There’s a line to be drawn between Data Protection and Information Security and if your charity is confused about where that line is, or insists that the Information Security Officer doubles up with Data Protection duties, or worse still vica-versa, then maybe it’s about time to review your Data Protection procedures, not to mention your policies, especially given the requirements of the General Data Protection Regulation. Compliance with its requirements should be a strict matter of governance and not confused with many faces of the field that is information security.
The prescribed principles of Data Protection enshrined in law are there to be adhered to. Whether data must be processed fairly and lawfully, for example, is not a discretionary decision. Crafting policies and procedures to enable your organisation to safely use mobile tech to enhance it’s work however, may indeed require insight and expert understanding in order to devise safe and secure processing of personal information.
It’s best not to let one run away with other, and to make sure that data is kept safely and securely. Don’t get the ‘GDPR jitters’ though – your friendly helpful information security officer is part of the team and will bring the methods to deliver on the actions.
The price of free isn’t the same as ‘no cost’. Likewise ‘open source’ doesn’t equal free. Also ‘free subscription’ doesn’t mean that you don’t pay. The price of free, often or not, is yourself. You my friend are the product and the systems you sign up for as ‘free’ are a contract to your willing participation in being sold. Sorry for the harsh reality but folks really need to be able to differentiate between corporate and personal, and make a value judgement on what they’re prepared to sell in return for a service. As an individual it’s your choice and there are some services that I will happily use in return for being the recipient of some blatant, if ill-targeted, advertising. We should however be professionally concerned with the attraction of our charity colleagues to these so-called ‘free’ services. It might be easy on the budget to sign up for free web hosting but what will your supporters think when your website is surrounded by garish banner ads selling dodgy medication and worse? This and many more real examples can be shared by your CSF colleagues so don’t let the price of free be your reputation.
They say that imitation is the sincerest form of flattery. Well, I’d say that identity theft is taking that a step too far. The urge to masquerade as someone else may have deep roots in the human psyche but as usual the ‘bad guys’ have put a more sinister spin on things and are only too ready to exploit an alter-ego given half a chance. Bogus passports, fraudulent bank loans, even online relationships, are all the province of those hiding behind the ‘front’ that the anonymity of the internet can purvey.
For charities dealing with the most human of interactions, taking their operations online is a challenge in establishing not only a verifiable identity but also establishing the trust that must ensue to ensure they can be trusted with that most precious collection of information which makes up that thing we call our identity.
Identifying the precious attributes that define your benefactors will help you to identify which information assets your information security controls should be protecting. Keep ’em safe.
“There are no computers, only networks.” We might not be too far off that reality. And that reality puts a lot of responsibility on whoever runs your network. It’s likely that one way or another your network is your weakest link, and that as an information security officer you’ll know that your ‘data in transit’ is the most vulnerable state of your most precious asset.
Wrongly configured and ill-protected networks are the stuff of infosec nightmares, and routers with default passwords are the genesis of such dreams. Check now with your network guy/gal (or with yourself if you have the responsibility in your charity) that there isn’t a router with a default password remaining in your network. If you have to, try logging in to each and every router with the default username and password. (Google will be your friend here) If you can log in then it’s time to take action. Your choice. Just sayin’
To paraphrase a saying “There are no old, bold, DBA’s”. That’s “database administrators” in case you were wondering, and one might go even further to say that there may not even be any DBA’s before too long. Demonstrably secure relational databases should be a thing of wonder; users who can ‘write down’ but not ‘write up’ should be revelling in the knowledge that they will never accidentally overwrite the major donor address records, let lone be able to access them; and information security officers should be rejoicing in the knowledge that their corporate databases embody the only ACID test that matters. But all this database stuff seems to have been a bit too complicated. Codd and Date must be weeping.
Our trendy web developer colleagues seem to treat the database (if we really must have one at all) as a bucket of bits to be hooked up to some web front-end, and off we go. Hey presto! Instant access via the internet to that particular piece of precious data. And what of SQL injection attacks, what of transactional integrity, and what of security?
If a security model is too complex then there is every chance that folks will work a way around it; or worse, they might ditch it completely in favour of a system that doesn’t have any security to get in the way of ‘progress’. Keep your data safe – it’s why we invented databases.