BCS SFIA Workshop Professional Protection - The Skills Needed for Effective Data Protection Andrea Simmons, MBCS CITP, CISM, CISSP, M.Inst.ISP, BA BCS Professional Development Consultant

Post on 30-Mar-2015

TRANSCRIPT

Page 1: BCS SFIA Workshop Professional Protection - The Skills Needed for Effective Data Protection Andrea Simmons, MBCS CITP, CISM, CISSP, M.Inst.ISP, BA BCS

BCS SFIA Workshop Professional Protection - The Skills Needed for Effective Data Protection

Andrea Simmons, MBCS CITP, CISM, CISSP, M.Inst.ISP, BA

BCS Professional Development Consultant

Page 2

What we mean by info

• Personal data
  • information relating to a living individual who can be identified
  • name, payroll number, NI number, date of birth, address

• Sensitive personal data
  • racial or ethnic origin
  • political opinions
  • religious beliefs
  • trade union membership
  • physical or mental health or condition
  • sexual life
  • commission or alleged commission of an offence (or proceedings)

Includes any expression of opinion about the individual and any indication of the intentions of the data controller

Page 3

What the DPA 1998 means

• Applies to all organisations which hold and process (use) personal data (i.e. both public and private sector)
• Processing for domestic purposes is not covered
• Small non-profit organisations are exempt from some of the Act's requirements
• Includes automatically processed data (e.g. CCTV, PCs)

“An Act to make new provision for the regulation of the processing of information relating to individuals, including the obtaining, holding, use or disclosure of such information” – preamble to the 1998 Data Protection Act

Page 4

Therefore

• DPA does not cover:
  – Information about the deceased
  – Aggregated data
  – Anonymised data

• Personal data does include:
  – Coded data
  – Indirect references, where identity is obvious
  – Opinions or intentions towards an individual

• Personal data must say something about an individual
• Personal data must have some biographical content
• Incidental references will not be personal data (controversial)

Privacy applies a moral stance to the use of data

Page 5

Legal issues

• Computer Misuse Act 1990
• Anti-Terrorism, Crime and Security Act 2001, Section 11 – Retention of Communications Data
• Data Protection Act 1998
• Defamation Act 1996
• Copyright, Designs and Patents Act 1988
• Human Rights Act 1998
• Obscene Publications Act 1959 & 1964
• Regulation of Investigatory Powers Act 2000
• Waste Electrical & Electronic Equipment (WEEE) directive (regulations)
• Criminal Justice & Immigration Act 2008

Page 6

Know the Law

• Protection of Children Act 1978
• Sexual Offences Act 2003
  – It is illegal to possess, distribute, show and make indecent images of children
  – Making of indecent images of children includes viewing them on the Internet.

You cannot be prosecuted for receipt

You can be prosecuted for distribution

Page 7

The 8 DPA Principles

Data should be:

1. Processed FAIRly & lawfully (Fish)
2. Processed for specified and lawful purposes (SPECIFIC) (Swim)
3. ADEQUATE, relevant & not excessive (All)
4. ACCURATE and up to date (Around)
5. Not held indefinitely (RETENTION) (Reefs)
6. RIGHTS of data subject respected (Rocks)
7. SECURITY (organisational/technical) (Sunken)
8. International TRANSFERs (Treasures)

Page 8

Criminal Justice & Immigration Act 2008

• A penalty for knowingly or recklessly failing to comply with the data protection principles so as to create a substantial risk that damage or distress will be caused to any person.

• A power for the Information Commissioner to inspect personal data and the circumstances surrounding its processing in order to assess whether or not any processing of the data is carried out in compliance with the Act.

• A power for the Information Commissioner to require a data controller to provide him with a report by a skilled person.

• Enhanced enforcement powers to enable the Information Commissioner to bring seriously unlawful processing to an immediate halt, to place formal undertakings on a statutory basis and to enable the Information Commissioner to take enforcement action to prevent breaches of the Act that are likely to occur.

• Individuals who negligently disclose personal data could be jailed for up to two years

• Clearly, the time for treating Data Protection Act compliance as a low priority is past – it should now be a high priority for all organisations and for individuals within organisations.

Page 9

What’s wrong with this picture?

Well, 20 things, actually. Here is a view of a typical desk… OK, maybe most are not this bad!

Can you find all the violations?

Clear Desk Policy… anyone…?!

Page 10

It's not just untidy, it's unsafe

Page 11

Proprietary Data

VIOLATIONS: Day planner (1) and card index or equivalent (2) left on desk.

RISK: Personal and professional information—including phone numbers, passwords, or notes on meeting times, places and subjects—is vulnerable.

SUGGESTED POLICY: Store day planners and notebooks in a locked drawer or take them when away from desk for extended periods of time, including overnight.

Page 12

Personal Data

VIOLATIONS: Personal effects including a bank statement (3), chequebook (4) and mail (5) left on desk. Briefcase (6) left open near desk.

