Hosting Your Data. Website Hosting, Security, Data Protection & Information Governance (IG)

Transcription

1 Hosting Your Data Website Hosting, Security, Data Protection & Information Governance (IG)

2 LHM is a web solutions provider that creates technology, products and software that is meaningful and measurable. We connect consumers with providers for the good of all. Focusing on engagement, customer experience and business intelligence, LHM provide smart digital and offline solutions to understand data to drive informed decisions. The capability to discover, combine and visualise multiple data sources with our unique technology has helped our clients to learn more about their business, community and influence change.

3 P3 Contents Hosting Your Data Security Web Application Firewall The Data Protection Act What Activites does the Data Protection Act regulate? What is Personal Data?/Cyber Essentials Information Governance What are the Information Governance requirments? Ten Rules for Data Compliance for your Business

4 P4 Hosting Your Data LHM utilise cloud website hosting solutions by Amazon Web Services (AWS) and manage them for our clients. This provides businesses, non- profits, and governmental organisations with a flexible, highly scalable, and a low- cost way to deliver their websites and web applications. Many people tend to believe that AWS or any other cloud- based solution is only for the riches. However, the reality is completely opposite. We see AWS as playing field leveler enabling any size business to leverage highend technologies and infrastructure needs and Amazon has more than 15 years of experience in delivering global infrastructure at a large scale. Companies, which utilise AWS, include Netflix, Adobe, Nokia and Thomson Reuters. For any business that collects data, website traffic can fluctuate a lot. From quiet times in the middle of the night, to campaign driven, social media sharing traffic spikes, LHM provide a very flexible computing infrastructure that can grow and shrink to meet your needs. Global Infrastructure

5 P5 Security AWS offers our clients peace of mind when it comes to security and backup storage for their content and data. SAS 70 Type II, PCI DSS Level 1, HIPAA, FISMA Moderate and ISO are among the well- recognised certifications that AWS has. The AWS infrastructure puts strong safeguards in place to help protect customer privacy. All data is stored in highly secure AWS data centers. Maintain the highest standard of security without having to manage your own facility. LHM retain complete control and ownership over the region in which your data is physically located, making it easy to meet regional compliance and data residency requirements. E.g. patient data stored within the EU. Multiple geographic regions and Availability Zones allow you to remain resilient in the face of most failure modes, including natural disasters or system failures. Ability to configure built- in firewall rules from totally public to completely private or somewhere in between to control access to instances. AWS delivers highly scalable managed services for database, caching, data-warehousing, transcoding, storage, backup, infrastructure management & application management.

6 P6 Web Application Firewall The biggest contributing factor to website hacks today comes from insecure code. With enough time, and new techniques, attackers find ways to exploit weaknesses in code. A Website Firewall helps stop these vulnerabilities from being exploited. Prevention and protection is the key. In addition to providing the leading hosting solution globally for your business, LHM provide as standard a Web Application Firewall by Sucur i that protects your website and data. The biggest concern with security implementations is always the impact to the website s performance. Rest assured that with our Website Firewall, you experience dramatic increases in performance, not just in how your website loads for your clients, but in the load placed on your web server. We offer the following: Website Malware Removal & Clean Up Continuous Scans for Malware & Hacks Website Blacklist Monitoring & Removal Website Application Firewall (WAF) Distributed Denial of Service (DDoS) Mitigation SSL & PCI Compliance Customer Support Backups of your site We offer our clients peace of mind and professional support when they need it most during a security incident: Defense in Depth: A layered approach to proactive and reactive website security. Protection: Website Application Firewall (WAF) & Intrusion Prevention System (IPS). Detection: Continuous website security monitoring to quickly identify potential Indicators of Compromise (IoC).

7 P7 The Data Protection Act The Information Commissioner s Office (ICO) is the UK s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals. As a data processor for your information, LHM hold the necessary experience and certification to process personal data effectively and support our clients and individuals who are data controllers. The Data Protection Act 1998 requires every organisation that processes personal information to register with the Information Commissioner s Office (ICO), unless they are exempt. Failure to do so is a criminal offence. LHM is registered with the ICO and our Registration number is: ZA197879

8 P8 What Activities does the Data Protection Act regulate? The Act regulates the processing of personal data. Processing, in relation to information or data, means obtaining, recording or holding the information or data or carrying out any operation or set of perations on the information or data, including (a) organisation, adaptation or alteration of the information or data, (b) retrieval, consultation or use of the information or data, c) disclosure of the information or data by transmission, dissemination or otherwise making available, or (d) alignment, combination, blocking, erasure or destruction of the information or data.

