Archive for the ‘Data Breaches’ Category

Are you becoming over protective with your data?

May 14th, 2013 by

In Fiona Caldicott’s latest report, which examines the balance between protecting the confidentiality of patient data and sharing it to improve care, she found that: “People have become over-concerned about protecting confidentiality”.

The rising number in data breaches and fines has meant that many organisations (particularly in the health sector) are not striking the balance correctly and are instead being too protective with their data.

Make sure you strike the balance with the Complete Data Protection toolkit.

On sale for £249, this toolkit will ensure you apply the 8 core principles of the DPA to your business without being too restrictive.

Complete Data Protection Toolkit and DPA Awareness Posters

Price: £249 + VAT


Buy today >>

Source: The Guardian

Ten minutes in a data breach

April 23rd, 2013 by

On January 8 of this year, a billing manager with United HomeCare Services Inc. left a work laptop in her car for ten minutes. This was all it took for an opportunistic thief to smash the window and steal the device. While the billing manager had permission to take the laptop home with her, data regarding 13,617 clients was stolen. This information included names, social security numbers, dates of birth, home addresses, service dates, health plan numbers, and diagnoses, dating back as far as 2002. [Source: PHI Privacy]

It’s unclear whether the data was encrypted, or what other security measures were in place, but it’s obvious that – at the very least – five minutes of training could have prevented this breach. Of course, training alone isn’t going to protect your data: people’s memories slip, confidence erodes behavioural measures, and in (hopefully) rare cases, an employee might deliberately allow such an event to happen. In the event that a mobile device like a laptop, USB stick or mobile phone does go missing, you need to know that your data is as secure as it can possibly be.

The key facets that you need to control are:

  • Authentication control
    Ideally using two keys (passwords, tokens, biometric).
  • Encryption
    Wherever data is held – centrally, on mobile devices and in cloud storage.
  • Access to data
    Control who has access to which data sets.
  • Confidentiality, integrity and accessibility
    The cornerstone of data security – you need confidence in your data and protection measures.

In the event one of your devices goes missing, you need to know that the measures in place will keep your data safe, no matter whose hands it falls into. If you want to make sure your data is encrypted and as safe as possible, we recommend Sophos SafeGuard Enterprise. It covers the whole spectrum of data storage for your business, and is designed to integrate without reducing productivity or interfering with day-to-day business processes.

Find out more on our Security Products page, or pick up the phone and call +44 (0) 845 070 1750 to chat to us about what your organisation needs to be secure.

Higher DPA fines and custodial sentences could follow ICO funding shortfall

March 27th, 2013 by

The Information Commissioner’s Office (ICO) is partly funded by a notification fee payable to the Commissioner by all those who process personal information. Proposed new EU regulations will abolish notification fees and leave the ICO with a £15 million reduction in revenues. In addition to this, if the ICO were asked to take on the extra responsibilities outlined in the proposed EU data protection reforms, the estimated £26.3 million increase in costs would result in a total (worst case) shortfall of £42.8 million.

MPs have warned that this shortfall may have to be paid for by the taxpayer.

Harsher penalties could be on the cards …

Chairman of the cross-party committee, Lib Dem Sir Alan Beith, said: “Taxpayers will have to pick up the tab for the information commissioner’s vital data protection work when new EU rules come into force unless the government can find a way of retaining a fee-based self-financing system.”

Sir Alan added: “We do not understand why the government has not adopted the recommendation made by us and other parliamentary committees that custodial sentences should be made available for breaches of section 55 of the Data Protection Act”.

So if tougher financial penalties are on the way, and prison sentences a very real threat for breaches of section 55 of the Data Protection Act, can you be 100% certain that your organisation is in compliance with the DPA?

How to achieve DPA Compliance:

  • Understand what the DPA is and how it affects your business
  • Identify your current level of conformance to the DPA
  • Identify gaps and steps to achieve compliance
  • Document your DPA policies
  • Understand how to react if you suffer a data breach
  • Initiate DPA staff training

The Complete Data Protection Toolkit contains a collection of resources that have been carefully selected to give you all the information and tools you need to make yourself compliant with the DPA.

