I’ve been working for a while on a policy and associated procedures for Trinity College Dublin to enable us to leverage various cloud technologies and services for the benefit of the college. What has struck me is the complexity of dealing with the topic in a large-scale environment.

As consumers, many of us use cloud services every day; examples are Gmail and Hotmail for email; Amazon Cloud Drive and Dropbox for file storage; Google Docs, Docs.com and Microsoft Skydrive for document processing; Twitter, Facebook, Google+ and LinkedIn for social networking, etc. Many of us tend to use these and other services with little thought being given to security, data protection, privacy, identity theft, ownership of data, etc. When considered from a corporate or business perspective, these issues are significantly more important and take on many complex legal aspects. Yet, in a corporate and, indeed, an educational environment, there is significant pressure to enable these services in the business context, since end users and familiar with them from personal use.

Pursuing another interest of mine this evening – Internet Radio – I came across C-SPAN Radio and just happened to stumble upon the live proceedings of the US Committee on Homeland Security Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies, on 6 October 2011, discussing the issue of the security implications of cloud computing. The Committee was addressed by very influential people in the area of information technology, information security, education and regulation:

• The Honorable Richard Spires, 
Chief Information Officer
, U.S. Department of Homeland Security
• Dr. David McClure, Ph.D., 
Associate Administrator
, Office of Citizen Services and Innovative Technologies, 
U.S. General Services Administration
• Mr. Greg Wilshusen, 
Director of Information Security Issues
, Government Accountability Office
• Mr. James W. Sheaffer, 
President
, North American Public Sector
, Computer Sciences Corporation
• Mr. Timothy Brown
, Senior Vice President and Chief Architect for Security, 
CA Technologies
• Mr. James R. Bottum
, Vice Provost for Computing & Information Technology
 and Chief Information Officer
, Clemson University
• Mr. John Curran
, Chief Executive Officer
, American Registry of Internet Numbers

Each contributor submitted a paper to the Subcommittee and they are all available on the Subcommittee’s website. So if you are looking for what the current areas of concern are in relation to security and cloud computing, why not pick up the papers and listen back to the oral testimony.

Links to the papers (PDF)

• Richard Spires
• David McClure
• Greg Wilshusen
• James W. Sheaffer
• Timothy Brown
• James R. Bottum
• John Curran

What is your organisation doing about security and cloud computing? Do you have a cloud computing policy or are your end users simply using cloud services without regard to existing policy or legislation? Please leave a comment and let me know.

If you found this post interesting, you might also like:

• Data Loss by PA Consulting
• Laptop Theft and Data Loss By Irish Health Service Executive
• More Laptops Stolen – And This Time It’s Personal

Receive new articles from johnlawlor.ie by subscribing to my RSS Feed or by email subscription. You can also share this post by using one or more of the buttons at the top and bottom of the post. Thanks for visiting!

In my industry talks on Social Media, I mention the challenges presented to organisations by consumer technologies, so-called “shadow IT”, social media and mobile technologies. A new generation of technology users are used to having leading edge, powerful technologies and are not satisfied with the constraints placed by their employers on their technology use, productivity and flexibility. Therefore, many employees (and particularly younger employees) are getting around corporate controls by using personal email accounts, personal hosting services, online storage, Facebook, blogs, etc. The availability of new, powerful consumer technologies and services is putting increasing pressure on corporate IT departments to keep up.

Recent research commissioned by Mimecast, a UK-based email management company, highlights the risks that organisations face from their employees using non-corporate IT to circumvent controls. Carried out by Loudhouse Research, based in London, England, the research found that knowledgeable employees, familiar with social media and frustrated with corporate controls, are compromising corporate data and intellectual property.

Employees have become dissatisfied with the constraints of corporate email rules and mailbox size limitations. To get around these problems, more and more employees are adopting “a slapdash attitude to company intellectual property (IP)” and use personal email accounts to store corporate information on public servers, outside the control of the organisation. The research found that 85% of under 25s admitted that they send work-related emails or documents to or from personal email accounts.

The “Generation Gmail” research also found that:

• 36% of incoming email to work inboxes is not work related;
• Over 300 work-related emails are sent per person via personal accounts each year;
• Typically around half of these emails contain attachments, meaning that the average employee under 25 will send approximately three emails a week containing corporate IP and potentially sensitive information outside of their corporate environment, and
• Generation Gmail is particularly predisposed to personal email; 52 per cent rated it as better than work email in terms of mailbox size, compared to just 29 per cent of over 55s.

