Posts Tagged ‘Data Breaches’

Charity loses memory stick containing unencrypted patient data

January 23rd, 2012 by

The charity Praxis Care lost a memory stick in August 2011 containing confidential data on 160 people. The unencrypted stick held personal information such as their mental health and care records.

Since losing the memory stick and coming under the wrath of the ICO for suffering the data breach, Praxis Care is now committed to improving its data protection standards.

Christopher Graham, the information commissioner, said: “Carrying people’s personal information around on an unencrypted memory stick is clearly unacceptable.”

To avoid a situation like the above, companies need to use a secure USB stick with hardware encryption.

SafeXs is a secure USB stick with AES 256 bit hardware encryption and is FIPS 197-certified. Over 1 million of these sticks are now in use by the NHS, helping to keep patient data and other confidential data secure.

Simply plug in a SafeXs and within minutes you can be up and running. All you need do is set a password and any data placed on the SafeXs is encrypted.

Read more about the popular encrypted USB stick >>

ICO Claims Data Breaches Are Up 58%

October 26th, 2011 by

The ICO has reported that the number of data breaches has risen by 58% in the last year. The breaches have come from a whole range of different companies and businesses, including local authorities, schools and estate agents.

According to Christopher Graham (Information Commissioner), businesses are taking the protection of their customers’ data more seriously and, as a result, more breaches are being reported. There has also been a 26% rise in the number of companies who now understand the Data Protection Act’s requirements for keeping personal information secure.

However, 3 in every 4 people still do not believe their data is secure online. Graham stresses that the private sector “does not seem to be putting its knowledge to good use”. Although awareness has risen, implementation and follow-through still needs to be put in place for many businesses and local authorities.

Solution

If you are part of, or head, one of these businesses that is aware of data protection but not quite sure how to implement it, then IT Governance Ltd can help. We offer specialist services and solutions for companies in your position, covering topics such as information security, data protection and compliance. We have developed a range of tried and tested toolkits that are designed to implement the requirements of the ICO and the Data Protection Act easily and cost-effectively.

View our range of ISO 27001 (international information security standard) toolkits and decide which one is right for you.

ISO 27001 Toolkits >>

How sure are you about the security of card payments in India?

October 5th, 2011 by

EBS shows you how…

Last month saw India’s second largest online payment provider, EBS, achieve PCI DSS compliance for Mastercard and Visa, making it one of the most secure places to carry out online transactions. Despite the bad reputation online card payments have earned from data breaches (see CardSystems Solutions and Heartland Payment Systems), EBS proved that data can be kept safe when handled correctly.

Nowadays, you can buy practically anything through the Internet, from groceries to a house. With near-instant credit card processing you can purchase products or services more quickly and have your orders delivered to your doorstep. However, with millions of card transactions happening daily, their security is at immense risk. Organisations that process them need to be extra careful when handling customers’ data and make payment security their number one priority.

Protect your customers’ data – stay PCI DSS-compliant

Every organisation that accepts payment cards (e.g. Visa, Mastercard, Amex) in their business or on their website must comply with the PCI DSS. PCI DSS is enforced by the ‘acquiring bank’ through which organisations have their merchant accounts. In October 2008, the PCI DSS was updated to version 1.2 and this is the version companies have to comply with.

What is PCI DSS?

  • The Payment Card Industry Data Security Standard (PCI DSS) was put together by the PCI Security Standards Council.
  • The members include Amex, JCB, MasterCard, Visa and Discover.
  • The purpose of the PCI Standard is to decrease payment card fraud across the Internet and elsewhere and increase credit card data security.

You can get started straight away, by downloading PCI DSS: A Practical Guide to Implementing and Maintaining Compliance, Third edition and PCI DSS: A Pocket Guide, Second edition immediately or you can phone us (toll free) for more information on +(1)877 317 3454.

If you are looking for a concise, straightforward and reliable reference to PCI DSS compliance, then this is the book you need – Download now >>

One Third of Firms Ban Social Media Due to Data Breaches

September 8th, 2011 by

One third of firms have banned social media sites such as Facebook and Twitter at work because of fears of suffering a data breach.

