IT Governance Blog on IT governance, risk management, compliance and information security.

It’s fair to say that within business, it’s easy to assume that your customer knows everything. I think the customer may even go as far to say that they know everything too. However, one thing that was clear to me whilst at this year’s #infosec13, was a lack of understanding what is meant by Data Classification.

What is Data Classification?

There are a number of definitions to Data Classification provided by Wikipedia which are:

• Data classification (data management)
• Data classification (business intelligence)
• Classification (machine learning), classification of data using machine learning algorithms
• Assigning a level of sensitivity to classified information

If you take a look at these you will see that there is relevance to all of it but at Boldon James we want to draw your attention to the fourth point, ‘Assigning a level of sensitivity to classified information’, and more specifically:

‘Some corporations and non-government organizations also assign sensitive information to multiple levels of protection, either from a desire to protect trade secrets, or because of laws and regulations governing various matters such as personal privacy, sealed legal proceedings and the timing of financial information releases.’

We tend to think of ‘Top Secret’ classified information being a military thing only. Well, it really isn’t. All of the content that we create on a daily basis has some form of sensitivity to it. This could be the spread sheet with your company’s sales figures and customer details on it, it could be your project plan when releasing a new product to the market or it could be the medical records your doctor holds. All of this information is crucial to your business and it’s up to the content creators (i.e. you and me) to ensure the integrity of your data.

This was an eye opener for me at Infosec13. I realised this is something that needs to be addressed and understood by all content creators, especially as more of us are creating new content every day which adds to your business risks.

Overall, the #Infosec13 show was a great experience and much bigger than I thought it would be. Congratulations go to Peter Nash @reallygrumpidad for winning £100 voucher from our channel partners @ITGovernance in the Boldon James sweater competition. It was also a very fruitful experience for me winning a Nexus 7 from our technology Partners, Egress. Thanks all and I look forward to next year’s event and many more events this year.

Tweet @waylum_99

View more information on data classification software and find out what it could do for your business.

Data protection seems to have a bit of an image problem. What began with such good intentions is fast becoming a scapegoat for silly decisions, overzealous practitioners and an awful lot of paperwork.

Slightly bonkers stories, such as the letter featured in The Guardian last month from a lady whose purse had been shredded ‘for data protection purposes’, has led to data protection being viewed in the same irrational light as human rights and health and safety.

All three concepts are perfectly sensible and lovely, but are too often misunderstood. Scared of the consequences of getting these things wrong, organisations tend to over-compensate leading to measures such as banning triangular flapjacks and refusing to sell knitting needles.

Admittedly it keeps a small army of Daily Express journalists in work but it’s not good for those of us who’d rather keep our data, health and human rights safe.

The truth is that data protection does need to be a serious concern for all organisations. Everyone needs to comply with the 8 key principles of the act or face fines of up to £500,000.

However, it is possible to comply without inconveniencing your customers, without hundreds of convoluted processes and without making yourselves look stupid.

The IT Governance DPA Foundation Course is a one-day introduction to the act. Led by an expert, the foundation will dispel the myths and make sure you get data protection right.

On January 8 of this year, a billing manager with United HomeCare Services Inc. left a work laptop in her car for ten minutes. This was all it took for an opportunistic thief to smash the window and steal the device. While the billing manager had permission to take the laptop home with her, data regarding 13,617 clients was stolen. This information included names, social security numbers, dates of birth, home addresses, service dates, health plan numbers, and diagnoses, dating back as far as 2002. [Source: PHI Privacy]

It’s unclear whether the data was encrypted, or what other security measures are in place, but it’s obvious to see that – at the very least – five minutes of training could have prevented this breach. Of course, training alone isn’t going to protect your data: people’s memories slip, confidence erodes behavioural measures, and in (hopefully) rare cases, an employee might deliberately allow such an event to happen. In the event that a mobile device like a laptop, USB stick or mobile phone does go missing, you need to know that your data is as secure as it can possibly be.

The key facets that you need to control are:

• Authentication control
  Ideally using two keys (passwords, tokens, biometric).
• Encryption
  Wherever data is held – centrally, on mobile devices and in cloud storage.
• Access to data
  Control who has access to which data sets.
• Confidentiality, integrity and accessibility
  The cornerstone of data security – you need confidence in your data and protection measures.

