Author: Himanshu Shewale
The UK Data Protection Act is known as one of the most stringent regulations when it comes to protecting "personal data". The Act regulates how personal data must be protected while it is processed, stored or transmitted by the data controller. A data controller is any entity that holds information about its customers, and it therefore needs to comply with the Data Protection Act.
One of the basic motives behind the Act is to prevent personal data from being compromised, whether accidentally or deliberately. In the digital era, personal data is mostly maintained in digital format. Principle Seven of the Data Protection Act addresses securing the information irrespective of its format. In general, an organization is responsible for maintaining the security of the data it holds in its environment. The security controls implemented to this end need to be versatile, and hence a more holistic, risk-centric approach will provide a better outcome.
The UK Data Protection Act, Principle Seven, states:
"Appropriate technical and organizational measures shall be taken against unauthorized or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data."
Security measures appropriate for meeting Principle Seven:
The Data Protection Act does not define the security measures that need to be in place. However, industry-specific best practices and standards may impose specific security measures. Depending on the organization's environment and business processes, security measures will vary, but in general technical, physical, management and organizational security measures are all important for protecting personal data.
- Organizational and management measures
Risk assessment is the cornerstone of any security assessment for an organization. Identifying business-specific risks and the corresponding threats and vulnerabilities helps align security efforts in the right direction. Risk assessment also helps identify and allocate responsibility for security measures to individuals and teams in an organization.
- Staff
Underestimating the organization's internal threats has proved to be one of the biggest mistakes of late. Training and awareness play a vital role in ensuring that staff understand the importance and responsibility of protecting sensitive and personal data. Staff roles and responsibilities need to be clearly defined, and it must be ensured that security procedures are actually put into practice.
- Physical security
Technical security measures to protect computerized information are of evident significance. However, most security incidents relate to the theft or loss of old computers or equipment, or to hard-copy records being abandoned.
Physical security includes things like the quality of locks and of entrance and exit doors, and whether facilities are protected by warning alarms, security lighting or CCTV cameras. However, it also involves how you perform visitor management, control access to the facility, discard hard-copy paper waste and media, and keep portable electronic equipment secure.
- Computer security
Computer security is constantly evolving and is a complex technical area. It needs to be appropriate to the size and use of your organization's systems. Your security measures must be appropriate to your business practices, to the nature of the personal data you hold and to the harm that could result from a security breach. Security controls include, but are not limited to:
- Organizational information security policies, procedures and guidelines
- Logical and Physical access control
- Encryption of sensitive data during transmission and storage
- System components configuration and hardening
- Information access management
- Device and media controls
- Person or entity authentication
Information security breaches cause not only monetary loss but reputational loss too, and the result of a breach might prove costly for an organization. Recently, a Japanese consumer electronics giant was fined heavily by the Information Commissioner's Office for a 'serious breach' of the Data Protection Act. Hackers succeeded in breaking into the company's online store and exposed personal information including names, addresses, dates of birth and credit card information.
How to get compliant:
- First of all, the organization needs to determine whether there is a legitimate business reason for storing, processing and transmitting personal data.
- If yes, then it is necessary to define and implement the best-suited administrative, physical and technical controls at the organization level, so that the personal data is handled in a fair and legal manner.
- Identifying what best suits a particular business environment is often tough. Hence, partnering with information security specialists to identify the security controls best suited to a particular environment is of utmost importance.
Information security investment in the effort to protect personal data will be fruitful only if business-specific risks are properly recognized and mitigated in a timely manner.
Author: Himanshu Shewale, Privacy | HIPAA | Risk Assessment | PCI DSS, MS (Information Security)