Welcome to Jan Watkinson & Co.

Computer Systems Advice

Data Security - Access

Many businesses are now completely reliant on the data stored on their Network Servers, PCs, laptops, mobile devices and cloud service providers or internet service providers. Some of this data is likely to contain either personal information and/or confidential company information.

Here we look at some of the issues to consider when reviewing the security of your computer systems with respect to access controls, and to ensure compliance with Principle 7 of the Data Protection Act. This states that:

Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

Access security

Good access controls to the computers and the network minimise the risks of data theft or misuse.

Access controls can be divided into two main areas:

  • Physical access - controls over who can enter the premises and who can access personal data
  • Logical access - controls to ensure employees only have access to the appropriate software, data and devices necessary to perform their particular role.

Physical access

As well as physical access controls such as locks, alarms, security lighting and CCTV, there are other considerations, such as how access to the premises is controlled.

Visitors should not be allowed to roam unless under strict supervision.

Ensure that computer screens are not visible from the outside.

Use network policies to ensure that workstations and/or mobile devices are locked when they are unattended or not being used.

Ensure that if a mobile device is lost it can be immobilised remotely.

Mobile devices, being small, are high-risk items, so sensitive data on them should always be encrypted and access to the device should be controlled via a PIN or password.

It may be necessary to disable or restrict access to USB devices and optical readers and writers.

Finally, information held on hard copy should be disposed of securely.

Logical access

Logical access techniques should be employed to ensure that personnel do not have more access than is necessary for them to perform their role.

Sensitive data should be encrypted and access to this data controlled via network security and user profiles.

Access to certain applications and certain folders may also need to be restricted on a user by user basis.

Finally, it may be necessary to lock down certain devices on certain machines.

Passwords

It is universally accepted that a password policy requiring each user to log on with a username and password is good practice.

These help identify a user on the network and enable the appropriate permissions to be assigned.

For passwords to be effective, however, they should:

  • be relatively long (i.e. 8 characters or more)
  • contain a mixture of alphabetic, numeric and other characters (such as & ^ ")
  • be changed regularly, using automatic password-expiry options where available
  • be removed or changed when an employee leaves
  • be used on individual files such as spreadsheets or word processed documents which contain personal information

and should NOT

  • be a blanket password (i.e. the same for all applications or for all users)
  • be written on ‘post-it’ notes stuck to the keyboard or screen
  • consist of common words or phrases, or the company name.
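The password rules listed above, turned into a policy check. This is an added example and not the firm's own tool; the company name and the short common-word list are constructed placeholders, and a real deployment would compare against a proper dictionary or breached-password list.

```python
"""Check a candidate password against the policy set out above:
length, character mix, company name and common words."""
import re

COMPANY_NAME = "Watkinson"          # constructed: the organisation's own name
COMMON_WORDS = {                    # constructed: stand-in for a real word list
    "password", "letmein", "welcome", "qwerty", "accounts", "payroll",
}
MIN_LENGTH = 8


def _core(pw: str) -> str:
    """Lower-case and strip digits/symbols so 'Password1!' is compared as
    'password'; tacking a digit onto a dictionary word is not a fix."""
    return re.sub(r"[^a-z]", "", pw.lower())


def password_problems(pw: str, company: str = COMPANY_NAME) -> list[str]:
    """Return the policy rules the password breaks (empty list = acceptable)."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Za-z]", pw):
        problems.append("no alphabetic character")
    if not re.search(r"[0-9]", pw):
        problems.append("no numeric character")
    if not re.search(r"[^A-Za-z0-9]", pw):
        problems.append("no symbol character (e.g. & ^ \")")
    core = _core(pw)
    company_core = _core(company)
    if company_core and company_core in core:
        problems.append("contains the company name")
    if core in COMMON_WORDS:
        problems.append("based on a common word")
    return problems


def is_acceptable(pw: str) -> bool:
    """True only when no rule is broken."""
    return not password_problems(pw)
```

A password such as "Watkinson2024!" satisfies the length and character-mix rules yet is still rejected, which is the case a naive checker misses.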

How we can help

We can provide help in the following areas:

  • defining and documenting security and logical access procedures
  • performing a security/information audit
  • training staff in security principles and procedures.

Please contact us if you would like any help in any of these areas.


Data Security - Backup

Many companies are now completely reliant on the data stored on their network servers, PCs, laptops, mobile devices and on data stored in the cloud. Some of this data is likely to contain either personal information and/or confidential company information.

Here we look at some of the issues to consider when reviewing the security of your computer systems and data.

Data backup is an essential security procedure and needs to be undertaken on a regular basis. A business should view taking regular backups as a form of insurance policy. There are a number of points to consider.

Systems and applications software installation media

Ideally, once software has been installed, the original media (unless the software was downloaded) should be stored securely off-site. Any activation keys/codes should be similarly stored securely.

Data file locations

In a network environment some data files might be stored on the server and others on local drives, in which case separate backups may be required for both the server and one or more PCs.

Ideally, a network solution should be provided which ensures that all data is re-copied back to the server from local drives.

Backup strategy and frequency

There is likely to be a need for two parallel backup procedures: one to cover a complete systems backup of the server(s), and another to incrementally (or differentially) back up data files which have been updated since the previous backup.

The most common backup cycle is the grandfather, father, son method. With this, there is a cycle of 4 daily backups, 4/5 weekly backups and 12 monthly backups.

Remember that some data has to be preserved for many years; for example, accounting records need to be kept for a minimum of 6 years.

Backup media can be re-used many times, but they have a finite life and will need replacing after 2-10 years depending on quality and the number of times used. Some additional points are made on this issue in the section on backup media degradation.
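The grandfather, father, son cycle described above, worked through as a media-rotation planner. This is an added example, not the firm's own procedure; it assumes the usual reading of the 4 / 4-5 / 12 counts, namely that Monday to Thursday backups go to four daily sets reused each week, Friday backups go to a weekly set numbered by the Friday's position in the month, and the last Friday of each month is written to a monthly set kept for a year. Weekends are assumed to have no backup.

```python
"""Grandfather-father-son (GFS) rotation: which backup set a given
working day's backup is written to, and how long that set is kept.
Assumptions (not stated on the page): Mon-Thu -> 4 daily sets (reused weekly),
Fridays -> weekly sets 1-5 (reused monthly), last Friday of the month ->
monthly sets 1-12 (reused yearly). No backup on Saturday/Sunday."""
from datetime import date, timedelta

DAILY_NAMES = ("Mon", "Tue", "Wed", "Thu")
RETENTION_DAYS = {"daily": 7, "weekly": 28, "monthly": 365}


def is_last_friday(d: date) -> bool:
    """True if d is a Friday and the following Friday falls in a later month."""
    return d.weekday() == 4 and (d + timedelta(days=7)).month != d.month


def friday_ordinal(d: date) -> int:
    """1-based position of this Friday within its month (1..5)."""
    return (d.day - 1) // 7 + 1


def gfs_set(d: date) -> tuple[str, str]:
    """Return (tier, set label) for the backup taken on working day d."""
    wd = d.weekday()
    if wd >= 5:
        raise ValueError(f"{d} is a weekend: no backup scheduled")
    if wd < 4:                                   # son: overwritten next week
        return ("daily", f"Daily-{DAILY_NAMES[wd]}")
    if is_last_friday(d):                        # grandfather: kept a year
        return ("monthly", f"Monthly-{d.month:02d}")
    return ("weekly", f"Weekly-{friday_ordinal(d)}")   # father: kept a month


def reuse_date(d: date) -> date:
    """Earliest date on which the media written on d may be overwritten."""
    tier, _ = gfs_set(d)
    return d + timedelta(days=RETENTION_DAYS[tier])


def schedule(start: date, days: int) -> list[tuple[str, str, str]]:
    """Plan (ISO date, tier, set label) for each working day in the window."""
    plan = []
    for i in range(days):
        d = start + timedelta(days=i)
        if d.weekday() < 5:
            tier, label = gfs_set(d)
            plan.append((d.isoformat(), tier, label))
    return plan
```

Running `schedule(date(2024, 3, 1), 31)` shows March 2024 needing five weekly sets, with the fifth Friday (29 March) promoted to the monthly set rather than a "Weekly-5".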

Backup responsibilities

Someone should be given responsibility for the backup procedures. This person needs to be able to:

  • regularly ensure that all data files (server and local) are incorporated in the backup cycle(s)
  • adapt the backup criteria as new applications and data files are added
  • modify the backup schedule as required
  • interpret backup logs and react to any errors notified
  • restore data if files are accidentally deleted or become corrupt
  • regularly test that data can be restored from backup media
  • maintain a regular log of backups and log where the backup media are stored.

Applications backup routines

Many accounting and payroll applications have their own backup routines. It is a good idea to use these on a regular basis (as well as conventional server backups) and always just before critical update routines. These backup data files should be stored on the server drive so that they are included in the server backup.

Local PCs

Certain users will have application data files exclusively on their local drives (payroll data, for example). These will require their own regular backup regime which, as mentioned in the previous paragraph, may consist of a combination of backing up to media and backing up to the server.

Backup media

Selecting the right media to use for backups depends on budget, how much data there is and the network operating software. External hard disks or a NAS box with cloud backup may provide a good solution. If an external service provider is used, or perhaps a cloud option, they should have their own backup regime, but don’t rely totally on this.

Optical storage such as CD/DVD, or Blu-Ray may also be considered as a cheaper alternative, but capacity and life may be limited.

Backup location

Backups should be stored in a variety of both on-site and off-site locations. On-site backups are easily accessible when data has to be restored quickly, but are at risk from either fire or other disaster.

A large number of businesses use an on-site safe; however, this will be useless if it’s buried under tons of rubble, or the premises otherwise become inaccessible.

Off-site backups have the advantage that they can be recovered in an emergency, but:

a) they still need to be stored securely; and

b) they need to be reasonably accessible.

Backup retention

Finally, certain types of record, such as accounting records, need to be kept for a minimum period of time, and this must be considered when developing the data backup strategy (also see below regarding degradation).

Backup media degradation/decomposition

Backup media degrade, and the data stored on them decays, over a period of time.

Optical media such as CD/DVD and Blu-Ray are particularly sensitive to light (photosensitive), so ensure that they are stored in a dark environment. They are also prone to physical damage when being handled. Finally, this type of media is not designed for long-term storage, lasting possibly as little as 2 years.

Backups should be checked on a regular basis for signs of digital decomposition, and tested to check that data can be successfully restored.

In-house or cloud?

Many internet service providers and third-party IT service organisations now offer, either as standard or as a chargeable extra, off-site data repositories and also complete online application solutions. The immediate appeal is that there is no need to support a server and its operating and applications software in-house. However, there are a significant number of key security issues which should be covered in the contract/service level agreement (SLA). These should include the level of encryption, the countries in which the data is processed and stored (as this has potential issues with data protection laws), data deletion and retention periods, the availability of audit trails of who is accessing the data and, finally, who has ownership of the data if the provider goes into administration/receivership.

We would therefore always recommend that, if a third party is used, the business uses a combination of traditional in-house backup solutions and cloud backup services. Where data is stored in the cloud, try to ensure that as little personal data as possible is processed and stored in this way.

How we can help

We can provide help in the following areas:

  • performing a security/information audit
  • drawing up a suitable backup regime
  • training staff in security principles and procedures.

Please do contact us if we can be of further help.


Data Security - Data Protection Act

Many businesses are totally reliant on the data stored on their PCs, laptops, networks, mobile devices and in the cloud. Some of this data is likely to contain either personal information and/or confidential company information.

Here we look at some of the key compliance issues surrounding data protection and the Data Protection Act (the Act).

Most businesses process personal data to a greater or lesser degree. If this is the case, compliance with the Act is required unless one of the exemptions applies (see below).

Complying with the Act includes a notification process, handling data according to the principles of data protection and dealing with subject access requests.

In the UK, the Information Commissioner (ICO) is responsible for the public Data Protection Register and for enforcing the Data Protection Act.

Summary of the principles of the Data Protection Act

  1. Personal data must be fairly and lawfully processed;
  2. Personal data must be processed for limited purposes;
  3. Personal data must be adequate and not excessive;
  4. Personal data must be accurate and up to date;
  5. Personal data must be kept no longer than necessary;
  6. Personal data must be processed in line with the data subjects' rights;
  7. Personal data must be secure;
  8. Personal data must not be transferred to countries outside the European Economic Area (EEA) without adequate protection.

Exemptions

There are 5 main categories of exemption:

  • organisations that process personal data only for:
    -  staff administration (including payroll)
    -  advertising, marketing and public relations (in connection with their own business activity) and
    -  accounts and records
  • some not-for-profit organisations
  • organisations that process personal data only for maintaining a public register
  • organisations that do not process personal information on computer and
  • individuals who process personal data only for domestic purposes.

There are a number of more specific exemptions. However, most companies find the exemptions are too narrow, and opt to notify (see below).

Notification

Notification is the method by which a company’s usage of personal data is added to the public Data Protection register maintained by the ICO. The process starts by completing the notification documentation (available from www.ico.gov.uk) and sending this back with the annual notification fee (currently £35 for the small business).

Notification needs to be performed annually (even if there are no changes).

N.B. Be wary of organisations who say they represent the ICO and who charge more than the standard £35 fee.

Subject Access Request (SAR)

Individuals have rights under the Act to find out whether you are processing their personal data, and to be provided with a copy of the data which is stored about them.

Most SARs must be responded to within 40 days.

An individual has the right to ask you to:

  • correct or delete information about them which is inaccurate;
  • stop processing their personal data for direct marketing purposes;
  • stop processing their data completely or in a particular way (depending upon the circumstances)

A fee can be levied for dealing with an SAR - but only up to £10 (except for health or education records).

If a fee is levied, the access request does not have to be complied with until the fee has been received.

The Act also makes it clear that the SAR must contain enough information to validate that the person making the request is the individual to whom the personal data relates. So it may be necessary, and is legitimate, to ask for further identification from the originator of the SAR.

Data security

The Act says there should be security that is appropriate to:

  • the nature of the information in question;
  • the harm that might result from its improper use, or from its accidental loss or destruction.

The Act does not define “appropriate”, but it does say that “an assessment of the appropriate security measures in a particular case should consider technological developments and the costs involved”.

So there are a number of key areas to concentrate on:

Management and organisational measures

Someone in the organisation should be given overall responsibility for data security.

Staff

Staff need to understand the importance of protecting personal data, be familiar with the organisation’s security policy, and put security procedures into practice.

Physical security

Technical security measures to protect computerised information are of obvious importance. However, many security incidents relate to the theft or loss of equipment, or to the disposal of old equipment and old printouts.

Computer security

As well as a comprehensive backup regime, appropriate access controls and mechanisms need to be in place. Websites in particular need sophisticated security measures in place.

As well as the Data Protection Act there are various other Acts and regulations which have a bearing on data security. These include:

  • Privacy and Electronic Communications Regulations (PECR) 2003 - which cover ‘Spam’ and mass-marketing mail shots. Regulations under the PECR are also issued from time to time. For example, regulations on the use of cookies on websites.
  • Copyright, Designs and Patents Act - amended 2002 to cover software theft.
  • There may be other IT standards and regulations applicable to your business sector. For example, companies processing credit card transactions need to ensure compliance with the Payment Card Industry Data Security Standards (PCI DSS).

How we can help

We can provide help in the following areas:

  • performing a security/information audit
  • training staff in security principles and procedures
  • notification
  • advising on appropriate procedures to ensure compliance with regulations applicable to the type of organisation.

Please do not hesitate to contact us if we can be of further assistance.


For information of users: This material is published for the information of clients. It provides only an overview of the regulations in force at the date of publication, and no action should be taken without consulting the detailed legislation or seeking professional advice. Therefore no responsibility for loss occasioned by any person acting or refraining from action as a result of the material can be accepted by the authors or the firm.

© Jan Watkinson & Co.