Cyber Security and Managing Personal and Confidential Information
In an organisation, the management and processing of PCi (Personal and Confidential Information) should be governed by a policy that every employee understands. Retraining should be offered and reminders sent to avoid data breaches. Users who access and process such information should meet the following criteria:
- Have a legitimate, job-related reason to handle PCi.
- Comply with the Data Protection Act 1998 when managing and processing data (this should be incorporated into the organisation's IT policy).
- Be able to justify the need to use or store PCi on portable devices (laptop, iPad or USB) in public spaces.
- Be aware of the protocol for reporting any data loss or breach to the Chief Information Officer (or your organisation's equivalent).
A cyber security policy on PCi will usually cover the following topics:
Storage of PCi
All PCi must be stored on agreed network drives or agreed encrypted devices. PCi may only be transferred to USB sticks provided they are encrypted and all data is deleted immediately once it has served its purpose. Camera or phone images of any PCi must not be kept on personal devices. All data should be stored on company-issued and company-secured devices.

Storage of information is an important aspect of any IT policy. Loss of data can happen to anyone. For example, in 2007 HMRC seemed to be losing data far too often. None of those data breaches involved a complex hack orchestrated by fraudsters; it all came down to users, the employees. The BBC has kindly listed the most memorable data losses by HMRC (Her Majesty's Revenue and Customs).
Mobile Device Security (laptop, tablet, phones)
- All mobile devices must be password protected (see the password policy by Bantu Tech).
- Mobile phones that are no longer in use should be decommissioned and wiped.
- PCi must be encrypted if stored on a mobile device. If an organisation issues mobile phones, use an enterprise server such as BES (BlackBerry Enterprise Server).
- Do not use a company-issued mobile device over insecure Wi-Fi networks.
- Any PCi held on mobile devices must be encrypted.
- All devices need a remote wipe function, in case they are lost or stolen.
Security is at the forefront of BlackBerry for a reason. They just can't be matched. If governments depend on them to secure their devices, your organisation probably should too. CrackBerry (a fan site dedicated to all things BlackBerry) has more information on whether you need a BES. And of course, head over to BlackBerry for more information.
Distributing PCi internally/externally.
- All PCi in electronic format must be encrypted.
- PCi sent internally should be password protected.
- Should you ever need to post PCi (as a last resort), ensure it is sent in secure packaging and that recorded or courier delivery is used (receipts and signatures kept).
- Avoid sending PCi via Dropbox or other cloud distribution services. If the user loses access to these accounts, your data is vulnerable.
- PCi should never be sent in the body of an email, always in an encrypted attachment.
HMRC once posted Child Benefit data stored on CDs via TNT non-recorded delivery; the discs never arrived, and the data was never seen again (and luckily never used). Also concerning HMRC, an employee once left a laptop in a car and the laptop was stolen. Read more here. Employees can be an asset to an organisation, but at the same time they can be the start of its downfall. Losing consumer and public data means you lose any trust your company has ever built with its customers.
Disposal of hardware, data files and documents.
Degausser – if you have never heard of it, google it and go buy one. It is the safest way to dispose of computer hard drives. The hammer and nail is still an option, but a degausser is a machine that does the exact same job.
If you intend to sell hardware, wipe the machine and remove the OS for good measure.
Old machines should not be left to rot in a storeroom. Decommission them and either use them for parts (if out of warranty) or dispose of them in an environmentally friendly manner.
As always, it is important to remember the key elements that must be part of an IT security policy:
- Individual login accounts and password management.
- Antivirus on all machines with access to data.