9 P9 What is Personal Data? Personal data means data, which relate to a living individual who can be identified (a) from those data, or (b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller, and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual. Cyber Essentials LHM is also accredited under the UK Government s National Cyber Security Strategy is to make the UK a safer place to conduct business online and from 1 October 2014 all suppliers must be compliant with the new Cyber Essentials controls if bidding for government contracts which involve handling of sensitive and personal information and provision of certain technical products and services. The Cyber Essentials scheme is a cyber security standard, which organisations can be assessed and certified against. It identifies the security controls that an organisation must have in place within their IT systems in order to have confidence that they are addressing cyber security effectively and mitigating the risk fro Internet- based threats. The scheme focuses on the following five essential mitigation strategies: Boundary Firewalls and Internet Gateways Secure Configuration Access Control Malware Protection Patch Management

10 P10 Information Governance (IG) LHM has also a certificate for the IG Toolkit, completed with Sandwell and West Birmingham Hospital Trust, completed with Information Governance Manager Claire Mazurkiewicz within the Informatics Service. Information Governance is to do with the way organisations process or handle information. It covers personal information, i.e. that relating to patients/service users and employees, and corporate information, e.g. financial and accounting records. It provides a way for employees to deal consistently with the many different rules about how information is handled, including those set out in: The Data Protection Act The common law duty of confidentiality. The Confidentiality NHS Code of Practice. The NHS Care Record Guarantee for England. The Social Care Record Guarantee for England. The international information security standard: ISO/IEC 27002:2013 and ISO/IEC 27001:2013. The Information Security NHS Code of Practice.

11 P11 What are the Information Governance requirements? There are different sets of information governance requirements for different organisational types. However all organisations have to assess themselves against requirements or: Management structures and responsibilities (e.g. assigning responsibility for carrying out the IG assessment, providing staff training, etc). Confidentiality and data protection. Information security.

12 P12 Ten Rules for Data Compliance for your Business: 1. Consent Wherever possible obtain consent before acquiring, holding or using personal data. Any forms, whether paper or web- based, which are designed to gather personal data should contain a statement explaining what the information is to be used for and who it may be disclosed to. 2. Sensitive data Be particularly careful with sensitive personal data (i.e. information relating to race, political opinion, physical or mental health, religious belief, trade union membership, sexuality, criminal offences etc). Such information should only be held and used where strictly necessary. Always obtain the consent of the individual concerned and notify them of the likely use(s) of such data. 3. Individual rights Wherever possible be open with individuals concerning the information being held about them. When preparing reports or appending notes to official documents, bear in mind that individuals have the right to see all personal data and could therefore read any informal comments made about them. Also be aware that this includes e- mails containing personal data and so the same caution should be used when sending e- mails. 4. Review files Only create and retain personal data where absolutely necessary. Securely dispose of or delete any personal data, which is out of date, irrelevant or no longer required. Hold regular reviews of files and discard unnecessary or obsolete data systematically. 5. Disposal of records When discarding paper records that contain personal data treat them confidentially (i.e. shred such files rather than disposing of them as waste paper). Similarly any unnecessary or out- of- date electroni records should be deleted. Your computers should not be given away or sold unless Information Services have ensured that all information stored on it has been removed or deleted.

13 P13 6. Accuracy Keep all personal data up to date and accurate. Note any changes of address and other amendments. If there is any doubt about the accuracy of personal data then it should not be used. 7. Security Keep all personal data as securely as possible (e.g. in lockable filing cabinets or in rooms that can be locked when unoccupied). Do not leave records containing personal data unattended in offices or areas accessible to the members of the public. Ensure that personal data is not displayed on computers screens visible to passers- by. Be aware that these security considerations also apply to records taken away from the office e.g. for work at home or for an external meeting. Also bear in mind that e- mail is not necessarily confidential or secure so should not be used for potentially sensitive communications. 8. Disclosing data Never reveal personal data to third parties without the consent of the individual concerned or other reasonable justification. This includes parents, guardians, relatives and friends of the data subject who have no right to access information without the data subject s consent. 9. Worldwide transfer Always obtain consent from the individual s concerned before placing information about them on the Internet (apart from basic office contact details) and before sending any personal data outside the European Union, Iceland, Lichtenstein or Norway. 10. Third party processors Be aware that if you are using a third party data processor e.g. for bulk mailings or database management and are giving them access to personal data, then you must have a written contract in place with them to ensure that they treat such information confidentially, securely and in compliance with the Data Protection Act 1998.

14 Together we re making a difference LHM works in partnership with many leading health institutions, housing organisations and local authorities. There s so much you can achieve using smarter digital communications. We support our clients to make people s lives better and improve awareness of how our health and care systems can be enhanced. We re making a difference, and so are you. Call: hello@lhmmedia.com or visit