RISK: Bank statements include account numbers and other personal identifiers; mail carries home addresses and could reveal private information; chequebook contains a history of financial transactions. Unlocked briefcases can have items stolen from them if employee leaves the area.

SUGGESTED POLICY:
• Lock briefcases and cabinets when away from desk for extended periods.
• Keep all personal effects in a locked briefcase or locked cabinet devoted to personal effects.

Page 13

Access Tools

VIOLATIONS: Keys (7), mobile phone (8), PDA (9) and building access card (10) left on desk.

RISK: Mobile phones can be stolen or have their call histories compromised. Stolen keys give intruders access to restricted areas of the office. PDAs contain sensitive personal and professional data. Stolen access cards can be used for continued access to the building.

SUGGESTED POLICY:
• Keep devices with you, and lock mobile phones and PDAs with a pass code.
• Never leave your access cards or keys out anywhere; always keep them with you.
• Notify security staff immediately if access cards or keys are missing.

Page 14

IT Tools

VIOLATIONS: Applications left open on computer (11), CD left in computer (12), passwords on sticky note displayed on monitor stand (13), printouts left in printer (14).

RISK: Access to personal or sensitive corporate e-mail or passwords can allow ongoing access and intrusion. CD left in drive and data on printouts can be stolen. Cache files for applications and printer can yield sensitive data one might have thought wasn't preserved.

SUGGESTED POLICY:
• Close applications and turn off your monitor when you leave your desk.
• Do not leave portable media such as CDs or floppy disks in drives.
• Enable a password-protected screen saver.
• Turn off your computer when you leave for extended periods.
• Never write your passwords on a sticky note nor try to hide them anywhere in your office.
• Remove printouts from printers before leaving the office.
• Shred sensitive printouts when you are done with them.
• Clear cache files on computer and memory on devices like printers regularly.

Page 15

Spatial Misconfigurations

VIOLATIONS: Desk positioned so it's partially exposed to window and view from the hallway (15). Whiteboard with sensitive data on it viewable from hallway and window (16).

RISK: Window exposure could enable spying from other buildings. Hallway exposure could allow unauthorized access if data, such as a password, is written on a whiteboard.

SUGGESTED POLICY:
• Desks and furniture should be positioned so that sensitive material is not visible from either the windows or the hallway.
• Close blinds on windows.
• Use a screen filter to minimize the viewing angle on a computer monitor.
• Erase whiteboards; if data on whiteboards needs to be saved, use electronic whiteboards or employ shutters.

Page 16

Beyond the Desk

VIOLATIONS: File cabinet drawer open (17) and keys left in lock (18). Trash bin contains loose-leaf paper (19). Bookshelf contains binders with sensitive information (20).

RISK: Folders in cabinet are eminently stealable. Keys allow for ongoing access and the ability to return files, so it's hard to detect theft. E-mails and other sensitive paper in the trash bin can be stolen after-hours or found in the Dumpster outside. Binders on shelf, clearly marked as sensitive, are also available for "borrowing," making the theft of the information hard to detect.

SUGGESTED POLICY:
• Do not use bookshelves to store binders with sensitive information. Label those binders prosaically and lock them up.
• Arrange folders in file cabinets so that the least sensitive are in front, most sensitive in back.
• Keep file cabinets closed and locked. Do not leave keys in their locks.
• Shred paper on site before having it recycled.
• If appropriate, lock your office door when you're gone for extended periods.

Page 17

Mitigating the business

• It’s important to act quickly
• Consider the value of pursuing investigations
• Seek to prevent escalation by implementing robust Incident Management
• Find the evidence
• Apply ongoing risk assessment (culture change required)
• Create policies that hold evidential weight and have a supporting (HR) enforcement process

Page 18

When things go wrong…

There are criminal offences for obtaining and disclosing data.

The Information Commissioner can take “enforcement action”

Individuals can go to the court

There may be bad publicity…

Page 19

When things go right…

There should be increased customer and employee trust

Good publicity

And an avoidance of prosecution

Page 20

What can you do?

Ensure appropriate policies and procedures are in place

Recognise subject access requests and data protection complaints

Ensure you are always in the loop

Always treat others' personal information as you would like others to treat yours… fairly!

Be professional…

Page 21

DP in SFIA

• Strategy and planning
  – Information Strategy (IRMG) – Level 5

• Service Provision
  – Security administration (SCAD)
    • Includes the investigation of unauthorised access, compliance with data protection and performance of other administrative duties relating to security management.
  – Data Protection (DPRO)
    • Level 5 – Maintains an inventory of information subject to data protection legislation
    • Level 6 – Develops strategies for complying with data protection legislation

Page 22

DP Recap

Fish, Swim, All, Around, Reefs, Rocks and Sunken Treasures

= Fair, Specific, Adequate, Accurate, Rights, Retention, Security, Transfers

Page 23

Questions/Comments

Andrea Simmons, CISSP, MBCS CITP, M.Inst.ISP, BA

Professional Development Consultant

BCS

Phone: 01905 356268

Mobile: 07961 508775

Email: [email protected]

Web: www.bcs.org/security

Amongst other things!