{"id":5212,"date":"2016-10-18T13:19:54","date_gmt":"2016-10-18T12:19:54","guid":{"rendered":"https:\/\/stevepedwards.today\/DebianAdmin\/?p=5212"},"modified":"2016-10-18T13:19:54","modified_gmt":"2016-10-18T12:19:54","slug":"small-business-data-security-requirements-summary","status":"publish","type":"post","link":"https:\/\/stevepedwards.today\/DebianAdmin\/small-business-data-security-requirements-summary\/","title":{"rendered":"Small Business Data Security Requirements Summary"},"content":{"rendered":"
<\/div>\n

<\/path><\/svg><\/i> \"Loading\"<\/p>\n

<\/div>\n

Business Legal requirements under Data Protection Act 1998<\/strong><\/p>\n

Identify\/nominate the Data Controller:<\/p>\n

https:\/\/ico.org.uk\/media\/for-organisations\/documents\/1558\/getting_it_right_-_how_to_comply_checklist.pdf<\/a><\/p>\n

https:\/\/ico.org.uk\/media\/for-organisations\/documents\/1575\/it_security_practical_guide.pdf<\/a><\/p>\n

https:\/\/ico.org.uk\/media\/for-organisations\/documents\/1542\/cctv-code-of-practice.pdf<\/a><\/p>\n

10 practical ways to keep your IT systems safe and secure:<\/strong><\/p>\n

\"Keeping your IT systems safe and secure can be a complex task and does require time, resource and specialist knowledge. If you have personal data within your IT system you need to recognise that it may be at risk and take appropriate technical measures to secure it. The measures you put in place should fit the needs of your particular business...\"<\/em><\/p>\n

1:\u00a0Assess the threats and risks to your business<\/strong><\/p>\n

What aspects of your business are totally IT dependent? What is the worst case scenario e.g. catastrophic system\/hardware failure (then no current backups\/lost software licenses\/insurance etc) and best actions to prevent that, or then recover from total loss in that worst case? What functionality do you still have with no IT systems - if any?<\/em><\/p>\n

2:\u00a0The UK Government,s Cyber Essentials Scheme describes the following five key controls for keeping information secure. Obtaining a Cyber Essentials certificate can provide certain security assurances and help protect personal data in your IT systems.<\/strong><\/p>\n

a)\u00a0Boundary firewalls and internet gateways<\/p>\n

b)\u00a0Secure configurations (gear dependent - e.g. check for insecure default settings like Admin passwords, open ports)<\/p>\n

c)\u00a0Access control - username\/password for relevant access to specific resources<\/p>\n

d)\u00a0Malware protection - periodic automated malware scans with reporting set up<\/p>\n

e) Patch management and software updates (Windows, Apple and Linux) - set to auto updates as a general<\/strong> rule \u00a0(systems\/service\/software dependent!! Updates can break stuff!)<\/p>\n

3:\u00a0Secure your data on the move and in the office - physical media and data encryption considerations?<\/strong><\/p>\n

a)\u00a0The physical security (different to logical data access): e.g. a server\/patch cabinet - fire, theft, flood etc; use of off site backups - hardware\/cloud\/both?; user access to USB stick ports (data theft, virus introduction threats at user account priviledge); network access for unauthorised wifi hub\/device additions?<\/p>\n

4:\u00a0Secure your data in the cloud (and devices like work laptops, memory media, storage)<\/strong><\/p>\n

https:\/\/ico.org.uk\/media\/1540\/cloud_computing_guidance_for_organisations.pdf<\/a><\/p>\n

Do you use unencrypted cloud backup services??? You client lists, business plans etc. are at risk of a security breach of the provider. Even if encrypted, password hacking may be possible for access to it.<\/p>\n

5:\u00a0Back up your data - (storage is cheap now \u00a0- NO excuse for this not to be in place!!)<\/strong><\/p>\n

robust multiple data instances backup strategy in place - periodically check your backups WORK!<\/p>\n

off site physical media backups security checks and cloud backup provider obligations;<\/p>\n

6:\u00a0Train your staff<\/strong><\/p>\n

Why security and system use policies are required and need adhering to.<\/p>\n

\"Accidental disclosure or human error is also a leading cause of breaches of personal data. This can be caused by social engineering,\u00a0sending an email to the incorrect recipient or opening an email attachment containing malware...What can I do? Employees at all levels need to be aware of what their roles and responsibilities are. Train your staff to recognise threats such as phishing emails and other malware or alerting them to the risks involved in posting information relating to your business activities on social networks. You should encourage general security awareness within your organisation. A security aware culture is likely to identify security risks\"<\/em><\/p>\n

7:\u00a0Keep an eye out for problems<\/strong><\/p>\n

\"What can I do? Check your security software messages, access control logs and other reporting systems you have in place on a regular basis. You should also act on any alerts that are issued by these monitoring services. Make sure you can check what software or services are running on your network. Make sure you can identify if there is something there which should not be. Run regular vulnerability scans and penetration tests to scan your systems for known vulnerabilities make sure you address any vulnerabilities identified.\"<\/em><\/p>\n

8:\u00a0Know what you should be doing<\/strong><\/p>\n

Security policies put in place and knowing why:<\/p>\n

\"what actions you should put into place should you suffer a data breach. Good incident management can reduce the damage and distress caused to individuals.\"<\/em><\/p>\n

Basic Security Concepts – Principles For Any System or OS<\/a><\/p><\/blockquote>\n