Establishing Security and Trust in the Digital World

Uploaded by e-radar, posted 30-Nov-2014

DESCRIPTION

IT Governance's Gareth Neal discusses the challenges facing business owners and top managers in establishing security and trust online.

TRANSCRIPT

Page 1: Establishing Security and Trust in the Digital World

Establishing Security & Trust in the Digital World

Gareth Neal
Information Risk Consultant
IT Governance Ltd

www.itgovernance.co.uk


© IT Governance Ltd 2013

Page 2: Establishing Security and Trust in the Digital World


Agenda

● Introduction to IT Governance Ltd and presenter

● The threats that consumers and businesses face

● Data protection, privacy & information security challenges across the mobile ecosystem

● Data security – ensuring the confidentiality, integrity and availability of personally identifiable data

● How to create secure information systems and manage the mobile enterprise to reduce risk and improve consumer confidence

● Case study example


Page 3: Establishing Security and Trust in the Digital World


About IT Governance Ltd

IT Governance is a one-stop shop for organisations to meet their information security, risk management and compliance needs.

Our Vision: Information, information technology and information security are always a business issue, never just an IT one.

Our Mission: To enable boards and business executives to properly manage their information technology strategies.


Page 4: Establishing Security and Trust in the Digital World


About the presenter

• Career
– Internal Audit Manager (Accountancy practice)
– Lead Auditor – DPA 1998 (ICO)
– Information Risk Consultant (IT Governance)

• Experience
– Public and private sector internal auditing
– Public sector risk management
– Data Protection Act compliance auditing
– Management consultancy – ISO 27001 and ISO 9001

Page 5: Establishing Security and Trust in the Digital World

The threats that consumers and businesses face

• Consumer threats

–Identity theft and other forms of personal data misuse

–Sensitive personal data is lost / stolen – causing substantial damage and distress

–Victim of fraud


Page 6: Establishing Security and Trust in the Digital World

The threats that consumers and businesses face

• Business threats
– Nature and accidents
– Current and past employees
– Competitors
– Litigants
– The Press
– Hackers
– Criminals
– Governments, terrorists and political organisations

• Resulting in:
– Regulatory fines
– Damaged reputation
– Loss of business


Page 7: Establishing Security and Trust in the Digital World

Data protection, privacy & information security challenges across the mobile ecosystem

Legislation

• Data Protection Act 1998 – Principle 7 (Security)

• UK Regulator (ICO) activity is increasing – audits and enforcement action

• The ICO Good Practice audit team has shifted its focus towards risks associated with mobile working

• ICO enforcement fines (Civil Monetary Penalties) are primarily based on Principle 7 breaches, with specific CMP cases finding a lack of encryption for mobile devices, lack of staff training and insufficient policies to be the key downfalls


Page 8: Establishing Security and Trust in the Digital World

Data protection, privacy & information security challenges across the mobile ecosystem

• Human Rights Act 1998 – Article 8 Privacy

● Society is increasingly knowledgeable about, and concerned with, individual privacy rights

● Pressure on public and private sector businesses to get things right first time and maintain robust compliance with current and future legislation

● A balanced approach is needed: investing in new mobile technology while also investing resources to identify and manage privacy risks


Page 9: Establishing Security and Trust in the Digital World

Data protection, privacy & information security challenges across the mobile ecosystem

International Standard

• ISO 27001 – Information Security Management System (ISMS)

• Confidentiality
• Integrity
• Availability

• Business, legal, regulatory and contractual security obligations


Page 10: Establishing Security and Trust in the Digital World

Data Security – ensuring confidentiality, integrity and availability of personally identifiable data

● CIA – confidentiality, integrity and availability

● Important to identify what data your business processes, where, in what format, and by whom

● Data should be categorised in terms of its sensitivity / critical importance

● Data and data processing environments/systems should be risk assessed

● Controls should be put in place to manage data security risks

● Authorisation for new processing/working arrangements is important

● Training staff is fundamental

● Continual improvement, which includes internal audits, is crucial to ensure good data security management

Page 11: Establishing Security and Trust in the Digital World

Audit results – common areas of good practice

● Strong information security / data protection governance structures with Board-level oversight

● Audit assurance and consultancy plans are completed

● Organisation-wide training strategy and plans incorporate information security and data protection within induction and refresher training programmes

● Physical security protocols, systems and entry controls

● Regular review and monitoring of system user access permissions

Page 12: Establishing Security and Trust in the Digital World

Audit results – common areas for improvement

● Insufficient Information Asset Registers and lack of risk assessments covering remote / home working

● Lack of Privacy Impact Assessments (PIAs)

● Tracking and reporting on information security training completion rates and ensuring refresher training is actually completed

● Uncontrolled movement of paper-based records

● Insecure electronic data transmission to third parties

● Insecure disposal of personal data held in paper and electronic format

● Lack of encryption for laptops and removable media devices

Page 13: Establishing Security and Trust in the Digital World

How to create secure information systems and manage the mobile enterprise to reduce risk and improve consumer confidence

● Key points – risk reduction

● Conduct risk assessments for mobile / remote / home working
● Complete Privacy Impact Assessments (ICO Guidance)
● Develop appropriate policies and procedures covering mobile working based on risk assessment outcomes
● Staff training and awareness, including board members, temporary workers and contractors
● Access permissions – physical and logical
● Deploy encryption software

Page 14: Establishing Security and Trust in the Digital World

How to create secure information systems and manage the mobile enterprise to reduce risk and improve consumer confidence

● Key points – consumer confidence

● Implementation of international standards – ISO 27001 accredited certification
● Demonstrate compliance with industry-recognised standards – assurance statements for PCI DSS, NHS IG Toolkit etc.
● Senior management commitment to investing resources in continual information security and data protection compliance activity
● Openness and transparency agendas for information security and data protection compliance regimes

Page 15: Establishing Security and Trust in the Digital World


Case Study: Wirefast

Confidentiality – Integrity – Availability

ISO 27001

Products and services

Page 16: Establishing Security and Trust in the Digital World


Questions and Answers


Questions?


Page 17: Establishing Security and Trust in the Digital World


Thank you

Find us: www.itgovernance.co.uk

Email us: [email protected]

Call us: 0845 070 1750

Tweet us: @ITGovernance

Connect: Facebook and LinkedIn
