News broke today about a civil servant working in the Department of Family and Social Affairs who used his access to the department’s computer systems to obtain sensitive personal information on a number of individuals. This information was then passed on to his criminal brother, who subsequently allegedly used it to burgle one individual and attempted to extort money from others.

This story should serve as a warning to those who believe that privacy is something we need not worry about. These people maintain the “if you have nothing to hide then you have nothing to fear” argument when handing personal information to government agencies in the fight against crime/terrorism/fascism/communism (delete where appropriate). As the four victims found out in this case, you have your personal safety to fear if your privacy is breached by the very agencies you trust with your personal data.

This story apparently only came to light after persistent Freedom of Information requests from the journalists who broke it. It highlights the need in Ireland for a Data Security Breach Disclosure law, which I called on the government to introduce as part of this year’s Global Security Week.

This story points out a whole lot of issues that I believe organisations need to look at when handling sensitive information:

  • Identify where all your sensitive information is, be that at rest or in transit, and implement appropriate controls to secure it.

  • Implement data classification schemes to identify what information is sensitive, what can be released to the public and what cannot.
  • Create roles and profiles for each type of user on the system and ensure the appropriate access permissions are granted to those roles and profiles.
  • Ensure staff have access only to the information they “need to know” to do their job. Granting blanket access to all information leaves the system open to abuse.
  • If possible ensure that all security checks for staff handling sensitive data include whether there is a potential risk from known acquaintances or family members.
  • Have comprehensive logs recording access to all sensitive pieces of information.  This should include, but not be limited to, who accessed what items at what time and from where.
  • Check and review the logs regularly, and ideally have real-time alerts for specific events.
  • Invest in mechanisms to prevent sensitive information from being copied or downloaded into insecure formats such as spreadsheets or personal databases.
  • Have your email filtering software configured to filter outgoing emails and to quarantine any suspected emails with attachments that may contain sensitive information.
  • Regularly review your security controls to ensure they remain effective and up to date against current threats.
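To show what the logging, need-to-know and alerting points above look like in practice, here is an added example (my own illustration, not code from the department or any product). It assumes a hypothetical access-log format of "timestamp user= record= action= src=" and a hypothetical caseload mapping of which case files each member of staff is assigned to, and it raises an alert when a user reads a record outside that caseload, exports a record, or browses more distinct records in a short window than their job plausibly requires.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample access log in a hypothetical format: who accessed
# which record, what they did, when, and from where.
SAMPLE_LOG = """\
2007-11-05T09:02:11 user=amurphy record=C-1001 action=view src=10.1.4.22
2007-11-05T09:03:40 user=amurphy record=C-1002 action=view src=10.1.4.22
2007-11-05T09:04:05 user=bkelly record=C-2001 action=view src=10.1.7.8
2007-11-05T09:04:50 user=amurphy record=C-1003 action=view src=10.1.4.22
2007-11-05T09:05:12 user=amurphy record=C-1004 action=view src=10.1.4.22
2007-11-05T09:05:58 user=amurphy record=C-3009 action=view src=10.1.4.22
2007-11-05T09:06:30 user=bkelly record=C-2001 action=export src=10.1.7.8
"""

# Hypothetical "need to know" mapping: the case files each user handles.
CASELOAD = {
    "amurphy": {"C-1001", "C-1002", "C-1003", "C-1004"},
    "bkelly": {"C-2001"},
}

def parse_line(line):
    """Turn one log line into a dict with a datetime under 'ts'."""
    ts, *fields = line.split()
    event = dict(f.split("=", 1) for f in fields)
    event["ts"] = datetime.fromisoformat(ts)
    return event

def detect(log_text, caseload, max_distinct=4, window=timedelta(minutes=10)):
    """Return (rule, user, detail) alerts for three insider-abuse patterns."""
    alerts = []
    recent = defaultdict(deque)  # user -> recent (ts, record) accesses
    for line in log_text.splitlines():
        e = parse_line(line)
        user, record, ts = e["user"], e["record"], e["ts"]
        # Rule 1: access outside the user's assigned caseload (need to know).
        if record not in caseload.get(user, set()):
            alerts.append(("outside-caseload", user, record))
        # Rule 2: copying a sensitive record out of the system.
        if e["action"] == "export":
            alerts.append(("export", user, record))
        # Rule 3: browsing many distinct records within a short window.
        q = recent[user]
        q.append((ts, record))
        while q and ts - q[0][0] > window:
            q.popleft()
        distinct = len({r for _, r in q})
        if distinct > max_distinct:
            alerts.append(("bulk-browsing", user, f"{distinct} records in {window}"))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG, CASELOAD):
        print(alert)
```

Thresholds such as max_distinct and the window are assumptions to be tuned per role; the point is that each alert can be traced back to who accessed what, when and from where, which is exactly what the logs must capture for such rules to work.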

The above is not a comprehensive list, only a number of steps that you should look at when securing sensitive data.

About the Author: bhimport
