Tuesday, 10 December 2013

Seeing if you need to register with the ICO

If you are thinking about registering, or indeed wanting to know if you need to register, then your first port of call is the ICO website itself. They give a set of very simple questions to see if you need to register.

The questions they ask

At most you only need to answer 11 questions, and for many of you it will be much less than that. On the questions where it might not be completely obvious what they mean they have extra guidance (what is meant by a non profit organisation, for example). Each question has a simple yes or no answer, and each either leads to another question - or instead tell you that you must register or that you don't need to register (and then you don't need to answer any remaining questions). It only takes a few minutes of your time to go through the questions.

The questions they ask you are these:
  • Are you a not for profit organisation that qualifies for an exemption?
  • Does your business or organisation only process information for judicial functions?
  • Are you processing personal information?
  • Do you process the information electronically?
  • Is your organisation responsible for deciding how the information is processed?
  • Do you only process personal information for personal, family, household or recreational reasons?
  • Are you only processing personal data to maintain a public register?
  • Do you only process personal data for staff administration, advertising, marketing or public relations, or accounts or records?
  • Do you only process individuals’ information for staff administration?
  • Do you process individuals’ information for advertising, marketing or public relations?
  • Do you process individuals’ information for accounts or financial records?
Don't bother trying to answer all of these right now; once you are on the website you might only need to answer the first few, for example. I'm just listing them all here so that you can see that they aren't too bad at all.

How to answer the questions

To answer the above questions on the ICO website, either go to the main page at www.ico.org.uk and look for a box at the top right that says 'Register my organisation', and follow the link that says 'Not sure if you need to register?' or just follow this direct link.

Don't need to register?

Now, having gone through these questions you might have found that you don't actually need to register - but the ICO allow you to register voluntarily too. My recommendation to you would be this - if you hold any personal information of living individuals at all, and even if the ICO say you don't need to register - I would still register. It will cost you very little (for most organisations we are talking in the region of £35 per year only, and you can pay by direct debit too). Isn't it worth it for a little peace of mind alone?

The registration process

I'll save talking about the registration process itself until next time.

Still stuck?

If there is anything you are still stuck on then feel free to contact me at any time either by email or phone - contact details are below.

About digitalTrust

We are an information security and information governance business based in the North-East of England, but with a national footprint.

Our services

digitalTrust has expertise in a whole host of inter-connected areas, such as:
  • Data protection
  • Information security
  • Information governance
  • Business continuity
  • Disaster management
We look at all these aspects with a very practical, hands-on approach. We can help with:
  • Training
  • Process and procedures
  • Technologies
  • Virtual Information Security Officer functionality
Disclaimer. The information in this tip was accurate at the time of writing, and although the ICO website is unlikely to alter any time soon, the information provided here should not be relied upon for any purpose other than general information, and digitalTrust cannot be held liable for any loss or damage which may arise from using any information contained herein.

Wednesday, 2 October 2013

Bromance, space rockets and understanding your threats

OK, I admit it - I have a bit of a bromance brewing.

No Z-list celebrity or puerile X-Factor wannabe for me however. My target of admiration is a self-made billionaire and big thinker, he is CEO of Tesla Motors (making electric cars) and also CEO of probably the coolest company on the planet, SpaceX (making rockets - yes, rockets). Oh, and did I mention that he’s also the real-life model for Tony Stark, aka Ironman?

Step forward, Elon Musk.

OK, maybe I have a bit of a problem - but what has this got to do with information security? Give me a second and I’ll get there.

I recently caught up with an interview Elon gave at a TED event earlier this year. Around 14 minutes into the talk it was mentioned that SpaceX doesn’t patent anything on the rockets and spacecraft it makes, and then Elon caught my attention with this:

“Since our primary competitors are national governments, the enforceability of patents is questionable.”

And that made me think.

It made me think that Elon really understands the threats to his businesses - and from there it was only a short jump to my next thought - that many of my clients (small to medium sized businesses) don’t. And that is a fundamental issue.

Let’s step back a bit.

When you lock your door at night, why do you do it? Might you be murdered in your beds? Someone covets your TV? Or is it that you are sick and tired of your neighbour stealing the milk? If you didn’t lock your door, what would happen? Think about it for a moment.

(Image caption: Elon Musk)
OK, so depending on who you are and where you live, your answers might be different to someone else in a slightly different situation to you. What you have done, in information security parlance, is a kind of risk assessment - you have perceived a threat of some sort (you could be burgled, for example) to your assets (your TV maybe), worked out your weaknesses (they could get in via a door or window), and come up with a control (I need to have a good lock on my front door, and use it). There are some threats that we as human beings are really good at getting a handle on, and others we are really bad at understanding - but I might save that for a future blog.