For less than £150, every UK organisation would benefit from purchasing this toolkit today.

Our next DPA Foundation Course is selling out fast. Covering all the essentials of the Data Protection Act, it is one you will not want to miss. Book today!

UK anti-cyber threat centre to be announced today

March 27th, 2013 by

The Government will today announce a new Anti-cyber threat centre following a successful pilot in 2012. The initiative will include experts from government communications body GCHQ, MI5, police and businesses, with the aim of sharing information on cyber threats including the technical details of an attack, the methods used in planning it, and how to mitigate and deal with an attack.

The new London based centre will contain around 12-15 analysts to monitor attacks and provide details in real-time of who is being targeted.

Businesses are by far the biggest victims in terms of industrial espionage and intellectual property theft

Cabinet Office minister Francis Maude said: “We know cyber attacks are happening on an industrial scale and businesses are by far the biggest victims in terms of industrial espionage and intellectual property theft, with losses to the UK economy running into the billions of pounds annually.”

“This innovative partnership is breaking new ground through a truly collaborative partnership for sharing information on threats and to protect UK interests in cyberspace.”

How can businesses mitigate the threat of industrial espionage and intellectual property theft?

Companies are always nervous of revealing publicly when they have been attacked because of the potential impact on reputation and share price if they are seen as having lost valuable intellectual property or other information.

Rather than organisations burying their heads in the sand or keeping this information secret, the Anti-cyber threat centre, I’m sure, will depend on organisations willingly sharing this information. The biggest problem, though, is that many organisations don’t even know when they have been hacked, or even what their risk of attack actually is.

A penetration test or ‘pen test’ is the easiest and most effective way to demonstrate that exploitable vulnerabilities in your Internet-facing resources are adequately patched, and that you have appropriate technical security controls in place to help protect against cyber-intrusions.

By utilising the services of an ‘ethical hacker’, organisations will be able to:

  1. Find weaknesses in their information security system before someone else does, identifying vulnerabilities and quantifying their impact and the likelihood of their being exploited;
  2. Produce evidence in the form of reports that their security measures are adequate and working, demonstrating that their IT spend is appropriate and cost-effective;
  3. Ensure compliance with critical standards such as PCI DSS and ISO27001, the requirements of the Data Protection Act and other relevant privacy legislation/regulations;
  4. Provide assurance to customers, both in a B2C and B2B context, that their data is being protected and that the organisation is not a weak link in their information security chain.

To provide your business with a complete solution, please see the IT Governance Penetration Testing Packages for further details.

To book your Penetration Testing service, or to discuss your requirements, please call us now on 0845 070 1750 or email us.

Protect confidential data and improve the value of your IT systems

March 26th, 2013 by

Information Security and Data Protection are two issues which are of concern to all public sector organisations. Not only must you protect confidential data and transmit it safely, you must also ensure that you are gaining the maximum value from your IT systems.

Effective Information Security and Data Protection systems can help you achieve both these objectives.

For over a decade IT Governance has been assisting public sector organisations deliver information and data protection solutions. One of the most effective ways we have achieved this is through training which has:

  • Helped organisations understand their security and compliance obligations
  • Helped organisations realise the benefits and cost savings that security and compliance can bring
  • Helped organisations plan and implement their projects

Our Foundation courses offer fantastic value and are the perfect place to start an information security or compliance project.

ISO27001 Certified ISMS Foundation Training Course

Delegates will understand why ISO27001 is the world’s information security standard, what the huge benefits it brings are, and how to start planning an information security project within their own organisation.

Next courses: 8 April in Manchester (reduced by £148); 15 April in London

Limited Availability. Book today >>>


DPA Foundation Training Course

From attending this course, delegates will be in a position to review and understand their current data processes and how to plan a project to ensure compliance with the DPA.

Next courses: 15 May in London

Limited Availability. Book today >>>

Need more information first? These handy pocket guides will provide you with the essential background knowledge you need to get started.

