<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>John Lawlor &#187; disclosure</title>
	<atom:link href="http://johnlawlor.ie/tag/disclosure/feed/" rel="self" type="application/rss+xml" />
	<link>http://johnlawlor.ie</link>
	<description>Occasional Ramblings In The Cloud</description>
	<lastBuildDate>Wed, 19 Oct 2011 15:57:43 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
		<item>
		<title>Data loss by PA Consulting</title>
		<link>http://johnlawlor.ie/2008/08/data-loss-by-pa-consulting/</link>
		<comments>http://johnlawlor.ie/2008/08/data-loss-by-pa-consulting/#comments</comments>
		<pubDate>Sun, 24 Aug 2008 11:23:00 +0000</pubDate>
		<dc:creator>johnjlawlor</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[Cobit]]></category>
		<category><![CDATA[confidentiality]]></category>
		<category><![CDATA[consultant]]></category>
		<category><![CDATA[contractor]]></category>
		<category><![CDATA[Cryptainer]]></category>
		<category><![CDATA[data management]]></category>
		<category><![CDATA[data processing]]></category>
		<category><![CDATA[data security]]></category>
		<category><![CDATA[disclosure]]></category>
		<category><![CDATA[disk drive]]></category>
		<category><![CDATA[encryption]]></category>
		<category><![CDATA[file]]></category>
		<category><![CDATA[folder]]></category>
		<category><![CDATA[Gmail]]></category>
		<category><![CDATA[Home Office]]></category>
		<category><![CDATA[Hotmail]]></category>
		<category><![CDATA[Internet]]></category>
		<category><![CDATA[ISACA]]></category>
		<category><![CDATA[ISO 27000]]></category>
		<category><![CDATA[laptop]]></category>
		<category><![CDATA[McAfee]]></category>
		<category><![CDATA[PA Consulting]]></category>
		<category><![CDATA[PGP]]></category>
		<category><![CDATA[portable device]]></category>
		<category><![CDATA[SANS institute]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[security policy]]></category>
		<category><![CDATA[Symantec]]></category>
		<category><![CDATA[TrueCrypt]]></category>
		<category><![CDATA[USB]]></category>
		<category><![CDATA[WinZip]]></category>
		<category><![CDATA[Yahoo!]]></category>

		<guid isPermaLink="false">http://johnlawlor.ie/?p=60</guid>
		<description><![CDATA[The recent loss by PA Consulting of data about criminals in Britain raises many questions about data security and highlights the difficulty of guaranteeing privacy and security of data.  With the proliferation of portable storage devices, coupled with their increasing capacity and low cost, the challenges of maintaining data privacy and security are considerable. I [...]]]></description>
			<content:encoded><![CDATA[<p>The recent <a title="Company loses data on criminals" href="http://news.bbc.co.uk/1/hi/uk/7575766.stm" target="_self">loss</a> by <a title="PA Consulting Group" href="http://www.pa-consulting.com" target="_self">PA Consulting</a> of data about criminals in Britain raises many questions about data security and highlights the difficulty of guaranteeing privacy and security of data.  With the proliferation of portable storage devices, coupled with their increasing capacity and low cost, the challenges of maintaining data privacy and security are considerable.</p>
<p>I expect that PA signed all the necessary confidentiality agreements, security policies, data management policies, etc, when agreeing the contract with the <a title="UK Home Office" href="http://www.homeoffice.gov.uk/" target="_self">Home Office</a>. I expect that they also provided the necessary assurances to the client when negotiating the work. And I expect that the client took assurance from all of this. And yet, despite that, a <a title="Data loss firm broke rules" href="http://news.bbc.co.uk/1/hi/uk/7576066.stm" target="_self">significant breach</a> of confidentiality and data security occurred, exposing both the contractor and the <a title="Jacqui Smith orders data enquiry" href="http://news.bbc.co.uk/1/hi/uk_politics/7576955.stm" target="_self">Home Office</a> to being sued.  So, if policies and procedures, signed declarations and undertakings aren&#8217;t adequate protections, what can a client do when engaging third parties, or, indeed, protecting data from disclosure by staff?<span id="more-60"></span></p>
<h4>Insist on encryption</h4>
<p>Naturally, following incidents like the Home Office one, there is a strong focus on the need to encrypt data held on computer disks. However, this does not often lead to action. It is really not that hard to encrypt information at the entire device level, i.e. at disk level, at folder level, or at file level. There are many open source encryption systems available, such as <a title="TrueCrypt" href="http://www.truecrypt.org/" target="_self">TrueCrypt</a> and <a title="Cryptainer" href="http://www.cypherix.co.uk/cryptainerle/" target="_self">Cryptainer</a>. Commercial products are available from <a title="PGP Corporation" href="http://www.pgp.com/" target="_self">PGP Corporation</a>, <a title="Symantec" href="http://www.symantec.com/index.jsp" target="_self">Symantec</a>, <a title="McAfee" href="http://www.mcafee.com/uk/" target="_self">McAfee</a> and others. Even the ubiquitous <a title="WinZip" href="http://www.winzip.com/index.htm" target="_self">WinZip</a> allows users to encrypt files.</p>
<p>If users could get into the habit of encrypting all removable media and laptops immediately on acquisition, this would make a significant difference to data security. At a corporate level, all purchased devices should include provision for encryption at the point of purchase.</p>
<h4>Ban data exchange and removal</h4>
