Category: Data Protection Act
Data Protection Act
It Is Time To Think About Data Leakages.
Do You Know Data Leakages Are?
Do you know all the possible ways to take information out of company so that no one would know? I’m sure that there are means and methods for data leakage despite security controls.
Let’s think about how can we control this process better.
First, it’s necessary to understand that there no absolute controls around security. Even if a USB port is blocked, it’s still possible to write some data to USB, if there is system that controls outgoing mails, then it’s still possible to use some trick that intruder might use to send out important data out of the company.
So how to manage information security policies to prevent possible data leakages? Let’s list all possible ways to prevent leakage. There are two general categories – active and proactive security. These terms are sometime hard to understand in real word, so let’s discuss another approach. There are means that will help to prevent the fact of information leakage, and there are means that will help to find out, if information was leaked. Both methods should be considered when building information security at your company.
How to prevent information leakage. First, it’s necessary to apply a security policy which will guaranty the access to the certain data only for trusted persons, in this way you will always know who has access to the data, so it is easier to find possible intruder and to control your employees.
Second, consider all possible ways for information to be stolen, such as sent out by email, copies by some employee, stolen by some spyware software, copies to the external drive, etc. Think about all possible ways and think about risks applied. Try to minimize the risk for the most important data.
Let’s list some possible security issues and the ways how we can get rid of them.
Keyloggers and other spyware software. Keylogger is a program that works in background, records all keystrokes and send out information to third-party. The good idea is to start with firewall, which will allow access to the internet only for a certain programs.
Intruder insider your company. Statistics shows that there are some in most companies. The bad news is that these people might produce more damage that all other attackers. Make sure you know about what employee do, what he or she keeps on his hard disk and all you do comply with privacy policy of your company.
Hardware that might be dangerous. There are software that allows to lock USB ports, there are software that allows to block access to any other writeable media, consider installing these tools on computers and user accounts which doesn’t need to use this functions during their work.
Finally, the key principle about fighting information leakage is to be proactive. You don’t need to wait until some information will be stolen, being a little paranoid will help to save your business. It’s easy to install and integrate into the security policy some audit measures, that will regularly check your company for possible security holes, it’s simple, but it will work.
Smartphone Cameras Can Turn Against You
How Can Smartphone Cameras Be Your Enemy?
What if you get to know your smartphone is clicking pictures without giving you any signal? What if you come to know that your smartphone is sending those pictures to a stranger without notifying you? What if you realize that your smartphone camera is capturing moments when you thought it is off? It must be sounding quite horrifying for you, isn’t it? Well, these horrifying actions do take place due to some of the malware today that is specially designed for such activities. One of such infectious programs was only engineered for mapping of the building with the courtesy of photos and videos that are captured with the help of that malicious program.
You can be filmed or imaged by the camera of your smartphone that it would be truly an embarrassment if they are publicized. These malware imposes some serious risks to your privacy, but, you can avoid such injurious programs leak your personal and confidential person and videos. People that give somewhat importance to the security of their privacy and scan their smartphones on regular intervals will keep them safe. The portable computing gadgets such Windows Phone are on the target of cyber criminals and crooks so that they need to be secured more carefully.
Portable computing devices such as a smartphone, there is a huge risk of getting hundreds of devices infect by just one device. A charging port of plugging the device into an infected computer will cause that gadget harm. The infected smartphone is likely to spill data than an ordinary computer due to its weak data security. In order to remain secure from such a program, you should avoid using each other’s data and stop plugging into PCs and laptops that are unknown. A smartphone is a great target to steal data from the online crooks and they often do that.
You may have avoided downloading from any third party app store or not using apps that are doubtful. But, what if the developer of an app gets hit by hackers and release an update with a harmful feature. The program will get automatically updated and you will control the camera of your smartphone. You might be considering the issue of leaking images as a lighter one, but, it is indeed a big issue. Smartphones are not allowed to be carried in sensitive places as recording devices can never be trusted and they can betray their owner any time with, thanks to the hackers.
