7CCSMSEM
Security Management
Tutorial Week 6
Recall GANT from a previous tutorial:
Group of Appreciation of the Natterjack Toad (GANT)
The Group of Appreciation of the Natterjack Toad (GANT) is a conservation group that is keen to promote and preserve the well-being of the Natterjack Toad. It is a UK-registered charity and has a significant number of members world-wide (100,000 members across 42 countries), all of whom are keen to promote the work of GANT. Unfortunately, the Natterjack Toad is an endangered species whose habitat is gradually being destroyed by the development of new areas. For example, it became locally extinct in some areas of Wales owing to development work and had to be re-introduced.
All information for the group can be accessed using a web-based application or by contacting the group’s honorary secretary, Dr Jane Peabody, for the paper-based records. This information includes the group’s member records, its activities, meeting places, natterjack toad habitats, confidential aspects of its work, etc. In the past, members have raised concerns about information assurance, as the website was previously compromised because the server had no significant security controls.
The chairman, Ms Rachel Jackson, has heard about information security and believes it is the right time to take it more seriously, but she does not know much about it. This is where you come in. Ms Jackson has hired your group to help GANT learn more about protecting its information.
Question 1. Which Security Roles and Teams would you suggest GANT should have?
Question 2. Ms Jackson is unsure about the level at which a CISO should be placed in GANT’s hierarchy. Where should a CISO be put and why?
Question 3. Ms Jackson has asked you to prepare an end-user code of practice for GANT. Identify the main areas that you would include in the policy.
Question 4. Ms Jackson is worried that after the information leak, GANT’s controls for protecting personal information may be weak. She has asked you to carry out a review of the privacy legislation affecting GANT to ensure that the organisation is compliant. What are the main areas that you would look at?
Question 5. Following on from the previous question on the protection of personal information under the applicable UK law, read the real example of the Data Protection Policy of King’s College London reproduced at the end of this document, and answer the following questions:
– Who does this policy apply to?
– Who is responsible at KCL to undertake internal audits of data protection?
– What legislation is this policy trying to comply with?
– According to the Policy, what type of data are political opinions? How sensitive does the College consider them to be?
– Are the specific steps the university must take to comply with the points raised in “III. Policy” contained in the document? Why?
IC001: DATA PROTECTION POLICY
Policy Category: Governance
Subject: Compliance with data protection legislation
Approving Authority: Senior Management Team
Responsible Officer: President & Principal/designate
Responsible Office: Office of the Chairman and College Secretariat
Related Procedures:
Data Protection Procedure https://www.kcl.ac.uk/aboutkings/orgstructure/ps/audit/compliance/data-protection/Data-Protection-Procedure.aspx
Data Breach Management Procedure https://internal.kcl.ac.uk/about/secretariat/business-assurance/compliance/data-protection/dataloss.aspx
Requests for Personal Information Procedure https://www.kcl.ac.uk/aboutkings/orgstructure/ps/audit/compliance/data-protection/Requests-for-Personal-Information.aspx
Related College Policies:
Records Management Policy https://www.kcl.ac.uk/governancezone/InformationPolicies/Records-and-Information-Management-Policy.aspx
Information Security Policy https://www.kcl.ac.uk/governancezone/InformationPolicies/Information-Security-Policy.aspx
Email Policy https://www.kcl.ac.uk/governancezone/InformationPolicies/Email-Usage-Policy.aspx
Research Data Management Policy https://www.kcl.ac.uk/governancezone/Research/Research-Data-Management-Policy.aspx
Effective Date: 25 May 2018
Supersedes: 7 October 2015
Next Review: 25 May 2021
I. Purpose & Scope
This policy covers all university activities and processes in which personal data is used, whether in electronic or hard copy form.
This policy applies to all members of the university including staff, students and others acting for, or on behalf of, the university or who are otherwise given access to the university’s information infrastructure.
This policy takes precedence over any other university policy on matters relating to data protection.
II. Definitions
The following terms are defined in data protection legislation:
• Personal data – any information relating to an identifiable person who can be directly or indirectly identified, in particular by reference to an identifier (e.g. name, identification number, location data or online identifier).
• Special category personal data – the following types of personal data (specified in data protection legislation) which are particularly sensitive and private in nature, and therefore more likely to cause distress and damage if compromised:
o Racial or ethnic origin
o Political opinions
o Religious or philosophical beliefs
o Trade union membership
o Health related conditions (physical or mental health)
o Sex life and sexual orientation
o Commission or alleged commission of any criminal offence
o Genetic data
o Biometric data, where processed to uniquely identify an individual
• Data subject – the individual to whom the personal data relates
• Data controller – determines the purposes and means of processing personal data
• Data processor – responsible for processing personal data on behalf of a controller
• Data breach – a security incident that affects the confidentiality, integrity or availability of personal data. A data breach occurs whenever any personal data is:
o lost;
o corrupted;
o unintentionally destroyed or disclosed;
o accessed or passed on without proper authorisation; or
o made unavailable and this unavailability has a significant negative effect on the data subjects.
III. Policy
King’s College London (“the university”) is committed to complying with the General Data Protection Regulation (GDPR) and any legislation enacted in the UK in respect of the protection of personal data (together “data protection legislation”). To do this, the university will:
1. Only use personal data where strictly necessary, and will rely on an appropriate lawful basis for processing personal data.
2. Inform data subjects of the lawful basis and explain the purpose and manner of the processing in the form of privacy notices and other similar methods.
3. Keep personal data secure and manage incidents effectively when things go wrong.
4. Observe the rights of individuals under data protection legislation.
5. Ensure staff are trained appropriately in managing personal data.
6. Ensure that records containing personal data are managed effectively.
7. Only share personal data with third parties where adequate standards of data protection can be guaranteed and, where necessary, contractual arrangements are put in place.
8. Implement comprehensive and proportionate governance measures to demonstrate compliance with data protection legislation principles.
Further details on the meaning of, and the steps the university must take to comply with, these points are contained in the Data Protection Procedure.
IV. Roles and responsibilities
Every individual who works for, or on behalf of, the university must ensure that any personal data they handle is processed in accordance with this policy and the data protection legislation principles (see Data Protection Procedure).
The Senior Management Team is responsible for approving this policy and assuring Council that the university meets its data protection legislation obligations.
The Data Protection Officer (the Assistant Director of Business Assurance (Information Compliance)) is responsible for:
• Informing and advising the university of its data protection obligations
• Monitoring compliance
• Awareness-raising and training of staff involved with processing operations
• Undertaking internal audits of data protection
• Providing advice on data protection impact assessments
• Cooperating with the Information Commissioner and acting as the contact point for any issues relating to processing
Heads of Services and Executive Deans are responsible for ensuring awareness of, and compliance with, this policy in their respective areas.
The Information Compliance team is responsible for:
• Maintaining this policy
• Providing guidance, support, training and advice on data protection compliance
• Processing all subject access requests for the university
• Supporting the responsibilities of the Data Protection Officer
The Security Operations Group is responsible for managing information security across the university. The purpose of the group is to review the information security landscape (both digital and physical), assess the university’s performance and readiness, and ensure risk reduction, remediation and response.