Data Security Pattern #013

Postby spinoza » Fri Feb 27, 2009 9:58 pm

Hi,

I've started playing around with a data security pattern. Looking for some thoughts and contributions to get it into shape. Early draft attached below.

[Attachment: 08_02_Pattern_013_01_DataSecurity.png]


I thought it would be good to use the Poynter and Hannigan reports as the starting point for good practice in this space. I'd welcome extra links and guidance.

Poynter report (covering HMRC data losses and recommendations)
http://www.hm-treasury.gov.uk/d/poynter ... 250608.pdf
Hannigan report (covering Data Handling Procedures in Government)
http://www.cabinetoffice.gov.uk/reports ... dling.aspx

Regards,
Russ (Spinoza)

Re: Data Security Pattern #013

Postby Tobias » Tue Mar 03, 2009 12:01 am

I like the good overview you have created.
At this stage (before the text part is written) I have only a few minor comments:
a) some of the servers probably still deserve a label
b) it might be helpful to associate an operational role to the monitoring server

I assume that in the text part we will elaborate on
- key risks (most likely and highest impact)
- tradeoffs, e.g. security versus work efficiency: for example, when a computer is completely locked down (USB port, bluetooth, ...) the daily life of an employee can be rather annoying

But as I said,... I like the clean design already in this early stage

Re: Data Security Pattern #013

Postby spinoza » Wed Mar 04, 2009 9:08 pm

Appreciate the feedback; I've updated the pattern to incorporate your comments.

[Attachment: 08_02_Pattern_013_02_DataSecurity.png]


I agree about text part and will post a draft here later in the week for consideration.

Re: Data Security Pattern #013

Postby spinoza » Fri Apr 17, 2009 4:41 pm

I have finally got the draft text sorted. Pasted below for consideration, and attached with the svg as a pack you can view locally. Please can you review, and we can post it as a draft in the next few days.
Russ
[Attachment: 08_02_Pattern_013_02_Data_Security.zip]


Legend:

All modern organisations handle and manage information, including personal data, as part of their business. Demand from citizens and regulators has placed a greater emphasis on data security, caused by widespread automation and outsourcing trends in the last 10-20 years. Maintaining appropriate levels of data security requires a holistic approach to security across the organisation and through the supply chain. Key controls that must be considered include:

* Awareness and Training
* Risk Assessment including Classification (RA-02 Security Categorisation)
* Identification and Authentication to facilitate data access by appropriate individuals or roles
* System and Communication protection to ensure that the data is stored, processed, and transmitted securely.

Description:

Data security can be defined as the maintenance of Confidentiality, Integrity and Availability for information processed by the organisation.
In practice this requires solid data handling and processing practices which depend on:

* A culture that properly values, protects and uses data, both in the planning and delivery of services
* Strong accountability mechanisms, recognising that the organisational unit is best placed to understand and address risks to their information, including personal data
* Strong scrutiny of performance, to build confidence and ensure that lessons are learned and shared.

A Data Classification scheme is often used to help understand which controls are needed for the data types processed by the organisation. This scheme will be defined based on the legal, regulatory and business requirements that the organisation must adhere to. Common schemes used have 3 or 4 levels, including Public/Unclassified (e.g. Marketing materials), Internal Use (Information shared within the organisation or with suppliers, e.g. Intranet), Confidential/Private (Sensitive information, e.g. Credit card details or Medical history), Secret (Market Sensitive Information, e.g. Year-end results or Secret recipe for Coca-Cola).

What are the high level objectives to support the organisation's data security goals:

* Infosec must be a management priority, the tone from the top is key
* Have a clear idea of how good the organisation is. (Get the right reporting and metrics to give feedback)
* Ensure and maintain clear accountabilities
* Define clear policies that are simple to understand and use
* Ensure that business processes reflect the way information is processed (observe the realities of IT implementations rather than previous paper based approaches for example)
* Control the extended enterprise, understand what your suppliers are doing and control as necessary
* Provide a consistent, universal training framework.
* Take a lifecycle perspective for data and employees


Principles for data security (adapted from Poynter 2008):


While standards exist for controls around processes (NIST 800-53, ISO27002) and there are principles around data protection in the regulations such as the Data Protection Act – there are no general principles to govern how an organisation should approach information security and what the contract should look like between it and its customers. Poynter sets out ten principles that we believe have broader applicability.

* Data about an entity (be it an individual or a business) belongs to that entity. It can be entrusted to other parties but always remains the property of the entity to which it refers.
* It follows that it is the responsibility of the entity to maintain its own data.
* Data becomes information when it has value. This typically happens through context and through aggregation. The ambition should be never to lose or allow undesired access to information. Key to this is segregation – i.e. separating out data when it is stored and designing jobs and the systems that support them to require a minimum of information
* An organisation should hold the minimum data required to perform its functions, including the retention period it holds data for. It should not, for instance hold data that it can get elsewhere but it should routinely make use of other sources of data that improves its ability to tailor its services to its customers
* An organisation should hold data about entities once – it should move to a single customer record for individuals and a single customer record for businesses
* Effective information security requires both service provider and customer to play their part. Organisations should have the powers to be able to specify secure methods of exchanging data with its customers, starting with businesses and over time including individuals
* Organisations should have regard to external sources of guidance on information security such as the Data Protection legislation and the guidance given to the financial services sector by the FSA.

Information security measures should be focused on the area of biggest risk, data transfer. It follows that:

* Transfers of digital data involving physical media should be phased out completely
* Paper-based communications should be rationalised as to content and frequency with a long term plan of substantially eliminating them
* Computers (and in the short term, any removable media) should be encrypted so that if they are lost or stolen any data or information on them cannot be accessed.

Technical Design approaches

It makes a lot of sense to keep data in secure areas of your organisation such as the data centre rather than on laptops or other devices which will be carried in public areas. Thin client technologies such as browser based, or terminal sessions allow for access to applications but keep the data within the data centre and can be configured to prevent local printing and storage.

If data does need to be stored on portable devices or machines that are accessible from public areas it should be encrypted (it often makes sense to do this for desktops as well, as it simplifies disposal requirements). Many regulations such as PCI also require encryption for credit card information that is stored on servers, and it is sensible to use encryption for sensitive data that is stored server side unless there are serious cost or performance considerations that require the use of alternative compensating controls.

There is no point encrypting data or applying other controls if the access to it is not restricted on a need to know basis. Identification, authentication and authorisation controls are key to providing this foundational capability. Carefully consider how you will manage entitlements, common models such as Role Based Access Control (RBAC) give a structured way to link business roles to underlying rights in information systems.

Enterprise Content Management (ECM) tools can help to manage and classify data, although it is possible that for unstructured data types such as email, spreadsheets and word processor documents, tools such as Data Loss Prevention (DLP) will be of greater value. DLP tools provide a way to discover what data types are being transmitted and stored by the organisation's information systems, and then apply business rules to this data to determine where it can be stored, printed, or transmitted.

Organisational and process considerations
Some of the areas to watch that can help improve success are:

* Determine your strategic approach. For example: protecting info is mandatory, goal for zero info loss, no tolerance for non-compliance with standards
* Use a Data security programme to implement it; keep the programme in the business (it must own and be accountable), and write policies and instructions with the business
* Set up the role of data guardians within the organisation.
* Use an array of techniques to drive awareness and training such as; Data awareness workshops, Golden rules for data security to all staff, Managers discuss rules with staff, Staff personal objectives include data security, remove sensitive items from desk if found (mgr to security office to recover)
* Get the physical basics in place such as Lockable security, removal of waste, and of course building security.
* Put blame at the back of any process: analyse, identify systemic issues, put accountability last.
* Utilise existing processes and reporting lines (e.g. Staff/Data processor->Manager->Information Asset Owner->Information Risk Officer->Board + Audit Committee)
* Consider instances where you may need to deal with shared data

Assumptions: None.

Typical challenges: Management appetite. Selling in the organisation. Keeping it simple, and cutting through the complexity of environment. Building the right awareness and training campaign.
Looking forward, the challenges to maintain data security are likely to get harder. The pace of technological change is quickening. The level and sophistication of external threats, such as e-crime, is increasing. Improving services will mean greater use of data within organisations and more data sharing. Meanwhile, existing challenges around secure handling of other information such as paper will continue.

Indications: Organizations who process Personally Identifiable Information (PII), are in regulated sectors (Health, Finance, Government etc.) or process commercially sensitive information.

Contra-indications: Publicly available information, freely available from many sources.

Resistance against threats: To be determined.

References:
Poynter report (covering HMRC data losses and recommendations):
http://www.hm-treasury.gov.uk/d/poynter ... 250608.pdf
Hannigan report (covering Data Handling Procedures in Government):
http://www.cabinetoffice.gov.uk/reports ... dling.aspx

Relevant technologies that underpin data security:

* DLP (Data Loss Prevention)
* Identity management (overview of ID management)
* RBAC (Role Based Access Control)
* Encryption (overview of encryption approaches)


Related patterns: Identity management.

Classification: Data Security.
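A worked example, added to this thread and not part of the OSA pattern or Russ's draft: it models the three technical elements the draft text combines (the 3/4-level classification scheme, RBAC linking business roles to rights, and DLP-style rules that decide where data of each classification may be stored, printed or transmitted), plus a simple DLP discovery check that classifies an unstructured e-mail body by looking for a card number. All role names, handling rules and sample values are constructed for illustration.

```python
"""Added example: data classification + RBAC entitlement + DLP handling rules.
Not code from the OSA pattern or the post's author; roles, rules and sample
values are constructed."""
import re
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional, Tuple


class Classification(IntEnum):
    """Ordered so that a higher level always dominates a lower one."""
    PUBLIC = 0        # e.g. marketing materials
    INTERNAL = 1      # e.g. intranet content shared with staff and suppliers
    CONFIDENTIAL = 2  # e.g. credit card details, medical history
    SECRET = 3        # e.g. year-end results before publication


# RBAC: the highest classification each business role is entitled to read.
# Rights hang off the role, never off the individual (constructed roles).
ROLE_CLEARANCE = {
    "marketing": Classification.PUBLIC,
    "staff": Classification.INTERNAL,
    "claims_handler": Classification.CONFIDENTIAL,
    "finance_director": Classification.SECRET,
}

# DLP-style handling rules per classification: where the data may be stored,
# whether it may be printed, and over which channels it may be transmitted.
# They follow the draft's guidance: keep data in the data centre and let it
# leave only on encrypted devices (constructed policy).
HANDLING_RULES = {
    Classification.PUBLIC: {"store": {"datacentre", "laptop", "usb"}, "print": True, "transmit": {"email", "https"}},
    Classification.INTERNAL: {"store": {"datacentre", "encrypted_laptop"}, "print": True, "transmit": {"email", "https"}},
    Classification.CONFIDENTIAL: {"store": {"datacentre", "encrypted_laptop"}, "print": False, "transmit": {"https"}},
    Classification.SECRET: {"store": {"datacentre"}, "print": False, "transmit": set()},
}


@dataclass(frozen=True)
class Record:
    name: str
    classification: Classification


@dataclass(frozen=True)
class User:
    username: str
    roles: frozenset


def clearance(user: User) -> Classification:
    """Highest level any of the user's roles grants; no recognised role means public only."""
    levels = [ROLE_CLEARANCE[r] for r in user.roles if r in ROLE_CLEARANCE]
    return max(levels, default=Classification.PUBLIC)


def check_action(user: User, record: Record, action: str, target: Optional[str] = None) -> Tuple[bool, str]:
    """Decide one request. Need-to-know (RBAC) is tested first; only then do the
    handling rules for the record's classification apply. Returns (allowed, reason)."""
    level = record.classification
    if clearance(user) < level:
        return False, f"{user.username} is not entitled to {level.name} data"
    rules = HANDLING_RULES[level]
    if action == "read":
        return True, f"read of {level.name} data permitted"
    if action == "store":
        ok = target in rules["store"]
    elif action == "print":
        ok = rules["print"]
    elif action == "transmit":
        ok = target in rules["transmit"]
    else:
        return False, f"unknown action {action!r}"
    where = f" to {target}" if target else ""
    return ok, f"{action}{where} {'permitted' if ok else 'blocked'} for {level.name} data"


# DLP discovery on unstructured content. A Luhn-valid 13-19 digit run (spaces or
# dashes allowed) is treated as a card number and the text becomes CONFIDENTIAL;
# anything else defaults to INTERNAL.
_CARD_RUN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Standard Luhn checksum over a string of ASCII digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def classify_text(text: str) -> Classification:
    for m in _CARD_RUN.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            return Classification.CONFIDENTIAL
    return Classification.INTERNAL


if __name__ == "__main__":
    handler = User("alice", frozenset({"claims_handler"}))
    # Constructed e-mail body containing a well-known test card number.
    body = "Claim 4471: card 4111 1111 1111 1111, see attached scan"
    rec = Record("claim-4471.eml", classify_text(body))
    for action, target in [("read", None), ("store", "usb"), ("store", "encrypted_laptop"), ("transmit", "email"), ("print", None)]:
        print(check_action(handler, rec, action, target))
```

The order of checks mirrors the draft's point that encryption and handling rules are pointless without need-to-know: the RBAC clearance is evaluated first, and only a user who is entitled to the record at all reaches the DLP store/print/transmit decision.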

Re: Data Security Pattern #013

Postby Tobias » Sat Apr 18, 2009 10:19 pm

Hi,

- I really like the reference to the 10 principles of Poynter. Should we take over all 10 principles as is?

- I don't think that we can today (yet) implement the following
"* Transfers of digital data involving physical media should be phased out completely"
--> I think in particular off-site data storage cannot yet be achieved with over the wire transfers; in many scenarios --> copying 1 TB of data to an off-site requires substantial bandwidth that is often not available (in the off-site places )

- under technical design approaches you mention 4 points that could almost be regarded as the OSA-data-security-principles.....but probably the last 2 points should be tuned to be more specific...

- the whole section of organizational and process controls should be more specific to this particular pattern,... also what is a "data guardian"....

Thanks
Tobias

Re: Data Security Pattern #013

Postby spinoza » Mon Apr 20, 2009 8:43 pm

Useful feedback- re-reading now and appreciate there is some more work needed. Back with an update mid-week.

Re: Data Security Pattern #013

Postby spinoza » Mon May 04, 2009 9:24 pm

Draft pattern is now published here:

http://www.opensecurityarchitecture.org ... a-security

and available for any final comments.

Thanks :-)

Re: Data Security Pattern #013

Postby spinoza » Thu Sep 24, 2009 8:01 pm

Now finalized.