One of the most sensitive, confidential and precious data stored on your smartphones must be images. Using Windows Phones that have the best camera results available now. The leakage of your personal memories will definitely hurt you, for the purpose use Secure Photo Gallery, so that your pictures and videos remain safe and secured. Other than that, if you are afraid that your camera can be hacked and handled remotely by a hacker, keep your phone in a pouch, a bag, in a cover or at a similar place so that it cannot record anything.s Sticking a small piece of opaque paper on the lens of a camera is not a bad option either.
Your Data Saved In USB Flash Drive Might Be At Risk
How Your Data Saved In USB Flash Drive Might Be At Risk
Where USB flash drive serve computer users all around the world, similarly, it imposes threats to the data of computer users in every part of the world. One of the examples of just big threats was witnessed by the whole world when Edward Snowden, who was an employee of NSA (National Security Agency) and CIA (Central Intelligence Agency (CIA) stole confidential information of the department and revealed to in front of the world. Stealing data for Snowden was just a piece of cake, all he did was that he carried an ordinary USB flash drive to the workplace, copied all the data that he intended to compromise and walk away with all that information. Here are some of the threats imposed by USB flash drive to your data security.
Insider Threat
USB drives are as small as a human thumb nail in size and have the immense capability of storing data. This quality of pen drives makes them a perfect tool to steal data. An employee who is furious on a company or is bribed to leak data can easily carry sensitive information from the company and hand it over to the rival entrepreneur. You might be astonished to know that insider threat is the second biggest threat after the threat imposed to data security by hackers.
Prone to Getting Lost and Stolen
Due to the small size of USB flash drive, it imposes huge threats to your data that is saved in those small data storing devices. Their tiny existence makes them prone to getting lost and stolen, even if you have deleted all the data saved in that portable drive before it was lost, your data will still be at risk of getting compromised. Because when you delete files from a pen drive, it actually does not get removed; instead a small sheet covers the saved files that can easily be extracted by an expert. Using USB Security Software can secure your data saved in your USB jump drive.
Spread Malware
Hackers used to spread malware via emails and other infectious links through the internet. But, these cyber criminals have learned a more effective way of spreading infectious program i.e. via USB flash drives. Research suggests that more than 70 percent of the people who find an abandoned USB flash drive will like to plug it into the computer without even giving a single thought about their data’s security. Even more than 30 percent of the IT pros tend to plug it into their computer.
The steps you can take to stop data leakage through USB flash drive is only allowed the authorized users to use only authorized small portable data storing devices. The new principle of Bring Your Own Device (BYOD) should not be encouraged as it imposes as it establishes some real chances of data theft. All in all, USB flash drive is such a wonderful piece of invention that is helping millions of users all around the world to transfer data. You just need to be a bit careful and take some precautions while using it for the sake of your data’s security.
Data Loss Prevention (DLP) demand is growing
Read Why Data Loss Prevention (DLP) Demand Is Growing
With the importance in data security escalating, there has been an increased demand for the earliest approaches to securing data, namely data loss prevention, say experts.
Data loss prevention (DLP) is a term used to describe software products and strategies that help a network administrator control what data end users can transfer.
According to Trevor Coetzee, regional director, SA and Sub-Saharan Africa at Intel Security, there has been a revival of the DLP market locally and growth globally – in both data loss and data leakage prevention requirements – due to new privacy laws being implemented by countries across the world.
Many SA organisations are investigating solutions in preparation for the privacy laws like POPI within the country, says Coetzee.
Moreover, the demand is also being driven by the growing adoption of cloud services, data going across public cloud services, and increased focus on the insider threat that many organisations face on a daily basis, says Coetzee.
“We are also encountering, unlike what we have seen in the past with emerging technologies and capabilities, that SA companies are adopting cloud strategies and technologies at a surprisingly fast rate.
“As a result, they are now looking for numerous security solutions which align to their strategy – including DLP solutions.”
Research firm Markets and Markets agrees, saying one of the major factors that have helped the DLP market to grow is the increasing focus of organisations towards meeting regulatory and compliance requirements and data saved on public and private cloud.
Apart from this, factors such as increasing data breaches and cyber attacks are boosting the demand for DLP solutions, it adds.
Darryn O’Brien, country manager at Trend Micro Southern Africa, says organisations are realising that their data is no longer just information, but an asset which should be protected from the outside world.
