Given what can only be described as an omnishambles of security breaches, is
there much more that the ICO can do to warn data controllers of the risks they
should take account of?
Probably not.
What might be helpful, though, is for data controllers to refresh
their memories about the guidance the ICO has issued over the past
few years.
Here are my top 7 ICO publications; (virtual) copies of
each of the following guides really ought to be at every DPO's fingertips:
7. Guidance on data security breach management (Dec 2012). This very high-level, 8-page guide
builds on earlier advice that breaches of non-sensitive personal data relating
to more than 1,000 victims should be notified to the ICO, and that breaches of
sensitive personal data should be notified even where far fewer individuals are affected.
6. Bring your own device (May 2013). This 13-page document contains advice on what a BYOD
policy should contain, what security issues to consider with regard to data
storage & transfers, and guidance on monitoring at work.
5. Guidance on the use of cloud computing (Oct 2012). This 23-page guide, evidently about to be
revised by the ICO, contains a useful PIA-type checklist covering the
issues (in terms of risks, confidentiality, integrity, availability and legal
factors) to consider when using a cloud provider.
4. Privacy in mobile apps – guidance for app developers (Dec 2013). This 23-page guide contains
some basic security advice, together with useful examples of good and bad
practice for app developers.
3. Encryption (Mar 2016). This 35-page guide highlights, through a range of practical
scenarios, when different encryption strategies can help provide a greater
level of protection.
2. A practical guide to IT security (Jan 2016). This
natty 18-page guide reports on 10 practical ways to secure IT systems. Sections
offer high level guidance on the importance of:
- Assessing the threats
- Getting in line with Cyber Essentials
- Securing data on the move & in the office
- Securing data in the cloud
- Backing-up data
- Staff training
- Monitoring alerts
- Documenting controls
- Minimising data
- Monitoring contractors
However, and by a country mile, top of my list of "must read" ICO security publications is:
1. Protecting personal data in online services: learning from the mistakes of others (May
2014). This 46-page guide focusses on the 8 most common computer security
vulnerabilities:
- Software updates
- SQL injection
- Unnecessary services
- Decommissioning
- Password storage
- SSL/TLS configuration
- Inappropriate locations
- Default credentials
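Two of those eight headings, SQL injection and password storage, are the ones most often fixed in code rather than by policy, so here is an added, self-contained illustration of both. It is my own example, not code from the ICO guide: the SQLite user table, the sample credentials, the injection payload and the PBKDF2 iteration count are all constructed for the demonstration (production systems should take the iteration count from current guidance, or use a memory-hard scheme such as Argon2).

```python
import hashlib
import hmac
import os
import sqlite3
from typing import Optional, Tuple

# Assumed iteration count, chosen to keep this demo quick; real deployments
# should follow current published guidance for PBKDF2-HMAC-SHA256 or use Argon2.
PBKDF2_ROUNDS = 200_000


def make_db() -> sqlite3.Connection:
    """Constructed in-memory user table for the example (not the ICO's schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)"
    )
    return conn


# --- Password storage: per-user salt + slow hash, never plaintext or bare SHA-1 ---
def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest); a fresh random salt is generated when none is given."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def register(conn: sqlite3.Connection, username: str, password: str) -> None:
    salt, digest = hash_password(password)
    conn.execute("INSERT INTO users VALUES (?, ?, ?)", (username, salt, digest))


def verify_password(conn: sqlite3.Connection, username: str, password: str) -> bool:
    row = conn.execute(
        "SELECT salt, pw_hash FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return False
    salt, stored = row
    _, candidate = hash_password(password, salt)
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(stored, candidate)


# --- SQL injection: string-built query beside its parameterised replacement ---
def user_exists_vulnerable(conn: sqlite3.Connection, username: str) -> bool:
    # DELIBERATELY VULNERABLE: user input is spliced into the SQL text.
    sql = "SELECT 1 FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchone() is not None


def user_exists_safe(conn: sqlite3.Connection, username: str) -> bool:
    # Parameterised: the driver sends the value separately, so it can never
    # change the shape of the statement.
    return (
        conn.execute("SELECT 1 FROM users WHERE username = ?", (username,)).fetchone()
        is not None
    )


def demo() -> dict:
    """Run both checks against constructed data and return the outcomes."""
    conn = make_db()
    register(conn, "alice", "correct horse battery staple")
    payload = "nobody' OR '1'='1"  # constructed injection string
    return {
        "login_ok": verify_password(conn, "alice", "correct horse battery staple"),
        "login_bad": verify_password(conn, "alice", "wrong"),
        "login_unknown_user": verify_password(conn, "mallory", "anything"),
        "vuln_injected": user_exists_vulnerable(conn, payload),  # True: tautology wins
        "safe_injected": user_exists_safe(conn, payload),        # False: literal lookup
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The injection payload is a user name that does not exist, yet the string-built query returns a row because the appended `OR '1'='1'` makes the WHERE clause true for every user; the parameterised query looks for that literal string and finds nothing. On the storage side, the stored salt and PBKDF2 digest are what an attacker would obtain from a database dump, which is the scenario the ICO guide is concerned with.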
So there you have it. Security breaches may well occur
despite data controllers having taken account of the ICO’s advice – but woe
betide a data controller that suffers a security breach because they’ve
wilfully disregarded the published advice.
An inability to follow these basic guides will continue to
be an aggravating factor that will be taken into account when the Information
Commissioner decides what level of Civil Monetary Penalty to impose on a recalcitrant data
controller.