recommend they check on; any incomplete or negative answer marks an area that needs to be addressed:

People

Responsibility: Does a director, or equivalent, have responsibility for information security?
Employee buy-in: Have all members of staff given written acknowledgement that they have read, understood and accepted the information security policy?
Employee awareness: Do all users on your computer systems receive regular training on their security responsibilities and how to identify and deal with various security threats?
Training: Do staff members with specific security responsibilities receive proper and regular training to support their role?
Computer security policy: Have you a documented security policy, with associated operating procedures, signed off and fully supported by senior management?
Non-disclosure agreements: Does senior management authorise third party access to confidential and/or commercially sensitive information only after completion of appropriate confidentiality forms?

Process

Audits: Are critical systems such as firewalls and routers regularly tested for vulnerabilities, and are computers checked to ensure no copies of illegal software are present?
Incident planning and response: Are documented and frequently tested plans in place, with clearly defined roles and responsibilities, to ensure the company can respond to any security breach such as a virus attack, fraud or a natural disaster such as fire?
Passwords: Are all default passwords on all systems reset from the vendor installed passwords?  Are users forced to use complex and hard to guess passwords?
Software patches: Is there a mechanism to ensure that critical security patches are deployed to systems in a timely and audited fashion?
Data protection: Are systems and databases that store personal data secured properly to ensure compliance with regulatory and legal requirements such as the Data Protection Act?

Technology

External network security: Are external connections, such as to the Internet, authorised by senior management, properly documented and secured using firewalls?
Anti-virus: Are all computer systems protected with the most up to date anti-virus software?  Are users educated on how to identify and deal with suspect files that may contain computer viruses?
Content monitoring: Do you properly monitor the content of emails and Internet browsing activity to protect your company from computer viruses, spam, or litigation due to the nature of the content?
Monitoring: Are the log files of important security devices actively monitored to detect potential security breaches?
Physical security: Are critical IT resources, such as file servers, located in a secured area that is protected from unauthorised access?

If you have any ideas on how to improve the above list please let me know via the comments.


Technology Is Not The Silver Bullet

The raft of data breaches involving lost laptops and mobile devices that occurred last year, both in the government and private sector, led to a rash of organisations running out to encrypt these mobile devices.  While an effective tool in helping to secure data on mobile devices, encryption by itself is not a silver bullet nor the answer to the problem.  You still need to ensure that people minimise the amount of sensitive data they store on mobile devices and, most importantly, that they are properly trained and educated in how to use the technology employed to protect that data.

This story from the Lancashire Evening Post is a prime example of why security is the effective combination of people, process and technology.  The story reports on how a USB key containing medical details of over 6,300 prisoners was lost.  The good news is that the USB key was encrypted; the bad news is that the pass-phrase to decrypt the information was attached to the USB key.  This in reality makes the encryption worthless and provides no security to that data.

So when deploying technology to enhance the security of your organisation, remember to ensure that those who will be using that technology are properly trained in its use.


Register Now for The 4th Annual Privacy & Data Protection Ireland 2009 Seminar

The 4th Annual Privacy & Data Protection Ireland 2009 seminar is due to be held on the 18th and 19th of February 2009.  I will be giving an interactive case study on identity theft at the seminar.  As a speaker I am happy to be able to pass on a discounted rate to those of you who wish to register and attend the event.  Up until the 1st of December you can register for one or both days of the seminar and achieve significant savings on the normal fees.

If you book early for one day the fee will be €400; after the 1st of December that will rise to €575.  If you book for both days before the 1st of December the cost to you will be €750 instead of the normal €950.  There are some excellent speakers addressing the event and if you have an interest in data protection and/or privacy then you should attend.  Booking forms and more information are available at the seminar’s website.


Once More Into The Breach

It has been an interesting week to say the least with regards to information security breaches in Ireland.  First we heard of the responses to Ruairi Quinn’s question as to how many portable devices belonging to government departments have gone missing this year.  So far over 45 devices have been lost.  Damien Mulley has a breakdown as to what was lost.  Then on Friday the HSE reported that it had lost another laptop, which reports claim leaves the personal details of thousands of HSE staff at risk of identity theft.