So, let’s move to your office and start thinking in terms of your business assets. What do you have to protect? Depending on your business there might be the office space itself, your staff, your data. I’m generalising here, but basically the office can be covered with forms of insurance and your staff likewise as well as with Health and Safety processes. But what about your data?

So what do I mean by data? By data I mean your business’ information assets (and ‘data’ is a pretty horrible synonym, but we will stick with it as it’s short and sweet). They are the key assets on paper or on a computer hard drive without which your business would not be able to trade. Now every business is different - for you it might be your list of customers and what they’ve bought from you, it might be some very specialised intellectual property that you are about to wow the world with, it might be very sensitive client materials or it could be your secret plans for world domination. I’ve yet to come across two businesses, large or small, with the same information assets - your information assets are pretty much a unique fingerprint of your business.

(Image caption: Tony Stark (aka Ironman), um, no, wait...)
Many businesses, large and small, are starting to get a handle on some aspects of threats to their data - for example, most people understand they need to use anti-virus software on their computers, or that they need to make backups (you do, don’t you?). But for many, that’s as far as it goes. They don’t tend to really consider the threats they face every day.

OK, have a go yourself. Make a quick list of the key threats you think that your data faces every day. I’m guessing that what I consider the number one threat won’t be on your list.

Now, I’m not dismissing what’s down on your lists - I’m sure they are very real threats and need to be dealt with somehow, but I’m betting there is one very real threat that you haven’t considered. Ready to hear what it is?

It’s you.

You are the greatest threat that your business faces - because (on the whole) you are not taking information security seriously enough. I don’t say that lightly; it’s just that small to medium sized businesses are very poor at understanding, let alone applying, information security processes to their data (excluding most businesses that are related to the health profession - in the medical sector the issue of information security and information governance is very high profile).

Information security isn't about the IT (well, mostly) but instead about the processes and the procedures and the people. I’ve seen very well intentioned staff make such horrendous mistakes (while meaning well) that have very nearly resulted in large fines from the Information Commissioner’s Office. I’ve seen businesses started on the back of stolen customer data. Honestly, it’s not pretty.

Information security is, at heart, about putting in place well-understood processes and keeping tabs on them. It’s about training your staff appropriately. With respect to Elon, it’s not rocket science. I’ve made it my personal mission to try to get businesses more aware of the threats they face and what they can do to better protect their data. It’s going to take a while.

And finally, back to the target of my bromance, Elon Musk, advocate of sending humans to another planet, with probably one of the coolest quotes of all time:

"It'd be pretty cool to die on Mars, just not on impact."

Now that’s thinking big.

Monday, 23 September 2013

The mainstreaming of biometrics

Well, in the end, it took a day.

A day for someone to claim that they had hacked the fingerprint scanner on the latest iPhone 5S (Apple Touch ID fingerprint tech 'broken', hackers say - http://www.bbc.co.uk/news/technology-24203929 ).

And, frankly, it’s a bit worrying.

No, I don’t mean that it’s worrying that the iPhone 5S has been hacked - to anyone in the Information Security or IT Security fields this news is something that was expected. The scary bit for us is that biometrics are really starting to hit the mainstream - and if it's arrived for the Apple Fanboys then it'll soon be mainstream from other manufacturers too.

My worry is this - because it’s on their shiny new devices, your typical user will think their devices are secured, but instead the security issues are still as worrying as before but with a whole new dizzying bag of worms attached.

All this reminds me of something that Richard Feynman, a Nobel prize-winning physicist, once said about physical safes - people think their stuff is safe in a safe, because it’s called a safe.

But what are biometrics then? Brief recap - biometrics are all about what you are (you have brown eyes, for example) rather than what you know (like a password) or have (like a key). And to me, they aren’t really about safety - they are about ease of use. And just like passwords or fences or concrete bunkers - you can have good implementations and bad implementations.

Biometric scanners of all sorts and types have been around for donkey's years and are implemented all over the place - but after the latest 'governments can read my data' scandal, suddenly there is a lot of concern about the use of biometrics in such a high profile device from such a high profile manufacturer.

Now, imagine that we start getting fingerprint scanners on every kind of device. Isn't it a bit like using the same password for everything (and we know how bad that is)? Basically, in security, it is generally a very bad thing to put all your eggs in one basket. So, the crux of the issue is this - you can change a password, how do you change your fingerprint?

If you have time, I would heartily recommend listening to the latest edition of the BBC Radio 4 programme 'Inside Science' - they have a great little segment on biometrics. It's available on iPlayer and starts around 17 minutes in.