Data Protection Good Practice

Computer security

Your computer security will need to be appropriate to the size of your system and what you use it for. The Data Protection Act requires organisations to take technological developments into account when deciding on security measures, but it is a frequent misunderstanding that the Act requires ‘state of the art’ technology. This is not the case. The Act specifically allows organisations to take cost into account, but the measures you take must be appropriate to the harm that could result from a breach and to the nature of the information you process.

A networked system will need more controls than a stand-alone computer, and a stand-alone computer that is connected to the internet and email will need more protection than one that is not, because networking and internet connectivity expose the system to more vulnerabilities and threats. The nature of the information you hold will also affect which security controls you need to adopt. You can use tools such as the information security and physical security checklists to help you, but depending on the sophistication of your system and the technical expertise available in-house you may well need specialist information security advice. Remember that you will need a written contract with any such advisers if they are going to have access to the personal information on your system.

You should consider whether you have sufficient security arrangements to manage the system securely. Here are some prompts to help you decide what action is right for your organisation.

  • How do you manage the operation of your computer systems? Is this done with documented procedures and change control, or on an ad-hoc basis? Do you have separation of duties between job roles, so that no single person can make unauthorised changes or commit fraud unnoticed?

  • If you have servers they will need extra security and you will need to limit both physical and administrative access to them. You will probably need specialist security help to address these needs. There is advice on this topic at the government and business sponsored website Get Safe Online (see its page “Look after Servers”).

  • Do you have protection against the loss of information if the power supply fails? Do you make sure your equipment is properly maintained, to prevent loss of data or interruption to your work?

  • Do you control access to your computer systems? Does each member of staff have their own account and password, and use only their own and never anyone else’s? Do you require a password strength that will not be easily broken? If you have information that only certain people should see, do you control access to it, for example by setting permissions on particular folders or shares on your network? How do you control access to computers when they are unattended, for example with automatic screen locks?

  • Do you regularly obtain and apply the security updates for your software that fix vulnerabilities as they are discovered, including for the operating system, browsers and any third-party applications?

  • Do you have laptops and portable media (such as memory sticks, disks and so on) containing personal information that could be taken out of the office? Are they transported securely and with your permission? How sensitive is the information? Could its loss cause damage or distress to the people concerned? Are hard disks or individual documents encrypted to keep the information secure? Is the encryption product you are using of good quality, that is, a recognised and well-tested standard rather than a proprietary scheme? Please read the ICO’s guidance “Our approach to encryption”.

You may also find the information sources at the end of this article helpful.

  • Do you have procedures to securely delete information held on computers? Information can usually be recovered even after someone thinks they have ‘deleted’ it using the delete key, because only the directory entry is removed and the data itself remains on disk. Securely deleting information means using techniques such as overwriting the material a number of times or, if you are getting rid of the equipment, destroying the hard disk. Note that overwriting in place was designed for magnetic disks: on solid-state drives, and on file systems that keep journals or snapshots, an overwrite does not reliably destroy every copy, so for those the safer approach is full-disk encryption from the outset (then destroying the key) or the drive’s own secure-erase function. Disposing of equipment containing personal information without securely removing or destroying the information on it is a frequent cause of security breaches.

  • Do you take backups of the information you hold? How often? Are they stored in a different location so that if, for example, you have a fire, your information is recoverable? Do you test restoring information from your backups to confirm that it works? Remember that backups contain the same personal information as the live system and need the same protection, including encryption and restricted access.

  • Do you use the internet or email? If you do, you need to review your security measures carefully to detect and protect against malicious software that could be downloaded onto your system. Make sure your firewall and anti-virus protection are kept up to date. Do you have procedures and systems in place to follow if your computers do become infected or are hacked into? Do you warn your staff that ordinary email is not a secure channel, and make sure that any sensitive information sent electronically is encrypted or sent by other means?

  • If you trade electronically, have you taken proper steps to make sure any personal information you obtain is protected from disclosure or alteration, both while it is being transmitted and once it is stored? Do you have the means to check that someone is who they claim to be, for example by use of login details and passwords?
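The overwrite-then-delete procedure described in the secure deletion prompt above, as an added example that is not part of the ICO guidance: a small Python script that overwrites a file in place pass by pass, flushes and syncs each pass so the data actually reaches the device, renames the file so its original name leaves the directory metadata, and then unlinks it. The file name, the sample contents and the alternating random/zero overwrite pattern are constructed for illustration and are not a standard such as NIST SP 800-88.

```python
import os
import secrets
import tempfile
from pathlib import Path


def _pattern_block(pass_index: int, n: int) -> bytes:
    """Even passes write random bytes, odd passes write zeros.
    Illustrative pattern only; the final state depends on the pass count."""
    return bytes(n) if pass_index % 2 == 1 else secrets.token_bytes(n)


def overwrite_file(path, passes: int = 3, chunk_size: int = 1024 * 1024) -> int:
    """Overwrite the file's current contents in place `passes` times.

    Returns the number of bytes overwritten per pass. Each pass is flushed and
    fsync'ed so the pattern is written to the device rather than left sitting
    in the page cache when the file is later unlinked.
    """
    p = Path(path)
    size = p.stat().st_size
    with open(p, "r+b") as f:
        for i in range(passes):
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(chunk_size, remaining)
                f.write(_pattern_block(i, n))
                remaining -= n
            f.flush()
            os.fsync(f.fileno())
    return size


def secure_delete(path, passes: int = 3) -> int:
    """Overwrite, rename to a random name so the original filename no longer
    sits in directory metadata, then unlink. Returns bytes overwritten."""
    p = Path(path)
    size = overwrite_file(p, passes)
    anonymous = p.with_name(secrets.token_hex(8))
    p.rename(anonymous)
    anonymous.unlink()
    return size


def demo() -> dict:
    """Create a constructed sample file of personal data in a temporary
    directory, overwrite it with two passes (so the final pass is zeros),
    record what is left on disk, then securely delete it."""
    with tempfile.TemporaryDirectory() as d:
        sample = Path(d) / "staff-list.csv"
        sample.write_bytes(b"alice,salary\n")  # constructed sample data, 13 bytes
        size = overwrite_file(sample, passes=2)
        after_overwrite = sample.read_bytes()
        secure_delete(sample, passes=1)
        return {
            "size": size,
            "after_overwrite": after_overwrite,
            "exists_after_delete": sample.exists(),
        }


if __name__ == "__main__":
    print(demo())
```

As the prompt above notes, this only destroys data where writing to a file offset actually replaces the old sectors, so it is a tool for magnetic disks on plain file systems, not a substitute for full-disk encryption or a drive’s built-in secure erase on SSDs or snapshotting file systems.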
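For the access-control prompt (individual passwords of adequate strength) and the electronic-trading prompt (checking that a user is who they claim to be), here is an added example, not code from the ICO page, of how a small system should store and check passwords: a per-user random salt, PBKDF2-HMAC-SHA256 from the standard library, a constant-time comparison, a minimum-length and known-breached-password check, and a login routine that does the same work for unknown usernames so timing does not reveal which accounts exist. The iteration count is the figure in OWASP's Password Storage Cheat Sheet for PBKDF2-HMAC-SHA256; the minimum length, the banned-password list and the user table are assumptions constructed for illustration.

```python
import hashlib
import hmac
import secrets

PBKDF2_ITERATIONS = 600_000  # OWASP Password Storage Cheat Sheet figure for PBKDF2-HMAC-SHA256
MIN_PASSWORD_LENGTH = 12     # assumed local policy, not a figure from the ICO guidance

# Constructed sample of passwords seen in public breaches; a real deployment
# would check against a large breach corpus rather than a handful of values.
BANNED_PASSWORDS = {"password", "password1", "letmein", "qwerty123", "welcome1"}


def password_is_acceptable(password: str, banned=BANNED_PASSWORDS) -> bool:
    """Strength check: long enough and not a known-breached value."""
    return len(password) >= MIN_PASSWORD_LENGTH and password.lower() not in banned


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$hash_hex.
    A fresh 16-byte salt per user means identical passwords get different records."""
    salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count, then compare in
    constant time. Malformed records verify as False rather than raising."""
    try:
        algo, iters, salt_hex, dk_hex = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        expected = bytes.fromhex(dk_hex)
        dk = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
        )
    except ValueError:
        return False
    return hmac.compare_digest(dk, expected)


# Dummy record used when the username does not exist, so a login attempt for an
# unknown account costs the same as one for a real account.
_DUMMY_RECORD = hash_password(secrets.token_hex(16))


def login(users: dict, username: str, password: str) -> bool:
    """Check a username/password pair against a {username: stored_record} table."""
    record = users.get(username, _DUMMY_RECORD)
    ok = verify_password(password, record)
    return ok and username in users


if __name__ == "__main__":
    # Constructed user table for a one-person demo.
    users = {"alice": hash_password("correct horse battery staple")}
    print(login(users, "alice", "correct horse battery staple"))  # True
    print(login(users, "alice", "wrong"))                         # False
    print(login(users, "mallory", "correct horse battery staple")) # False
```

The record format carries its own iteration count, so the count can be raised later for new passwords while old records still verify, and they can be re-hashed the next time their owners log in.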

Crown Copyright © 2014