To cap it all, the Irish Times reports that the Minister for Justice Dermot Ahern is now considering introducing mandatory breach disclosure laws.  Having been an advocate for the introduction of such laws, I welcome these moves.  However, as Digital Rights Ireland points out, the proposed laws appear to have a number of shortcomings, such as being restricted to only portable devices.  This means that breaches such as the exposure of people’s CVs on the Jobs.ie website earlier this year would not need to be reported.  Also it appears the minister wants to concentrate on major breaches.  It will be interesting to see how a major breach is defined.  Will that be dependent on the type of data exposed or the number of records?

I attended the Irish ISACA Chapter’s conference on Friday and a number of people asked me for my reaction to the above.  So let me take this post as an opportunity to share my thoughts on breach disclosure.



Keeping Data safe at work

Today’s Sunday Independent ran a piece in its business supplement on what companies should be doing to protect the data stored on various devices such as PCs and laptops.  I am quoted in the article and highlight that companies need to develop their data classification and handling policy and educate their staff in it before rushing out to solve the problem using technology alone.  I have said it before and I will say it again: technology is only part of the solution; people and processes are equally, if not more, important.

By the way in case you read the article and are wondering what document I am holding in the picture, it is the ISO 27001 Information Security Standard.  Quite appropriate for the topic being discussed.


Staff Issues Regarding Data Leakage

Today’s Irish Independent has an article “The Perils of Identity Theft” citing me on some of the issues that staff need to be aware of when dealing with sensitive personal information belonging to the customers of their employer.  We all need to be careful with the data we access in order to do our job and we need to handle that data accordingly.

When it comes to cash, companies are quick to ensure staff know exactly what they are and are not supposed to do when handling that cash.  Unfortunately, when it comes to data, many companies do not take the time to identify what data is sensitive, how they should protect that data, who should have access to it and how those with access should treat that data.  Very often companies rely on employees to “do the right thing” or assume that IT will have it covered.

Without a comprehensive, unambiguous and well communicated data handling and classification policy, your company will be doomed to have a data breach at some stage.  If you are a manager reading this and your company does not have such a policy in place, then I recommend you look into this as soon as possible.  Take it one step further and consider implementing the ISO 27001 Information Security Standard in your organisation.  A key element of the standard is data classification and handling.  By implementing the standard you will also have the confidence that your company has taken appropriate steps to make that data more secure.

If you are an employee and you are not sure what your company’s data classification and handling policy is then you should ask.  If there is not one in place then insist that you are told exactly what you are supposed to do with the information you are working with.

Remember that some industries have regulatory and/or legal requirements for certain types of data and in any event the Data Protection Act places certain obligations on how companies deal with data.


Irish Times Adds Her Voice to Calls for Data Breach Disclosure Laws

Thanks to Digital Rights Ireland for pointing me in the direction of today’s Irish Times editorial calling for the introduction of data breach disclosure laws.  It is good to see this issue get such a public platform and raise awareness as to why I and Digital Rights Ireland have been calling for such laws to be introduced.

The editorial was written by Karlin Lillington.  If you have not visited her blog I recommend you do; Karlin provides some excellent coverage of technical issues and their implications for society.


Lost Laptop Exposes 380,000 Records

Following on from last week’s announcement that the office of the Comptroller Auditor General lost a laptop containing sensitive data at a bus stop, today the CAG announced that it lost a laptop in April 2007 that contained information from the Department of Social and Family Affairs on over 380,000 welfare recipients.  The laptop was stolen from the office of the CAG and, to compound the problem further, while the data was sent to the CAG from the Department of Social and Family Affairs in encrypted format, it was subsequently stored on the CAG laptop in plaintext form.  The compromised data included personal details such as bank account numbers, names and addresses of people; in fact, the perfect data an identity thief would pay a lot of money for.

Questions have to be asked as to why it took so long for those affected to be informed of the breach.  It is nearly 17 months since the laptop was stolen but details are only being made public now.  Why were those affected not made aware that they were at risk of identity theft?  And by the way, the argument that the data has not yet been abused is not a valid one.

Yet again this is another example of why we need mandatory breach disclosure laws in this country.  While we have had a number of good examples of how to deal with breaches, too often we have had bad examples.  The time of people relying on organisations to do the right thing is over and we need to introduce regulations that mandate the appropriate steps an organisation should take in the event it suffers a breach.

Digital Rights Ireland has a post that covers some of the legal aspects regarding this breach.  If you feel as strongly about breach disclosure as I do, they also have details on how you can add your voice to the debate.
