Bridewell of Knowledge Q1



Page 1: Bridewell of Knowledge Q1

One of the aims of the impending changes to EU data protection regulation is to define a framework for a consistent approach across Europe. A number of new concerns have been raised that the proposed framework will have a negative impact and undermine research that heavily relies on personal data.

Several of Europe’s top scientific institutes have sent a letter to the EU warning that the proposed changes will significantly hinder research. The main area of concern relates to the legal requirement that would require consent to use personal information in research studies. It is also felt that, even if consent was obtained, the restrictions the new regulations impose would make it very difficult for institutes to maintain contact with the participants taking part in the research.

The greatest impact will be seen in the collaboration between institutes in medical research. In recent years links have been made between socio-economic characteristics and health. For example, research has demonstrated links between unemployment and general health, and between smoking and the birth weight of babies, as well as being able to demonstrate the benefits of breastfeeding on child development. Restrictions on how personal data can be used in such studies would hinder the evidence that is the basis of the research and, in some cases, would totally invalidate the research.

With the emergence and growth of data analytics (“Big Data”), the potential to unlock hidden benefits from vast volumes of data (especially in developing countries) may sadly remain untapped.

The proposed changes to data protection regulation have been pending for over 18 months and have yet to be finalised. It is clear there are key areas (e.g. research) that urgently need to be considered; otherwise the benefits to our health and well-being, and to those of the generations to come, may remain undiscovered.

Is there a danger that Data Protection will impact our well-being?

In September 2012, the European Commission produced a strategy paper titled “Unleashing the Potential of Cloud Computing in Europe”.

The strategy was quite simple, stating that embracing cloud technology across all industry sectors would lead to significant economic gains across Europe. The paper estimated that 2.5 million new jobs would be created across Europe, adding an estimated €160 billion to the European economy by 2020.

Concerns over privacy and security have acted as a barrier to migrating data to the cloud, as the procuring organisation is liable for any data protection breaches. Whilst there are financial savings to be made from cloud computing, there is an expectation that the levels of security control should be commensurate with those of a non-cloud environment.

In August 2014, the British Standards Institute (BSI) published BS ISO/IEC 27018:2014 Information technology – Security techniques – Code of practice for PII protection in public clouds acting as processors of personally identifiable information (PII). The standard is designed to work alongside ISO27001, which security professionals are very familiar with, and will also be supported by ISO/IEC 27017 – Information technology – Security techniques – Code of practice for information security controls based on ISO/IEC 27002 for cloud services, which is currently in draft and due to be published in 2015.

ISO27018 sets out a number of cloud provider obligations which will enable organisations to measure and audit a cloud provider against the standard and also create a culture of transparency between both parties. It is also designed to assist both parties on how to enter into a contractual agreement.

The standard is a significant step towards ensuring compliance with the principles in the Data Protection Act, but only time will tell if it addresses the key concerns of customers with regard to the use of cloud technology. The standard may well lead to a significant increase in the adoption of cloud technology that could generate the predicted economic benefits across Europe.

Don’t let things cloud your judgement

Bridewell Consulting LLP, Soane Point, 6-8 Market Place, Reading, Berkshire, RG1 2EG, tel: +44 (0)1189 255 084

To discuss what Bridewell Consulting can do for you please e-mail [email protected]

www.bridewellconsulting.com

Ongoing update on developments in security and risk assurance

Promoting discussion between business leaders and security professionals

Celebrating the value information security brings to business

Objective perspective on current issues

Building awareness and understanding

Dispelling fear

February 2015

Page 2: Bridewell of Knowledge Q1

INFORMATION & TECHNOLOGY RISK

CYBERSECURITY

SECURITY TESTING

DATA PRIVACY

INFORMATION SECURITY & ASSURANCE

CLAS Consulting, ISO27001 Advisory and PCI Compliance

Security Operations, Security Architecture and Network Security

Risk Management, Risk Assessment and Risk Treatment

Application and Infrastructure Penetration Testing

Data Protection Consulting and Audits

Is the vision of 1984 becoming a reality?


And finally… Hacking... it’s a PIZZA cake

Looking back at the news items over the past year, one hack stands out.

We all know what data matters to us and needs safeguarding. However, how would you feel if it became public knowledge that you were a HOT & SPICY person? Would you feel like your privacy had been invaded?

In June 2014 hackers stole information relating to 600,000 Domino's pizza customers, threatening to make their details public if they were not paid £24,000. The hackers managed to break into vulnerable servers that were shared by Domino's stores based in France and Belgium. Domino's did admit they had a problem with a server but were quick to point out that no customer financial (credit/debit card) data had been stolen.

That said, the information stolen did contain customers' full names, addresses, phone numbers, email addresses, passwords and delivery instructions. Also, perhaps most importantly, the individual’s favourite pizza toppings. As Domino's decided not to meet the ransom demand, the hackers will most likely be looking for another buyer for this data.

On a serious note, it does highlight that hackers are always looking for weak links and will try to gain some form of financial benefit from an organisation. Regardless of Domino's reassurances, a significant amount of personal information was stolen and, in all likelihood, the stolen user names and passwords may well be valid on other sites where personal financial details could be obtained.

In this instance, the hackers were looking for financial gain. Whether they deliberately targeted Domino's or simply found by chance that the company had vulnerable servers is unclear. There is the possibility that the hackers just preferred Pizza Hut or Pizza Express, where they were planning to spend most of their ransom money!!

The recent story of the Morgan Stanley employee in the US who stole data relating to 350,000 clients and posted some of it online, highlights the potential need to monitor employee actions.

Security operations and monitoring of user activity is becoming more common with the secondary benefit that such technology can also monitor employee productivity. So how much should organisations routinely monitor their employees?

Employers can see the potential benefits of having an employee monitoring program. Organisations can increase productivity by identifying and managing employees struggling with certain tasks. It is also possible that employers will identify tasks that are time consuming for employees with little benefit to the business. It can also help organisations identify top performers and top performing departments, as well as being able to see the impact a change to organisational strategy can have on the productivity of the organisation.

Security and risk professionals can also see the value and benefits: for example, reducing risk by being able to detect fraudulent activity early; improving investigative ability when compiling case information against an employee, thereby reducing the need for specialist forensic investigations; and, most importantly, preventing activity such as that undertaken by the now former Morgan Stanley employee.

There is however the other side of the argument which comes from privacy lawyers, HR professionals and employee welfare groups, who see it simply as an invasion of employee privacy.

Employees are subject to an organisation’s rules by agreeing to abide by all security policies, processes and procedures by signing computer use policies as well as the codes of ethics and working practices.

It can be difficult for organisations to balance their needs against the right of their employees to privacy.