Working in an academic environment, I am very familiar with these challenges and with many more as well. Younger and well-educated people have come to expect that corporate IT services should be as good as what they can get for free on the Internet and they are impatient when this is not the case. However, it is difficult for organisations to respond either quickly enough or with a similar range of technologies to satisfy the expectations of employees and – in academia – students, researchers and academics.

How can corporate IT respond to these challenges? Are policies and procedures enough? What controls should or can be put in place to ensure that corporate information and IP are safeguarded? Is this even possible in the age of the iPhone, 3G, netbooks, tablets, high-capacity storage and other wireless devices?

It seems to me that the response to these challenges must be  try to give users what they expect, no matter how difficult this might seem. Perhaps corporate IT can never be as fast as the giants of the Internet like Facebook, Microsoft and Google but it should look for ways, nevertheless, to provide what it can. This could mean developing a Social Media strategy that identifies how you will provide the communications, collaboration and information sharing technologies that people now expect. Where can you use third parties to deliver services? What partners might you work with? Can you use Facebook or Yammer to enable sharing and collaboration? What about Blogger, Tumblr, Posterous, WordPress or Typepad for blogging? Are your policies, procedures, controls and security constraints still appropriate for the current environment and expectations of users?

We grapple with these issues every day in Trinity College and, to be truthful, we are probably always going to lag behind our users, because that is the nature of the organisation and it reflects the modern experience of technology innovation. Nevertheless, we have tried to meet expectations where we can. We have adopted Google Mail and Google Docs for our students; we are trialling Yammer as a collaboration platform for the college; we recently completed the rollout of internally-hosted Microsoft Exchange for staff; we are implementing SharePoint 2010 as an enterprise collaboration platform; we offer podcasting services and publish material with iTunes and iTunesU; we are about to release WordPress as a blogging platform for all users; and we use Microsoft Enterprise Project Management for project collaboration. We are also working on defining our needs for XaaS and Cloud Computing.

It is a start, and we know we have a long way to go. But if we can meet the expectations of our users, perhaps we can discourage them from using other technologies that might put the enterprise at risk.

What do you think? Are you dealing with these problems as well? Are you giving your users the technologies they want? What solutions have you found and how have you implemented them? This is a challenge that no organisation can avoid, so how are you approaching it? Please leave a comment and let me know your views.

Finally, Mimecast’s Chief Scientist, Nathaniel Borenstein and Cloud Strategist, Justin Pirie; and CEO of First Base Technologies ISACA, Peter Wood will host a webinar at 10 a.m. GMT on 8 March 2011 with the title ‘Generation Gmail: Is business email at risk?’. You can take part in the seminar at http://mediazone.brighttalk.com/event/infosecurity/79cc30c735-4820-intro?TID=MC.

And very lastly, if you would like to talk to me about the use of Social Media in your organisation, please feel free to contact me.

If you liked this post, you might also like:

Would You Like to Get to Inbox Zero?

Social Media Revolution? What’s Your View?

Receive new articles from johnlawlor.ie by subscribing to my RSS Feed or by email subscription. You can also share this post by using one or more of the buttons at the top and bottom of the post. Thanks for visiting!

ICT research in Europe is set to get a major boost in 2011 with the announcement today by the European Commission of a call for proposals for research projects worth 1.2 billion euros.

The projects will include a number of Public Private Partnerships:

The future Internet
ICT for energy efficient buildings
ICT for the fully electric vehicle
ICT for factories of the future.

These four projects have a combined budget of 220 million euros. Details of other budget provisions are available here (PDF).

All documentation is available through the links above. The deadline for submission of proposals is 2 December 2010.

The research funding is part of Europe’s Digital Agenda (launched in May 2010) and is the first significant increase for EU ICT research in more than 10 years. The digital agenda has seven priority areas:

1. Creating a digital Single Market
2. Greater interoperability
3. Boosting Internet trust and security
4. Much faster Internet access
5. More investment in research and development
6. Enhancing digital literacy skills and inclusion and
7. Applying information and communications technologies to address challenges facing society like climate change and the ageing population.