It is this awareness that is driving the need for technologies and processes like DLP to address the situation, he adds.
Perry Hutton, Africa regional vice president at Fortinet, says the flow of data transactions into and out of the data centre, between data centres, or that is used and stored on a wide variety of devices is increasing at a dramatic pace.
During this process, the nature of the data changes, and comprehensive data loss prevention strategy is needed to address these different states, adds Hutton.
DLP strategies need to include not only business sensitive information but personal client and employee information too, as the loss of this data can be just as damaging to a business, says O’Brien. “In short it needs to be holistic and embrace all aspects of the business.”
Are you considering the protection that your data demands?
ITSecurity.Org can help you with your DLP requirements
By Regina Pazvakavambwa
Data Protection Services
Assess your Data Protection environment against recent regulatory and legislative requirements including the latest EU mandate
Why Use ITSecurity.Org For Your Data Protection Requirements and Services?
At ITSecurity.Org Our Professional and Qualified Staff have decades of combined experience, expertise, qualifications and certifications gained through working in some of the largest enterprises. Our consultants have experienced many different requirements for Data Protection and are able to deal with your Data Protection situation and needs in a unique way just to suit you.
We have experience on a practical basis of securing data, protecting that data and ensuring that only the people authorised to access that data can use it. We have experience of how to securely manage and monitor data throughout its lifecycle and can provide that expertise to you.
Data Protection Lifecycle
ITSecurity.Org can provide advice and support for all of your Data Protection requirements throughout your data’s lifecycle.
- Create
- Store
- Use
- Share
- Archive
- Destroy
We can provide Data Protection Policies, Standards, Procedures and Training to support all stages of your Data’s lifecycle.
Data Protection Documentation Examples
- Self-Assessment Toolkit
- Data Protection Policy – Management Commitment
- Data Protection Policy – Schedule of Additional Detail and Support Materials
Template policies, procedures and checklists
- 01 Confidentiality and Data Protection Commitment
- 02 End of employment and volunteering procedure
- 03 Third Party suppliers – procurement and model clauses:
- 03a Procurement guidance and checklist
- 03b Supplemental Data Protection Agreement
- 03c Model Data Protection Clauses
- 04 Acceptable Use Policy (AUP)
- 05 Password policy
- 06 Clear desk, clear screen and secure waste policy
- 07 Offsite Working and Removable Media Policy
- 08 Sharing personal information policy
- 09 Social Media Policy
- 10 Access control Policy
- 11 Accurate Data Guide
- 12 Backup Procedures
- 13 Retention Schedule
- 14 Disposal and Deletion Policy
- 15a Information security incidents – Draft letter
- 15b Information security incidents – Checklist
- 16 Subject Access Requests
- 17a Photograph and video footage – Covering letter
- 17b Photograph and video footage – Consent form
Data Protection Guidance Notes
- 01 Roles and responsibilities
- 02 Your staff
- 03 Day-to-day handling of personal information
- 04 Your buildings and offsite working
- 05 Your handling of information security incidents
- 06 Your handling of requests for access to personal information
- 07 Bring Your Own Device Guide
Data Protection Training
Data Protection Training
One of the most important aspects around Data Protection the triad; People, Technology and Processes is People. Your staff need to be trained in Data Protection and why it is so important to your organization.
We can produce Data Protection training for you that is specific to your organisation. This training can take the form of different types of resource; documentation, videos, photos, images, powerpoint slides, quizzes etc.
We can turn all your resource into a really engaging educational training product.
If you require, we can also integrate into your Learning Management System (LMS) using our Moodle publishing platform or your training can be hosted on our training platform.
Data Protection 03/02/15
- Tivium Ltd (a green deal energy company with a registered office in North London) has been prosecuted for failing to respond to an Information Notice issued by the ICO. The fine was
£5,000 with a £120 victim surcharge & prosecution costs of £489.85. The company appears to still be trading (apparently based in the North of England) but its website indicates that it is closed to new customers. - The ICO has taken enforcement action against high street and online shoe retailer Office [Office Holdings Ltd, based in the City of London] after the personal data of over one million customers was left exposed due to a hacking incident. The reasons for the ICO action were:-
1. The ICO was informed on 29th May 2014 that a member of the public had hacked into an unencrypted historic Office database that was being stored on a legacy server outside the core infrastructure of the current website.
