Information Security

Steven Hall 21st Jan 2009

Today’s Presentation• Why do this now?• What is information?• The effects of lost information• Newcastle University Policies• Techniques to prevent ‘Data Loss’• Q & A

Why do this now!• High Profile Cases from 2007:-• Nationwide Building Society fined £1m following

the theft of a laptop containing details of 11 million customer.

• Halifax apologises after 13,000 mortgage details went missing along with a stolen briefcase.

• Parliament revealed that the personal details of 25 million Britons sent by standard delivery on un-encrypted discs had been "lost in the post".

• Newcastle University: “No reported loss of confidential data”.

YET

Information Policy

• A major loss of confidential information will be very damaging to the University.

• Management wish to avoid this happening.

• New Information Policy approved by Executive Board.

• Formal presentation of an ‘Information Policy’ to be announced shortly.

What is InformationElectronic Data on

computers, disks and tapes

Paper based records, notes, exam papers

and memos

E-mails, passwords, bank details, exam

details

Types: Confidential and Non-Confidential

Confidential InformationAny record which contains personal information about a living individual :•Questionnaire or other data collected under an understanding of confidentiality.•Correspondence or other documents that reveal the contact details or any financial details of a named living individual. •Correspondence or other documents which reveal personal details or pass comments on a named living person.•Staff personnel records•Staff or student discipline or appeal records•Student records•Grant applications•Job applications•Interview notes•Admissions records•Redundancy records•Sick pay records•Maternity pay records•Income tax and National Insurance returns•Wages and salary records•Accident books and records

Non-Confidential Information

•Mission statements•Regulations•Published directories•Internet websites•Published minutes•Published reports•Press releases•Prospectuses•Timetables•Presentation materials•Course guides and outlines•Publicity material•Blank examination papers (post exam)•Theses (accepted)•Data which has been wholly anonymised•Published surveys•Published circulars

Generally any record or copy of a record that is already in the public domain e.g.

The Effect to You!• Possible Financial Implications• Embarrassment• Repeated work for you• Repeated work for others (ME!)• Legal Problems• Employment Problems• SPAM

HASSLE

The Effect on the University

• Legal Requirements(Data Protection Act 1998)

• Reputation• “Bad Headlines”

(An organisation like Newcastle University would make a national story)

How is Information Lost?

McAfee Survey Results 2007McAfee Survey Results 2007

•Only 23% malicious (65% of this, an inside job!)

•Only 8% of total loss due to Hacking, Phishing etc

•77% an ‘accident’ or ‘only doing my job?’

Worst Culprits?•Malicious Act

•Accidents

•‘Doing my Job’

•Not informed of regulations

•Sharing passwords

•Publishing personal e-mails

Staff Guidance

• Communication at start of employment.• Communication at end of employment.• Think before you disclose personal

details.• Ask if you are not sure.

Passwords!Treat you passwords like a pair of knickers:

•Have different ones for different purposes.

•Make them a BIG as possible

•Change them often

•Never lend them to your friends

E-Mail• Phishing the easiest way to get

information.• You haven’t won a laptop!• You won’t get a share in $32 Billion!• You haven’t won the Dutch Lottery!• You didn’t place that order!• Your username and password will

never be asked for in an e-mail, no matter who it says it is from!

Worst Culprits?

•Lost

•Infected Easily

•Used as ‘Backup’

•Lent to others

•Data Corruptions more common

Worst Culprits?

•Stolen

•Left at airports, on trains etc

•Hard disk corruption common

•Connected to many networks

What can we do about it?• Laptops and Memory sticks should

never have a unique copy of important information.

• All confidential information should be encrypted.

• Staff informed of good working practises.

• Make Sure Laptops are ‘Patched’ (windows update)

Hot from the Press!!!!

Demonstration of TruCrypt

Security Policy

• Full Policy to be announced soon

• Information at:http://www.staff.ncl.ac.uk/steven.hall/users.php

Q&A

Thank You.

Steven Hall (xt 6881)