The ICO, DPA, UK-GDPR and ISO 27001

In today’s digital age, it’s easy to consider only cyber security when securing your data, and there’s no question this is essential. Even the strongest cyber security can be rendered useless if someone gains direct access to your system. If I am considering how to attack your business, it may be easier and far more effective to attack your data physically rather than over the internet. Physical and cyber security are interdependent, and it’s quite easy for each side of this equation to think the other has the solution. To bridge this gap, employee training and a holistic approach are required.

This is reflected in the Information Commissioner’s Office (ICO) guidance on compliance with UK-GDPR regulations. What’s important to remember is that penalties for breach of GDPR reflect not only the severity of the breach, but also the effort made to mitigate the risks. Demonstrating that you take information security seriously can turn a fine from the ICO into advice and instruction. The list of organisations and individuals prosecuted on the ICO website shows they aren’t messing around.

The ICO helpfully list how you can comply with their expectations and we have identified just some examples of where Styx Security can help. There is significant overlap with ISO 27001. We can help develop evidence of compliance for certification, surveillance and recertification within our areas of competence (e.g. demonstrating employee awareness and training, physical security, physical attacks on data systems, etc).

ICO Says:

The “Security Principle” of GDPR requires risk analysis with physical and technical measures to mitigate these risks.

Styx Says:

Our in-depth threat modelling complements your own risk assessment as we look to emulate the real-world threats to your business.

ICO Says:

You should demonstrate robust physical security including the quality of doors and locks, alarms and CCTV.

Styx Says:

We are on a hunt for the perfect door. Too many doors can be bypassed or opened in unconventional ways. Where we find problems, we also look for cost effective mitigations which make our job of getting in harder. Our expertise includes identifying security products with weaknesses advertised all over social media.

ICO Says:

Access control and visitor policies should be robust.

Styx Says:

Expensive electronic systems can give a false sense of security, promoting the assumption that anyone on the premises is there legitimately. We can test your visitor policies and make sure they’re working, but we can also make them far more robust with little extra investment and just a few changes to your policies.

ICO Says:

Confidential waste disposal and mobile devices should be secure. Clear desks and clear screens policies should be in place and enforced.

Styx Says:

We have a soft spot for confidential waste bins. They show us where you keep the good stuff that you don’t want us to see (to the point you plan on shredding it). We also love mobile devices like laptops. With our help your staff will remember to secure their laptops, clear their desks and lock their computers.

ICO Says:

Protect areas where data is stored with adequate doors, locks, access control, cameras and alarms. Additional protection is required in critical areas.

Styx Says:

A critical part of our holistic approach is viewing your security from the perspective of the threat, not from a specific area of interest. Where we find weaknesses, we also find cost-effective solutions. We don’t sell hardware and do everything we can to avoid replacing existing infrastructure. Should a breach happen, you can demonstrate you did your best without breaking the bank.

ICO Says:

Consider placement of office equipment.

Styx Says:

Does this really deserve its own point? We see confidential waste bins ripe for rummaging and computers with exposed USB ports which are begging for a keylogger, ransomware virus or worse. Positions of printers or fax machines are usually chosen for convenience, not security. Things which stand out to us are often ignored by all but criminals.

ICO Says:

To meet our expectations, decision makers should lead by example.

Styx Says:

Fostering a security culture is one thing. Demonstrating it is another. We can help you demonstrate that you lead from the front and can evidence the proactive steps you have taken. This overlaps with awareness training below.

ICO Says:

A lot of stuff that can be mostly fulfilled with e-learning and a multiple choice assessment.

Styx Says:

The theory side of information security, the DPA, GDPR and so on, is essential. Being honest, how much does it really help secure your data? Or, is it an exercise in box-ticking (or worse, an exercise in shifting blame)? How do you prove to the ICO that this training helps in the real world? E-learning has its place, but can be perfunctory and seen as a hassle. With direct impact experiential learning, we demonstrate the importance of the e-learning you’re paying so much for, to the people who need to implement it. Experiential learning turns your employees into an effective screen against security breaches, not only making your business more secure, but demonstrating to customers, staff and the authorities how seriously you take information security.

ICO Says:

You should regularly raise awareness around data protection and associated policies, your staff should show how they implement training in practice and you should ensure training is effective. You should demonstrate the efficacy of risk mitigations.

Styx Says:

Educational security engagements take the idea of test phishing emails and bring it into the real world. We work with you to create an irrefutable demonstration of your efforts to raise awareness and of employee compliance with policies, and to ensure your training and risk mitigations work in practice.

ICO Says:

Staff should be aware of policies around data management, including destruction.

Styx Says:

We’ve already declared our love for your confidential waste bins, but we also like hard drives, old PCs and other data storage devices which are often left unsecured. With our help, your staff will understand the importance of securing USB drives and ensuring data is secured from creation to destruction.

ICO Says:

Demonstrate effective access control systems.

Styx Says:

This does not just apply to passwords which are often written down. This applies to door codes which can be found on their associated door frames, doors left unlocked and computers left logged in to databases. Through direct impact we communicate the importance to your staff of avoiding these careless mistakes which are an immediate red flag to the ICO.

ICO Says:

You should have appropriate training in place so staff can recognise a data breach, know how to escalate it and you should test these responses with external auditing.

Styx Says:

Our direct impact security awareness training does exactly this. We can work with you to simulate a suitable data breach and demonstrate your staff’s response. You’ll have evidence of real-world training, response auditing and improvement where needed. A paper exercise audit is one thing and certainly has its place. Demonstrating that your staff respond properly in the real world is quite another.

Styx Security – Enhancing your security culture with impactful, real-world training and assessment. Safeguard your assets, data and people.
