Sample Dissertation: Data Security Management in the Public Sector in UK
DATA SECURITY MANAGEMENT IN THE PUBLIC SECTOR IN UK
CHAPTER I: INTRODUCTION
The recent slew of high-level data security scandals has brought data protection and data security in particular into the spotlight, and to the attention of enforcement authorities as well as the public. Any organisation handling personal data should therefore take data security seriously.
The most prominent scandals include a series of incidents over the last year in the UK. In November 2007, two CD-ROMs containing 25 million records of child benefit recipients, including names, addresses and bank details, were lost by Her Majesty’s Revenue and Customs (HMRC) when sent by courier. In December 2007, sensitive data, including religious beliefs and sexual orientation, relating to junior doctors were accessible to anyone accessing a website of the Department of Health. In the same month, the Driving Agency’s US contractor lost a computer hard drive containing contact details of three million candidates for the driving theory test. In January 2008, the Ministry of Defence lost a computer containing 600,000 staff records (Navuluri, 2009).
Security breaches are, however, not limited to the public sector. For instance, in February 2008 Skipton Financial Services was found to be in breach of UK data protection law for the theft of an unencrypted laptop from a contractor which contained names, dates of birth, national insurance numbers and investment amounts for 14,000 customers. In early 2008, an investigation by the UK Information Commissioner’s Office (ICO) revealed that a laptop which contained unencrypted details of the pension arrangements of 26,000 Marks & Spencer employees was stolen from a contractor’s home. In April 2008, a British bank lost a CD-ROM with data on 370,000 of its clients (UK, 2008). Two other companies were found to be in breach of data protection, following the loss of an unencrypted CD containing the personal data of more than 3,000 customers.
Since the HMRC event in November 2007, the ICO was notified of over 100 serious data breaches. The number of cases which have not been reported is likely to be considerable.
Other countries have also been affected. In October 2008, it came to light that in 2006, 17 million sets of customer data had been stolen from Deutsche Telekom’s mobile telephone branch. Another security gap was discovered only recently: the personal data of more than 30 million Deutsche Telekom customers were found to be relatively easily accessible via the internet. A similar security breach affected the Springer group, as the personal data of several thousand of its advertising customers were accessible via the internet.
Press reports indicate that personal data are easily available on the internet. For instance, in August a server with the bank details of one million UK clients was sold by a party on the auction website eBay. In Germany a consumer association bought six million data sets, including contact and bank account details, via the internet.
Besides encryption, calls for mandatory data security breach notification are increasing. Whilst the EC Directive on data protection and most national data protection laws in the EU do not currently provide for such an obligation, it is under discussion for telecommunications service providers in a proposal for the e-privacy Directive, and there have been calls to extend this obligation to all controllers. Despite the absence of a provision in the law, the ICO also now encourages organisations to report data breaches, which is supported by the ICO’s new guidance on data security breach management, and the draft amendment of the German data protection act requires that the data protection authorities and data subjects concerned must be notified in the event of a security breach.
Data breaches do not only result in significant costs for assessing, containing and remedying breaches but also have severe consequences for organisations’ reputation and brand image. Deutsche Telekom, for instance, has been criticised for its lack of security controls as well as poor information. The CEO of Deutsche Telekom publicly apologised and announced the creation of the new post of Chief Privacy Officer.
In addition to a loss of trust and confidence by employees, data breaches can even affect business relationships. For instance, the UK Home Office decided to terminate its contract with an external contractor and is considering whether to terminate other contracts in place.
All this demonstrates that companies can no longer afford to ignore data protection and management policies. Rather, data security and protection must become a management priority as data protection authorities take breaches of data protection seriously and are less likely to show leniency toward offenders.
Indeed, following the scandals, greater regulatory scrutiny is expected. National authorities are stepping up their enforcement activities and are likely to receive more powers. Following a recent amendment of the law, the ICO has the power to impose substantial fines on organisations that deliberately or recklessly commit serious breaches of the UK Data Protection Act. The ICO has also called for increased enforcement powers, including the carrying out of audits – a power which data protection authorities in many other EU Member States already have.
Considering the challenges posed by these security breaches, it is imperative to better manage data security in the public sector in the UK. However, there is a paucity of research on data security management in the public sector. Although data security problems have been reported often and there are many articles criticising the indifferent attitude of organisations towards fully implementing security measures, no coherent study has investigated this issue across all its dimensions, such as data encryption, physical security, security policies and methods of securing data. This dissertation intends to fill this gap by reviewing and analysing the existing security system in the UK public sector and recommending strategies for protecting valuable personal and public information from unauthorised access and manipulation.
Data security breaches can be avoided if data security is given a higher priority. Even though serious institutional deficiencies concerning the handling of personal data have been established, including a lack of transparency, accountability, training and guidance, there is still a lot to be done to enhance data security in the UK.
In the context of increasing incidents of data security breaches, the main aim of this study is to offer an overview of existing data security management, draw conclusions based on current practices, and recommend strategies for effective control of security threats. Thus, in this context, the specific objectives of the project are:
- To analyse the existing data security management in the public sector in the UK
- To examine the various data security methods available in the IT market
- To recommend the most suitable data security measures
Structure of the Study
Before the 1970s, businesses, for the most part, relied on labour, land, and capital to compete in their respective industries. The advent of the Internet and telecommunications technologies has shifted organisations’ sole reliance on labour, land, and capital to also include technology (Drucker, 2001) and human capital (Davenport & Prusak, 2000; Drucker, 2000; Novak, 1998; Randeree, 2006; Romer, 1986, 1990). For an organisation to compete successfully today, its workers must have timely access to complete and accurate information to conduct daily business operations (Drucker, 2002; Guffey, 2006). While it is essential for workers to have timely access to complete and accurate information to make business decisions, research in the information security (IS) literature has pointed out various security risks that can cripple an organisation’s IT infrastructure (McCrohan, 2003; McNamee & Sally, 2001; Misra & Kumar, 2007; Troutt, 2002; Wade, 2004; Warren & William, 2000; Willison & Backhouse, 2006; Wright & Dean, 2007).
The role of security practitioners is to protect their organisations’ information assets (Ramirez, 2006; Willison et al., 2006). Successful protection of information assets, however, requires that security practitioners accomplish three goals: confidentiality, integrity, and availability of information (Easttom, 2006). In general, IT practitioners use hardware and software coupled with various communication protocols to implement network infrastructures. However, it is a well-known fact in the IT field that hardware fails, software has bugs, and communication protocols have flaws (Callaghan & Carol, 2005; Christophe, 2005; Leighton, 2006; NIST, 2002; Stange, 2003). The combination of hardware, software, and protocols will, at times, lead to events that violate one or all of the three information security goals. Even where no system fails through a hardware or software fault, at any given time it is possible for an attacker to successfully violate one of the three security goals for an organisation’s information-based assets. And even in the absence of a purposeful human attacker or equipment failure, studies in the IS literature (Gunter, 2006; Kraemer & Pascale, 2007; Neumann, 2006; Wagner, 2006) have pointed out that human error, not technology, is the number one problem in information security.
Nowadays it is not uncommon to hear of national and international bodies passing laws and regulations aimed at protecting information assets in both the private and public sector (Harris, Harper, Eagle, & Ness, 2008). The intent of these laws and regulations is to ensure that personally identifiable information and critical information assets of corporations and governmental agencies are adequately protected. Research in the financial sector showed that customers are reluctant to conduct business with organisations that pay little or no attention to the protection of personally identifiable information (Dingler, 2006; Macleod, 2006; Mokady, 2006). To compete effectively in this global information economy, businesses must do more than give customers their word when it comes to protecting personally identifiable information.
Researchers in information security outlined three major components that make up a successful security program. The three components are people, process, and technology (Contos, 2007; Semple, 2003; Wade, 2004). In some studies this is known as people, operation, and technology (Teare, 2006). The ability to recognize sources of risks in relation to these three components and to develop suitable countermeasures to mitigate such risks to information assets is at the core of an effective security program.
The PWC Enterprise Security Architecture proposed that IS practitioners be adequately trained to ensure that security devices are installed according to manufacturer recommendations and best practices in the IS field. The PWC framework also proposed that end users be trained in accordance with their level of access to critical information or their job function (Boren et al., 2000). Proper installation of security devices and well-trained end users are useful but not sufficient to secure the digital assets of an organisation. In the end, the business processes used in an organisation should not violate the security policy of the organisation (Teare, 2004). The protection of information assets can be a daunting task even for the most experienced IS practitioners. For an information security programme to be effective, IS architects and practitioners need to use a layered security approach to mitigate risks to their organisations’ information assets (Baghaei & Ray, 2004).
IT Security Framework
On a daily basis, end users interact with IT systems to make business decisions (Mamaghani, 2006; Schubert & Leimstoll, 2007; Torkzadeh & Lee, 2003). The use of such systems, however, comes with a set of risks ranging from spyware applications monitoring an end user’s activity to denial of service of IT resources. The dependence on such systems requires a well-developed security strategy that can effectively mitigate risks to IT assets (Gavin & Marquette, 1998; Purser, 2004). The information provided in Figure 2 guides the approach used throughout this research to mitigate risks to IT data. Note that major emphasis is placed on deterrence and prevention. The scarcity of resources in the public sector requires a cost-effective security solution for IT assets (Joshi, Aref, Ghafoor, & Spafford, 2001). Reliance on detection and protection alone would provide less than ideal protection of information assets.
A comprehensive compliance strategy
Companies are therefore well advised to reconsider the way in which they handle personal data and to implement a comprehensive data protection and security management and compliance system. Such a system requires a strong privacy organisation with sufficient resources and support by senior management. Whilst taking individual security measures, such as encryption of data carriers, may provide a quick security gain, in order to achieve and maintain a sufficient level of data protection compliance in the long term a more comprehensive approach is required covering the whole life cycle of personal data, from collection to deletion.
Rather than quick fixes, a structured, process-oriented strategy is needed. In addition to a general data protection policy, there should be more specific policies and procedures, including for records management and data retention, which translate the abstract principles of the general policy into day-to-day business practices. Data protection considerations should be built in from the start. A significant change in culture and attitude is thus required, including in dealings with external parties that have access to personal data.
Moreover, any compliance strategy must not only make use of technical means but also address the fact that many breaches are caused by staff members, such as employees downloading malware from the internet or copying whole databases onto mobile data carriers or laptops. Employees are also increasingly being manipulated into disclosing confidential information (so-called social engineering). In addition to providing detailed guidance, staff members therefore need to be educated and trained. There must also be effective control mechanisms in place and a plan for monitoring compliance, e.g., through occasional audits and spot checks, and for taking disciplinary action in the case of breaches.
As regards data security in particular, a security policy for the protection of personal data should be developed. Clear responsibilities must be assigned and security roles documented. Security measures must be in place at all stages of personal data processing, including at the time of deletion and destruction. Different security measures, appropriate to the nature and sensitivity of the personal data and the risks involved in the processing, are required to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, including during transmission. Organisational security measures should be backed up by technical measures, including the use of privacy-enhancing technologies. Security measures include such diverse measures as alarm systems, user account management systems, control of mobile data carriers, virus protection and backups, to name but a few. Any security measure will only be as good as the people applying it. Staff members must therefore be educated and trained on data security. In addition, companies should develop a procedure for the handling of data security breaches, including an escalation process.
Besides fending off sanctions, data protection compliance constitutes good business practice and helps keep personal data secure. More and more companies realise that it brings about real benefits, such as better information management. Moreover, data protection compliance can increase the confidence of employees, customers and other data subjects and some companies even use it as a marketing tool. All these are good reasons to give management priority to data protection and security.
Due to recent advances in computer speeds and to the worldwide interconnected nature of computers, the need for an authentication scheme that cannot be cracked easily has increased dramatically. Since forcing users to use a specific authentication scheme might be resisted, giving users the freedom to select from a variety of password authentication schemes is motivating and commercially viable.
Textual passwords are the most common authentication technique used in the computer world. Textual passwords have two conflicting requirements: passwords should be easy to remember and hard to guess. Users tend to ignore the second requirement, which leads to the creation of easy-to-break passwords. Most commonly, users face constant challenges in selecting and remembering textual passwords. For security reasons, a password should not be written down or shared with friends. Consequently, users usually select passwords that have linguistic meaning. Therefore, using dictionaries is the easiest way to crack a system protected by textual passwords.
The strength of graphical passwords comes from the fact that users can recall and recognise pictures better than words. Most graphical passwords are vulnerable to shoulder-surfing attacks, where an attacker observes or records the legitimate user’s graphical password with a camera. Moreover, many graphical password schemes have a probable password space that is smaller than or roughly equal to that of textual passwords. Currently, many graphical password schemes are under study. However, it might be some time before they can be successfully applied in the real world.
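As an added illustration of the two claims above (that textual passwords with linguistic meaning reduce to a dictionary-sized search space, and that click-point graphical schemes offer a password space comparable to textual ones), the following Python is example code written for this edit and not part of the dissertation; the word list, the leet-substitution map and the grid and click-count parameters are constructed assumptions.

```python
import math
import re

# Constructed mini word list standing in for a real cracking dictionary (assumption).
DICTIONARY = {"password", "welcome", "letmein", "dragon", "summer", "london", "security"}

# Common "leet" substitutions users apply, reversed so that "p@ssw0rd" maps back to "password".
_LEET = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e", "$": "s", "5": "s", "7": "t", "!": "i"})


def normalise(password: str) -> str:
    """Undo trivial decoration: lower-case, drop leading digits and any trailing
    non-letter suffix ("1", "!", "2008"), then reverse leet substitutions."""
    core = re.sub(r"^\d+|[^a-z]+$", "", password.lower())
    return core.translate(_LEET)


def dictionary_based(password: str) -> bool:
    """True when the password collapses to a dictionary word once decoration is removed.
    This is the enrolment-time check a password policy would apply."""
    return normalise(password) in DICTIONARY


def textual_space_bits(length: int, charset_size: int = 95) -> float:
    """Theoretical keyspace (bits) of a uniformly random textual password over
    the printable-ASCII character set (95 symbols by default)."""
    return length * math.log2(charset_size)


def dictionary_space_bits(dictionary_size: int, suffix_variants: int = 1) -> float:
    """Effective keyspace (bits) when the password is a dictionary word plus one of
    `suffix_variants` predictable decorations: the bound a dictionary attack actually faces."""
    return math.log2(dictionary_size * suffix_variants)


def graphical_space_bits(grid_cells: int, clicks: int) -> float:
    """Keyspace (bits) of a click-point graphical scheme: an ordered sequence of
    `clicks` selections among `grid_cells` tolerance cells (cells may repeat)."""
    return clicks * math.log2(grid_cells)


def effective_bits(password: str, dictionary_size: int = 100_000, suffix_variants: int = 100) -> float:
    """Upper bound on guessing work for a given password: dictionary-bounded if its
    core is a word, otherwise bounded by the full character-set space."""
    if dictionary_based(password):
        return dictionary_space_bits(dictionary_size, suffix_variants)
    return textual_space_bits(len(password))


if __name__ == "__main__":
    for pw in ("P@ssw0rd1", "xk9#Qv2!m"):
        print(f"{pw!r}: dictionary-based={dictionary_based(pw)}, effective bits={effective_bits(pw):.1f}")
    # A 20x20 click grid with 5 clicks versus an 8-character random textual password.
    print(f"graphical 5 clicks on 400 cells: {graphical_space_bits(400, 5):.1f} bits")
    print(f"textual 8 random chars:          {textual_space_bits(8):.1f} bits")
```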
Token-based systems such as ATM cards are widely applied in the banking industry and at secured laboratory entrances. However, tokens are vulnerable to loss or theft. Moreover, the user must remember to carry the token whenever access to a system or location is required.
Many biometric schemes have been released to consumers in recent years. Fingerprints, palm prints, hand geometry, face recognition, voice recognition, iris recognition and retina recognition are all different biometric schemes. Each biometric recognition scheme differs in consistency, uniqueness, and acceptability. Users tend to resist some biometric recognition schemes because of concerns for personal privacy. Moreover, iris and retina recognition schemes require users to willingly expose their eyes to a laser beam. Also, where a user’s biometric data has been forged, biometrics cannot be revoked.