Further details on the Digital Agenda and the seven priority action areas are available here.

The Commission expects that SMEs will benefit from the work programmes funded from the research funding, which will be welcome in the current economic climate.

There are many opportuities for funding available on the EU Information Society website, which is always worth keeping an eye on. Let’s hope the research under these calls is successful and leads to an improvement in the lives of European citizens. We still have a long way to go to catch up on our American and Asian competitors.

If you liked this post, you might also like:

eCall In-Vehicle System Could Save 2,500 Lives Each Year

Society’s Grand Challenges: What Is The Role of Science and Technology?

Receive new articles from  johnlawlor.ie by subscribing to my RSS Feed or by email subscription. You can also share this post by using one or more of the buttons at the top and bottom of the post. Thanks for visiting!

How To Ensure Business Continuity After A Disaster

When things are going well, or when you’ve no obvious problems, it can be easy to forget the risks your business faces every day.  These can include fire, flood, theft, equipment failure, network failure, human error, computer viruses or industrial action. Preparing a business continuity plan (BCP) can help to ensure ongoing business operation, and even survival, following a disaster.  A BCP serves two main purposes.  Firstly, it helps to prevent a disaster or security failure, or reduces its impact to a tolerable level.  Secondly, it helps you to resume operations after a disaster.  So, if you want to stay in business you should prepare a BCP before a disaster happens.  And that means now!

Here is a practical seven-step outline of how you can set about the task.

1. Get management support

You must have the support of senior management for your BCP project to succeed.  Even in normal circumstances — but especially in today’s difficult economic climate — it can be difficult to justify a BCP project, which management might view as an unnecessary expense.  We are inclined to think that “it couldn’t happen to us” but, sadly, too often it does!  Therefore, you need to make management aware of the risks your company faces and the potential damage to the bottom line and to ongoing operational capability.  Once senior management support the project, the likelihood of success will increase.

2. Identify key business processes

Identify your key business processes and realistically assess the risks they are exposed to.  Put simply, key business processes are those without which you would find it difficult or impossible to run your business.  For example, if you depend on the Internet to deal with your customers, say through electronic shopping, then this is a key business process.  If you make specialised equipment for a major retailer, then that production process is key.

3. Assess your risks

Having identified the processes, think of the risk of failure and the likely impact it could have on your business. Effective ways to do this include looking at things that happened in the past, scenario development and brainstorming.  For example, computer viruses could destroy a computer or a disk could fail.  A fire could destroy your restaurant’s kitchens.  A health and safety incident could mean your business is closed temporarily, damaging your reputation.  Remember that if you fail to meet your customer’s needs, even for one day, you could lose a valuable order, or a competitor could pinch your hard-won business.

4. Prepare business continuity plans

Next, for each process, prepare plans to prevent a disaster or minimise its impact and to recover from failure.  Using knowledge gained from your earlier analysis, identify the actions you can take to deal with disasters, failures and security breaches.  Specify emergency, crisis management, evacuation and fallback procedures to enable you to respond quickly when an incident occurs.  Identify the buildings, facilities, materials and resources you will need and the people required to implement your continuity plan.  Although insurance is becoming less of an option for many businesses, be sure to think about it as part of your overall strategy.  Other typical continuity strategies include:

• keeping computer backups off-site;
• duplicating computer disks and processors;
• keeping computer virus protection software and firewalls up to date and operational;
• arranging for alternative buildings and equipment to be available so that you can maintain at least some production;
• ensuring that adequate fire prevention and suppression equipment is available and working, and
• agreeing with other organisations to act as backup sites for each other if one of you suffers a disaster.

Evaluate the likely cost of each continuity strategy and compare it to the likely cost and impact of each risk.

5. Document the BCP and train your staff

Write down the BCP and store it in a safe place, including an off-site location.  Keep paper and computer-based copies of the plan.  Make sure that everyone involved in the plan knows it exists and what they have to do if a disaster strikes.  Train staff about the plan’s procedures and clearly specify their roles in responding to an emergency.

Maintain strict version control over the plan to be sure that all staff have the correct copy; this will avoid confusion if you need to execute the plan.  Control circulation so that you know who has a copy.  The plan should be clear and detailed enough so that you can resume business operations using it alone, i.e., knowledge that is not in the plan should not be required to recover from a failure.  The plan must be a “living document” and must be updated as circumstances change.  This would happen, for example, when:

• people join or leave the organisation;
• new processes are introduced or existing processes are changed;
• new computer systems are introduced and old ones retired, or
• risks change significantly.

