There’s a line to be drawn between Data Protection and Information Security, and if your charity is confused about where that line is, or insists that the Information Security Officer doubles up on Data Protection duties, or worse still vice versa, then it is probably time to review your Data Protection procedures, not to mention your policies, especially given the requirements of the General Data Protection Regulation. Compliance with the GDPR is a matter of governance: deciding what personal data you hold, why you hold it and on what lawful basis. It should not be confused with the many faces of information security, whose job is to make sure that whatever you have decided to hold stays confidential, intact and available.
The principles of Data Protection enshrined in law are there to be adhered to. Whether personal data must be processed fairly and lawfully, for example, is not a discretionary decision. Crafting the policies and procedures that let your organisation safely use mobile technology to enhance its work, on the other hand, does require insight and expert understanding in order to devise safe and secure processing of personal information.
It’s best not to let one run away with the other, and to make sure that data is kept safely and securely. Don’t get the ‘GDPR jitters’ though: your friendly, helpful information security officer is part of the team and will bring the methods to deliver on the actions that the governance side decides are needed.
When you buy stuff online do you pay with a debit card or a credit card? Me? Well, I’m in the credit card camp, mainly ‘cos I reckon that there’s just that little bit more protection, or shall we say less transference of risk. I may be woefully wrong. But whichever camp you feel happiest in, it’s likely that your charity will be taking online donations, and possibly running some sort of trading operation. With each of these activities comes the requirement to comply with the Payment Card Industry Data Security Standard (PCI DSS), and that applies even when a payment provider handles the card details for you, although the scope of what you have to do shrinks dramatically. If that acronym was new to you, you’d better get reading quickly.
Arguably one of the data items that truly qualifies for the ‘hot potato’ tag, the PAN (the Primary Account Number, the long number across the front of the card) is one data item you do not want in your database. Or your spreadsheets. Or written on neat little piles of paper. Or in someone’s homemade website. If you genuinely have a business need to keep it, PCI DSS requires that it be rendered unreadable wherever it is stored (truncation, tokenisation or strong encryption), and the security code from the back of the card must never be stored once the transaction has been authorised. There’s a whole payment card industry out there (that’s a clue by the way), and a whole stack of experts (some of whom are CSF members) who can help guide us through this morass. But remember that when your supporters supply their payment card credentials in exchange for a warm fuzzy feeling, they expect you to take great care of what amounts to the keys to their bank account.
There’s a definite conference season when it comes to infosec, and for those tasked with organising events it can be a proverbial nightmare to find a date, a venue and a compelling programme that will suit the majority of delegates. Along with the season’s programme of infosec events comes the inevitable deluge of emails advertising, encouraging and promoting each one. It’s great to feel wanted, but how do you tell the genuine from the disingenuous, the scams and spam from the silver-plated invitations to the must-attend events? Check that the organiser and the booking site are who they claim to be before you hand over payment details, just as you would for any other unsolicited email. Sometimes it’s easy, and a good line-up of top-flight speakers will help ensure that there is something to learn and some insights to be gained. For infosec pros working in charities it’s sometimes difficult to justify the cost of a ticket, but that cost needs to be balanced against the speed and depth of knowledge that expert speakers can impart to their audience. Choose wisely, minimise the cost, and learn lots.
Do you filter the content that comes flooding down your internet pipe straight to the desktops of your users, or maybe to the devices of your beneficiaries? If not, you might want to consider ensuring that at least your bit of the internet is ‘safe to surf’. Perhaps your charity has a particular stance on, say, gambling, so it would be rather ironic if your users were spending their lunch hour in a virtual casino. Of course the other side of this coin, so to speak, is company-imposed censorship and the lock-down of liberty experienced by hardworking staff. After all, the internet is just a bit of fun, right? Wrong. The internet, and all that it contains, good and bad, is the very fabric of business these days. Go down the wrong road and your staff may find themselves in a part of town that’s not very friendly: the same category filters that enforce your policy on gambling are what keep users off known phishing and malware-hosting sites, and that is the stronger argument for having them. Maybe it’s better to guide and signpost, and yes, to bar access to certain parts of the cyberworld in which we operate.
The mysterious art of penetration testing shouldn’t be a mystery to us information security professionals; in fact it should be a staple of our infosec diet along with policies and awareness campaigns. Yet for many charities the thought of paying for what is properly termed ‘ethical hacking’ is often deemed a step too far. Perhaps it’s the thought of what will appear on the invoice, or what will appear in the report and need fixing. For some, ignorance may be preferable to bliss. But as a means to seriously raise the stakes when you suspect that your external-facing defences may be a little flaky, the power of the pentest can be second to none. To know that your firewall isn’t properly configured gives you the chance to address that particular problem before some curious outsider makes off with a copy of your confidential data. Getting a proper pentest carried out, with a skilled tester trying to exploit and chain whatever they find, may cost a bob or two, but even a simple and free ‘do it yourself’ scan of your own internet-facing addresses will give you valuable insight into how you appear to the outside world: which ports answer, and what the services behind them admit to being. Scan only systems you own or have written permission to test; a hosting provider may treat an unannounced scan as an attack. And if the results don’t make much sense, your colleagues in the CSF are dab hands at translating and interpreting the contents into an action plan. Or helping you celebrate the security of your organisation!
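To show what that ‘do it yourself’ scan actually does, here is a minimal TCP connect scan with banner grabbing, added as an example for this page and not code from the original post or the CSF. So that it runs offline it first starts a throwaway listener on 127.0.0.1 that answers with a constructed OpenSSH-style banner, standing in for the host you would really point it at; the banner text and port window are assumptions for the demonstration. The usual caveat applies: only scan addresses you own or have written permission to test.

```python
"""A minimal 'do it yourself' TCP connect scan with banner grabbing.

Added example for this page, not the original post's code. The fake service is
a constructed stand-in so the scan can be run offline against 127.0.0.1.
Only scan hosts you own or have written permission to test.
"""
import socket
import threading


def _fake_service(server: socket.socket, banner: bytes) -> None:
    """Constructed stand-in for an exposed service that greets clients with a banner."""
    server.settimeout(5)        # give up after a few idle seconds
    try:
        while True:
            conn, _ = server.accept()
            with conn:
                conn.sendall(banner)
    except (socket.timeout, OSError):
        pass


def start_fake_service(banner: bytes = b"SSH-2.0-OpenSSH_7.4\r\n") -> int:
    """Bind a listener on an OS-chosen loopback port and return that port number."""
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.bind(("127.0.0.1", 0))
    server.listen(8)
    threading.Thread(target=_fake_service, args=(server, banner), daemon=True).start()
    return server.getsockname()[1]


def scan_ports(host: str, ports, timeout: float = 0.5) -> dict[int, str]:
    """TCP connect scan: return {open_port: banner} for ports that accept a connection.

    A completed handshake means something is listening and nothing in between
    blocked us; a refusal or timeout means closed or filtered. Many services
    (SSH, SMTP, FTP) volunteer a version banner as soon as you connect, which
    is exactly the 'how do I look from outside' information a scan is for.
    """
    results = {}
    for port in ports:
        try:
            with socket.create_connection((host, port), timeout=timeout) as s:
                s.settimeout(timeout)
                try:
                    banner = s.recv(256).decode("ascii", "replace").strip()
                except socket.timeout:
                    banner = ""     # open, but the service waits for us to talk first
                results[port] = banner
        except OSError:
            continue                # refused, unreachable or filtered: not open
    return results


if __name__ == "__main__":
    target_port = start_fake_service()
    # Scan a small window around the listener plus a few ports an outsider
    # would always try; on a real engagement you would sweep 1-65535.
    window = list(range(target_port - 2, target_port + 3)) + [22, 80, 443, 3389]
    for port, banner in sorted(scan_ports("127.0.0.1", window).items()):
        print(f"{port}/tcp open  {banner or '(no banner)'}")
```

A connect scan like this is the noisiest and simplest kind: every probe completes a full handshake and lands in the target’s logs, it only covers TCP, and it tells you nothing about whether the service it found is vulnerable. That last gap is the difference between a scan and a pentest, and it is what you are paying the tester for.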