Security Features - December 2011
Facilitating secure data destruction
By Russell Harris, Chairman, BSIA Information Destruction (ID) Section
When facilities managers go out to tender for an information destruction service, one that will ultimately be tasked with handling and disposing of their organisation's most confidential and sensitive data, and the media it is held on, it is imperative that they resist the obvious temptation to appoint the lowest-priced provider. The dangers are considerable: the Home Office estimates the cost of identity fraud to the UK economy at around £1.7 billion per year. The reality is that once information gets into the wrong hands, and there are plenty of criminals who will engage in activities such as data fraud, there can be little control over how it is ultimately used.
Recent research, undertaken on behalf of the BSIA's ID Section and announced for the first time at the Total Workplace Management event, has taken a closer look at the experience of public and private sector organisations across the UK with regard to secure data disposal and discovered that nearly a fifth (19 per cent) have been the victim of a serious information breach. The survey also underlined that there can be no room for complacency, with the vast majority of respondents (79 per cent) believing that the threat posed by the loss of confidential information to their organisations had either increased or remained the same over the past 12 months.
A Question of Standards
When it comes to handling and safely disposing of confidential waste in a professional manner, and to meeting their corporate and personal liabilities under the Data Protection Act, facilities managers really need to look to waste management companies that specialise in this area, adhere to a structured code of ethics, and comply with the security requirements set out in the European Standard EN 15713. That standard covers key elements such as site security, material-specific shred sizes, recording of the destruction process, and vetting to BS 7858 of the staff who will handle the sensitive material.
For our part at the BSIA's ID Section we have been promoting best practice, and helping to develop industry standards, for over a decade now and we were heavily involved, through a Code of Practice and a British Standard, in what ultimately became EN 15713.
Addressing the Data Disposal Gap
Unfortunately, the 'sticking plaster' approach some organisations take to measures such as shredding, whether their confidential material is paper-based or stored on computer hard drives, and to who they ask to handle it, has created what we would see as a worrying data disposal gap. Although cost can be a legitimate concern for facilities managers when outsourcing disposal in these tougher economic times, price should only ever be judged as one of a number of factors, and not as the prime driver, when a decision is being made to implement an information destruction service. We would argue instead that when searching questions are being put to prospective providers, a request for concrete evidence of EN 15713 compliance should be at the very top of the list rather than, as in many instances, an afterthought or not mentioned at all.
Cutting corners may appear attractive at first glance, but taking risks with information destruction stores up future problems, issues which are liable to come back to hit organisations when they least expect it. The 2009 study by BT and the University of Glamorgan, in which they bought up 300 second-hand computer hard drives and found that 34% still contained sensitive data, from patient details to a missile defence programme, starkly illustrates this point. A growing number of organisations are suffering at the hands of unscrupulous providers, only finding out later, when data is exposed, that hard drives they thought were wiped, or documents they thought were shredded, had not been processed professionally but simply sold on, dumped with normal waste, or disposed of through fly-tipping. One worrying statistic that emerged from our recent ID Section survey is that a third of those who replied are still relying on standard municipal waste disposal to deal with even the most sensitive of their data, with all the dangers which this entails.
It was also disturbing to discover that whilst 50 per cent of those questioned claimed that their organisation used a professional service for information destruction, in reality only half of this number were able to confirm that their provider met EN 15713. So the bottom line is that only a quarter of organisations actually have a service in place which, in our experience, could be deemed to be appropriate. Given that our own members, who all meet stringent best practice standards, destroy in excess of 300,000 tonnes of confidential waste every year, the amount of waste that is not being handled correctly, and is open to criminal exploitation, could at a conservative estimate run into hundreds of thousands of tonnes.
Detailing Data Breaches
In terms of where data breaches are actually happening, we discovered in the ID Section research that half of these involved paper and the rest were attributed to computer hard drives. Sadly, data breaches, by their very nature, are not going to be flagged up ahead of time, so when they do occur there can be serious ramifications for the organisations involved, their employees and their customer base, which can take months or even years to resolve. The financial impact and reputational damage are likely to be considerable. To put this into context, the average cost of a data breach reached £1.9 million in 2010, having risen for three successive years (according to an annual UK study sponsored by data protection firm PGP Corporation).
This is before considering, of course, the potential for fines that can be imposed as a consequence of failing to comply with the Data Protection Act. The Information Commissioner's Office (ICO) now has the ability to issue penalty fines of up to £500,000 to those who do not meet their obligations. Surprisingly, of those questioned in the ID Section research, only 41 per cent knew about the toughening of the ICO's enforcement powers, so there is still much work to do in communicating the message regarding the action that can be taken against those who are failing to comply.
Avoiding the Pitfalls
There really is little sense, in such a security-critical area, in making a choice based on a single criterion like price, when choosing the wrong provider can have such far-reaching ramifications. The question that needs to be asked, if your organisation is using a provider that has not instituted appropriate security measures to handle your sensitive waste, is what are you really achieving from having such a service in the first place? It is certainly not providing the peace of mind that information is being disposed of professionally, nor will it convince the authorities that you and/or your data controller are acting in an appropriate manner.
Of course some will counter that they have been using an information destruction company that is not accredited without any problems. The response to this would be that without the right framework in place it is likely the positive outcome to date will have been more the result of luck rather than design. Where confidential information is concerned the last thing you should be doing is gambling given how high the stakes are if things go wrong.
The customer facing end of a prospective supplier may seem convincing with smart uniforms, a slick website and vehicles, but if there is not the substance behind this shiny facade and, critically, they are not actually working to the EN 15713 standard, then there can really be no confidence that they are in a position to deliver a secure service.
Another major issue which organisations need to be aware of when they go down the route of using cut-price, sub-standard suppliers is the serious lack of staff vetting taking place to pick up on criminal elements who may seek employment at such firms so they can gain access to data, and sell it on, before it is disposed of.
Securing Disposal
The message therefore has to be to facilities managers, who are increasingly playing a pivotal role in the decision making process on secure data disposal, to remember why such a service is needed in the first place. They should have uppermost in their minds the far-reaching implications if the process is handled in a less than professional manner, and, crucially, the importance that the information destruction provider selected complies with the EN 15713 standard.
For more information about secure data destruction please log on to www.bsia.co.uk/shredding. A video interview with Russell Harris on the findings of the ID Section's research can be found on the BSIA's YouTube Channel at:
http://youtu.be/7ieh03Vhp30
An IT Security Expert's View on the Six Steps to Policy Excellence
Dominic Saunders, Senior Vice President at Cryptzone, gives an IT security expert's view on best practice policy management
Striking the right balance between risk mitigation and the commercial demands of the business is an essential skill, which must be adapted according to the nature of your industry and the size, culture and risk appetite of your organisation. This role needs to have clear ownership at senior management level.
Organisations need to take a systematic and proactive approach to risk mitigation if they are to be better prepared to satisfy evolving legal and regulatory requirements, manage the costs of compliance and realise competitive advantage.
Achieving and maintaining policy compliance becomes more difficult to sustain as organisations grow, become more geographically dispersed and become more highly regulated. But it doesn't have to be this way.
The purpose of policies and procedures
Policies and procedures establish guidelines to behaviour and business processes in accordance with an organisation’s strategic objectives. Whilst typically developed in response to legal and regulatory requirements, their primary purpose should be to convey accumulated wisdom on how best to get things done in a risk-free, efficient and compliant way.
Policy Pitfalls
Here are some of the most common grounds for policy non-compliance:
- poorly worded policies
- badly structured policies
- out-of-date policies
- inadequately communicated policies
- un-enforced policies
- lack of management scrutiny
So, what is the secret for effective policy management?
Policy excellence in six steps
Step One: Create/Review
It is important to understand, when creating policies, that those created purely to satisfy auditors and regulatory bodies are unlikely to improve business performance or bring about policy compliance, as they rarely change employee behaviour appropriately. While lengthy policy documents full of technical and legal jargon may satisfy legal departments and look impressive to auditors and regulators, busy employees will instantly be turned off by them.
External factors that affect policies are evolving all the time: for example technology advances may lead to information security policies and procedures becoming obsolete. Additionally, changes in the law or industry regulations require operational policies to be frequently adjusted. Some policies, such as Payment Card Industry DSS compliance, have to be re-presented and signed up to on an annual basis.
Typically, most "policy" documents are lengthy, onerous and largely unreadable. Many are written using complex jargon, and most contain extraneous content which would be better classed as procedures, standards, guidelines and forms; such documents should be associated with the policy rather than embedded in it. Documents must be written using language that is appropriate for the target audience and should spell out the consequences of non-compliance. Smaller, more manageable documents are easier for an organisation to review and update, whilst also being more palatable for the intended recipients. The problems of inadequate version control and high production costs can be reduced by automating the entire process using an electronic system.
Step Two: Distribute
A key step in the policy management lifecycle is to ensure that staff are aware of relevant policies and procedures. Organisations need to effectively distribute policies, both new and updated, in a timely and efficient manner. These need to be consistently enforced across an organisation. After all, what is the point of expending considerable effort and cost to write and approve policies, if they are not effectively distributed and read?
Step Three: Achieve Consent
In many cases, regulatory requirements call for evidence of policy acceptance, demanding a more pro-active and thorough approach to the policy management lifecycle.
A process needs to be implemented that monitors users' response to policies. Policy distribution should be prioritised, ensuring that higher-risk policies are signed off earlier by users than lower-risk documents. For example, an organisation may want to ensure that a user signs up to the Information Governance policy on the first day that they start employment, whilst having up to two weeks to sign up to the Travel & Expense Policy. Systems need to be in place to grant a user two weeks to process a particular document, after which the system should automatically force the user to process it.
Step Four: Understanding
To monitor and measure staff comprehension and effectiveness of policies and associated documentation, organisations should test all, or perhaps a subset of, users. Any areas that show weaknesses can be identified and corrected accordingly. Additional training or guidance may be necessary or, if it’s the policy that is causing confusion, it can be reworded or simplified.
Step Five: Auditability
In many cases regulatory requirements call for evidence of policy acceptance, which demands a more pro-active and thorough approach to the policy management lifecycle. The full revision history of all documents needs to be maintained as well as who has read what, when and, if possible, how long it took; who declined a policy and why. This record should be stored for future reference and may be stored in conjunction with test results.
Step Six: Reporting
To effect change and improve compliance, it helps if key performance indicators relating to policy uptake are clearly visible across all levels of an enterprise. Dashboard visibility of policy uptake compliance by geographical or functional business unit helps to consolidate information and highlights exceptions.
Being able to quickly drill down for specific details in areas of poor policy compliance dramatically improves management’s ability to understand and address underlying issues.
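The prioritised sign-off deadlines of Step Three, the audit trail of Step Five and the per-unit reporting of Step Six, modelled as a small tracker. This is an added example, not Cryptzone's product or code from the article; the risk tiers, deadline lengths, user names and dates are constructed assumptions.

```python
# Toy policy-acceptance tracker (constructed example, not Cryptzone's product). Models
# Steps Three, Five and Six: risk-tiered sign-off deadlines, an append-only audit trail of
# who accepted/declined which policy version and when, and a per-unit compliance report.
from dataclasses import dataclass
from datetime import date, datetime, timedelta

DEADLINE_DAYS = {"high": 0, "medium": 5, "low": 14}  # days after a user's start date (assumed)
REVIEW_DATE = date(2011, 12, 16)  # constructed reporting date used by demo() and the checks

@dataclass(frozen=True)
class AuditEvent:
    user: str
    policy: str
    version: int
    action: str  # "read" | "accepted" | "declined"
    at: datetime
    reason: str = ""  # filled in for "declined" events

class PolicyTracker:
    def __init__(self):
        self.policies = {}  # name -> (version, risk tier)
        self.users = {}     # user -> (business unit, start date)
        self.audit = []     # append-only list of AuditEvent

    def publish(self, name, version, risk):
        # Step One: a new revision supersedes the old; old acceptances stay logged but no longer count.
        self.policies[name] = (version, risk)

    def record(self, user, policy, action, at, reason=""):
        # Step Five: log the policy version in force when the event happened.
        self.audit.append(AuditEvent(user, policy, self.policies[policy][0], action, at, reason))

    def deadline(self, user, policy):
        # Step Three: higher-risk policies must be signed off sooner.
        return self.users[user][1] + timedelta(days=DEADLINE_DAYS[self.policies[policy][1]])

    def accepted(self, user, policy):
        current = self.policies[policy][0]
        return any(e.user == user and e.policy == policy and e.version == current
                   and e.action == "accepted" for e in self.audit)

    def overdue(self, today):
        # (user, policy) pairs past their deadline with no acceptance of the current version.
        return sorted((u, p) for u in self.users for p in self.policies
                      if not self.accepted(u, p) and today > self.deadline(u, p))

    def declined(self, policy):
        # Step Five: who declined a policy, and why.
        return [(e.user, e.reason) for e in self.audit if e.policy == policy and e.action == "declined"]

    def report_by_unit(self):
        # Step Six: fraction of (user, policy) pairs accepted, per business unit.
        totals, done = {}, {}
        for u, (unit, _) in self.users.items():
            for p in self.policies:
                totals[unit] = totals.get(unit, 0) + 1
                done[unit] = done.get(unit, 0) + int(self.accepted(u, p))
        return {unit: done[unit] / totals[unit] for unit in totals}

def demo():
    # Constructed scenario: two policies, two users who both started on 1 Dec 2011.
    t = PolicyTracker()
    t.publish("Information Governance", 1, "high")
    t.publish("Travel & Expense", 1, "low")
    t.users["alice"] = ("London", date(2011, 12, 1))
    t.users["bob"] = ("Glasgow", date(2011, 12, 1))
    t.record("alice", "Information Governance", "accepted", datetime(2011, 12, 1, 9, 30))
    t.record("alice", "Travel & Expense", "accepted", datetime(2011, 12, 9, 14, 0))
    t.record("bob", "Information Governance", "declined", datetime(2011, 12, 2, 11, 5), "wording unclear")
    return t
```

Republishing a policy with a new version number drops every earlier acceptance from the compliance figures while keeping it in the audit trail, which is the behaviour the revision-history requirement in Step Five implies.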
Bringing it all together
To check the level of policy compliance that exists within your organisation you need to periodically answer the following questions:
- where are your current policies? Are they accessible to staff?
- who has seen your current policies?
- who has read your current policies?
- do your staff understand them?
- are your policies being followed by everyone?
- are your policies effectively managed?
- are your policies up to date?
- and can you prove this to the Auditors?
For those organisations that are serious about staff reading, understanding and signing up to policies, they should consider adopting automated policy management software. This raises standards of policy compliance and provides managers with practical tools to improve policy uptake and adherence.
Ultimately, policy compliance is about getting people to do the right thing, in the right way, every time. Ensuring everyone understands what is expected of them and how they are required to carry out their jobs according to corporate policies and procedures is not a new practice. Embedding an automated policy management solution into an organisation is really the only viable way to create and sustain a culture of compliance, where people understand their responsibilities and the importance of adhering to corporate standards.
Doing so empowers people to do their jobs within an acceptable governance framework rather than constrained by a rigid set of unenforceable rules. By effectively handling the policy management lifecycle you can create a firm foundation for effective risk mitigation and governance. Automation helps the Board, line managers and the general workforce get to grips with policy compliance, and offers a cost-efficient approach to achieving policy excellence.
A guide to consultancy services
Theft of equipment and confidential information, internal security breaches and vandalism are only some examples of the multi-faceted threats that organisations are faced with on a daily basis. Adding to these the continuous terror threat and the need to demonstrate return on investment means it is almost impossible for facilities managers to be able to put together and manage all-encompassing security strategies that will effectively protect their staff and assets without expert advice.
One of the main risks is that, in the face of budget cuts, this lack of expertise can result in companies overlooking the quality of suppliers and using price as the key measure to benchmark products and services. Needless to say, this approach can prove costly and detrimental to the business in the long-run. The best security providers, in fact, bring real insight, know-how and enthusiasm to their work, which translates into better security, the delivery of a solutions-led approach, and ultimately lower costs.
Security consultancies are therefore a great place to start when looking at introducing new security strategies or simply reviewing or updating existing ones. Reliable consultants will have experience of providing advice on all manner of issues for all types of operations, whether these be construction sites, high profile governmental or business buildings, depots or small business concerns.
The role of the security consultant has evolved over the years, as have the nature of the threats faced by organisations and the scope of security technology. Nowadays, consultants are able to provide invaluable insight every step of the way, from the initial risk assessment through design considerations and solutions, design detailing and testing of security solutions, to providing information, technical or HR security consultancy. Moreover, consultancies are ideally placed to advise on the overall integration of security systems and services such as access control, intruder alarms and CCTV, and on how to increase their value by utilising them beyond their traditional security function, for example for health and safety, training, people counting or energy management purposes. Working independently, security consultancies also act as a guide to the many products and services on the market and provide unbiased recommendations based on an assessment of the individual requirements of their clients.
To help navigate the wide range of services they can offer and the ways in which they can help ensure the effectiveness of your security strategy, the British Security Industry Association (BSIA) has put together a useful guide, entitled “Security Consultancies - Expert advice on protecting your business”.
Chris Lawrence, Chairman of the BSIA’s Security Consultancy section, said about the guide: “The scope of the services provided by security consultancies is often not fully understood by procurement specialists, so I hope this guide will provide businesses with a first port of call to appreciate what consultancies can do for them. There is an expert out there available to give independent and tailored advice regardless of the size and type of business you run, or the industry it operates in.”
The guide is available for download on the BSIA’s website http://bsia.co.uk/publications.php?r=OXFPYA592061
Members of the BSIA Security Consultancies section provide independent professional support to ensure that the measures required by clients correspond to both existing and emerging threats whilst complementing the client's business environment and operation. To find out more about the work of the section visit www.bsia.co.uk/consultancies
ISACA Guide Offers Tips for Secure Mobile Payments
With the increased use of mobile devices to pay for goods and services, traditional wallets with cash and credit cards could one day be obsolete. A new ISACA white paper, "Mobile Payments: Risk, Security and Assurance Issues," examines this growing trend and offers guidance on managing risk and increasing security.
A study found that the value of mobile payments for digital and physical goods, money transfers and other transactions will reach almost US $630 billion by 2014. The Mobile Payments white paper, available as a free download from ISACA, identifies consumer benefits, including the speed and convenience of not carrying cash and credit cards, the consolidation of many cards and an enhanced layer of security. Enterprises benefit by reaching more consumers, reducing the amount of stored data needed to meet compliance requirements, improving transaction security and fraud detection, and engaging in location-based marketing (geo-marketing).
“Mobile payments offer many benefits, but we also need proactive planning and measures to manage risk, which can include anything from theft of identities and services; loss of revenue, brand reputation and customer information; and money laundering and terrorist funding,” said Nikolaos Zacharopoulos, CISA, CISSP, IT auditor for Geniki Bank, Greece, and chair of ISACA’s project development team for the white paper. “This guidance identifies the risk types and the countermeasures that should be in place to mitigate them.”
The Mobile Payments white paper provides practical advice for enterprises:
- Build robust controls into the planning process.
- Ensure that transactions are carried out only by the authorized person.
- Identify the data that are considered personal and sensitive, and ensure it is protected.
- Ensure that third parties involved have robust security governance in place.
- Pay specific attention to the originating point of a mobile transaction: the customer device and the user