With the many GDPR offerings & the associated fear mongering out there, businesses would be forgiven for forgetting that there has always been a legal requirement on the use and protection of personal data: the Data Protection Act. In fact, the ICO (Information Commissioner’s Office) has been tracking down & levying fines on shady companies that have abused personal data for many years. Nobody is above the law; even Humberside Police have been fined £140 000 & the Royal Mail Group £12 000:

5th April 2018 – Humberside Police has been fined £130,000 by the Information Commissioner’s Office after disks containing a video interview of an alleged rape victim went missing.

6th April 2008 – Royal Mail Group Limited has been fined £12,000 by the Information Commissioner’s Office after sending more than 300,000 nuisance emails. On two dates in July 2017, the company sent emails to 327,014 people who had already opted out of receiving direct marketing.

– ICO Actions Taken

The introduction of GDPR, while protecting individuals & clarifying the requirements for business, has in my opinion best served to re-focus attention on the need to protect information. But don’t lose focus: while the loss or mishandling of personal information can lead to one of the fines above, the careless handling of business-critical information could result in the loss of your business. Long term, I would recommend you incorporate all of your business in an Information Security Management System. Information security isn’t just for the 25th May; it is for the whole year and your entire business. Use ISO 27001 guidance to set up an Information Security Management System that protects your whole business, & ISO 27001 certification to demonstrate due diligence & give potential customers that warm cosy feeling.
The official announcement is: “From 1 October 2014, government requires all suppliers bidding for certain sensitive and personal information handling contracts to be certified against the Cyber Essentials scheme.”

In reality this is primarily for central government suppliers, i.e. the Departments of Health, Transport, Education, Defence, etc., but the unofficial word is that it will be rolled out to local government, i.e. councils, hospitals, police, etc., over the next few years.

Cyber Essentials covers 5 main areas of vulnerability:

1. Boundary Firewalls and Internet Gateways
2. Secure Configuration
3. Access Control
4. Malware Protection
5. Patch Management

These include the types of controls found in the ISO 27001 SOA:

A.13.1 Network Security Management
A.12.1 Operational Procedures and Responsibilities
A.9.2 User Access Management
A.12.2 Protection from Malware
A.12.6 Technical Vulnerability Management

Therefore people with ISO 27001 are part way there already. The main difference is that Cyber Essentials is prescriptive and not optional: there is no opt-out for any of the 34 questions in Cyber Essentials, and the control each question requires is much tighter. For example, all software must be licensed and supported, so any PCs that still use Windows XP cannot be included in the scope and would need updating/replacing (this is just one example).

The issues facing the take-up of the standard are:

- Lack of awareness of the standard
- Lack of trained practitioners (only 100 or so in the UK)
- The trained practitioners may not be IT-savvy enough to implement it effectively
- A big headache for large businesses, due to a lack of automated roll-out tools to cope with the prescriptive requirements for each device within scope, causing resistance to implementation
- Implementation systems/methodology are new and not yet as efficient as they need to be, due to the learning curve
We do, however, now have one of our ISO 27001 consultants fully trained & qualified as a Cyber Essentials Practitioner. ISO 27001 will continue to be the most recognised & accepted information security standard. However, if you do deal in, or wish to enter, the government & public sector arena, we would advise you to start looking at this.