In the event one of your devices goes missing, you need to know that the measures in place will keep your data safe, no matter whose hands it falls into. If you want to make sure your data is encrypted and as safe as possible, we recommend Sophos SafeGuard Enterprise. It covers the whole spectrum of data storage for your business, and is designed to integrate without reducing productivity or interfering with day-to-day business processes.

Find out more on our Security Products page, or pick up the phone and call +44 (0) 845 070 1750 to chat to us about what your organisation needs to be secure.

Information Security and Data Protection are two issues which are of concern to all public sector organisations. Not only must you protect confidential data and transmit it safely, you must also ensure that you are gaining the maximum value from your IT systems.

Effective Information Security and Data Protection systems can help you achieve both these objectives.

For over a decade IT Governance has been assisting public sector organisations deliver information and data protection solutions. One of the most effective ways we have achieved this is through training which has:

• Helped organisations understand their security and compliance obligations
• Helped organisations realise the benefits and cost savings that security and compliance can bring
• Helped organisations plan and implement their projects

Our Foundation courses offer fantastic value and are the perfect place to start an information security or compliance project.

ISO27001 Certified ISMS Foundation Training Course Delegates will understand why ISO27001 is the world’s information security standard, what the huge benefits it brings     are, and how to start planning an information security project within their own organisationNext courses: 8 April in Manchester  – reduced by £148 15 April in London Limited Availability. Book today >>>

DPA Foundation Training Course From attending this course, delegates will be in a position of knowledge to review and understand their current data processes and how to plan a project to ensure compliance with the DPA.Next courses: 15 May in London Limited Availability. Book today >>>

Need more information first? These handy pocket guides will provide you with the essential background knowledge you need to get started.

Data Protection Compliance in the UK ISO27001/ISO27002 A Pocket Guide An Introduction to Information Security and ISO 27001

We’ve all experienced it…usually just when you’re about to settle down for a slap up mixed grill or slide into a deep bath… the phone rings and someone is trying to sell you something.

You wonder how they got your number, not too difficult it seems these days, and try not to use too many expletives in ending the call.

Well this week the Information Commissioner’s Office (ICO) dealt one of these infuriating organisations, DM Design, a big fat £90,000 slap in the face. The ICO and the Telephone Preference Service (TPS) have received nearly 2,000 complaints about DM Design. In a clear breach of the law, DM Design consistently called people who had opted out of receiving marketing calls, and responded to only a handful of complaints made against them.

The ICO cites one instance where a DM Design employee removed the complaint of an individual from the company’s system and instead threatened to “continue to call at more inconvenient times like Sunday lunchtime”.  They sound like a lovely bunch.

The ICO have informed two more companies that they are intending to impose similar fines in the coming weeks.

Information Commissioner, Christopher Graham, said:

“Today’s action sends out a clear message to the marketing industry that this menace will not be tolerated. This company showed a clear disregard for the law and a lamentable attitude toward the people whose day they were disturbing. This is not good enough.

“This fine will not be an isolated penalty. We know other companies are showing a similar disregard for the law and we’ve every intention of taking further enforcement action against companies that continue to bombard people with unlawful marketing texts and calls.”

Marketers take note.

A recent survey commissioned by the Information Commissioner’s Office (ICO) has found there to be something of a ‘laissez faire’ attitude when allowing staff to use their own personal devices at work.

BYOD (Bring Your own Device) is a growing trend as it allows organisations a more flexible workforce and employee’s a better work-life balance. The ICO survey, conducted by YouGov, found that 47% of all UK adults now use their personal smartphone, laptop or tablet computer for work purposes.

However, only 3 in 10 are provided with guidance on how to use these devices in a work capacity. This raises huge questions about how personal and sensitive information is accessed, stored and transmitted on these devices.

The survey found that the most common work activity carried out on personal devices was email (55%), editing work documents (37%) and storing work documents (36%).

The ICO’s Simon Rice commented:

“The rise of smartphones and tablet devices means that many of the common daily tasks we would have previously carried out on the office computer can now be worked on remotely. While these changes offer significant benefits to organisations, employers must have adequate controls in place to make sure this information is kept secure.”