Data Protection Compliance in the UK


ISO27001/ISO27002 A Pocket Guide


An Introduction to Information Security and ISO 27001


Stop Calling Me, I’ve Opted Out! £90,000 Fine for Nuisance Calls

March 26th, 2013 by

We’ve all experienced it…usually just when you’re about to settle down for a slap up mixed grill or slide into a deep bath… the phone rings and someone is trying to sell you something.

You wonder how they got your number, not too difficult it seems these days, and try not to use too many expletives in ending the call.

Well this week the Information Commissioner’s Office (ICO) dealt one of these infuriating organisations, DM Design, a big fat £90,000 slap in the face. The ICO and the Telephone Preference Service (TPS) have received nearly 2,000 complaints about DM Design. In a clear breach of the law, DM Design consistently called people who had opted out of receiving marketing calls, and responded to only a handful of complaints made against them.

The ICO cites one instance where a DM Design employee removed the complaint of an individual from the company’s system and instead threatened to “continue to call at more inconvenient times like Sunday lunchtime”. They sound like a lovely bunch.

The ICO have informed two more companies that they are intending to impose similar fines in the coming weeks.

Information Commissioner, Christopher Graham, said:

“Today’s action sends out a clear message to the marketing industry that this menace will not be tolerated. This company showed a clear disregard for the law and a lamentable attitude toward the people whose day they were disturbing. This is not good enough.

“This fine will not be an isolated penalty. We know other companies are showing a similar disregard for the law and we’ve every intention of taking further enforcement action against companies that continue to bombard people with unlawful marketing texts and calls.”

Marketers take note.

ICO Survey Finds Worrying Lack of Guidance for BYOD

March 18th, 2013 by

A recent survey commissioned by the Information Commissioner’s Office (ICO) has found there to be something of a ‘laissez faire’ attitude when allowing staff to use their own personal devices at work.

BYOD (Bring Your Own Device) is a growing trend, as it allows organisations a more flexible workforce and employees a better work-life balance. The ICO survey, conducted by YouGov, found that 47% of all UK adults now use their personal smartphone, laptop or tablet computer for work purposes.

However, only 3 in 10 are provided with guidance on how to use these devices in a work capacity. This raises huge questions about how personal and sensitive information is accessed, stored and transmitted on these devices.

The survey found that the most common work activity carried out on personal devices was email (55%), editing work documents (37%) and storing work documents (36%).

The ICO’s Simon Rice commented:

“The rise of smartphones and tablet devices means that many of the common daily tasks we would have previously carried out on the office computer can now be worked on remotely. While these changes offer significant benefits to organisations, employers must have adequate controls in place to make sure this information is kept secure.”

“The cost of introducing these controls can range from being relatively modest to quite significant, depending on the type of processing being considered, and might even be greater than the initial savings expected. Certainly the sum will pale into insignificance when you consider the reputational damage caused by a serious data breach. This is why organisations must act now.”

IT Governance has just launched the BYOD Policy Template Toolkit. This inexpensive tool (currently just £20) will help you create an effective approach to BYOD and is fully aligned with the official guidance from the ICO.

This toolkit will help you create a BYOD policy: where staff will easily be able to understand what is and what isn’t allowed; how to maximise the benefits of BYOD; and how to safeguard your information assets with effective BYOD policies.

Learn more about the BYOD Policy Toolkit >>>

Google to the rescue of the hacked

March 13th, 2013 by

Internet giant Google has just launched a new website designed to help the recovery of hacked websites.

The site, complete with step-by-step video instructions and security tips, is aimed primarily at smaller websites without direct access to technical support.

Google already notifies website owners (and, indeed, search engine users – your customers) when websites appear to have been compromised with spam or malware, but this new site takes that further with some simple, practical guidance on recovery.

Of course, it goes without saying that the ideal scenario is one where your site isn’t compromised in the first place. Would you click through to a site that is preceded with a warning like this?

