Five steps to securing personal data online Gary Shipsey Managing Director


Gary Shipsey, Managing Director
25 September 2014

Agenda: learn from the mistakes of others and protect personal information online.
1. Where does your information go? Who is responsible for online security?
2. The top 5 risks, and what to ask to sort them out.
3. The future: privacy impact assessments and privacy by design.

Who are you? Why are you here? Do you have a website? Do you use web-based services?

My favourite colour is ...
My salary is ...

In 2010, I voted for ...
I last visited the doctor for ...

I have read 50 Shades of Grey.
My favourite position is ...

A typical sign-up form:
Email: garyshipsey@aal.co.uk
First name: Gary
Surname: Shipsey

The same form on the Animal Testing Support Group website:
Email: garyshipsey@aal.co.uk
First name: Gary
Surname: Shipsey

What each kind of data is used for once it has been taken:
- Genuine email address and name: sell on to a spammer.
- Passwords: use to guess other passwords.
- Sensitive information: use to blackmail the person or the organisation.
- Financial details: use to commit fraud.

Case study: bpas. Data exposed:
1. Name
2. Telephone number
3. Date of birth
4. Address
"not personal medical records of women who had undergone treatment at bpas and such records were never at risk"
"... ethnicity and social background could have led to physical harm or even death if the information had been disclosed by the attacker."

1. Where does your information go? Who is responsible for online security?

Diagram labels (built up over three slides) showing where personal data ends up:
- Web-based services: newsletters (login; details; newsletter; donor / service user data); email.
- Your website: database; backup; member area (login; member details; member content).
- Defined personal data / content.

Who manages your IT? Who manages your website? Internal, or external (a contracted-in support service)?

2. The top 5 risks and what to ask to sort them out

Risk 1: Check that the forms on your website are set up correctly.
Cartoon caption: "Smith. Now tell me all the information you have about all the other applications."

Risk 1 (continued): SQL injection. SQL is Structured Query Language. SQL injection is a common theme across the many computer-related data breaches; preventing, detecting and addressing the threat should be a high priority in comparison to other vulnerabilities.

Risk 1 (continued). The question to ask: is information entered on our website ever treated as a set of instructions?
A. Identify who is responsible for maintaining the source code (this will vary depending on whether the application is maintained externally or internally).
B. Use the secure tools provided by the application programming interface (API) in use.
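An added example, not from the deck, of what "treated as a set of instructions" means and what the API's secure tool looks like: the same surname lookup built by string concatenation and by the parameter placeholder that Python's sqlite3 module provides. The member table is constructed sample data; a legitimate surname containing a quote is enough to show that the concatenated form is parsed as SQL while the parameterised form is not.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for a website's member database (sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (surname TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO members VALUES (?, ?)",
        [("Smith", "smith@example.org"), ("O'Brien", "obrien@example.org")],
    )
    return conn


def lookup_concatenated(conn, surname):
    """The form value becomes part of the statement text, so the database parses it as SQL."""
    sql = "SELECT email FROM members WHERE surname = '" + surname + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterised(conn, surname):
    """The API's placeholder keeps the value as data; it is never parsed as part of the statement."""
    sql = "SELECT email FROM members WHERE surname = ?"
    return [row[0] for row in conn.execute(sql, (surname,))]


def compare(surname):
    """Return (concatenated result, parameterised result).

    When the concatenated statement no longer parses, the first slot holds an
    'error: ...' string instead of a list, which is the symptom of input being
    read as instructions rather than as a surname.
    """
    conn = make_db()
    try:
        concatenated = lookup_concatenated(conn, surname)
    except sqlite3.Error as exc:
        concatenated = f"error: {exc}"
    return concatenated, lookup_parameterised(conn, surname)


if __name__ == "__main__":
    print(compare("Smith"))     # both forms find smith@example.org
    print(compare("O'Brien"))   # concatenated form fails to parse; parameterised form works
```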

Risk 2: Passwords and credentials.
A. Have we changed default usernames, passwords and settings?
B. Do we hold all our passwords securely? No plain text (and no password "reminders"); hashing and salting.
C. Do we ensure each and every password is difficult to crack?

Risk 3: Software and services.
A. Do we keep our software up to date? (e.g. V2.1.2.36)
B. Have we removed unused software and services?
C. Are we sure redundant software and services are fully redundant?

Risk 4: Know where your data is being stored, to reduce the risk of personal data being processed in inappropriate locations.
A. Do we have a well-designed system and network? Have we clarity on where and how data is processed (e.g. test versus live systems)?
Network diagram: networked zones, segregated by function.
- Internet: users / clients / donors.
- DMZ: a separate network zone that provides external services to the internet; lower security.
- Main internal network (You): staff, volunteers; higher security.
- Internal network segments: HR, Finance, Fundraising.

Risk 4 (continued).
B. How do we manage backups? Onsite or offsite; purpose; access; audit.
C. Do we store data in widely-accessible locations? Secure areas of websites (e.g. member areas) must apply specific access restrictions, not just a hidden location such as www.example.com/private.

Risk 5: Ensure secure communications across the internet: https://, Secure Sockets Layer (SSL), Transport Layer Security (TLS), encryption schemes.

Risk 5 (continued). Between You and the user / client / donor:
A. Are our communications encrypted?
B. AND is the identity of one (or both) of the endpoints trusted / verified?

A. If the communication is not encrypted, the information transmitted will be viewable via any system on the route between the two endpoints.

B. Man-in-the-middle attack. If there is no assurance of your identity:
a) An impersonator impersonates the secure service that the user expects to see.
b) The user potentially agrees to an untrusted connection. Why? Because they ignore security warnings (they are used to seeing them on your site) and the site looks almost identical to yours.

c) The impersonator then forwards the communication to You (the legitimate service).
d) The impersonator can see the communication on the way past. Both the user and You are unaware that the connection is compromised.

B. Where the identity of one (or both) of the endpoints needs to be trusted / verified: the user receives a digital certificate from the server. A valid digital certificate provides assurance to the user that You have satisfied a Certification Authority that You legitimately control the domain name(s).
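An added example, not from the deck, of the two checks behind "identity trusted / verified": the name the user typed must be among the domain names the certificate was issued for (the single-label wildcard rule is implemented here in full, so it goes slightly beyond the slide), and the client must be configured to insist on a trusted certificate rather than, as in the man-in-the-middle story, accept anything. The host and certificate names are constructed for the scenario; the look-alike name is an assumption.

```python
import ssl


def hostname_matches(hostname, san_dns_names):
    """Return True if hostname is one of the DNS names the certificate was issued for.

    A leading '*' is accepted only as the whole left-most label and never spans a
    dot, so '*.example.org' covers 'donate.example.org' but not 'example.org' or
    'a.b.example.org'. Comparison is case-insensitive, as DNS names are.
    """
    host = hostname.lower().rstrip(".")
    for name in san_dns_names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*."):
            suffix = name[1:]                      # ".example.org"
            if host.endswith(suffix):
                leftmost = host[:-len(suffix)]
                if leftmost and "." not in leftmost:
                    return True
    return False


def verifying_context():
    """Client settings as the standard library's default gives them: the certificate
    chain is checked against trusted CAs and the hostname against the certificate."""
    return ssl.create_default_context()


def warnings_ignored_context():
    """The configuration equivalent of clicking through a browser warning: no CA check
    and no hostname check, so an impersonator's certificate is accepted. For contrast only."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False        # must be cleared before verify_mode may be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_verifies_identity(ctx):
    """True only when the context will reject an untrusted or mismatched certificate."""
    return bool(ctx.check_hostname) and ctx.verify_mode == ssl.CERT_REQUIRED


# Constructed scenario: the user expects to reach the charity's donation page.
EXPECTED_HOST = "donate.example.org"
LEGITIMATE_CERT_SANS = ["www.example.org", "donate.example.org"]
IMPERSONATOR_CERT_SANS = ["donate-example.net"]   # look-alike name (assumption), not the charity's
```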

Summary of the five steps:
1. Check that the forms on your website are set up correctly.
2. Passwords and credentials.
3. Software and services.
4. Know where your data is being stored.
5. Ensure secure communications across the internet.

3. The future (now)? Privacy Impact Assessments and Privacy by Design

What is a Privacy Impact Assessment (PIA)? A process which helps assess privacy risks to individuals in the collection, use and disclosure of information. It:
- helps you to assess and identify any privacy concerns / risks and address them at an early stage, and throughout the project;
- enables you to bring forward solutions (or accept risks);
- prevents having to bolt on solutions as an expensive afterthought (or fire-fighting issues);
- makes addressing DPA / privacy part of the overall risk assessment / management process of a project or process change.

Examples where a PIA should be undertaken: any project or process change with the potential to impact personal privacy and confidentiality due to how personal information will be managed and processed, for example:
- bringing in a new HR system to manage employee data;
- using a third-party supplier to deliver marketing;
- collecting additional data from customers for use on a new project;
- permitting employees to work from home and/or bring their own devices to work;
- sharing data with other organisations to further your strategic goals.

Why should I do a Privacy Impact Assessment?
1. To avoid costs: you will avoid problems being discovered at a later stage, when making changes will be more expensive.
2. To avoid loss of trust and reputation, by deploying changes without information security and privacy flaws.
3. To identify and manage risks as part of the overall risk assessment and risk management process of the project / process change.
4. To help meet legal requirements: addressing privacy and information security early on will deliver compliance with relevant legislation, i.e. the Data Protection Act 1998.

www.protecture.org.uk
Gary.Shipsey@Protecture.org.uk
020 3691 5731