
7CCSMSEM
Security Management
Tutorial Week 6 (Sketch of Solutions)
Recall GANT from a previous tutorial:
Group of Appreciation of the Natterjack Toad (GANT)
The Group of Appreciation of the Natterjack Toad (GANT) is a conservation group that is keen to promote and preserve the well-being of the Natterjack Toad. It is a UK-registered charity and has a significant number of members world-wide (100,000 members across 42 countries) who are all keen to promote the work of GANT. Unfortunately, it is an endangered species that is gradually being destroyed by the development of new areas. For example, it was locally extinct in some areas of Wales due to development work and it had to be re-introduced.
All information for the group can be accessed using a web-based application or by contacting the group's honorary secretary Dr Jane Peabody for the paper-based records. This information includes the group's member records, its activities, meeting places, natterjack toad habitats, confidential aspects about their work, etc. In the past, members have raised concerns about information assurance as the website has been previously compromised owing to the server containing no significant security controls.
The chairman Ms Rachel Jackson has heard about information security and believes it is the right time to take it more seriously, but she doesn't know that much about it. This is where you come in. Ms Rachel Jackson has hired your group to learn more about protecting their information.
Question 1. Which Security Roles and Teams would you suggest GANT to have?
Given the size of GANT, it would probably make sense to have a CISO, or alternatively somebody who could partially play the role of a CISO at board level, together with a Security Forum of people who play different roles in the organisation and contribute to information security from their day-to-day job. This could also include specific security roles, most notably a system administrator (of the website and related systems), but others may be possible too if GANT has enough resources (see slides).
Question 2. Ms Jackson is unsure about the level at which a CISO may be placed in GANT's hierarchy. Where should a CISO be put and why?
The CISO should ideally be part of the board of directors of GANT. This is due to a number of reasons, including:

– To ensure the CISO is seen as a senior role, demonstrating from the "higher-ups" a real commitment to information security in GANT.
– A director or board member has the necessary status to ensure appropriate focus is placed on information security.
– Sarbanes-Oxley (USA) and The Companies Act (UK) also require this level of accountability/responsibility.
– There is a responsibility to ensure adequate service continuity requirements are in place, so that if there is a major problem the organisation won't go out of operation.
– If measures are not properly implemented, the accountable person can face a custodial sentence.
Question 3. Ms Jackson has asked you to prepare an end-user code of practice for GANT. Identify the main areas that you would include in the policy.
An end-user code of practice for GANT could include, but not exclusively, statements on:
– access to GANT systems;
– protection of passwords;
– leaving information unattended;
– measures required to protect information about GANT members;
– protection of information and equipment if taken out of GANT's office;
– acceptable behaviour when using GANT systems;
– use of the internet while using GANT systems;
– use of GANT systems for personal use.
Question 4. Ms Jackson is worried that after the information leak, GANT's controls for protecting personal information may be weak. She has asked you to carry out a review of the privacy legislation affecting GANT to ensure that the organisation is compliant. What are the main areas that you would look at?
The Data Protection Act in the UK would be the main source. It is a refinement of the European GDPR. Then, it would be a matter of looking at how GANT is storing and using personal information and whether that is compliant with this body of legislation, particularly in terms of which systems in GANT deal with personal information and what kind of security controls (if any) are in place. It seems clear that the database that powers the website with members' details would be a good place to look at, together with the paper-based information GANT holds. Also, is personal information used in, or passed on to, other jurisdictions (note at the beginning that GANT has 100,000 members worldwide from 42 different countries)? This would be important to understand too. Other issues that could be discussed would be: identify if there is a policy in place to specify how personal information should be held and whether it is up to date; identify who has access to the information and whether they understand their responsibilities; identify if any information is shared with third parties and, if so, what controls are in place; understand what monitoring takes place and whether this complies with local legislation; identify whether the enterprise has communicated to individuals what monitoring takes place; etc.
Question 5. Following up from the previous question considering the protection of personal information according to the applicable laws in the UK, see at the end of this document the real example of the Data Protection Policy of King's College London, and answer the following questions:
– Who does this policy apply to?
All members of the university including staff, students and others acting for, or on behalf of, the university or who are otherwise given access to the university's information infrastructure.
– Who is responsible at KCL to undertake internal audits of data protection?
The Data Protection Officer (the Assistant Director of Business Assurance (Information Compliance)).
– What legislation is this policy trying to comply with?
The General Data Protection Regulation (GDPR) and any legislation enacted in the UK in respect of the protection of personal data.
– According to the Policy, what type of data are political opinions? How sensitive does the college consider them to be?
Special category personal data, which are particularly sensitive and private in nature, and therefore more likely to cause distress and damage if compromised.
– Are the specific steps the university must take to comply with the points raised in "III. Policy" contained in the document? Why?
They are not included because this detailed information on how to do something is not usually part of policies. Instead, the policy redirects to the "Data Protection Procedure", where the procedures to achieve this are detailed.