Oxford Computer Consultants

Impact Newsletter

Dr Chris Henry, IT Consultant

Welcome to the ninth edition of the OCC eNewsletter with its insight into how emerging Information Technology will impact on your business.

Our aim is to inform business managers and technical directors in clear language about topical aspects of IT. Every quarter we'll explain how businesses are using IT to gain a competitive advantage and improve their business processes.

In this issue, Chris Henry discusses Data Security, how to prevent loss of data and what OCC has done to protect personal information.

Data Security: Policy, Practice and Common Sense

It seems you can’t open a newspaper or switch on the television these days without hearing about a lost memory stick or a stolen laptop. Lapses in data security are not a new problem, but in the year following the loss by HM Revenue and Customs of two discs holding personal details of 25 million child benefit customers, there has been a high level of public concern about the security of personal information. There is a growing awareness of the measures which should be taken to protect data, and woe betide the government department or business which suffers a loss and is shown not to have taken them. Are you confident that your organisation is doing all it should?

You may think that maintaining security is just a matter of common sense. After all, you know that you shouldn’t copy confidential data onto your laptop before taking it on a train. But suppose your laptop has a synchronised copy of a network folder – if another employee has innocently saved a sensitive spreadsheet to a subfolder, it will be automatically copied to your laptop. The same spreadsheet will probably also be in your emergency backups and these will usually be taken offsite.


How to lose secret data you didn’t even know you had on your laptop

Unfortunately, a combination of actions, which in themselves seem harmless, can add up to a serious security breach. Effective security therefore requires a clear policy, put into practice by all staff, which controls how sensitive data is handled in your organisation. The details will vary based on the nature of the data your organisation uses, the requirements you have for working with the data, and the potential severity of the harm or adverse publicity that would arise from losing it. This article describes a three point strategy for developing an effective security policy, as follows:

  • Identification – Identify clearly which data is sensitive
  • Minimisation – Avoid storage, duplication and use of the sensitive data
  • Protection – Apply safe practices and avoid dangerous actions

Identification

Your organisation may handle a variety of data, and unless it is already fully in the public domain almost all of it will require a basic level of protection. However, only some of this data will be sufficiently sensitive to require stronger security. Normally this will be protected personal information, defined in a recent government report [1] as:

“material that links an identifiable individual with information that, if released, would put them at significant risk of harm or distress, or alternatively any source of information relating to 1000 or more individuals that is not in the public domain, even if the information about an individual is not considered likely to cause harm or distress.”

Depending on the nature of your business you may also need to protect certain commercial data. For the purposes of a security policy, a concrete statement is needed naming the specific kinds of data handled by your organisation which are considered “sensitive”. Armed with this definition, you can begin to classify specific files, folders and computers as sensitive or non-sensitive. It is good practice to designate certain computers as sensitive and ban storing sensitive data in any other location. This has a number of benefits:

  • Even without any further security measures, it provides a psychological barrier against accidental or unnecessary use of sensitive data. Giving these computers distinctive names may help!
  • You can restrict access to these computers to named individuals.
  • You can locate these computers in a locked room and/or on a secure inner network.
  • You can apply different backup policies to these computers.

To achieve the maximum benefit, these computers should not also contain other, non-sensitive, data, as this reduces the psychological effect and increases the number of users who require access.

Minimisation

Just because your organisation handles sensitive data, it doesn’t mean you always have to use it. For a given task, you should always consider whether the use of sensitive data is essential. For example, in a database of social care provision data, if you are analysing changes in spending from 2007 to 2008, you don’t actually need to know the names, addresses, dates of birth or financial details of the clients receiving the care. If you took a copy of the database and scrambled all of these fields, the information about how much care was delivered at what price would remain intact, and your analysis would be unaffected. For the purposes of a security policy, such an “anonymised” database can be considered to be non-sensitive.
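The anonymised copy described above can be sketched as follows. This is an added example, not OCC's own tooling: the table layout, the sample rows and the choice of a keyed hash (HMAC-SHA-256 with a throwaway key) as the scrambling method are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import sqlite3

# Constructed sample rows:
# (name, address, date of birth, bank account, year, hours of care, hourly price)
SAMPLE = [
    ("Alice Example", "1 Sample Road", "1931-02-03", "00000001", 2007, 120.0, 14.50),
    ("Alice Example", "1 Sample Road", "1931-02-03", "00000001", 2008, 150.0, 15.00),
    ("Bob Placeholder", "2 Test Lane", "1940-07-19", "00000002", 2007, 80.0, 14.50),
    ("Bob Placeholder", "2 Test Lane", "1940-07-19", "00000002", 2008, 60.0, 15.00),
]
SCHEMA = ("CREATE TABLE care (name TEXT, address TEXT, dob TEXT, "
          "account TEXT, year INTEGER, hours REAL, price REAL)")

def build_source():
    """Create the 'sensitive' database from the constructed rows."""
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    db.executemany("INSERT INTO care VALUES (?,?,?,?,?,?,?)", SAMPLE)
    return db

def anonymised_copy(source):
    """Return a copy with every identifying field scrambled."""
    key = secrets.token_bytes(32)  # never stored: tokens cannot be recomputed later

    def scramble(value):
        # Keyed hash: the same input gives the same token within this copy,
        # so rows belonging to one client still group together.
        return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]

    copy = sqlite3.connect(":memory:")
    copy.execute(SCHEMA)
    rows = source.execute("SELECT * FROM care")
    for name, address, dob, account, year, hours, price in rows:
        copy.execute("INSERT INTO care VALUES (?,?,?,?,?,?,?)",
                     (scramble(name), scramble(address), scramble(dob),
                      scramble(account), year, hours, price))
    return copy

def spend_by_year(db):
    """The analysis from the article: total spending per year."""
    return dict(db.execute(
        "SELECT year, SUM(hours * price) FROM care GROUP BY year"))

if __name__ == "__main__":
    original = build_source()
    print(spend_by_year(original))
    print(spend_by_year(anonymised_copy(original)))
```

The key matters: names, dates of birth and account numbers come from small sets of possible values, so an unkeyed hash could be reversed by hashing candidates, whereas tokens made with a discarded random key cannot.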

If you are working with sensitive data which is owned by another organisation, or which is hosted in a secure offsite facility, you can sometimes further minimise use by working with the original data via remote desktop, without copying it to your own premises at all. A combined strategy of making anonymised copies for most purposes, with remote access for the occasional difficult task may enable you to avoid ever having sensitive data on your own premises. If you don’t have it, you can’t lose it.

If your organisation does need to store sensitive data onsite, you should consider whether you need to keep it indefinitely, or whether it can be deleted once work on it is complete. Temporary copies made for analysis purposes should normally be deleted after only a short retention period.

Protection

Once you have identified which data is sensitive, and have minimised use of it as far as possible, you can implement measures to protect it. Clarity of identification and aggressive minimisation will reduce the cost and inconvenience of protection.

Protection comes down to a combination of technical security measures, and a ban on certain dangerous actions. The level of security required will vary between organisations, and the following non-exhaustive list gives some areas you should consider:

  • Review the physical security of your office. Could a stranger walk in off the street and get into your server room?
  • Review general network security and antivirus protection.
  • Restrict the list of users who are allowed to access sensitive computers, and review it often.
  • Adopt a policy of strong passwords – and ban users from writing them down.
  • Review backup arrangements for sensitive data. Backups must be stored in a secure location; if encryption is used for additional protection it is essential to protect the key and to test that the decryption process would actually work in an emergency! Do not back up computers which contain only temporary copies of sensitive data.
  • Consider secure wiping or destruction of hard disks when you dispose of old hardware. Deleting or reformatting is not sufficient protection.
  • If you use encryption for any purpose, use a strong encryption tool. Password protected office software files and many kinds of password protected zip files are easily cracked.
  • Do not transfer unencrypted data by e-mail or over the internet.

And finally, a piece of common sense: don’t copy unencrypted sensitive data on to laptops, memory sticks, CDs, or paper. This is by far the easiest way to achieve 15 minutes of national infamy for yourself and your organisation.

Data Security at Oxford Computer Consultants (OCC)

OCC’s public and private sector projects often involve protected personal information about members of the general public, and in some cases about vulnerable individuals. OCC take the security of this data very seriously, and we adopt the strategy recommended above of Identification, Minimisation, and Protection.

As a software company we deal with potentially sensitive datasets from a large number of customers, and a single definition of “sensitive” is not possible. We therefore keep a list on our internal website which records for each project:

  • Whether it involves sensitive data
  • If it does:
    • Which data is defined as sensitive?
    • Are copies of sensitive data stored on OCC premises?
    • The data retention period
    • Have any special security measures been agreed with the customer?

We use anonymisation technology and remote access whenever possible to minimise the use of sensitive data at OCC premises. Any data that we do handle is carefully protected: when we transfer sensitive data to and from OCC, we always use industry standard methods of encryption, and within OCC premises unencrypted data is stored and processed exclusively on designated secure servers. These are implemented using Microsoft® Hyper-V virtualisation technology which allows us to create multiple virtual servers, each with its own access control list, on a single physical computer kept in a locked server room.

Conclusion

No organisation which handles any kind of personal or other sensitive data can afford to ignore the issue of security. Although common sense has a role to play, it is possible for a combination of apparently sensible actions to lead to a breach of security, and a well designed and implemented security policy is required to mitigate these risks.

This article has outlined a strategy based on Identification of sensitive data, Minimisation of its use, and Protection by technical measures and safe practices. Effective protection is only possible with careful identification of sensitive data within your organisation, and economical protection can be achieved by the minimisation of unnecessary processing and storage of this data.

[1] Data Handling Procedures in Government: Final Report, Cabinet Office, June 2008.


About OCC

What is OCC?

The purpose of OCC is to create original, robust and flexible IT solutions. Our aim is to add value to customers' businesses by enabling them to grasp the opportunities of Information Technology and the Internet. In so doing, we aim to give our staff challenging jobs and competitive rewards. We work in the IT field because we enjoy the technology, because we're good at it and because we can see the positive impact IT has on both business and society. We aim to achieve our purpose by:

  • recruiting and retaining highly skilled staff. We believe that the intelligence and skill of our developers is one of our competitive advantages,
  • working closely with our customers. It is always our aim to allow any prospective client to contact any of our previous or ongoing clients for a reference,
  • using our results and reputation to win repeat business and generate new business. We believe that our reputation should speak for itself; and
  • undertaking leading edge R&D because this is the life blood of innovative companies. This ensures that we have expertise in emerging as well as current software technologies.

What Does OCC Do?

OCC promotes itself as having a strong ability to grasp a client’s business needs and to use technology to “add value” to client processes. Our strengths are reflected in the quality of our development staff, our high levels of repeat business (over 93% of clients buy again from OCC), and our knowledge and experience in specific sectors such as energy, engineering, local government and health.

OCC’s Services and Expertise

Software Services

A complete range of design, development and support services for:

  • Custom software applications;
  • Re-engineering of software in legacy applications; and
  • Content Management System based web sites and web applications based on standard and emerging web services technology.

Industry Sectors

Over 16 years of experience, reference sites and testimonials from our customers in:

Technologies

All mainstream and emerging technologies including:

  • Database applications;
  • Mathematical modeling software with graphical outputs; and
  • Web applications based on Content Management technologies, web services and the semantic web.

Socially Responsible Business Practice

Oxford Computer Consultants adheres to socially responsible business practice (/Doc21009.html). The company has formal environment and ethics policies that are communicated to all staff.
