Data Security: Policy, Practice and Common Sense
It seems you can’t open a newspaper or switch on the television these days without hearing about a lost memory stick or a stolen laptop. Lapses in data security are not a new problem, but in the year following the loss by HM Revenue and Customs of two discs holding personal details of 25 million child benefit customers, there has been a high level of public concern about the security of personal information. There is a growing awareness of the measures which should be taken to protect data, and woe betide the government department or business which suffers a loss and is shown not to have taken them. Are you confident that your organisation is doing all it should?
You may think that maintaining security is just a matter of common sense. After all, you know that you shouldn’t copy confidential data onto your laptop before taking it on a train. But suppose your laptop has a synchronised copy of a network folder – if another employee has innocently saved a sensitive spreadsheet to a subfolder, it will be automatically copied to your laptop. The same spreadsheet will probably also be in your emergency backups and these will usually be taken offsite.
How to lose secret data you didn’t even know you had on your laptop
Unfortunately, a combination of actions, which in themselves seem harmless, can add up to a serious security breach. Effective security therefore requires a clear policy, put into practice by all staff, which controls how sensitive data is handled in your organisation. The details will vary based on the nature of the data your organisation uses, the requirements you have for working with the data, and the potential severity of the harm or adverse publicity that would arise from losing it. This article describes a three-point strategy for developing an effective security policy, as follows:
- Identification – Identify clearly which data is sensitive
- Minimisation – Avoid storage, duplication and use of the sensitive data
- Protection – Apply safe practices and avoid dangerous actions
Your organisation may handle a variety of data, and unless it is already fully in the public domain, almost all of it will require a basic level of protection. However, only some of this data will be sufficiently sensitive to require stronger security. Normally this will be protected personal information, defined in a recent government report as:
“material that links an identifiable individual with information that, if released, would put them at significant risk of harm or distress, or alternatively any source of information relating to 1000 or more individuals that is not in the public domain, even if the information about an individual is not considered likely to cause harm or distress.”
Depending on the nature of your business you may also need to protect certain commercial data. For the purposes of a security policy, a concrete statement is needed naming the specific kinds of data handled by your organisation which are considered “sensitive”. Armed with this definition, you can begin to classify specific files, folders and computers as sensitive or non-sensitive. It is good practice to designate certain computers as sensitive and ban storing sensitive data in any other location. This has a number of benefits:
- Even without any further security measures, it provides a psychological barrier against accidental or unnecessary use of sensitive data. Giving these computers distinctive names may help!
- You can restrict access to these computers to named individuals.
- You can locate these computers in a locked room and/or on a secure inner network.
- You can apply different backup policies to these computers.
To achieve the maximum benefit, these computers should not also contain other, non-sensitive, data, as this reduces the psychological effect and increases the number of users who require access.
Just because your organisation handles sensitive data, it doesn’t mean you always have to use it. For a given task, you should always consider whether the use of sensitive data is essential. For example, in a database of social care provision data, if you are analysing changes in spending from 2007 to 2008, you don’t actually need to know the names, addresses, dates of birth or financial details of the clients receiving the care. If you took a copy of the database and scrambled all of these fields, the information about how much care was delivered at what price would remain intact, and your analysis would be unaffected. For the purposes of a security policy, such an “anonymised” database can be considered to be non-sensitive.
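The anonymised copy described above, worked through as an added example (this is illustration code, not OCC's own tooling). It uses a constructed set of care provision records: the identifying fields (name, address, date of birth, bank details) are replaced by an opaque client token derived with a keyed HMAC, so that records for the same client still line up, while the fields the spending analysis needs (year, hours, rate) are left untouched. The field names and the 2007/2008 sample values are assumptions; the key is generated on and stays with the sensitive computer and must not travel with the anonymised copy, otherwise the tokens could be recomputed from guessed identities.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict

# Constructed sample of social care provision records (not real data).
# Each row holds client identity fields plus the service data the analysis needs.
RECORDS = [
    {"client_name": "Alice Example", "address": "1 Sample St", "dob": "1940-02-11",
     "bank_account": "11111111", "year": 2007, "care_hours": 120, "hourly_rate": 12.50},
    {"client_name": "Alice Example", "address": "1 Sample St", "dob": "1940-02-11",
     "bank_account": "11111111", "year": 2008, "care_hours": 140, "hourly_rate": 13.00},
    {"client_name": "Bob Placeholder", "address": "2 Sample St", "dob": "1935-07-30",
     "bank_account": "22222222", "year": 2007, "care_hours": 60, "hourly_rate": 12.50},
    {"client_name": "Bob Placeholder", "address": "2 Sample St", "dob": "1935-07-30",
     "bank_account": "22222222", "year": 2008, "care_hours": 50, "hourly_rate": 13.00},
]

# Fields that identify a person or hold financial details (assumed names):
# these never appear in the anonymised copy.
IDENTIFYING_FIELDS = ("client_name", "address", "dob", "bank_account")
# Fields the spending analysis actually needs: these are kept intact.
ANALYSIS_FIELDS = ("year", "care_hours", "hourly_rate")


def pseudonym(secret_key: bytes, record: dict) -> str:
    """Derive a stable, opaque client token from the identifying fields.

    A keyed HMAC (rather than a plain hash) means someone holding only the
    anonymised copy cannot recompute tokens from guessed names and dates of
    birth; that needs secret_key, which stays on the sensitive computer.
    """
    identity = "|".join(str(record[f]) for f in IDENTIFYING_FIELDS).encode()
    return hmac.new(secret_key, identity, hashlib.sha256).hexdigest()[:16]


def anonymise(records, secret_key: bytes):
    """Return a copy of records with identifying fields replaced by a token."""
    out = []
    for rec in records:
        anon = {"client_token": pseudonym(secret_key, rec)}
        anon.update({f: rec[f] for f in ANALYSIS_FIELDS})
        out.append(anon)
    return out


def spending_by_year(records):
    """Total spend per year: the analysis the article uses as its example."""
    totals = defaultdict(float)
    for rec in records:
        totals[rec["year"]] += rec["care_hours"] * rec["hourly_rate"]
    return dict(totals)


def leaks_identity(anon_records) -> bool:
    """True if any identifying field survived in the anonymised copy."""
    return any(f in rec for rec in anon_records for f in IDENTIFYING_FIELDS)


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # generated and kept on the secure server only
    anon = anonymise(RECORDS, key)
    print(spending_by_year(RECORDS))  # original: {2007: 2250.0, 2008: 2470.0}
    print(spending_by_year(anon))     # anonymised copy gives the same totals
    print("identity leak:", leaks_identity(anon))  # False
```

The check that matters for the policy is the last two lines: the anonymised copy yields exactly the same analysis as the original, and none of the identifying fields survive in it. Whether the tokenised copy can be treated as non-sensitive depends on the remaining fields not being identifying in combination; a copy that still carried a full date of birth and a postcode, for instance, would not qualify.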
If you are working with sensitive data which is owned by another organisation, or which is hosted in a secure offsite facility, you can sometimes further minimise use by working with the original data via remote desktop, without copying it to your own premises at all. A combined strategy of making anonymised copies for most purposes, with remote access for the occasional difficult task may enable you to avoid ever having sensitive data on your own premises. If you don’t have it, you can’t lose it.
If your organisation does need to store sensitive data onsite, you should consider whether you need to keep it indefinitely, or whether it can be deleted once work on it is complete. Temporary copies made for analysis purposes should normally be deleted after only a short retention period.
Once you have identified which data is sensitive, and have minimised use of it as far as possible, you can implement measures to protect it. Clarity of identification and aggressive minimisation will reduce the cost and inconvenience of protection.
Protection comes down to a combination of technical security measures, and a ban on certain dangerous actions. The level of security required will vary between organisations, and the following non-exhaustive list gives some areas you should consider:
- Review the physical security of your office. Could a stranger walk in off the street and get into your server room?
- Review general network security and antivirus protection.
- Restrict the list of users who are allowed to access sensitive computers, and review it often.
- Adopt a policy of strong passwords – and ban users from writing them down.
- Review backup arrangements for sensitive data. Backups must be stored in a secure location; if encryption is used for additional protection it is essential to protect the key and to test that the decryption process would actually work in an emergency! Do not back up computers which contain only temporary copies of sensitive data.
- Consider secure wiping or destruction of hard disks when you dispose of old hardware. Deleting or reformatting is not sufficient protection.
- If you use encryption for any purpose, use a strong encryption tool. Password protected office software files and many kinds of password protected zip files are easily cracked.
- Do not transfer unencrypted data by e-mail or over the internet.
And finally, a piece of common sense: don’t copy unencrypted sensitive data onto laptops, memory sticks, CDs, or paper. This is by far the easiest way to achieve 15 minutes of national infamy for yourself and your organisation.
Data Security at Oxford Computer Consultants (OCC)
OCC’s public and private sector projects often involve protected personal information about members of the general public, and in some cases about vulnerable individuals. OCC take the security of this data very seriously, and we adopt the strategy recommended above of Identification, Minimisation, and Protection.
As a software company we deal with potentially sensitive datasets from a large number of customers, and a single definition of “sensitive” is not possible. We therefore keep a list on our internal website which records for each project:
- Whether it involves sensitive data
- If it does:
  - Which data is defined sensitive?
  - Are copies of sensitive data stored on OCC premises?
  - The data retention period
  - Have any special security measures been agreed with the customer?
We use anonymisation technology and remote access whenever possible to minimise the use of sensitive data at OCC premises. Any data that we do handle is carefully protected: when we transfer sensitive data to and from OCC, we always use industry standard methods of encryption, and within OCC premises unencrypted data is stored and processed exclusively on designated secure servers. These are implemented using Microsoft® Hyper-V virtualisation technology which allows us to create multiple virtual servers, each with its own access control list, on a single physical computer kept in a locked server room.
No organisation which handles any kind of personal or other sensitive data can afford to ignore the issue of security. Although common sense has a role to play, it is possible for a combination of apparently sensible actions to lead to a breach of security, and a well designed and implemented security policy is required to mitigate these risks.
This article has outlined a strategy based on Identification of sensitive data, Minimisation of its use, and Protection by technical measures and safe practices. Effective protection is only possible with careful identification of sensitive data within your organisation, and economical protection can be achieved by the minimisation of unnecessary processing and storage of this data.