A Risk Based Approach to Data Security
The Why, What and How of Data Security
Information security practices protect the assets of an organisation through the implementation of managerial, technical and operational controls; these assets must be managed appropriately to reduce the risk of financial loss, just as financial assets are managed by the finance department and human assets are managed and cared for by the human resources department through its code of conduct and employment policies and practices.
Failure to protect information assets from loss, destruction or unexpected alteration can result in significant losses of productivity, reputation or finances (Information Commissioner’s Office / Data Protection Act 2018). Information is an asset that must be protected, as must the software and hardware that support the storage and retrieval of that information.
The primary focus of information security is to ensure the confidentiality, integrity and availability of the information.
Each business will be different as they operate within different industries with different threat profiles, so audit and analyse what data you hold, why you hold it and how long you intend to hold it for.
Map out where data is held (cloud, laptops, in-house servers, etc.) and where the backup data is stored and secured.
You cannot achieve 100% security; you can only protect to the best of your ability. Install security measures across data sets in a ‘layered’ manner: many small layers are the most effective, because if one or two are compromised there are still other layers remaining.
Security management is the glue that ensures the risks are identified and an adequate control environment is established to mitigate them. It ties together assessing risk, implementing policies and controls in response to the risks, promoting awareness of the expectations, monitoring the effectiveness of the controls, and feeding that knowledge back into risk management.
Analyse what you have and why you are storing it, apply ‘data classification’ rules to the data sets and ensure that each level of ‘data classification marking’ is protected with the relevant controls and levels of security.
Document and employ sensible and enforceable ‘security policies’ across the business; enforce them and ensure the correct levels of protection for each ‘classification’ of data.
Review your data security every six months as a minimum.
Current UK Legislation & Director Responsibilities
Current UK legislation is a complex area but must be fully understood by directors and employees; a good place to start is the ‘Information Commissioner’s Office (ICO)’ in the UK.
The ‘General Data Protection Regulation (GDPR)’ was adopted into the UK Data Protection Act in 2018, and the ICO provides a large amount of practical advice and guidance. If you hold data you need to register the company with the ICO on an annual basis.
Be aware of your legal responsibilities when holding personal data, and be aware of a data subject’s rights over how that data is used and for how long you intend to keep it.
The ICO could fine the company up to a maximum of 4% of your annual turnover, depending on the nature of the breach offence.
Have documented and tested routines in place to deal with ‘Subject Access Requests’ (a 30-day response is required), and ensure you have incident response plans, created and tested, in case you suffer a data breach.
Data security must be actively promoted and supported by senior management.
Security awareness training should be available (if not compulsory) for all staff; training should be refreshed every six months.
Take regular backups of data and test that they restore correctly.
Ensuring that your business data is protected properly is not down to one person or the IT department.
Data security is the responsibility of every single person involved in the business.
Ultimate responsibility for the security of business data lies with senior managers (one should be designated as a Data Protection Officer to be the main point of contact for all data security issues).
Directors need to set an example to the business by implementing ‘security’ policies and procedures and by leading by example, as they are ultimately responsible for the company and how it protects data; data breaches can bring large fines and possibly (in the future) custodial sentences.
Data privacy and access policies must be visible on any client- or customer-facing websites where data is collected.
We offer a presentation for management to introduce data security and risk management
Vulnerabilities, Risk, Threats & Impact
A vulnerability is a weakness that, if exploited, could cause some unwanted effect(s).
Vulnerabilities are normally fixed with patches or updates from the manufacturer; if these are not applied, the system may be found vulnerable to exploitation or attack.
A zero-day (or day-zero) attack is the term used to describe the threat of an unknown security vulnerability in a piece of software or an application for which either the patch has not been released, or the application developers were unaware of the flaw or did not have sufficient time to address it.
WannaCry exploited huge holes in old operating systems which had not been patched (although a retro-patch had been available four months previously).
We run on-site ‘vulnerability scanning’, giving management the current state of the estate along with suggested remedial actions to negate those vulnerabilities. We DO NOT amend your system in any way.
A risk is a combination of a ‘threat’ and a ‘vulnerability’, and is normally treated in one of four ways:
Avoid, Accept, Reduce or Transfer the risk.
NEVER, NEVER ignore a risk.
A threat is something that may happen that may cause some unwanted consequence to another; this is all very dependent on viewpoint, environment and the situation being considered.
The impact of the risk actually happening is perhaps the most important of all to understand.
It is the potential impact which has to be considered and managed.
If the perceived impact is small and insignificant, then it may be appropriate to accept the risk and take no further action except to monitor it.
On the other hand, if the potential impact is large and damaging, then more appropriate countermeasures need to be considered.