Cybercrime is one of the biggest risks facing organisations today. Hackers and cybercriminals are increasingly sophisticated, increasingly well-resourced and increasingly greedy.

The latest methodologies proliferate quickly through the web, and subsequently through networks, and can be deployed indiscriminately at high volumes.

IT Governance has a wide range of products and services that can help to keep your website and web-based applications secure.

Our Penetration Testing service finds your weaknesses before it’s too late to fix them. Our ethical hackers can assess your systems to make sure they are as secure as possible, and make sure you are compliant with best practice and international standards such as ISO 27001 or PCI DSS.

A penetration test should be conducted on a quarterly basis, as a minimum, and should form part of a wider IT Health Check testing your:

  • Web applications – especially those that are externally-facing – which are amongst the most commonly attacked areas.
  • Network testing – for vulnerabilities and flaws within hardware, software configuration or operations.
  • Wireless Networks – without the correct protection in place, WiFi and Bluetooth pose a significant vulnerability.
  • PCI DSS – any organisation handling payment card information must make sure they meet the security standards set out by the Payment Card Industry Data Security Standard.

Don’t fall victim to the hackers. Make sure your systems are secure from external threats.

ICO Calls for prison sentences for unlawful use of personal information

March 13th, 2013 by

The Information Commissioner’s Office (ICO) announced yesterday that it has prosecuted a former receptionist at a GP surgery in Southampton for unlawfully obtaining sensitive medical information relating to her ex-husband’s new wife.

Marcia Philips was fined £750 and ordered to pay £15 victim surcharge and £400 prosecution costs following her prosecution under section 55 of the Data Protection Act. Some would argue that she got off lightly as the maximum fine that a Magistrates Court can currently issue is £5000 – and is unlimited in a Crown Court.

The ICO seem to agree

The ICO must think this fine is not enough. They continue to call for more effective deterrent sentences, including jail terms, to stop the unlawful use of personal information.

“We continue to urge the Government to press ahead with the introduction of tougher penalties to enforce the Data Protection Act. Without these unscrupulous individuals will continue to break the law. Action to replace the section 55 ‘fine only’ regime with an effective deterrent is long overdue.”
David Smith – Deputy Commissioner and Director of Data Protection.

Data Protection Conference 2013

March 7th, 2013 by

This week the Information Commissioner’s Office held their annual Data Protection conference, setting out their corporate plans for the next three years.

Introducing the conference, Christopher Graham, the Information Commissioner, said:

“An old Chinese curse says ‘may you live in interesting times’. Ladies and gentlemen, we are condemned to live in interesting times. Data protection is centre stage, with data driving so much of what we all do and how we all do it. In Europe, the greatest reform to data protection law in two decades is in prospect, while at home Lord Justice Leveson’s report on media standards signals more change still. This conference can rarely have fallen at such a decisive moment for the data protection sector.”

The conference gathered together 800 data protection officers in Manchester, and the keynote speaker was none other than the European Commission’s Françoise Le Bail, who spoke about the data protection landscape in the EU.

The key themes of information security, data protection and information rights are applicable to every organisation and every individual. As the UK’s independent authority set up to uphold information rights, the ICO is at the forefront of supporting these themes.

There was a lot to digest from the conference but some of the key talking points included:

  • Deputy Commissioner David Smith stating the ICO is “strongly against division of public and private sectors” in reference to EU data protection and privacy regulation reform.
  • Françoise Le Bail saying that fines of 2% of turnover are justified (for a data breach), but should be proportional to the breach
  • ICO commissioner stating ICO aims remain unchanged upholding information rights in the public interest, promoting openness by public bodies and data privacy for individuals
  • A political agreement this year would mean a new EU data regulatory framework would be up and running by 2016
  • ICO highlighted funding challenges over the next 3 years, especially if the proposed new EU data directive goes ahead

So nothing groundbreaking came out of the conference, but plenty is simmering underneath. As the Information Commissioner said in his opening address, these are indeed very interesting and challenging times. It’s a case of watch this space…

Read all about the Conference on the ICO’s Official Website >>>