6. Ensure continuity of operations

Ensure that your plan also covers continuity of operations.  It should include strategies for ensuring availability of your buildings, systems, processes, people and services so that you can withstand a failure or security breach.  Things to think about include:

• using locks and identification cards to control access to buildings and facilities;
• regularly inspecting and maintaining essential plant and equipment to be sure that they are working properly;
• keeping critical spares on-site and off-site;
• having access to an alternative building or facilities, and
• entering into agreements with third parties for immediate support if certain specified events happen.

7. Test the plan regularly

Finally, test the plan regularly to ensure that it will work properly if a disaster, failure or security breach happens.  Specify in the plan the number of times per year that you will test it.  Think about hiring independent consultants to work with your testing team to ensure the integrity and objectivity of your tests.  Note and report honestly on anything that did not work properly during the test and implement corrective or preventive measures urgently.  Change the plan to reflect these new arrangements and tell everyone who should know about the changes.  Withdraw all copies of the existing plan from circulation and issue the new one, remembering to replace the off-site copies as well.

When a test has been completed, send a full report on the outcome to senior management.

It could happen to you

Could a disaster hit your business?  Should you have a BCP?  In both cases the answer, most definitely, is “yes.”  Whether you’re a big or a small organisation, it will be too late to realise that you should have had one after a disaster happens.  Preparing a BCP is an investment in the continuous operation and future survival of your business.  In today’s high-risk environment, it is one investment that should be high on every manager’s list of priorities.

Copyright © John Lawlor 2010. All rights reserved.

If you need assistance in preparing your Business Continuity Plan, please leave a comment below or email me.

If you liked this post, you might also like:

Why Organisations Don’t Learn From Project Failure

Planning For Success: The Basics Of Good Project Management

Receive new articles from  johnlawlor.ie by subscribing to my RSS Feed or by email subscription. You can also share this post by using one or more of the buttons at the top and bottom of the post. Thanks for visiting!

The Twittersphere was loaded tonight with Tweeters complaining about a major failure in Eircom’s DNS service. I have been having ongoing problems with Eirom, which is one of Ireland’s main ISPs, and have little satisfaction in getting my problems resolved. It is clear from tonight’s events that I am not alone. I had to rely on O2′s mobile broadband service for much of the evening.

Thanks to a number of Tweeters, I was referred to OpenDNS, which is a provider of free security and infrastructure services that make the Internet safer through integrated Web content filtering, anti-phishing and DNS. I had to sign up for a free account, which was very easy to do and took just a few minutes. Once this was done, I changed the DNS entries in my broadband router and I was up and running on the web again.

I am still looking forward to the day when I can dispense with Eircom’s “service” all together.

What has your experience with Eircom’s broadband service been? Leave a comment and let me know, though I expect I already know the answer.

I had not intended this blog to become a security-related publication, or one dealing exclusively with theft of laptops and storage media. But there is certainly a trend developing; let’s hope it does not last.

Following on from yesterday’s post, and from my post of 24 August 2008, we learn today from a report on RTE, Ireland’s national broadcaster, that a laptop computer containing  the records of some 75,000 customers of Bord Gais Eireann (BGE – the Irish Gas Board) was was one of four stolen on 5 June 2009, although news of the theft was only released today, 17 June 2009. The records relate to customers who signed up for the BGE “Big Switch” campaign, which encouraged them to move their account for electricity supply from the Electricity Supply Board (ESB) to BGE. Like previous incidents, data on this laptop was reported not to have been encrypted.

This time it’s personal, as I have been potentially affected by this latest security failing.

It appears to me that many (I suspect a very, very large number) organisations that process personal information simply do not take the issue of electronic data security and data privacy seriously enough. Throughout the world, we learn regularly of significant breaches of customer confidentiality. As  I wrote in my August 2008 post, many of these incidents occur through the failure to manage portable devices and removable media effectively. But there is also a lack of appropriate polices, procedures, practices, guidelines and controls. Indeed, in many organisations, there appears to be little or no attention paid to security at all, except for template procedures and documents.

