Presentation is loading. Please wait.

Presentation is loading. Please wait.

Managing IT Risk MRC Weatherall Institute of Molecular Medicine Tom Anstey Risk - combination of the probability of an event and.

Published byAugustine Tucker Modified over 9 years ago

Similar presentations

Presentation on theme: "Managing IT Risk MRC Weatherall Institute of Molecular Medicine Tom Anstey Risk - combination of the probability of an event and."— Presentation transcript:

1 Managing IT Risk MRC Weatherall Institute of Molecular Medicine Tom Anstey tom.anstey@imm.ox.ac.uk Risk - combination of the probability of an event and its consequence

2 MRC Weatherall Institute of Molecular Medicine Managing risk MRC Weatherall Institute of Molecular Medicine Technology has enabled us to work in remote locations, away from the office and at any hour. This puts at risk data that we work with on laptop computers and portable storage devices because they can be stolen or misplaced. We cannot change these realities, so we must do a far better job of protecting data contained on the devices. A Statement from the NIH Director, Elias A. Zerhouni, M.D., on Encryption and Data Security

3 MRC Weatherall Institute of Molecular Medicine If there is genuinely no significant risk, nothing needs to be written down. If a written assessment is needed – keep it fit for purpose, and crucially, act on it. Paperwork without action does no one any good.

4 MRC Weatherall Institute of Molecular Medicine Management support is essential Effective information security governance requires senior management commitment and an overall culture conducive to information security at the executive and operational levels. Too often management determines that it is easier to buy a solution than to change a culture. The result is all too often an ad hoc collection of poorly integrated tactical point solutions that are increasingly difficult to manage and invariably leave gaps in protection.

5 MRC Weatherall Institute of Molecular Medicine Management support is essential Education and training in the operation of information security processes are often overlooked as well. However management should consider that even the most secure system, if operated by ill-informed, untrained, careless of indifferent personnel, will not achieve a significant degree of security. ISACA Information Security Governance Guidance for Information Security Managers

6 MRC Weatherall Institute of Molecular Medicine Personally identifiable data – in UK, Data Protection Act 1998 Any information that links one or more identifiable living person with private information about them Any source of information about 1000 identifiable individuals or more other than information sourced from the public domain The data itself obviously isn't hazardous Identify the hazards

7 MRC Weatherall Institute of Molecular Medicine Emails and the contacts stored in an email system count as personal data Research data Locations, research methods, staffing data Examination results Intellectual Property – what might it be worth? The data itself obviously isn't hazardous Identify the hazards

8 MRC Weatherall Institute of Molecular Medicine The University or College Fines by the Information Commissioner's Office (ICO) – up to £500,000 Bad publicity Loss of possible funding and public goodwill Release of Intellectual Property Who might be at risk and how?

9 MRC Weatherall Institute of Molecular Medicine Funding bodies (including parents?) The Media is probably the biggest problem Staff, students, their families and colleagues Private information, user names, contact details, research methods (a CV/resumé/job application could easily count as “Personal Data”) Who might be at risk and how?

10 MRC Weatherall Institute of Molecular Medicine Is there an Information Asset Register? Does the Risk Register extend to information/data? Is there sensitive data in places where it may easily be physically removed – laptops, external hard drives, USB keys, PDAs, mobile 'phones, iPads? Do you understand your colleagues’ work? Are you even interested? Is it your job? Evaluate the risk, looking at the type of data stored..

11 MRC Weatherall Institute of Molecular Medicine Is there sensitive data in places where it may easily be physically removed – laptops, external hard drives, USB keys, mobile 'phones, iPads etc.? Are the rooms locked, laptops tethered, and is there CCTV and door access control? Is equipment labelled and on the inventory? Is there frosted glass on windows in public viewable areas? Evaluate the risk, looking at where the data is stored..

