Technical and organisational measures for protecting data and ensuring data security Simon Rice Group Manager (Technology) 29 May 2014.

1 Technical and organisational measures for protecting data and ensuring data security Simon Rice Group Manager (Technology) 29 May 2014

2 Overview Guidance –ICO guidance –International guidance What are the risks? Where are the threats? What can be done?

3 ICO guidance http://ico.org.uk/for_organisations/guidance_index

4 Cloud guidance Published 27 September 2012 Guidance for data controllers Outlines a number of key risks http://ico.org.uk/cloud

5 BYOD guidance Published 7 March 2013 Guidance for data controllers Outlines a number of key risks http://ico.org.uk/byod

6 App guidance Published 19 December 2013 Guidance for app developers Outlines a number of key risks http://ico.org.uk/for_organisations/data_protection/topic_guides/online/mobile_apps

7 IT Security Published 12 May 2014 Highlights 8 common failures in IT security http://ico.org.uk/news/latest_news/2014/~/media/documents/library/Data_Protection/Research_and_reports/protecting-personal-data-in-online-services-learning-from-the-mistakes-of-others.pdf

8 International guidance

9

10

11 ENISA cloud computing risk assessment

12 What and where is the cloud?

13 So what do we have now?

14 And how does the cloud differ?

15 What does it look like?

16

17 http://www.google.com/about/datacenters/inside/streetview/

18 A video tour

19 What does the user see?

20 Where is the cloud?

21 What does the user see?

22 Remember, not all clouds are the same!

23 What are the DP/security issues? Who can see the data? Where is the data? Is this really a new problem?

24 Who can see the data? Insiders Authorised Unauthorised Outsiders Authorised Unauthorised

25 Who can see the data? Security –Physical security –Encryption (in transit, both to and within the cloud provider, and at rest) –Passwords & remote access Provider access Data disclosure

26 Where is my personal data? Multiple copies in multiple locations –Where are the data centres? –Redundant copies –Back-ups Shared resources –Deletion –Retention Layered services –Is your SaaS provider using a different IaaS provider? Overseas Transfers (Principle 8)

27 Other risks Loss of governance (who has access?) Lock-in (can you transfer to somewhere else?) Isolation failure (eggs in one basket?) Data segregation (whose data is next to yours?) Regulatory compliance (are you allowed to do it?) Data location (where is your data?) Data recovery (can you get it back?) Staff training (do they know what to do?)

28 More risks… Written contract Monitor performance Access control Connectivity Reliability and resilience Scalability (restricted by contract?)

29 How is the data accessed?

30 What is an ‘own device’?

31 Risks with mobile devices Loss or theft of the device Loss or theft of the data Loss or theft of the access credentials Interception of the data transfer Onward transfer of the data Inappropriate use of the device or data End of life disposal Applicable to both BYOD and corporate-owned devices

32 Where does data reside? Depends on what types of device you have –On the device Internal or external storage? –Organisation's network Local caching? –Cloud Private Community Public

33 How is the data transferred? How do you transfer data to devices? –3G, Wi-Fi, Wired connection –HTTP, HTTPS, VPN, other encryption –MAC address filtering –IM, Skype, BBM, Facebook, LinkedIn –Cloud, file transfer or email attachment –Direct connection or via proxy –USB or CD

34 How do you control the device? How can you control the data on the device? –Who owns the device? –What OS is it running? –Who else has access to it? –What else is it used for? –What if it gets lost? –Onward transfer of data or device?

35 Learning from ICO casework

36 8 common failings 1. Failure to keep software up to date with security patches 2. SQL injection 3. Running unnecessary services 4. Poor decommissioning 5. Insecure storage of passwords 6. Failure to encrypt online communications 7. Processing data in inappropriate areas 8. Default credentials, including passwords

37 Software updates

38 SQL injection
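The slide only names the failing. As an added example (not from the ICO report or the presentation), the following Python script uses an in-memory SQLite database with constructed sample rows to show the defect and its fix side by side: a login query assembled by string formatting, which a quote and comment marker can rewrite, beside the same query with parameter placeholders, which treats the same input as inert data. Table, column and user names are assumptions made for this example; passwords are stored in clear here only to keep the injection point isolated.

```python
import sqlite3

# Constructed sample data for this example (not from the ICO casework).
# Clear-text passwords are a deliberate simplification so that only the
# query construction is under the microscope; real systems must store
# salted, slow hashes instead.
SAMPLE_USERS = [
    (1, "admin", "correct horse battery staple"),
    (2, "alice", "hunter2"),
]


def setup_db() -> sqlite3.Connection:
    """Create an in-memory database populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    """The failing: user input is spliced into the SQL text, so the input can
    change the structure of the query rather than only supplying values."""
    query = (
        "SELECT id, username FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(query).fetchone()


def login_parameterised(conn: sqlite3.Connection, username: str, password: str):
    """The fix: placeholders keep input as data. The driver hands the values
    to the engine separately, so quotes and comment markers inside them are
    never parsed as SQL."""
    query = "SELECT id, username FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()


def demo() -> dict:
    """Run both versions against a legitimate login and two classic payloads."""
    conn = setup_db()
    # Comment-out payload: closes the string literal, then "--" comments out
    # the rest of the WHERE clause, so the password is never checked.
    comment_payload = "admin' --"
    # Tautology payload in the password field: AND binds tighter than OR, so
    # the clause becomes (username=... AND password='') OR '1'='1'.
    tautology_payload = "' OR '1'='1"
    return {
        "legit_vulnerable": login_vulnerable(conn, "alice", "hunter2"),
        "legit_parameterised": login_parameterised(conn, "alice", "hunter2"),
        "comment_vulnerable": login_vulnerable(conn, comment_payload, "wrong"),
        "comment_parameterised": login_parameterised(conn, comment_payload, "wrong"),
        "tautology_vulnerable": login_vulnerable(conn, "nobody", tautology_payload),
        "tautology_parameterised": login_parameterised(conn, "nobody", tautology_payload),
    }


if __name__ == "__main__":
    for name, row in demo().items():
        print(f"{name:26s} -> {row}")
```

The vulnerable function returns the admin row for both payloads; the parameterised one returns nothing, because the whole payload is compared literally against the username or password column. The same principle applies to every other place input meets a query (ORDER BY columns, LIMIT values, table names), where placeholders are not available and an allow-list of permitted values is needed instead.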

39 Unnecessary services

40 Decommissioning

41 Password storage
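Again the slide is a title only. As an added example (not the presenter's code), the block below contrasts the storage pattern the ICO report criticises, a fast unsalted digest that gives every user with the same password the same stored value and cracks offline at hardware speed, with a salted, iterated PBKDF2-HMAC-SHA256 record that carries its own parameters. The record format, iteration count and salt length are assumptions for this example; the 600,000 iteration default follows current OWASP guidance for PBKDF2-HMAC-SHA256.

```python
import hashlib
import hmac
import os

# Parameters are assumptions for this example. The record format stores the
# algorithm and iteration count so that policy can be raised later without
# invalidating existing accounts.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000
SALT_BYTES = 16


def weak_hash(password: str) -> str:
    """The failing: a single fast, unsalted digest. Even a strong hash used
    this way lets an attacker test billions of guesses per second and crack
    every user with the same password in one go."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Salted, deliberately slow hash. A fresh random salt per password means
    equal passwords produce different records and rainbow tables are useless."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations
    )
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and parameters and compare in
    constant time, so the timing of a failure does not leak how many bytes
    of the digest matched."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM:
        return False
    _, iterations, salt_hex, digest_hex = parts
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def needs_rehash(stored: str, iterations: int = ITERATIONS) -> bool:
    """True when a record was made with weaker parameters than current policy.
    Call this right after a successful login, while the clear-text password
    is available, and store hash_password(password) if it returns True."""
    parts = stored.split("$")
    if len(parts) != 4:
        return True
    return parts[0] != ALGORITHM or int(parts[1]) < iterations


if __name__ == "__main__":
    print("weak, same for both users:", weak_hash("hunter2") == weak_hash("hunter2"))
    record = hash_password("hunter2")
    print("stored record:", record)
    print("verify correct:", verify_password("hunter2", record))
    print("verify wrong:  ", verify_password("hunter3", record))
```

An argon2 or bcrypt library is the better choice where one is available; the standard-library version above is shown because it has no dependencies and demonstrates the three properties that matter (per-user salt, tunable cost, constant-time comparison).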

42 Configuration of SSL / TLS (failure to encrypt online communications)
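For this failing the typical casework finding is not the absence of TLS but a client or server configured so that it does not actually protect the connection. As an added example (not from the presentation), the Python block below builds a deliberately weak client context of that kind, certificate verification switched off, beside a hardened one, and runs a small audit over both; the audit checks and the finding texts are assumptions for this example.

```python
import ssl


def weak_client_context() -> ssl.SSLContext:
    """Assumed weak configuration: certificate and hostname checks switched
    off, which is what makes a connection trivially interceptable. The
    order of the two assignments matters; check_hostname must be cleared
    before verify_mode can be set to CERT_NONE."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_client_context() -> ssl.SSLContext:
    """create_default_context() loads the system CA store, requires a
    certificate and verifies the hostname; the minimum version is pinned
    explicitly so the result does not depend on the interpreter's default."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return a list of findings for settings that undermine the connection;
    an empty list means none of the checked weaknesses is present."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate not required (verify_mode != CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("hostname verification disabled (check_hostname=False)")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(
            f"legacy protocol versions allowed (minimum_version={ctx.minimum_version.name})"
        )
    if not ctx.options & ssl.OP_NO_COMPRESSION:
        findings.append("TLS compression enabled (CRIME)")
    return findings


if __name__ == "__main__":
    for label, ctx in (("weak", weak_client_context()), ("hardened", hardened_client_context())):
        print(f"{label}: {audit_context(ctx) or 'no findings'}")
```

The same audit applies to server contexts (ssl.Purpose.CLIENT_AUTH), where the minimum version and cipher selection are the usual findings; a hostname check does not apply on the server side.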

43 Security architecture

44 Accessible locations

45 Default credentials

46 How will you protect against these?

47 Or these?

48 Keep in touch Subscribe to our e-newsletter at www.ico.org.uk or find us on… www.twitter.com/iconews