<p>A more extreme approach might be to ban all electronic data exchange between a client and a contractor or supplier, including banning the use of email, laptops, modems, wireless connections, etc.  In this scenario, all work would be carried out on the client&#8217;s site, with all computer equipment, network facilities, storage, printers, paper, etc, provided by the client. Even this would be difficult to police, however, as a contractor could easily bring in a portable storage device and connect it to the client&#8217;s computer. This might be avoided by providing equipment with all external ports and wireless features disabled, but the difficulty of doing this should be evident. However, in today&#8217;s connected world, where business happens at the speed of light, this option would not be really practical.</p>
<h4>Ban use of own data processing equipment by contractors</h4>
<p>Many, many years ago, a friend of mine worked in the vaults of a very large bank in Ireland. Before starting every day, he had to remove all valuables and money from his person and leave them in secure custody with the bank. At the end of the day he was searched and, when confirmed as penniless as when he went in, his valuables were returned to him and he was escorted off the premises. This happened every day he worked there.  Similar procedures could be implemented with regard to contractors and computing equipment, ensuring that they did not have any data processing or storage equipment in their possession when they entered or left the client&#8217;s premises. But, once again, the difficulty of policing this is quite apparent. With contractors working in almost every area of large businesses and the public sector, it would be difficult to get uniform implementation (or, indeed, awareness) of security policies. Nevertheless, it might be necessary to consider measures like these to adequately protect sensitive data.</p>
<h4>Control issue and use of portable storage devices and laptops</h4>
<p>This would not be easy to do but, coupled with other controls, would be an effective way of ensuring that data is not removed from a client premises. Tight procurement procedures would be required but, as portable devices are now so cheap, individuals can simply buy them themselves. Therefore, it may also be necessary to lock down external ports on machines but, understandably, this would make effective working quite difficult.</p>
<h4>Control or prevent access to Internet storage sites</h4>
<p>Many companies now offer free or cheap storage over the Internet, which anyone can subscribe to. These enable users to back files up to these sites on demand, or on a schedule.  Similarly, Gmail and Hotmail accounts enable users to store up to 5 GB of data on the Internet. Therefore, these sites create a new weakness in corporate networks and, where possible, access to them should be denied.</p>
<h4>Prevent use of Internet-based email accounts such as Gmail, Hotmail and Yahoo!</h4>
<p>Difficult to do, but, if possible, prevent use of free Internet-based mail accounts like <a title="Gmail" href="http://mail.google.com/mail/" target="_self">Gmail</a>, <a title="Hotmail" href="http://mail.live.com" target="_self">Hotmail</a> and <a title="Yahoo!" href="http://uk.yahoo.com/" target="_self">Yahoo</a>! Do not provide contractors with access to or accounts on your email service so that they cannot mail files to their own work email accounts.</p>
<h4>Identify someone in the client organisation responsible for data security and handling contractor requests</h4>
<p>Contractors might have a legitimate reason for requiring data to be provided on portable devices; for example, to carry out testing on an application at their own premises. A single person in the client organisation should be responsible for providing such data and ensuring that the request is appropriate, that only data that is absolutely necessary is provided and that it is properly secured. Appropriate undertakings (however shaky) should be received from the contractor, including undertakings concerning the storage, security and encryption of data.</p>
<h4>Get contractors to disclose any previous breaches of data security that affected them or their clients</h4>
<p>As part of the due diligence process in any contract negotiation, clients should ask contractors to disclose any breaches of data security that affected them or their clients in the last number of years, say three years. Contractors could be held liable for failure to disclose any breaches. If a contractor has suffered breaches of security, perhaps it would be better to avoid using them, particularly on very sensitive contracts.</p>
<h4>Make sure your contractor has adequate insurance cover</h4>
<p>Make sure that your contractor has adequate professional indemnity insurance and that you are indemnified against any loss or damages arising out of negligence or omission by the contractor.  This should not only extend to the professional execution of the contracted work but also to such eventualities as data loss or security breach, as in the PA case.</p>
<h4>Learn about information security standards</h4>
<p>The information security landscape is changing and becoming more complex all the time.  The key international standard is <a title="ISO 27000 Information Security Standard" href="http://www.27000.org/" target="_self">ISO 27000</a> and, if you are concerned with security and data privacy, you should become familiar with this standard.  Also pay attention to sites like the <a title="SANS Institute" href="http://www.sans.org/" target="_self">SANS Institute</a>, <a title="COBIT" href="http://www.isaca.org/" target="_self">COBIT</a>, <a title="ISACA" href="http://www.isaca.org/" target="_self">ISACA</a>, etc.</p>
<h4>Conclusion</h4>
<p>There&#8217;s a lot more to information security and data privacy than I have covered here. As more and more of our personal and corporate information is transmitted over the Internet, we should all pay far more attention to this issue.</p>
]]></content:encoded>
			<wfw:commentRss>http://johnlawlor.ie/2008/08/data-loss-by-pa-consulting/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