“The cost of introducing these controls can range from being relatively modest to quite significant, depending on the type of processing being considered, and might even be greater than the initial savings expected. Certainly the sum will pale into insignificance when you consider the reputational damage caused by a serious data breach. This is why organisations must act now.”

IT Governance has just launched the BYOD Policy Template Toolkit. This in-expensive tool (currently just £20) will help you create an effective approach to BYOD and is fully aligned with the official guidance from the ICO.

This toolkit will help you create a BYOD policy: where staff will easily be able to understand what is and what isn’t allowed; how to maximise the benefits of BYOD; and how to safeguard your information assets with effective BYOD policies.

Learn more about the BYOD Policy Toolkit >>>

The Information Commissioner’s Office (ICO), announced yesterday that it has prosecuted a former receptionist at a GP surgery in Southampton for unlawfully obtaining sensitive medical information relating to her es-husband’s new wife.

Marcia Philips was fined £750 and ordered to pay £15 victim surcharge and £400 prosecution costs following her prosecution under section 55 of the Data Protection Act. Some would argue that she got off lightly as the maximum fine that a Magistrates Court can currently issue is £5000 – and is unlimited in a Crown Court.

The ICO seem to agree

The ICO must think this fine is not enough. They continue to call for more effective deterrent sentences, including jail terms, to stop the unlawful use of personal information.

“We continue to urge the Government to press ahead with the introduction of tougher penalties to enforce the Data Protection Act. Without these unscrupulous individuals will continue to break the law. Action to replace the section 55 ‘fine only’ regime with an effective deterrent is long overdue.”
David Smith – Deputy Commissioner and Director of Data Protection.

Both the UK and India have been victims of cyber threats, with attacks leaving detrimental effects on both nations. India faced one particular attack in July 2012 where over 10,000 senior government official email addresses were hacked and exposed,  including those in high profile government departments.

The UK Prime Minister, David Cameron, and his Indian counterpart, Manmohan Singh, plan to discuss a cyber security partnership that will further binds British and Indian government and businesses together.

The UK sends millions of records including personal, medical and banking records to Indian companies to store information about their businesses and clients. The NHS is one of a number of public bodies who send data to India for processing. The need to protect this information is clear for both nations, as  “Other countries securing their data is effectively helping us secure our data,” said David Cameron.

Information security is a governance issue and so the Indian Information Technology Act (ITA)’s move to enforce regulation including the implementation of ISO27001 (the world’s information security management standard) is welcome news to UK businesses.

Become ISO27001 certified with our range of Books, Tools and Training resources.

New to information Security? Download a copy of our ISO27001 green paper >>

This week the Information Commissioner’s Office held their annual Data Protection conference, setting out their corporate plans for the next three years.

Introducing the conference Christopher Graham, the Information Commissioner said:

“An old Chinese curse says ‘may you live in interesting times’. Ladies and gentlemen, we are condemned to live in interesting times. Data protection is centre stage, with data driving so much of what we all do and how we all do it. In Europe, the greatest reform to data protection law in two decades is in prospect, while at home Lord Justice Leveson’s report on media standards signals more change still. This conference can rarely have fallen at such a decisive moment for the data protection sector.

The conference gathered together 800 data protection officers in Manchester and the keynote speaker was none other than European Commission’s Françoise Le Bail, who spoke about the data protection landscape in the EU.

The key themes of information security, data protection and information rights are applicable to every organisation and every individual. As the UK’s independent authority set up to uphold information rights, the ICO is at the forefront of supporting these themes.

There was a lot to digest from the conference but some of the key talking points included:

• Deputy Commissioner David Smith stating the ICO is “strongly against division of public and private sectors” in reference to EU data protection and privacy regulation reform.
• Francoise Le Bail says fines of 2% of turnover are justified (for data breach), but should be proportional to the breach
• ICO commissioner stating ICO aims remain unchanged upholding information rights in the public interest, promoting openness by public bodies and data privacy for individuals
• A political agreement this year would mean a new EU data regulatory framework would be up and running by 2016
• ICO highlighted funding challenges over the next 3 years, especially if the proposed new EU data directive goes ahead

So nothing ground breaking coming out of the conference, but plenty simmering underneath. As the Information Commissioner said in his opening address, these are indeed very interesting and challenging times. It’s a case of watch this space…

Read all about the Conference on the ICO’s Official Website >>>