The 2008 Annual Report of the Irish Data Protection Commissioner provides information on the top ten threats to individual privacy as identified by his staff. The unscientific list represents perceptions of Commission staff of the major threats to privacy at the close of the year 2008, based on the queries and issues they deal with on a day to day basis. The top ten threats are identified as follows:

1. Failure of organisations to have even the most basic protocols in place to minimise the loss of customer and employee data.
2. Continued lack of proper procedures in public and private sector bodies to limit access by their employees to personal data on a ‘need to know’ basis.
3. Failure to take due account of the legitimate privacy expectations of members of the public when moving towards greater efficiency of public services.
4. The tendency of new legislation to seek ever more personal data from the public and the sharing of that data between organisations without (in many cases) any real business case to justify such sharing.
5. Criminals using increasingly sophisticated methods to part individuals from their personal data for criminal and fraudulent use.
6. The extended use of the Personal Public Service Number (PPSN). This is the number given to each citizen by the Government to identify them when they interact with public bodies. More and more services seek to use this identifying number, often without any credible justification.
7. Publication and availability of excessive personal data on the internet (sometimes placed there by the individuals themselves on social networking sites etc).
8. Continued lack of awareness among data controllers of their data protection obligations.
9. Indifference on the part of data controllers to the consequences of their actions when they deliberately and persistently refuse to respect the data protection rights of their customers.
10. Continued lack of awareness on the part of members of the general public (who, as a result, give away their personal information too easily, don’t ask why personal information is needed or fail to ‘tick the box’ to say that we don’t want to be contacted).

BGE issued a short press release advising that it had promptly informed the Irish Police and the Data Protection Commissionerof the theft and that it will be contacting all affected customers. However, since there has been almost a two-week lag between the occurrence of the theft and the issue of the press release today, it is possible that customers’ financial or other personal information could have already been compromised. This is simly not good enough. It is no good doing things right (if you can call a two week delay in advising affected customers “right”) after an incident has occurred; appropriate steps must be taken to ensure that such incidents do not occur in the first place and that, if they do, the risk to information security is minimised or removed entirely. Time will tell whether the “risk assessment” referred to in the BGE statement led them to a correct decision not to advise customers sooner; I hope they got that right.

Organisations must take serious steps to improve security now. Some of the steps they take might include:

• Raising security awareness among all staff and providing appropriate training.
• Assigning responsibility for information security to the right people, not just to the IT department.
• Implementing appropriate and effective security policies, procedures and practices.
• Implementing adequate and effective information security controls and risk management systems.
• Carrying out regular audits of information security practices.
• Encrypting data on laptops, portable devices, tapes, removable storage and other vulnerable media.
• Implementing appropriate controls over removable media and devices.
• Introducing strict penalties for staff who breach security requirements including, for serious breaches, dismissal.
• Revisiting my post of August 2008 for further information on information security.
• Visiting the web site of the Irish Data Protection Commissioner, which is full of good information on information security.
• Reading the 2008 Annual Report of the Data Protection Commissioner, which is an excellent document and gives an overview of the activities of the Commissioner and provides information on prosecutions, investigations, summary data, etc.

Organisations and individuals must realise and accept that information security is not an issue for the IT department alone; it is a business issue and needs to be treated as such. Staff who use laptops, portable devices and removable media must understand that it is their responsibility, not the IT department’s, to keep data safe. And basic security, like locking these devices away or securing them appropriately, as well as encrypting them, must become the norm, not the exception.

Under Irish Data Protection Legislation, penalties for breaches of the law can be severe and encompass both civil and criminal proceedings, fines and forefeiture and destruction of equipment. Bodies corporate and individuals are subject to the provisions of the legislation. Fines of up to 250,000 euros can be imposed. Maybe it is time that fines of this magnitude were imposed. Without tough enforcement, I fear that breaches of the law and loss of personal data will continue to occur.

Kevin Kehoe, who I thank for commenting on my previous post, mentioned that organisations need to assess their appetite for risk. Perhaps it is time to dampen that appetite dramatically and, when it comes to handling the personal private information of customers, staff, prisoners, benefit applicants, etc, accept that no appetite for risk at all is the desired attitude to have.

If you have been affected by the BGE failing and feel strongly enough about the matter to complain, you can get all the information you need to make a complaint from the Data Protection Commissioner’s website.

