Uncategorised

eDisclosure webinar: seven reasons why your firm should consider a managed service

SRM is hosting a free eDisclosure webinar on Wednesday 18th April at 3pm.

We find ourselves in an ever changing eDisclosure landscape. Join us for our upcoming webinar during which the head of our eDisclosure team Colin Gray will explore the seven reasons why your firm should consider a managed service rather than addressing eDisclosure on an ad hoc basis.

All you need to do is register here.

GDPR: 10 key issues facing UK higher education

The world of higher education is about to be turned on its head. This is due to the imminent enactment of the General Data Protection Regulation (GDPR) which will come into effect on 25th May 2018. It marks a new era in the world of personal data protection with accountability at its centre. Although the updating of data protection law is overdue and welcomed by consumers, it does put demanding responsibilities onto the shoulders of Chief Information Security Officers (CISOs) in higher education institutions across the UK.

True expertise in GDPR compliance is a rare commodity and few resident CISOs have had time to acquire the required skill set. For this reason, many are using the additional resource and support of specialists to ensure the compliance requirements are met and resilient strategies put in place. SRM’s GDPR team has operated in the information security environment for many years and our GDPR consultants have undergone GCHQ certified training and gained GDPR Practitioner certification. As such they are uniquely well–placed to advise on the strategic implementation of GDPR. Here, they identify the key issues facing the higher education sector.

1. Awareness

It is important that everyone is aware of the changes that GDPR will bring. Vice Chancellors, executive boards, deans, academics and lecturers will all need to be aware of how the changes in data protection legislation will affect them. The mantle of data protection usually falls to the Chief Information Security Officer (CISO) who is likely to take on or oversee the role of Data Protection Officer (DPO), which is a requirement of GDPR. To ensure this is done effectively, the CISO will need to have senior-level influence, with the relevant knowledge and authority to manage the process or be given the financial resource to secure additional support and expertise from an industry professional or Virtual CISO service.

2. Information life cycle audit

Institutions will be held more accountable for the data they hold. In addition to keeping records about what personal data exists with the organisation’s systems, GDPR requires a documented understanding of why information is held, how it is collected, when it will be deleted or anonymised and who has access to it. Data will include everything from phone records to employment details. Some information will be categorised as sensitive and some as non-sensitive and all this information needs to be mapped.

3. Incident Response

Keeping information secure is a primary requirement and there will be new obligations to report security breaches to the Information Commissioner’s Office (ICO) within 72 hours where it creates a risk to the affected individuals. This is likely to occur, for example, in cases of identity theft or financial loss and organisations will also be required to inform the individuals affected. Incident Response which outlines protocols to detect, investigate and respond to personal data breaches is an important element of this process.

4. Data Protection by Design

GDPR introduces new obligations on information-handling processes and the systems that are developed. Data protection should be built in with data privacy settings being the default. It is anticipated that GDPR will require ‘data protection by design’ to be extended to existing systems within three years. Formal data protection impact assessments should be undertaken as part of the design process.

5. Demonstration of consent

Not all data processing requires explicit consent, but where it is applicable, institutions need to be able to demonstrate that consent is ‘freely given, specific, informed and unambiguous’. This means individuals will need to specifically opt in, rather than simply fail to opt out.

6. Considering the necessity of data collection

Continuing with the concept of consent, institutions will be required to consider whether the collection of data and its processing is actually necessary. Recognised legal bases include contract, legal obligation, vital interest, public interest or legitimate interest of the organisation. If these apply then processes must meet the requirements of GDPR.

7. Reviewing privacy notices

When accessing individual’s personal data, these individuals must be informed of the legal basis for processing their data, the retention period and the individual’s rights to complain to the ICO if they consider there to be an issue. This will typically be in the form of a privacy notice.

8. Increased consumer expectations

High profile breaches have brought damaging publicity to a number of higher education institutions. With this heightened awareness comes an increased knowledge of the individual’s rights to data privacy. Those using an institution’s systems will expect to have their data protected and may challenge where this is not obviously being promoted. Communication about GDPR compliance will be a necessary aspect of the DPO role.

9. Ensuring an individual’s rights can be upheld

Under GDPR the rights of individuals have been enhanced. They include the right to subject access, having inaccuracies corrected, having information erased, data portability and the right to be excluded from direct marketing or automated decision-making and profiling.

10. Data breach notification

GDPR introduces the mandatory reporting of data breaches to the regulator without undue delay and no later than 72 hours of becoming aware of the breach. In some cases this will apply to the data subjects as well. Higher Education istitutions therefore need to give careful thought to breach prevention and to ensuring that there is a data breach procedure in place.  Awareness in-house training for staff is a vital element of this process. Having a coherent approach to data breaches will not only ensures compliance with GDPR but has the added benefit of minimising adverse publicity.

 

SRM’s GDPR team provides a business-focused service to organisations and higher education institutions of all types and size, at all ends of the GDPR-readiness spectrum. While we provide unrivalled technical and compliance expertise, we also understand how businesses and higher education institutions operate, working with clients in the GDPR compliance process with the focus on delivering robust and effective compliance, not on selling products.

