Cookies and Implied Consent

There has been much recent publicity about the ‘Watering Down’ of the UK implementation of the Privacy and Electronic Communications (EC Directive) Regulations 2003, which was enacted on 25th May 2011 through the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 (PECR 2011 for short).

Much has already been written about the lack of compliance of websites, and those offering subscriptions to online services ahead of the 26th May 2012 deadline for enforcement, which has just passed.

The simple explanation is that the ICO have changed their position on ‘Consent’ between their earlier statements and their most recent ones of the last few days. The reasons for this are irrelevant if you are the one subject to the ongoing enforcement enquiries of the ICO, which seek evidence as to what action you have ‘already’ taken towards becoming compliant with PECR 2011.

So what do you need to know?

√      Audit what types of cookies you have got, why and where they are used within your website;

√      Analyse the intrusiveness of your cookies; and

√      Depending on the intrusiveness of your cookies, put in place appropriate notices and consent messages.

How does the change in the ICO’s position affect you today?

The updated guidance provides additional information around the publicised issue of ‘Implied Consent’, and the ICO says:

  • ‘Implied consent’ is a valid form of consent and can be used in the context of compliance with the revised rules on cookies.
  • If you are relying on ‘implied consent’ you need to be satisfied that your users understand that their actions will result in cookies being set. Without this understanding you do not have their informed consent.
  • You should not rely on the fact that users might have read a privacy policy that is perhaps hard to find or difficult to understand.
  • In some circumstances, for example where you are collecting sensitive personal data such as health information, you might feel that ‘explicit’ consent is more appropriate.

The ICO themselves have a prominent text box at the top of every page which says “The ICO would like to place cookies on your computer to help us make this website better. To find out more about the cookies, see our privacy notice” (where ‘privacy notice’ is a hyperlink to their full policy description), with a box for the user to tick if they agree with the statement “I accept cookies from this site” and a button to ‘Continue’ either way. The ICO don’t mind anyone copying their solution but point out they will monitor and possibly amend it in the future.

This approach by the ICO clearly meets the two requirements of Regulation 6: you must provide clear and comprehensive information about any cookies you are using, and you must obtain consent to store a cookie on a user’s or subscriber’s device.

When you are doing your cookie audit you need to collect the following data:

  • Identify which cookies are operating on or through your website;
  • Confirm the purpose(s) of each of these cookies;
  • Confirm whether you link cookies to other information held about users – such as usernames;
  • Identify what data each cookie holds;
  • Confirm the type of cookie – a ‘session’ or ‘persistent’ type;
  • If it is a ‘persistent’ cookie, how long is its lifespan;
  • Is it a first or third party cookie? – If it is a third party cookie who is setting it; and
  • Double check that your privacy policy provides accurate and clear information about each cookie.
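The checklist above lends itself to a small script. The following Python is an added example, not Advent IM’s code or an ICO tool; it assumes the Set-Cookie headers have already been captured (for instance from browser developer tools), and its hostnames, stand-in suffix list and intrusiveness ordering are constructed assumptions.

```python
"""Cookie audit helper (added example, not Advent IM's code). For each captured
Set-Cookie header it records the fields the audit checklist asks for: name,
session vs persistent, lifespan, first vs third party, and the Secure/HttpOnly
flags. All hostnames and headers below are constructed sample data."""
from dataclasses import dataclass
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import List, Optional, Tuple

# Assumption: a tiny stand-in for the Public Suffix List. A real audit should
# use the full list to decide which operator owns a domain.
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "gov.uk", "ac.uk"}


@dataclass
class CookieRecord:
    name: str
    kind: str                       # 'session', 'persistent' or 'deleted'
    lifespan_days: Optional[float]  # None for session cookies
    party: str                      # 'first' or 'third'
    set_by: str                     # host whose response set the cookie
    secure: bool
    http_only: bool


def registrable_domain(host: str) -> str:
    """Reduce a host to the domain an operator controls (eTLD+1)."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:]) if len(labels) >= 2 else labels[0]


def parse_set_cookie(header: str, set_by: str, site: str, now: datetime) -> CookieRecord:
    """Classify one Set-Cookie header value against the audit checklist."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs, flags = {}, set()
    for part in parts[1:]:
        if "=" in part:
            key, value = part.split("=", 1)
            attrs[key.strip().lower()] = value.strip()
        else:
            flags.add(part.lower())
    lifespan = None
    if "max-age" in attrs:            # Max-Age takes precedence over Expires (RFC 6265)
        lifespan = int(attrs["max-age"]) / 86400
    elif "expires" in attrs:
        expires = parsedate_to_datetime(attrs["expires"])
        if expires.tzinfo is None:
            expires = expires.replace(tzinfo=timezone.utc)
        lifespan = (expires - now).total_seconds() / 86400
    if lifespan is None:
        kind = "session"
    elif lifespan <= 0:
        kind = "deleted"              # zero or past expiry removes the cookie
    else:
        kind = "persistent"
    party = "first" if registrable_domain(set_by) == registrable_domain(site) else "third"
    return CookieRecord(name, kind, lifespan, party, set_by,
                        "secure" in flags, "httponly" in flags)


def intrusiveness(record: CookieRecord) -> int:
    """Assumption: a simple review-priority ordering, not the ICO's own categories.
    0 = session/deleted, 1 = first-party persistent, 2 = third-party persistent."""
    if record.kind != "persistent":
        return 0
    return 2 if record.party == "third" else 1


def audit_cookies(captured: List[Tuple[str, str]], site: str, now: datetime) -> List[CookieRecord]:
    """captured: (responding host, Set-Cookie value) pairs observed while browsing the site."""
    return [parse_set_cookie(header, host, site, now) for host, header in captured]


# Constructed sample capture for a hypothetical site, as at the enforcement date.
SAMPLE_SITE = "www.example.co.uk"
SAMPLE_NOW = datetime(2012, 5, 26, tzinfo=timezone.utc)
SAMPLE_CAPTURE = [
    ("www.example.co.uk", "JSESSIONID=abc123; Path=/; Secure; HttpOnly"),
    ("www.example.co.uk", "prefs=lang%3Den; Max-Age=2592000; Path=/"),
    ("cdn.example.co.uk", "static=1; Max-Age=86400; Path=/"),
    ("ads.tracker-example.net", "uid=9f8e7d; Expires=Sat, 25 May 2013 00:00:00 GMT; Path=/"),
    ("www.example.co.uk", "promo=1; Max-Age=0; Path=/"),
]

if __name__ == "__main__":
    for rec in sorted(audit_cookies(SAMPLE_CAPTURE, SAMPLE_SITE, SAMPLE_NOW),
                      key=intrusiveness, reverse=True):
        print(f"{rec.name:<11} {rec.kind:<10} {rec.party}-party lifespan={rec.lifespan_days} "
              f"set_by={rec.set_by} secure={rec.secure} httponly={rec.http_only}")
```

The output, sorted with the most intrusive cookies first, gives the raw material for the privacy notice check in the last bullet.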

The fuss in recent days relates to the new position of the ICO that ‘Implied Consent’ for cookies is a reasonable proposition in the context of the Data Protection Act 1998, in particular Principle 3 (‘Personal Data must be adequate, relevant and not excessive’). What it is not is a euphemism for ‘Doing Nothing’: in many cases you may still need to follow the ICO guidance to be able to rely upon it successfully. Whether the consent is ‘Implied’ or ‘Specific or Prior’, it must still be given by the user ‘Freely’, so some action must be taken by the ‘consenting individual’ from which their consent can be inferred.

The consenting individual must be ‘informed’ that cookies are being set or information is being accessed on their device; just visiting the website is insufficient, even when there is an explanation deep in the small online print of the Policy or Terms and Conditions statement. If a user is browsing from page to page on a website by clicking a button, the individual must have a reasonable understanding that by doing so they are agreeing to cookies being set.

Many comments and commentators have said that implied consent puts the onus on the user. The ICO does not share this view and has made it clear that the “understanding is all on the website operator’s side and the user ‘giving’ consent is unaware that their actions are being interpreted in this way”. Where ‘implied consent’ is being relied upon, the provider must ensure that clear and relevant information, explaining to users what is likely to happen while they are accessing the site, is made readily available to them. The ICO says that it does not feel it is their place to determine exactly how the provider does this.

So if you want to know more about how to steer a safe path through this complex issue, come and talk to us.

www.advent-im.co.uk

Watch out FLAME – Malvern’s new ‘dirty lab’ is open…

Francis Maude with MP Harriet Baldwin and Baroness Pauline Neville-Jones opening the ‘dirty lab’ at Malvern. Picture Worcester News

As members of the Malvern Cyber Security Network, we were lucky enough to be invited to the opening of the country’s first ‘dirty lab’ on Friday (25th May 2012). The lab was opened by Cabinet Office Minister Francis Maude, who was accompanied by Baroness Pauline Neville-Jones, Special Minister to Business on Cyber Security, and has been set up by local companies, including our very own Trusted Partner encription, to help test IT systems and prevent one of the 21st Century’s biggest threats – cyber attacks.

Commenting ahead of the trip, Francis Maude said, “My visit to Malvern is an excellent opportunity to see and hear about the work local business and SME’s are undertaking. Government is working to raise awareness of the potential cyber threat to business reputation, revenues and intellectual property. But cyber security also offers huge benefits for business and is an important growth area for our economy.”

Following the official opening, the Minister and Baroness Neville-Jones joined members of the Networking Group to discuss issues affecting SMEs, including how Government would encourage an integrated approach to cyber security with business and academia, how SMEs access the £650m budget being made available to combat cyber security threats, barriers to procurement for SMEs delivering innovative products and services to mitigate against cyber attacks, and the best way for SMEs to gain information on cyber security policy and guidance. All too soon the interesting discussions came to a close, but it was clear that the Minister and Baroness have a number of areas they both want to develop, and we hope their next visit will be a round table discussion to move things to another level and provide two-way dialogue on what is clearly a key national threat in an increasingly technological world.

The opening of the lab was made all the more apt with news on Monday 28th May of the latest cyber threat to be discovered – Flame. According to researchers, Flame is a complex targeted cyber attack that has collected private data from countries such as Israel and Iran. Having only recently been detected, it is believed to have started its attack in 2010. This new threat appears not to cause physical damage, but once a system is infected it collects huge amounts of sensitive information through a complex set of operations, including sniffing the network traffic, taking screenshots, recording audio conversations and intercepting keyboard input.

The United Nations has only today (30/5/12) stated that it is to issue a warning to governments about the Flame worm, which it perceives to be the “most serious warning ever” as the worm could possibly attack critical infrastructure.

The attack is thought to be state sponsored but its exact origins remain unknown. So why are these attacks such a threat, and how can the Malvern Cyber Security Group (MCSG) help UK businesses protect themselves?

Tony McDowell, Managing Director of encription explains.

“Threats, like the recently discovered Flame malware, have been all too apparent within commercial and Government systems over the past two decades. The increasing sophistication of malware, such as Flame, is of concern to all individuals and organisations; in fact the size and sophistication of Flame takes malware to a new level. Although this malware appears to have been targeted at specific organisations it is only a matter of time before it will be available on the open market, as has historically been the case when exploit writers are continually developing new attacks. This is one of the key reasons for the formation of the MCSG, to assist all organisations in combating cyber attacks and theft.”

The lab will not only be used for research purposes into understanding cyber attacks such as Flame, their origins, modus operandi and complexities but also to provide training for people learning cyber defence techniques.

It is clear that if we can understand the threats we can stay one-step ahead in protecting UK businesses from cyber attack.  We look forward to bringing you news on success stories at the lab in the future.

Cloud post #2 – The Revenge

Usage of Cloud services is growing; what do we think about that? Assess the real risks and don’t cloud the security issues.

OK, so there aren’t any actual sharks and the title does have a shameless pun, but this is an addendum, or part 2, to our original Cloud blog post which you can read here if you haven’t already. (It will open in a new window so you won’t lose your place.)

Reading a survey from CIF last week (here), it’s clear to see that the number, or at least the percentage, of organisations using Cloud services is increasing. This includes the public sector; perhaps an enlightened reader can tell us how much of that is driven in the UK by G-Cloud.

However, it’s clear that the research term ‘Use of Cloud services’ could be a bit misleading. There are variations in service types (Platform services, Software services and Infrastructure services) and they are not all in growth.

Geographical references beyond ‘Europe’ are not available in the report, which makes it difficult to deep dive on the cause. However, according to the PWC Global State of Information Security Survey, in terms of ‘Government’ (where, as we had noted, Public Sector interest has increased), IaaS is over-indexing in terms of uptake of this particular service type.

‘Global’ vs. ‘Government’ vs. ‘Europe’ Cloud Service % of organisations taking this service. Source PWC Global State of Information Security 2012

The same source highlights security concerns amongst Cloud users. If we refer these back to some of the points made in our original blog, the security policies at the data’s end location are clearly a very important and sensitive issue; this comes through with over 30% of respondents flagging it up, making it the top security threat in this survey.

One of the other things we highlighted back in January was the ability to be able to audit the data centre where your organisation’s data is held, this also comes through as a concern from Cloud users, including ‘Government’ users.

What is the greatest risk to your Cloud computing strategy? ‘Government’ vs. ‘Global’

Being able to audit where your data goes or is moved to, as well as fixing the end points for moving your data, are very important, as we said back in January. Whether this is achievable if going through a ‘broker’ style relationship, for instance, is debatable. In these situations the cost model is the driver, and so wherever the broker can source will be where the data sits or is moved to, and this may not mean all of the data is in the same place either. Specifying end points, for instance in a service level agreement, may start to push the price up, and so it is crucial you understand just what your risk appetite is in terms of what you will allow to happen to your data. Disturbingly, as a footnote to all the security issues highlighted in the PWC data, the CIF survey identified that 1 in 5 respondents were expecting to put their IT security services in the Cloud…

The CIF report states “One sign of the immaturity of the cloud market is reflected in terms of contractual process, as barely half (52 per cent) of cloud users negotiated the legal terms of their contract with their cloud service provider (CSP), with larger organisations more likely to do so. This also infers an evolution of the culture that led to the click-thru agreement online more than a business critical supply agreement.”

It’s clear then that organisations need to go into the Cloud with their eyes wide open and armed with a comprehensive Risk Assessment. Whilst it’s easy to label security consultants as Luddites who want to hold back the tide of progress, it is in fact not true. We are realists who want businesses to protect themselves, their clients, their supply chain and their employees, and progress into the future securely.

How to get all over your security training – like a pigeon on a chip.

We recently read Joe Ferrara’s excellent article found on CSOonline.com: ‘Ten Commandments for effective security training’, and as security consultants who provide training, it got us thinking.

So, diving into our pool of expert resource here are some handy hints and tips which you can use in addition to Mr Ferrara’s observations (which you can read if you click here and it will open in a new window).

Always conduct a Risk Assessment and gear your training toward contributing to the mitigation of the identified top risks.

  1. Security training and awareness is just another security control.  Fact.  So make sure all your security controls, including training, contribute to the mitigation of your security risks.  This means that just turning up and telling people to lock their computers, put stuff away at night and report breaches is not good enough.  Do a risk assessment followed by a training needs analysis so you can be sure the right messages are getting to the right people.  So if spam, unauthorised third party access, burglary or whatever are your top risks, make sure your training contributes to mitigating these.
  2. ‘S’ is for security, strategy (and sausages).  Your security training strategy can be (and probably should be) as simple as four columns: who (needs training), what (do they need to know), when (do we do it) and how (classroom, online, during team meetings)?  Sausages are optional and because your strategy will cater for everyone you will need some meat-free ones.
  3. Monty Python – delivering Spanish Inquisition-style security promotion. OK, not really.

    No one expects the Spanish Inquisition.  But everyone expects the Information Security Manager to promote security awareness.  So why not get IT, estates management, HR, reception and anyone else who is responsible for delivering security controls in your organisation to help out with planning and delivery.  It will keep your training varied, get your colleagues involved and ‘on message’, take the weight off your shoulders and keep your powder dry for another time.

  4. Big bangs are for fireworks night only.  Under sell and over achieve.  As Mr Ferrara points out, information security is an iterative and continuous process, so go easy on the dry ice and audio visuals to begin with.  On this point, don’t ignore the value of ‘watercooler moments’ (management speak for those daily discussions we have).  Reinforcing and reminding good practice on a one-to-one basis is just as valid and effective as a presentation to the Board.
  5. Don’t forget your 3rd parties.  Suppliers, contractors and customers may have access to your information assets, so make sure you include them in your security training strategy.
  6. Get feedback.  Make sure you have a clear method for understanding the effectiveness of your security training BEFORE you deliver it, whether that is a survey, ‘happy sheet’, group discussion or whatever. Someone will be monitoring the effectiveness of some of your other security controls (e.g. the Firewall) so do the same for your training – it is just as important.
  7. Get buy-in.  Before you start make sure management are on board.
  8. Is security training ‘on pain of death’?  Our energies should be focused on making the training a fantastic experience that people want to engage with, rather than expending time and effort brandishing a big stick to non-attendees.

    “As you didn’t turn up for security training, I now have to smash up your laptop. You were warned.”

Thank you to Mark Goddard, one of our expert consultants.

Security training needs to be seen as it truly is, an enabler for business.

Advent IM can help with training or out-sourced security management. www.advent-im.co.uk

Business Continuity and the joy of getting it right

Effective resource allocation can come from Threat Assessment as the starting point for Business Continuity

I was encouraged to hear that Business Continuity adoption amongst managers rose in 2011 vs 2010, according to the CMI Business Continuity Survey 2011.

As I read the data, I wondered about the level of threat perceived in some categories. This looks to have resulted in issues being added to BC plans for some businesses, such as Terrorist Damage. I can understand that if this kind of incident were to occur then it is extremely serious and may halt all business. Clearly lots of businesses felt the same way - they perceived major threat and scoped it in to their BC plans. However not as many perceived or scoped the Loss of Water/Sewerage and its potential impact on business. This affected 9% of the businesses surveyed. I am glad I didn’t have occasion to be visiting or working at any of the businesses that experienced Loss of Water or Sewerage…

Another point this data raised was Extreme Weather: the percentage of businesses who experienced disruption due to extreme weather far outstripped the percentage who had perceived or scoped it as a threat.

I find these results to be compelling reasons to take the Threat Assessment approach. Businesses are all impacted by tightening budgets and stretched resource. Placing resource in the right areas and making sure you have all angles covered in your BC plan is even more vital if your resource is tight. Leaving something out of scope because you have not perceived it as a serious threat, such as extreme weather, could cost your business substantially.

On talking to a colleague, one of our Consultants, about this survey, he also pointed out the Supply Chain result:

“Only one third (34%) of respondent organisations identified supply chain disruption as a threat and even fewer (26%) have included this within the scope of their business continuity response. Highlighted by the tragic events in Japan earlier this year and codified in the new ISO 28002 Standard (Resilience in the Supply Chain) we hope strengthened supply chain planning comes out stronger in follow up studies.”

You can also see this disparity at work when you look at some of the more ‘people or opinion’ based categories. More than half of the surveyed businesses (53%) perceived Loss of Skills to be a major threat and yet only 30% had it in scope. This is even more pronounced when you look at Damage to Reputation/Brand, with 51% identifying a major threat and only 24% putting it in scope.

Perceiving a threat is a small part of the equation, getting it in proportion and then making sure you know what other threats your business’ continued operation faces, is vital.

Ellie

www.advent-im.co.uk

Given the interest in Business Continuity as an enabler, I have an update which you may also find useful. It is a set of FAQs, and soon it will be posted on our website along with a Jargon Buster.

BCM FAQs

What is business continuity?

Business continuity is a series of steps organisations take before an interruption has occurred to reduce the impact of an incident, regardless of its cause or effect.

Is business continuity the same as disaster recovery?

Like most professions, business continuity management has its own vocabulary which can be confusing to the uninitiated (see our business continuity jargon buster).  To make matters worse there is not always universal agreement as to which definition is right, and some of these terms are hotly debated within the business continuity community!  However, most business continuity professionals agree that disaster recovery relates to the restoration and resumption of technology, whilst business continuity (as the name suggests) is wider and also includes people, buildings, information and equipment.

So who should have responsibility for business continuity in an organisation?

There is no one single answer to this and it will depend on the nature (scale, composition and interdependencies) of your organisation.  In most organisations IT will be a critical component to the maintenance and resumption of business services during a disruption (see disaster recovery – above) which will make it very difficult for them to take responsibility for everything else. So unless your senior management can be assured that IT can implement a technology-neutral approach to business continuity it may be advantageous that responsibility for business continuity sits outside of IT.

Advent IM can recommend options for the location of business continuity responsibilities within your organisation.

We already have a business continuity plan.  Do we need to do anything else?

It depends.  Business continuity plans are one of those things that can quickly become outdated and obsolete.  If the plan reflects the needs of the business, is regularly tested and everyone knows what they need to do in the event of an incident then well done – there is not much else to do!  Otherwise you probably need to do a bit more to make your plan a living document.

Advent IM can recommend ways of improving, embedding and testing your business continuity plans.

We are a category 1 or 2 responder under the Civil Contingencies Act.  Do we have to do anything else?

The Civil Contingencies Act 2004 (CCA04) makes it a legal requirement for some public authorities (or those carrying out the role of a public authority) to maintain plans for the purpose of assuring, so far as is reasonably practicable, that if an emergency occurs they are able to continue to perform their functions.  As above, if your planning reflects the needs of the business, is regularly tested and everyone knows what they need to do in the event of an incident then you should give yourself a pat on the back.  If not, then you probably need to do more.  Either way you should consider getting an independent and professional review of your business continuity arrangements.

What is BS25999?

BS25999 has been the British Standard for business continuity management since 2006.  The standard is based on underlying principles and is not prescriptive, meaning it is scalable to all organisations regardless of their size or nature, and most approaches to business continuity share common ground with BS25999.  Some organisations choose to align themselves to the standard whilst others choose to become fully accredited.  Depending on the organisation there are benefits and disadvantages to both, and we can advise what is best for you and your organisation.  BS25999 is scheduled to be replaced by international standards (ISO22399 / ISO22301) in 2012, but the new standards will almost certainly be significantly based on BS25999 anyway.  There is no statutory requirement for BS25999 compliance or accreditation, but some organisations (e.g. the finance sector and public authorities) mandate the requirement for business continuity planning.

Business continuity sounds expensive and time consuming.  Are there any benefits?

Firstly it does not have to be expensive.  A lot of good business continuity work focuses on making sure everyone knows what is in place and what they have to do in the event of an incident and does not necessarily involve spending lots of money!  Also, business continuity does not have to be time consuming.  In all but the largest organisations business continuity management is often part of someone’s existing job role rather than a dedicated function, although a good business continuity management system will have inputs from across the organisation, rather than just being the product of one or two individuals.  The benefits of a well conceived and properly delivered system of business continuity management can include:

  • Cost reduction: business continuity management can help identify opportunities for improved resource allocation, risky interdependencies, inefficient business processes, lower insurance premiums and significantly reduced costs in the event of an incident occurring.
  • Increased performance: proven resilience can be a prerequisite to winning business and can provide opportunities for improving collaborative working and hardening systems and processes.
  • Reputation: improved business continuity management can assure clients, stakeholders and employees that you are a professional organisation who behaves professionally.

Ellie

www.advent-im.co.uk