What do you think? Are you concerned at how easily and how often personal private information is stolen, disclosed or otherwise compromised? Have you been personally affected by a breach of your privacy? Have you lost money or suffered other negative consequences? Have you been responsible for a breach of data security?

Leave a comment and let me know.

If you liked this post, you might also like:

Laptop Theft and Data Loss By Irish Health Service Executive

Data loss by PA Consulting

Receive new articles from johnlawlor.ie by subscribing to my RSS Feed or by email subscription. You can also share this post by using one or more of the buttons at the top and bottom of the post. Thanks for visiting!

I wrote about this topic on 24 August 2008 in relation to the loss of data about people who became involved with state agencies. I suppose it is hardly surprising that the same issue has happened again. In this most recent case, the Irish Health Service Executive (HSE) lost about 15 laptop computers, which were stolen from their offices in Roscommon Town. RTE, Ireland’s national news broadcaster, reports that, while information on 13 of the laptops has been encrypted, what is described as confidential information on one of the other two machines is accessible to anybody in possession of the laptops. The HSE is reported to have said that it ‘is satisfied that there was no identifying information in relation to patients or clients on one of the non-encrypted laptops.’

The truth is, of course, that the HSE cannot make this statement with any confidence, unless they subject their laptops, removable devices, and other storage media to continuous audit and stringent data management policies and controls, which, I suggest, is highly unlikely. In my opinion, there is as much probability of confidential information being stored on any of those laptops as not. The HSE probably has no way of knowing one way or the other; if it does, it should be required to produce the evidence in public immediately.

The ubiquity, portability and ease of use of laptop computers and other removable storage devices make the occurrence of theft and data loss almost inevitable. Indeed, I am sure that I could probably be found wanting myself in this regard, despite the fact that I advise, consult and speak on the topic of information and data security from time to time. As it happens – and this is merely because of the nature of my work – I do not need to store personal private information on my machine. However, I suspect that, on any of my computers or storage devices, there probably lies an old email, an old file, or a stored chat session that related to some private information. Simply put, it is dangerous in the extreme to believe that private information might not be stored on any electronic device. Therefore, the utmost precautions should be taken in all cases and at all times.

It is really time that all people who are in control of personal private information, whether in the public or private sectors, took this issue seriously and started taking immediate, practical and effective steps to secure the data they store and control. It might well be worth reading my previous article again, where I provided advice and guidance on how to improve data security.

What are you doing about information and data security in your organisation? Do you think data processors and data controllers are taking enough care of personal private data?

Leave a comment and let me know.

If you liked this post, you might also like:

More Laptops Stolen – And This Time It’s Personal!

Data loss by PA Consulting

Receive new articles from johnlawlor.ie by subscribing to my RSS Feed or by email subscription. You can also share this post by using one or more of the buttons at the top and bottom of the post. Thanks for visiting!

The recent loss by PA Consulting of data about criminals in Britain raises many questions about data security and highlights the difficult of guaranteeing privacy and security of data.  With the proliferation of portable storage devices, coupled with their increasing capacity and low cost, the challenges of maintaining data privacy and security are considerable.

I expect that PA signed all the necessary confidentiality agreements, security policies, data management policies, etc, when agreeing the contract with the Home Office. I expect that they also provided the necessary assurances to the client when negotiating the work. And I expect that the client took assurance from all of this. And yet, despite that, a significant breach of confidentiality and data security occurred, exposing both the contractor and the Home Office to being sued.  So, if policies and procedures, signed declaration and undertakings aren’t adequate protections, what can a client do when engaging third parties, or, indeed, protecting data from disclosure by staff?

Insist on encryption

Naturally, following incidents like the Home Office one, there is a strong focus on the need to encrypt data held on computer disks. However, this does not often lead to action. It is really not that hard to encrypt information at the entire device level, i.e. at disk level, at folder level, or at file level. There are many open source encryption systems available, such as TrueCrypt and Cryptainer. Commercial products are available from PGP Corporation, Symantec, McAfee and others. Even the ubiquitous WinZip allows users to encrypt files.

If users could get into the habit of encrypting all removable media and laptops immediately on acquisition, this would make a significant difference to data security. At a corporate level, all purchased devices should include provision for encryption at the point of purchase.