Security firm Clearswift conducted the report on UK companies this year, showing that over half of all managers (53%) now identify social media as an area of concern within their business.

Detrimental data breaches suffered this year (such as Sony and Epsilon) have made other UK companies nervous about their own security.

When restricting employees’ use of social media, it is very easy to take a heavy-handed approach. Ash Patel, a manager at Stonesoft, warned that strict policies are necessary to protect confidential company information, but that it is important not to demoralise staff with too tough an approach. There is a very thin line between the two.

However, cracking down on social media can also have a negative effect on how an organisation works and operates. Many businesses use social media to ‘speak’ to their customers, so clamping down on how social media is used in the workplace can have an adverse effect on that relationship.

It is important to govern social media in the appropriate way. The Social Media Governance Toolkit contains a comprehensive suite of documents and templates that will help you develop, implement, monitor and improve social media activities across your organisation. It will help you identify appropriate objectives, assign roles and responsibilities and reduce risks, whilst integrating social media into marketing, communication and positioning strategies.

Download the Social Media Governance toolkit >>

France cracks down on data breaches

August 31st, 2011 by

France has just announced that any electronic communication service provider operating in France must notify people if it suffers a data breach.

Service providers that fail to comply with these new laws could face up to 5 years in prison and a fine of €300,000.

This new law has come into place after a recommendation from the European Union’s ePrivacy Directive (2002). Germany and Spain already have similar laws in place for ISPs and telcos, but their fixed fines are just €1,000, which is only 0.33% of what France can now fine.

Keeping up to date with the different laws of EU countries can be a complicated and time-consuming process. Although most European countries comply with the European Data Protection Directive, each individual country has its own laws which must be obeyed.

To gain a thorough understanding of operating within the EU, read Data Protection: A Practical Guide to UK and EU Law, Third Edition. This invaluable handbook offers practical solutions to issues arising in relation to UK and EU data protection laws.

Looking for a free 300,000 contacts database?

June 30th, 2011 by

Look no further, Groupon India has it all revealed!

300,000 email addresses and passwords – check!

Computer – check!

Internet – check!

That’s all you need to get hold of one of the biggest databases ever published (“accidentally”) online by an organisation. Wednesday 29th June 2011 turned out to be pretty unlucky for subscribers to the Indian subsidiary of online deals giant Groupon. In a statement sent to the global news agency AFP, Groupon said it “was alerted to a security issue” affecting its sosasta.com subsidiary last Friday and that it “corrected the problem immediately”.

“We have begun notifying our subscribers and advising them to change their Sosasta passwords as soon as possible. We will keep our subscribers fully informed as we learn more”, it added.

Sosasta, an online discount portal acquired in January 2011, posted a notice on Facebook saying it had fixed a security issue and that no financial information, including bank details, was compromised.

What a relief!

It was one man who discovered the fatal mistake and prevented the data from getting into the wrong hands. Daniel Grzelak, founder of the Internet security website shouldichangemypassword.com, accidentally discovered this security breach when running a Google search for private account data exposed by hackers, including email addresses and passwords.

Grzelak was surprised when Groupon’s data came up in search results:

“I started scrolling, and scrolling and I couldn’t get to the bottom of the file. Then I realized how big it actually was”, he told Risky.biz.

Aren’t all these “gaffes” too frequent lately? Sony, Google, Nintendo and Travelodge have been headlining the media with security breaches of their customer databases. Why don’t companies learn from each other’s mistakes and start implementing some solid security planning, following the good old “plan-do-check-act” rule?

Is YOUR corporate data safe? Are YOUR staff aware of the incorrect use of the company’s database? Do YOU know how to protect your corporate assets?

If you answered ‘no’ to any of the questions above it’s time to act NOW!

Our Data breaches: Trends, costs and best practices (PDF E-report) is a real eye-opener and will help you protect your corporate information from getting stolen.

