Monthly Archives: March 2013

The Security Institute votes Advent IM Managing Director onto the Board of Directors.

From the Press Release:

Following voting by Security Institute members at their Annual General Meeting on March 26 2013, five new members of the Board of Directors were announced. One of those new Directors will be Mike Gillespie, Managing Director of the Independent Security Consultancy, Advent IM Ltd. 


Mike Gillespie – Advent IM MD, newly elected Director for The Security Institute

“I am really excited to have been elected. I have so many ideas to share and am so thrilled to be able to be a part of the future of the Security Institute, which is in turn, the future of our profession.” Mike is a relative newcomer and considered his chances of election to be quite slim: “I was so pleased at being nominated in the first place, it was quite unexpected and felt like I had achieved something, so to actually get elected is a privilege. I have been talking a lot about converging Information Assurance (IA) with the physical world and bringing cyber security to the forefront, but I will have to wait until I attend my first Directors’ meeting in April and get my portfolio.”

The Board of Directors’ next business will be to elect a Chairman.


Employment Law – Seminar slides now available


CCTV? Phone monitoring? Email monitoring? Vehicle tracking? All of these generate personal data that falls within the Data Protection Act 1998.

Effective Monitoring of Employees – Are you monitoring or are you snooping?

The slides from the recent Employment Law Seminar we spoke at for Waldrons Solicitors are now available on our Slideshare account:
http://www.slideshare.net/Advent_IM_Security

Watch this space for news of a follow-up article.

For details of our Data Protection Services please visit the website:

http://www.advent-im.co.uk/data_protection.aspx

Aspirationally Paperless?

First published in Tomorrow’s FM February 2013 as part of the Water Cooler regular feature with FM experts: Lee Haury, Liz Kentish, Wendy Mason, Martin Pickard, Lucy Jeynes, Iain Murray and John Bowen. The discussion was inspired by Health Secretary Jeremy Hunt’s desire to see the NHS go paperless by 2018…

The Advent IM response to a paperless NHS.


Yay! Paperless was easy!

Paperless as a concept has been around for a long time. Look around the average office and you will see varying degrees of success in its implementation; for many it is still largely aspirational. Removing paper records does have some security benefits, presuming they were securely disposed of, of course! By this I mean you are removing one potential source of data loss, but how many of us can commit to never printing off information or emails, for instance? One security eye would always have to be on the possibility of employees doing this and valuable assets being put at risk or marching out of the door. Information is an asset, however it is stored. The NHS (for it is they and Jeremy Hunt who have inspired this discussion) has had a fairly disastrous year with Information Security and received huge monetary penalties. These breaches were not generally the result of hacks or other cyber-criminal activities but the result of poor security awareness and people doing daft things with both paper records and electronic devices.

The bottom line is, if you are going to use mobile devices and remove the need for paper records, then security policies have to be watertight and thoroughly trained to all users; they need to know they are accountable. That means if someone decides to load a laptop with thousands of patient records, they should be challenged or, by policy, prevented from doing so. If, for instance, the device were used merely for securely accessing patient records as and when they were required, it would remove the need for either paper or local digital storage. Hopefully the NHS are thinking a little further than merely paperless and thinking about how the replacement digital information is going to be stored and accessed. Significant and ubiquitous awareness training is required to make a success of any such initiative and prevent patient data risk.

Data Destruction – Passing the Buck – Guest blog from Malcolm Charnock – Icex


Understanding your responsibilities as a data owner includes having proper policy and processes in place for the safe removal and destruction of information that should no longer be stored. It should form part of an organisation’s overall Information Security Policy, with specific reference to the Data Protection Act (1998).

Through the power of Social Media we were delighted to meet Malcolm Charnock from Icex and even more delighted that he agreed to do a guest blog on Data Destruction for us. 

Data Destruction – Passing The Buck by Malcolm Charnock


One of the things that keeps me enthused about my job is every client has different requirements when it comes to ensuring all data is eradicated. “Different requirements”? Well maybe the truth is every client has different levels of understanding (or apathy) of their obligation and options when it comes to securely eradicating data.

I have spoken to organisations who insist on 2mm granulation of hard drives; after all, this is the standard the MOD requires, so their business should insist on this too? Actually you have to take your hat off to an organisation that takes data destruction this seriously, until you find out this same organisation uses a courier to send the hard drives to a data destruction “specialist” of whom they have no real knowledge!

The fact is every organisation has the same responsibility and in most cases the process that is most suitable is the same. OK, the local shop losing data will clearly not have the same impact as the MOD but the thought process behind any Information Security Policy should be similar.

ICO Monetary Penalties, contrary to popular opinion, are not levied purely as a result of a breach occurring. Just as important are the organisation’s processes and policies. Have all reasonable precautions been taken to ensure the breach could not occur? Was due diligence carried out to check the suitability of your service provider, contractor or vendor? If the answer is yes and an unprecedented occurrence caused the breach I would personally not expect the ICO to take action other than to ensure you were not vulnerable to this type of event again.

SECURELY MANAGING DECOMMISSIONING AND DISPOSAL OF REDUNDANT IT ASSETS

There are an estimated 700 companies offering IT recycling as part of their capabilities so you would feel confident that in a competitive, open market you would reap the benefits of price checking and negotiating a free collection. The problem is that this is a largely unregulated industry so how do you choose a credible partner to trust with eradicating your data? There are a wide range of “accreditations” cited on most ITADs’ websites and literature, many of these I have never heard of while others require no audit to achieve. In other cases the accreditation is listed although the ITAD will not actually have achieved the standard. The buck stops with the data owner so it is important to do a little investigating before selecting the most suitable partner.


  • Is your Data Destruction contractor approved? By whom? Have you audited them?
  • Do they use third party contractors? Are they approved? By whom? Have you audited them?
  • Are their processes and policies secure and approved? By whom?
  • Is there a contingency in place?
  • How are data holding items transported? By whom? Are they approved? Have you audited them?

If you can answer all of the above questions you really should have little to fear from the ICO, but you would also be in the minority. If in doubt, speak to ADISA (Asset Disposal and Data Security Alliance) or check their website to see if your preferred IT Recycling partner meets with this DIPCOG recognised industry standard.

The data, regardless of the terms of any contract, remains the responsibility of the data owner and does not pass to an IT recycler at any stage of the process. Yes, immeasurable damage would be done to the reputation of any ITAD who failed to 100% eradicate data presumably resulting in the death of the organisation, but the ICO will look to the Data Owner and levy penalties and broadcast its findings regarding the failure of the company’s Data Security policy which led to the breach. – Malcolm Charnock

Images courtesy of Microsoft Clipart and istock