Ban data exchange and removal

A more extreme approach might be to ban all electronic data exchange between a client and a contractor or supplier, including banning the use of email, laptops, modems, wireless connections, etc.  In this scenario, all work would be carried out on the client’s site, with all computer equipment, network facilities, storage, printers, paper, etc, provided by the client. Even this would be difficult to police, however, as a contractor could easily bring in a portable storage device and connect it to the client’s computer. This might be avoided by providing equipment with all external ports and wireless features disabled, but the difficulty of doing this should be evident. However, in today’s connected world, where business happens at the speed of light, this option would not be really practical.

Ban use of own data processing equipment by contractors

Many, many years ago, a friend of mine worked in the vaults of a very large bank in Ireland. Before starting every day, he had to remove all valuables and money from his person and leave them in secure custody with the bank. At the end of the day he was searched and, when confirmed as penniless as when he went in, his valuables were returned to him and he was escorted off the premises. This happened every day he worked there.  Similar procedures could be implemented with regard to contractors and computing equipment, ensuring that they did not have any data processing or storage equipment in their possession when they entered or left the client’s premises. But, once again, the difficulty of policing this is quite apparent. With contractors working in almost every area of large businesses and the public sector, it would be difficult to get uniform implementation (or, indeed, awareness) of security policies. Nevertheless, it might be necessary to consider measures like these to adequately protect sensitive data.

Control issue and use of portable storage devices and laptops

This would not be easy to do but, coupled with other controls, would be an effective way of ensuring that data is not removed from a client premises. Tight procurement procedures would be required but, as portable devices are now so cheap, individuals can simply buy them themselves. Therefore, it may also be necessary to lock down external ports on machines but, understandably, this would make effective working quite difficult.

Control or prevent access to Internet storage sites

Many companies now offer free or cheap storage over the Internet, which anyone can subscribe to. These enable users to back files up to these sites on demand, or on a schedule.  Similarly, Gmail and Hotmail accounts enable users to store up to 5Gb of data on the Intenet. Therefore, these sites create a new weakness in corporate networks and, where possible, access to them should be denied.

Prevent use of Internet-based email accounts such as Gmail, Hotmail and Yahoo!

Difficult to do, but, if possible, prevent use of free Internet-based mail accounts like Gmail, Hotmail and Yahoo! Do not provide contractors with access to or accounts on your email service so that they cannot mail files to their own work email accounts.

Identify someone in the client organisation responsible for data security and handling contractor requests

Contractors might have a legitimate reason for requiring data to be provided on portable devices; for example, to carry out testing on an application at their own premises. A single person in the client organisation should be responsible for providing such data and ensuring that the request is appropriate, that only data that is absolutely necessary is provided and that it is properly secured. Appropriate undertakings (however shaky) should be received from the contractor, including undertakings concerning the storage, security and encryption of data.

Get contractors to disclose any previous breaches of data security that affected them or their clients

As part of the due diligence process in any contract negotiation, clients should ask contractors to disclose any breaches of data security that affected them or their clients in the last number of years, say three years. Contractors could be held liable for failure to disclose any breaches. If a contractor has suffered breaches of security, perhaps it would be better to avoid using them, particularly on very sensitive contracts.

Make sure your contractor has adequate insurance cover

Make sure that your contractor has adequate professional indemnity insurance and that you are indemnified against any loss or damages arising out of negligence or omission by the contractor.  This should not only extend to the professional execution of the contracted work but also to such eventualities as data loss or security breach, as in the PA case.

Learn about information security standards

The information security landscape is changing and becoming more complex all the time.  The key international standard is ISO 27000 and, if you are concerned with security and data privacy, you should become familiar with this standard.  Also pay attention to sites like the SANS Institute, CoBIT, ISACA, etc.

Conclusion

There’s a lot more to information security and data privacy than I have covered here. As more and more of our personal and corporate information is transmitted over the Internet, we should all pay far more attention to this issue.

If you liked this post, you might also like:

Laptop Theft and Data Loss By Irish Health Service Executive

More Laptops Stolen – And This Time It’s Personal!

Receive new articles from johnlawlor.ie by subscribing to my RSS Feed or by email subscription. You can also share this post by using one or more of the buttons at the top and bottom of the post. Thanks for visiting!