Data breaches: Trends, costs and best practices (PDF E-report)

Best Practice Report
This timely and authoritative report is aimed at executives, information security managers, risk managers, auditors, compliance managers, stakeholders and data controllers worldwide. It

  • assesses the reality in today’s data breach landscape,
  • recognises the real, damaging trends that affect businesses, stakeholders and individuals and
  • identifies current and emerging best practice in controlling the risks – and costs – arising from inadequate security in relation to personal data.

Download your copy today to get the latest information on securing personal and corporate data and responding to data breaches.

Top Security Tips: documentation – Updated

April 15th, 2010 by

During my experience as an assessor, auditor, practitioner and consultant, I find that documentation is a real pain for organisations. Too often I see organisations who have ended up with documentation that is inappropriate for the way they work. Large, bulky manuals full of technical information. Documents that are inconsistent and in different formats and layouts. Documents written for an external assessor rather than for a practical business process. The result is clear. People don’t bother to read or use them. And this means the resulting business practices become non-compliant and out of control. Security risks will therefore increase dramatically.

Getting documents “write” shouldn’t be difficult. I’ve compiled a list of top tips below that, if followed, should ensure that documentation stays relevant, up to date, usable and, more importantly, read and followed by an organisation’s stakeholders.

The most important document you will write is the document control, or “how to document” document.  This will set out the formats and practices that the rest are built on, and makes sure that all the other documents are consistent within the organisation.

Educate staff on the difference between policy (senior management aspiration), procedure (documenting how to undertake a process), guidance (non-mandatory help or explanation) and records (evidence that procedures have been carried out). Too many organisations use the word “policy” to mean all of the above and end up with documentation with very confused purposes and language.

Try to keep documents short and succinct.  As a guide, try and keep policies to a single page, procedures to around three.  Consider whether a picture or diagram will be more effective than words.

Allocate roles and responsibilities early to ensure everyone knows where they stand.  If you allocate someone a role or responsibility, be clear what that entails and requires of the individual.

Give staff ownership of documents that pertain to their part of the business.  Make them responsible for document update and maintenance.  Not only will it ensure that documents are produced, but that they are relevant, accurate and practical to their right audience.  Audit to ensure documents have been reviewed and updated.

Try and avoid large and unwieldy compliance manuals; instead, build security controls into the smaller business process documents that are relevant to the staff who will use them.

When pursuing standards, though you must ensure the requirements are covered, ensure that documents are still written in language that is appropriate to the staff and culture of the business.  For example, if a standard says you must have a “corrective action” procedure, it may be better to call it something like “How do we fix problems?” instead of the title from the standard.

When applying protective marking (or information classification) to documents, make sure that everyone is educated in the marking system and what it means you can and cannot do with a document. Consider extending the marking system to other tangible information assets, such as manual files, emails and media, and using it as the basis of access control (i.e. this is a “public” zone and through that door is the “confidential” zone).

Consider how you will evidence that staff have read and understood documents.  However, getting staff to sign loads of documents can sometimes be a waste of resource.  Consider standing orders that require staff to visit a folder or intranet page at a certain time, or an email with links to relevant documents.

Don’t mix words like “will”, “shall” and “should” in the same document.  Some words are aspirational (“will” is a good word for policy), some are mandatory (“shall” or “must” is good for procedures) and some are non-mandatory (“should” or “may” is good for guidance).  Mixing these words like this within a single document means that you are not providing clear direction to your staff on what they are required to do.  Being consistent in your words means that the style of documents and instructions to staff remain consistent.

Make sure document formats and templates are held centrally and used by staff to create documents.  This ensures the logo and brand is protected, and staff have examples to work from.  Make sure that documents can be approved and published centrally to ensure that all documents contain the relevant information and can be found when required (technology solutions for storing these documents in web portals are becoming more popular by the day).

Finally, whenever I train staff and information security professionals, the documentation part of the course is always initially met with a groan. However, once people see the many benefits of good documentation regimes, they leave the session enthused and confident, knowing the many benefits that good communication can bring to any organisation, and the improvement it can bring to its security stance.

Post by Ralph O’Brien.