Establishing Security and Trust in the Digital World
DESCRIPTION
IT Governance's Gareth Neal discusses the challenges facing business owners and top managers in establishing security and trust online.
TRANSCRIPT
Establishing Security & Trust in the Digital World
Gareth Neal, Information Risk Consultant, IT Governance Ltd
www.itgovernance.co.uk
© IT Governance Ltd 2013
Agenda
● Introduction to IT Governance Ltd and presenter
● The threats that consumers and businesses face
● Data protection, privacy & information security challenges across the mobile ecosystem
● Data security – ensuring the confidentiality, integrity and availability of Personal Identifiable Data
● How to create secure information systems and manage the mobile enterprise to reduce risk and improve consumer confidence
● Case study example
About IT Governance Ltd
IT Governance is a one-stop shop for organisations to meet their information security, risk management and compliance needs.
Our Vision: Information, information technology and information security are always a business issue, never just an IT one.
Our Mission: To enable boards and business executives to properly manage their information technology strategies.
About the presenter
• Career
– Internal Audit Manager (Accountancy practice)
– Lead Auditor – DPA 1998 (ICO)
– Information Risk Consultant (IT Governance)
• Experience
– Public and private sector internal auditing
– Public sector risk management
– Data Protection Act compliance auditing
– Management consultancy – ISO 27001 and ISO 9001
The threats that consumers and businesses face
• Consumer threats
–Identity theft and other forms of personal data misuse
–Sensitive personal data is lost / stolen – causing substantial damage and distress
–Victim of fraud
The threats that consumers and businesses face
• Business threats
– Nature and accidents
– Current and past employees
– Competitors
– Litigants
– The Press
– Hackers
– Criminals
– Governments, Terrorists and Political Organisations
• Resulting in:
– Regulatory fines
– Damaged reputation
– Loss of business
Data protection, privacy & information security challenges across the mobile ecosystem
Legislation
• Data Protection Act 1998 – Principle 7 Security
• UK Regulator (ICO) activity is increasing – Audits and Enforcement action
• ICO Good Practice audit team has a shift in focus towards risks associated with mobile working
• ICO Enforcement fines (Civil Monetary Penalties) are primarily based on Principle 7 breaches, with specific CMP cases finding a lack of encryption for mobile devices, lack of staff training and insufficient policies to be the key downfalls
Data protection, privacy & information security challenges across the mobile ecosystem
• Human Rights Act 1998 – Article 8 Privacy
● Growing trend: society is increasingly knowledgeable about, and concerned with, individual privacy rights
● Pressure on public and private sector business to get things right first time and maintain robust compliance with current and future legislation
● A balanced approach is needed: investing in new mobile technological advances whilst also investing resources to identify and manage privacy risks
Data protection, privacy & information security challenges across the mobile ecosystem
International Standard
• ISO 27001 – Information Security Management System (ISMS)
– Confidentiality
– Integrity
– Availability
• Business, legal, regulatory, and contractual security obligations
Data Security – ensuring confidentiality, integrity and availability of Personal Identifiable Data
● CIA
● Important to identify what data your business processes, where, in what format, and by whom
● Data should be categorised in terms of its sensitivity / critical importance
● Data and data processing environments/systems should be risk assessed
● Controls should be put in place to manage data security risks
● Authorisation for new processing/working arrangements is important
● Training staff is fundamental
● Continual improvement, which includes internal audits, is crucial to ensure good data security management
Audit results – common areas of good practice
● Strong information security / data protection governance structures with Board level oversight
● Audit assurance and consultancy plans are completed
● Organisation wide training strategy and plans incorporate information security and data protection within induction and refresher training programmes.
● Physical security protocols, systems and entry controls
● Regular review and monitoring of systems user access permissions.
Audit results – common areas for improvement
● Insufficient Information Asset Registers and lack of risk assessments covering remote / home working
● Lack of Privacy Impact Assessments (PIAs)
● Tracking and reporting on information security training completion rates and ensuring refresher training is actually completed
● Uncontrolled movement of paper-based records
● Insecure electronic data transmission to third parties
● Insecure disposal of personal data held in paper and electronic format
● Lack of encryption for laptops and removable media devices
How to create secure information systems and manage the mobile enterprise to reduce risk and improve consumer confidence
● Key points – risk reduction
● Conduct risk assessments for mobile / remote / home working
● Complete Privacy Impact Assessments (ICO Guidance)
● Develop appropriate policies and procedures covering mobile working based on risk assessment outcomes
● Staff training and awareness, including board members, temporary workers and contractors
● Access permissions – physical and logical
● Deploy encryption software
How to create secure information systems and manage the mobile enterprise to reduce risk and improve consumer confidence
● Key points – consumer confidence
● Implementation of international standards – ISO 27001 Accredited Certification
● Demonstrate compliance with industry recognised standards – assurance statements for PCI DSS, NHS IG Toolkit etc.
● Senior management commitment to investing resources in continual information security and data protection compliance activity
● Openness and transparency agendas for information security and data protection compliance regimes
Case Study: Wirefast
Confidentiality, Integrity, Availability
ISO 27001
Product and services
Questions and Answers
Questions?
Thank you
Find us: www.itgovernance.co.uk
Email us: [email protected]
Call us: 0845 070 1750
Tweet us: @ITGovernance
Connect: Facebook and Linkedin