For more information on our GDPR services visit our GDPR page or our Virtual CISO service page.

To gauge your level of GDPR readiness, complete our GDPR Self Assessment Questionnaire.

Or read our blog:

How does GDPR differ from the UK Data Protection Bill?

How a CISO can exert influence at board level

 

Emerging Trend: Persistent JavaScript Ecommerce Malware

Our analysts report another trend that Administrators should be aware of.  This is a JavaScript-based eCommerce malware that enables the malware to re-infect websites automatically upon incomplete removal.  It has been identified as a new technique being used by cyber criminals.

This type of malware obtains its persistence by modifying databases to force the injection of a malicious JavaScript file into an eCommerce webpage. By targeting databases, the malware therefore becomes resilient to normal removal attempts. Cyber criminals have recently used this technique to target eCommerce merchants by successfully injecting the JavaScript code into a database field of a merchants website and compromising payment card data.

This malware reinfection method can be used on any eCommerce platform that uses database fields to populate content on the shopping cart webpage. Reinfection of websites can be done with the following processes:
1. A database trigger is added to the order table, which injects the malicious JavaScript link into the website template fields.
2. The trigger is executed every time a new order is made.

Scanning for malicious code in HTML files is not sufficient enough to detect this malware alone. Analysis of the database is required to ensure a proper clean-up of JavaScript eCommerce malware is conducted.
Regular scanning of webservers for malware is one recommended mitigation measure eCommerce websites can take to identify security vulnerabilities. Another recommended best practice is to check for malicious database triggers on eCommerce websites and subsequently remove these.

If you are in doubt, contact the SRM  team who can arrange to run a check for you!

Managing Director of SRM, Tom F is a regular contributor to the SRM blog.

The uncertainty of Brexit, the certainty of GDPR and the responsibilities of the CISO

As Britain navigates its way through the choppy waters of Brexit, there is a great deal of uncertainty about exactly what form our new relationship with Europe will take. In many ways our trading relationships will change; this is the inevitable uncertainty. But on one level the situation is significantly clearer: UK businesses will still be required to comply with EU law if they wish to maintain any trade links with European customers. So the General Data Protection Regulation (GDPR) which comes into effect on 25th May 2018 will still apply to most of us.

But the trouble with certainty is that it is rarely ever that simple. When it comes to our relationship with Europe it appears that the words of John Allen Paulos, an American Professor of Mathematics apply: ‘Uncertainty is the only certainty there is’. So where does this leave the CISO, whose responsibility it is to ensure compliance with not only GDPR but also any future UK and EU regulations? Well the clever mathematician went on to say that ‘knowing how to live with insecurity is the only security.’ And this is the key.

By accepting a degree of insecurity and establishing a means by which to manage it, a CISO can maintain compliance and provide strategic direction for the company’s information security agenda. The following steps will help to navigate this difficult course.

  1. Continue to steer towards whole company compliance with the existing information security standards like PCI DSS, Cyber Essentials, ISO 27001 and ISO 9001. Embedding these standards within your business will ensure you are well placed to deal with new challenges on the horizon.
  2. Work with an established professional team which will not only help you set your course but will also support, enhance and resource your information security strategic agenda. As industry experts they will know about impending changes and will ensure your compliance objectives take these into account.
  3. Make sure everyone on your ship is heading in the same direction. To do this you will need to exert board level influence. With access to high level of technical expertise and strategic guidance the CISO will be able to articulate the state of information security to the company stakeholders and lead employees, accessing company-wide support and making the case for adequate resource. This will set you up to be flexible and responsive to change.

SRM’s VirutalCISOTM has been developed to provide a cost effective bespoke solution to organisations without a CISO or where a board level strategic adviser is required to ensure Information Security remains high on the board agenda. The SRM VirutalCISOTM has access to an extensive portfolio of professional services to help embed Information Security throughout your organisation.

A Cautionary Christmas Tale

present-1893643_960_720

‘Twas the night before Christmas, and all through the house,

Not an iPad was stirring, nor PC or Mouse;

 

The shopping had been done on the internet with care,

In hope that the presents soon would be there;

 

The payments were processed, at least in their heads,

Until they found out their account was in shreds;

 

What should have resulted in toys in gift wrap;

Had led them into an elaborate trap,

 

The fraudsters had found an outdated website;

And changed the checkout so it wasn’t quite right,

 

Away to the next site, Dad went like a flash;

Not knowing his card was in the fraudsters stash

 

The website looked fine but ‘twas misdirection;

He’d fallen foul of Sequel Injection,

 

The site wasn’t bad, that should be made clear;

But the standards ignored, no PCI here.

 

With hackers so many, so lively and quick;

The change was so easy, it was done in a click,

 

So please spare a thought, when you next do your shopping,

And check that the site that you found while you’re hopping,

 

Is up to the standard to which we’re reliant;

And make sure it’s one that is PCI compliant.

 

Information Security Consultant, SRM's Principal PCI DSS QSA and Payment Card Industry expert, Paul B is a regular contributor to the SRM blog.

SRM Blog