12 MRC Weatherall Institute of Molecular Medicine Electronic security Are you using encryption? Is all accessible data anonymised? Remote wipe facilities on smartphones? Are there limits to shared data areas? Are the firewall rules too lax? Security -vs- Convenience Humans are the greatest risk! From inside and outside! H ave you vetted all staff & contractors in particularly sensitive areas? Do staff know what they may say and to whom? Evaluate the risk

13 MRC Weatherall Institute of Molecular Medicine

14 Consider encryption – it’s not a cure-all, but makes the ICO happy! Mitigate the risk

15 MRC Weatherall Institute of Molecular Medicine Lock rooms, tether laptops CCTV and (logged) access door controls - a lock isn’t enough! Equipment labelling lowers re-sale value Put frosted glass on windows in areas visible to the public Mitigate the risk - physical

16 MRC Weatherall Institute of Molecular Medicine Electronic security – firewalls, A/V etc Encrypt if needed, anonymise data, limit access to shared data Humans are the greatest risk Mandate the wearing of ID cards? Encourage the challenging of unknown people Don’t allow tailgating through access routes Mitigate the risk

17 MRC Weatherall Institute of Molecular Medicine Ban camera-phones and iPads? Disable USB ports on workstations? Force encryption of USB storage? Lock rooms and laptops, CCTV, equipment labelling and inventory, access controls Electronic security eg. encryption, remote backup, anonymised data, limits to shared data areas, remote wipe of portable devices. However, go too far, and users will become evasive! Take precautions and prevent loss!

18 MRC Weatherall Institute of Molecular Medicine Check the identity of anyone requesting confidential data Take up references for potential staff and students & perform security checks if needed (assess risk!). Personal ID Security

19 MRC Weatherall Institute of Molecular Medicine Advise your users to choose passwords that are unique mixtures of letters & numbers and other characters, or a selection of words (although password policies may dictate what you enter). The longer the password, the more secure less insecure it is likely to be! Remember to change them regularly and do not use identical usernames and passwords on different systems Two-factor authentication? Personal ID Security

20 MRC Weatherall Institute of Molecular Medicine Think very carefully before submitting any personal or work information online – including on Facebook and LinkedIn Check the privacy policy of any website where you submit personal data – if it doesn’t have a clear and comprehensive policy, don’t submit it Dispose of data securely, whether in paper or electronic form (especially back-up files & hard drives) Encrypt sensitive data on portable devices Personal ID Security

21 MRC Weatherall Institute of Molecular Medicine Have you got an Information Security Policy? Individuals need to understand that as well as the right to protection, they also have to exercise responsibility So, we need to identify the users and the data being held Who owns the laptop/USB device? Who owns the data stored on it? Who is responsible for possible loss of data? Sensible risk management

22 MRC Weatherall Institute of Molecular Medicine Create an InfoSec Policy – copy [read first] & paste is OK! Manage your workstations – require individual authentication Make an inventory and assess risk of data – particularly on mobile devices. Does it really need to be there? Use an enterprise encryption solution Read and manage your log files Monitor your network – but be aware of users’ rights to privacy Good practice

23 MRC Weatherall Institute of Molecular Medicine So, what about DropBox, SkyDrive, iCloud or Amazon? Should the sensitive data be leaving the University or College to somewhere that you have no legal control? Are you happy that you know and trust all the keepers of your data? US Safe Harbor scheme – are you content with that? Different legal jurisdictions? DPA? Got your head in the cloud? http://www.adam-hart-davis.org/

24 MRC Weatherall Institute of Molecular Medicine Provide understandable guidance “People mostly want to be good. Rather than tell them not to do stuff, tell them the right way to do things. Secure behaviour needs to be the default, not the bolt- on. Security awareness is a use it or lose it mindset. You have to stay engaged. People follow examples, especially their bosses’. If you can get the boss talking and behaving in a way that shows that security is everyone’s responsibility, the message is that much more vibrant.” Chris Burgess Cisco

25 MRC Weatherall Institute of Molecular Medicine Keep “geek-speak” out of users’ lives. They don’t want or need it! They probably don’t need to know whether it’s 2048 or 4096-bit encryption nor the hash and salting methods. Standardise operating procedures when/where possible, but be flexible. Make the difference between “Must” and “Should” very clear! All local policies must be at least as stringent as the University Information Security Policy. MRC Weatherall Institute of Molecular Medicine Provide understandable guidance

26 MRC Weatherall Institute of Molecular Medicine

27

28 What to do when it goes wrong Don’t bury your head Inform Unit Head + OxCERT / University Data Protection Office / Police & University Security Be honest! Mea culpa (if needs be) and helpful attitude please Learn from your (and others’) mistakes Don’t speak to the press – go via the Press Office Maintain confidentiality and privacy Prepare colleagues and give advice to students

29

Download ppt "Managing IT Risk MRC Weatherall Institute of Molecular Medicine Tom Anstey Risk - combination of the probability of an event and."

Similar presentations

Darton College Information Systems Use Policies. Introduction Dartons Information Systems are critical resources. The Information Systems Use Policies.