2. This individual had managed to gain potential access to personal data relating to over a million Office customers, including contact details and website passwords. However, the data controller has confirmed that it does not store customers’ bank details, so financial information was not compromised. Moreover, there is no evidence to suggest that the information accessed has been further disclosed or otherwise used.
3. Office explained that there were several technical measures in place to minimise the risk of such an attack, although the hacker managed to bypass these measures to gain access to the legacy servers undetected.
4. Office has also confirmed that whilst penetration tests were carried out on the new websites before migration, only a single such test was completed on the old system, the results of which were not concluded or recorded, due to the legacy system being in the process of being decommissioned.
5. Office has explained that removing the historic customer data from the database before migration to the new system was believed to add complexity and a material risk of data mismatches, operation downtime and customer disruption, so as to put the project at risk.
6. However, Office has since accepted that in hindsight, the risks of removing these details before migration were less than originally thought. As such, it would appear that the retention of this historic data, some of which may now be inaccurate, was over cautious and not strictly required.
7. Amongst other remedial measures taken by Office since the incident, the servers in question have now been decommissioned and a new hosting infrastructure is in place.
8. At the time of the incident, Office’s public facing privacy policy did not contain any specific reference to retention periods and no formal data protection training was provided to staff. Office has since confirmed that both these matters are being addressed and that new policies will be formalised early in 2015.
Electronic Marketing
- An eye care company has been formally warned by the ICO to stop sending out nuisance text messages or face further action. The ICO has served an enforcement notice on Optical Express (Westfield) Ltd, after over 4,600 people registered concerns between September 2013 and April 2014. The concerns about the unsolicited messages were reported to the mobile networks’ Spam Reporting Service indicating they had not given permission for the company to use their details for marketing [this is a breach of Regulation 22 (2) of the Privacy & Electronic Communications Regulations 2003]. The Glasgow-based business which has branches across the UK had been sending out texts that included details of a competition to win free laser eye surgery.
European Union
- Pinsent Masons (a UK law firm) has published an article in Out-Law news and guidance entitled “Data Protection Officers – will EU businesses face an obligation to appoint one? The article gives a useful summary of the proposed Rules with regards to these Officers in the EU Data Protection Regulation, giving a good summary of the Commission’s view, the Parliament’s view and the (current) view from the
- Under the Council’s plans, no organisation would be under an obligation to appoint a Data Protection Officer (DPO) unless required to do so under other EU legislation or the national laws of individual EU member states. Instead, the Council said organisations “may” appoint a DPO and go on to list conditions that organisations electing to appoint a DPO would have to conform to. Many of the conditions are similar to those supported by the Commission and Parliament. They include that the DPO can act independently
Data Protection
- Pinsent Masons (a UK law firm) has published an article in Out-Law news & guidance entitled “US to create new data breach notification rules”. They reported that the US president Barack Obama had stated that US businesses will be required to notify consumers within 30 days that there has been a breach of the security of their personal data.
- Pinsent Masons reported that the proposal is part of a package of measures president Obama said are needed “…to protect the identities and privacy of the American people. We’re introducing new legislation to create a single, strong national standard so Americans know when their information has been stolen or misused”
- Continuing with his Washington speech, president Obama stated; – “Right now, almost every state has a different law on this, and it’s confusing for consumers and it’s confusing for companies – and it’s costly, too, to have to comply with this patchwork of laws. Sometimes, folks don’t even find out their credit card information has been stolen until they see charges on their bill, and then it’s too late. So under the new standard that we’re proposing, companies would have to notify consumers of a breach within 30 days. In addition, we’re proposing to close loopholes in the law so we can go after more criminals who steal and sell the identities of Americans – even when they do it overseas”
- Clearly this new proposal will apply to Capita plc businesses (that process personal data) that are based in the USA. However, it will be interesting to see if these federal proposals help to ensure that Safe Harbour remains available to EU based businesses to transfer personal data to participating organisations in the USA. The future of Safe Harbour is currently under discussion between the European Commission and the US Department of Commerce.