Data Security

Data Controllers in the private and public sectors hold increasing amounts of personal data on individuals. The decreasing cost of electronic storage and processing has greatly contributed to this. Organisations also increasingly outsource data processing to third parties (“data processors”). Many organisations also continue to hold personal data in manual form – often in off-site locations. This explosion in the quantity of personal data processed and held gives rise to new challenges for organisations. Data Controllers need to regularly audit their holdings of personal data and the procedures they have in place to protect this data. Questions they should ask include:
The Data Protection Acts, 1988 and 2003, do not detail specific security measures that a Data Controller or Data Processor must have in place. Rather, section 2(1)(d) of the 1988 Act places an obligation on persons to have appropriate measures in place to prevent "unauthorised access to, or alteration, disclosure or destruction of, the data and against their accidental loss or destruction." SI 626 of 2001, and later the Data Protection (Amendment) Act, 2003, introduced a new section 2C into the 1988 Act. This section helps interpret the nature of security measures required to demonstrate compliance with 2(1)(d). When determining measures, a number of factors need to be taken into account:
A further development introduced by the 2003 Act is the obligation on data controllers and data processors to ensure that their staff are aware of security measures and comply with them.

This guidance is purely intended as an indication of issues which data controllers and data processors may wish to consider when developing security policies.

Access Control

A data controller has a duty to limit access to personal data on a “need to know” basis. The more sensitive the data, the greater the duty to limit access to it.

Requiring each user to use a unique password to access data is a basic control measure. A password is only useful if staff understand that it must be kept secure. Passwords should be changed regularly in order to minimise the danger of unauthorised individuals gaining access to data.

In conjunction with authentication, the nature of access allowed to an individual user should be set and reviewed on a regular basis. Users should only have access to data which they require in order to perform their duties. Regular reviews are necessary so that access can be increased where needed, as well as restricted where a user's role changes.

There should be strict controls on the downloading of personal data from an organisation’s IT system. Such downloading can easily be blocked by technical means (disabling drives, etc.).

A logging and reporting system is an important tool in assisting the network administrator in identifying abuses and developing appropriate responses.

Encryption

Encrypting (“scrambling”) data can add a further useful layer of security. It can be considered an essential measure where personal data is stored on a portable device. As with passwords, this measure is pointless unless the key to decrypt the data is kept secure.

Anti-Virus Software

Anti-Virus software is not only required to prevent infection from the internet (either e-mail or web-sourced).
Viruses may also be introduced from portable devices, such as memory sticks – a further reason for strictly limiting their use. No anti-virus package will prevent all infections, as such packages are only updated in response to infections. It is essential that users update such software on a regular basis, but also stay vigilant for potential threats. A policy of not opening e-mail attachments from unexpected sources can be a useful way of preventing infection.

Firewalls

A firewall is essential where there is any external connectivity, either to other networks or to the internet. It is important that firewalls are properly configured, as they are a key weapon in combating unauthorised access attempts. The importance of firewalls has increased as organisations and individuals increasingly avail of "always-on" internet connections, exposing themselves to a greater possibility of attack.

Automatic screen savers

Most systems allow for screensavers to activate after a period of inactivity on the computer. This automatic activation is useful, as the alternative, manual locking of a workstation, requires positive action by the user every time he/she leaves the computer unattended. Regardless of which method an organisation employs, computers should be locked when unattended. This applies not only to computers in public areas, but to all computers. It is pointless having an access control system in place if unattended computers may be accessed by any staff member.

Logs and Audit trails

It is of course pointless having an access control system and security policy if the system cannot identify any potential abuses. Consequently, a system should be able to identify the user name that accessed a file, as well as the time of the access. A log of alterations made, along with author/editor, should also be created. Not only can this help in the effective administration of the security system, but its existence should also act as a deterrent to those staff tempted to abuse the system.

The Human Factor

No matter what technical or physical controls are placed on a system, the most important security measure is to ensure that staff are aware of their responsibilities. Passwords should not be written down and left in convenient places; passwords should not be shared amongst colleagues; unexpected e-mail attachments should not be opened unless first screened by anti-virus software.

Certification

ISO 27001 is an information management standard approved by the International Organisation for Standardisation. If a body is certified to be ISO 27001 compliant, it would demonstrate compliance with the security requirements of the Data Protection Acts. Further information about the Standard is available from the NSAI website.

Remote Access

Where a worker is allowed to access the network from a remote location (e.g. from home or from an off-site visit), such access creates a potential weakness in the system. Therefore, the need for such access should be properly assessed and security measures reassessed before remote access is granted.

Wireless networks

Access to a server by means of a wireless connection (such as infrared or radio signals) can expose the network to novel means of attack. The physical environment in which such systems are used may also be a factor in determining any weakness in the system security. As with remote access, wireless networks should be assessed on security grounds rather than solely on apparent ease of use.

Portable Devices

Laptops, personal organisers and other forms of portable device are especially vulnerable, as there is not only a higher risk of theft, but also a new risk of accidental loss. It would be a sensible precaution not only to have adequate security measures, but also to limit what data are placed on such machines in the first place. Where a data controller considers it essential to store personal data on a portable device, encryption of the device to a standard that makes it impossible to access the data without the encryption key should be the norm. Such personal data should be deleted from the portable device as soon as possible.

Back-up systems

A back-up system is an essential means of recovering from the loss or destruction of data. While some system should be in place, the frequency and nature of back-up will depend, amongst other factors, on the organisation concerned and the nature of data being processed. The security standards for back-up data are the same as for live data.

Physical Security

Physical security includes issues like perimeter security (office locked and alarmed when not in use); computer location (so that the screen may not be viewed by members of the public); and secure disposal of records (effective "wiping" of data stored electronically; secure disposal of paper records).