Darton College Information Systems Use Policies. Introduction Dartons Information Systems are critical resources. The Information Systems Use Policies.
1 of 2 This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT. © 2006 Microsoft Corporation.

1 of 2 This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT. © 2006 Microsoft Corporation.
Financial Services Workshop Margaret Umphrey ECU Information Security Officer March 12, 2014 1IT Security, East Carolina University.

Financial Services Workshop Margaret Umphrey ECU Information Security Officer March 12, IT Security, East Carolina University.
ANNUAL SECURITY AWARENESS TRAINING – 2011 UMW Information Technology Security Program Annual Security Awareness Training for UMW Faculty and Staff.

ANNUAL SECURITY AWARENESS TRAINING – 2011 UMW Information Technology Security Program Annual Security Awareness Training for UMW Faculty and Staff.
Computer and Mobile Device Equipment Security Brief May 29, 2008 Presented by: Kevin G. Sutton, Chief, Information Technology Unit.

Computer and Mobile Device Equipment Security Brief May 29, 2008 Presented by: Kevin G. Sutton, Chief, Information Technology Unit.
Data Storage & Security Dr Alastair F. Brown Head of Computing MRC Human Genetics Unit MRC Institute of Genetics and Molecular Medicine The University.

Data Storage & Security Dr Alastair F. Brown Head of Computing MRC Human Genetics Unit MRC Institute of Genetics and Molecular Medicine The University.
Helping our customers keep their computers safe.  Using your pet’s, business, family, friend’s names  Using number or letter sequences (0123, abcd)

Helping our customers keep their computers safe.  Using your pet’s, business, family, friend’s names  Using number or letter sequences (0123, abcd)
Chapter 10. Understand the importance of establishing a health care organization-wide security program. Identify significant threats—internal, external,

Chapter 10. Understand the importance of establishing a health care organization-wide security program. Identify significant threats—internal, external,
HIPAA Basic Training for Privacy & Information Security Vanderbilt University Medical Center VUMC HIPAA Website: www.mc.vanderbilt.edu/HIPAA.

HIPAA Basic Training for Privacy & Information Security Vanderbilt University Medical Center VUMC HIPAA Website:
Invasion of Smart Phones in Clinical Areas Chrissy Kyak Privacy Officer University of Maryland Upper Chesapeake Health.

Invasion of Smart Phones in Clinical Areas Chrissy Kyak Privacy Officer University of Maryland Upper Chesapeake Health.
Personal Data Protection and Security Measures Justin Law IT Services - Information Security Team 25 & 27 November 2013.

Personal Data Protection and Security Measures Justin Law IT Services - Information Security Team 25 & 27 November 2013.
BP5- METHODS BY WHICH PERSONAL DATA CAN BE PROTECTED Data Protection.

BP5- METHODS BY WHICH PERSONAL DATA CAN BE PROTECTED Data Protection.
1 Electronic Information Security – What Researchers Need to Know University of California Office of the President Office of Research May 2005.

1 Electronic Information Security – What Researchers Need to Know University of California Office of the President Office of Research May 2005.
PHYSICAL SECURITY Attacker. Physical Security Not all attacks on your organization's data come across the network. Many companies focus on an “iron-clad”

PHYSICAL SECURITY Attacker. Physical Security Not all attacks on your organization's data come across the network. Many companies focus on an “iron-clad”
Information Security Awareness:

Information Security Awareness:
IT Retreat 2009 IT Security Controls and Initiatives.

IT Retreat 2009 IT Security Controls and Initiatives.
Personal Data Protection and Security Measures Justin Law IT Services - Information Security Team 18, 20 & 25 March 2015.

Personal Data Protection and Security Measures Justin Law IT Services - Information Security Team 18, 20 & 25 March 2015.
DATA SECURITY Social Security Numbers, Credit Card Numbers, Bank Account Numbers, Personal Health Information, Student and/or Staff Personal Information,

DATA SECURITY Social Security Numbers, Credit Card Numbers, Bank Account Numbers, Personal Health Information, Student and/or Staff Personal Information,
1 Enterprise Security Your Information Security and Privacy Responsibilities © 2008 Providence Health & Services This information may be replicated for.

1 Enterprise Security Your Information Security and Privacy Responsibilities © 2008 Providence Health & Services This information may be replicated for.
Sensitive Data Accessibility Financial Management College of Education Michigan State University.

Sensitive Data Accessibility Financial Management College of Education Michigan State University.

Similar presentations

Ads by Google