Lee & White Consultants 24/7

LWC 24/7 Press Articles News Careers

Home

Guidelines

What we do

What we believe

Legal Advisory Service

IT Advisory Service

Team Information

Certifications

Archives:

November 2007
December 2007
January 2008
February 2008
March 2008
April 2008
May 2008
June 2008
July 2008
August 2008
October 2008
November 2008
April 2009
June 2009
August 2009
October 2009

Labels:

Data Handling Manual

Data Theft

Government

Human Rights

Internet

IT

Organisations

Personal Data

Private Persons

RSS feed

If you would like to comment, please review our privacy policy and send an email to comments@leewhiteconsultants.com.

Comments will be moderated and can be edited for length and clarity.

LWC 24/7 Blog

29 August 2008

Protecting People's Data

One of the duties of being a data controller is to adequately protect the personal data entrusted to you by your data subjects. The law remains pretty vague and does not specify how much 'adequately' is.

Amongst others it means that you need to implement adequate technical means to protect the data, and put the necessary security measures in place.

Another point tells you to limit who has access to that data, ensuring that data is accessed only on a need-to-know basis. For example, the receptionist needs to know the name and company of customers who will visit the company today, but does not need to have access to their credit card data. The IT technician needs to know names and user access rights to perform his duties, but not confidential financial data.

Speaking of which, most companies' IT departments are a serious risk to security. Developers need to be able to develop their software and to do so, need access to code and data. Often this means that they have not only access to test data on test servers but also to real data on production servers.

They implement easy to remember user accounts - so called super users - which give them access to every part of the applications and databases, even the most confidential. These are rarely changed and are accessible to the complete development team, not to a specific developer. This also means that when a developer or IT consultant leaves the company, the password is not changed, and possibly the developer would still have access to sensitive personal data entrusted to the company.

According to Cyber-Ark, 9 out of 10 disgruntled IT staff would steal confidential or proprietary data from their former employer. The article on Contractor UK further states that one third of leavers would take lists with 'super user' passwords, giving them access to all kinds of sensitive company and personal data. Only 12% would be honest and leave empty handed, leaving all company confidential data behind.

Companies are required to ensure that the personal data entrusted to them is adequately protected, so this is certainly an issue they need to address. Do take note that implementing high security measures to secure personal and sensitive data is not sufficient as grudging staff will find a way to bypass these security measures.

Labels: Data Theft, IT, Organisations, Personal Data

posted by IT Observer on Friday, August 29, 2008

Comments: Post a Comment

<< Home

Contact

Legal Notice - Privacy Policy