The recent high-profile incidents involving data loss have undoubtedly affected the public's confidence in the competence of local and central government. At a time when an increasing amount of information is being captured and retained, the public demand that their personal data is treated with the maximum respect, care and security. No excuse seems reasonable or satisfactory. But people do make mistakes. So how do you ensure your organisation does not repeat them?

"No authority can ever say it will never lose information, but by ensuring the standards in your authority are equivalent to or exceed best practice identified...the public will be reassured that all reasonable steps were taken to observe and protect their information." (LGA Data Handling Guidance, October 2008)

This vital new report provides a road map to stronger, more embedded information security that will meet and exceed current best practice. Information security is not simply an IT issue but a critical people issue. It is vital that a clear and definite framework is in place within your organisation, a framework that is understood by staff at all levels and, as a result, is universally adhered to.

The Public Sector Information Security report clearly sets out the areas of risk within your organisation and, in the context of the relevant security standards, examines best practice for avoiding these potential security issues.

Clear examples and solutions

Throughout the report real-world examples are identified, cross-referenced to the specific security issue, and then the ISO27001 control that would have reduced the risk and/or the impact of the incident is explained. A complete overview of ISO27001 is provided, as well as an examination of Principle 7 (the "security principle") of the Data Protection Act, the Payment Card Industry Data Security Standard and the Government Code of Connection. The Information Governance toolkit and the subject of ethics and professionalism are also discussed, and the environmental issues that are now so prevalent in both the public and private sector are taken into account.

About the author

Public Sector Information Security is written by Andrea Simmons (CISSP, CISM, MBCS CITP, M.Inst.ISP, BS7799 LA), whose extensive experience of local government and other public sector bodies ensures this report provides you with a unique level of expertise when approaching this critical issue. These invaluable tools, techniques and strategies are presented in a format that is uniquely practical in comparison to other materials on the subject, and are delivered with a clear understanding of the other competing priorities that you are likely to be facing.
Publisher group: Globe Law and Business Ltd
ISBN-13: 978-1-906355-39-5 (9781906355395)
Andrea Simmons, M.Inst.ISP, CISSP, CISM, MBCS CITP, BA, independent information governance consultant, founder and director, Simmons Professional Services (www.simmonsprofessionalservices.co.uk)

ANDREA SIMMONS is an experienced information compliance evangelist/business consultant and project manager with expertise in several disciplines: information security management (ISO27001 ISMS, strategy and planning, policies and procedures development and implementation, and so on); information rights legislation/regulation and standards (including data protection and freedom of information); and information and records management. She has over 12 years' experience in the IT industry within both the public and private sector, implementing compliance programmes and information security management systems (ISMS). Andrea is currently running her own consultancy business (Simmons Professional Services Limited) and works as an associate with several professional services organisations in the public and private sector. Andrea undertakes consultancy, speaking and writing assignments and enjoys a varied portfolio of activities across the information governance space. Andrea has also held the role of consultant security forum manager for the British Computer Society (www.bcs.org/security) and has been a member of the management committee of IAAC (www.iaac.org.uk) for several years. She is also a full, chartered member of the BCS and its relevant specialist groups (security, audit, law) and is on the BCS Register of Security Experts. Andrea is also a member of ISACA, ISSA, ISC2 and the Cyber Security KTN, and a founding member of the Institute of Information Security Professionals, to name but a few. Andrea achieved Chartered IT Professional status in February 2007 and M.Inst.ISP in 2008.
Contents

Chapter 1: Introduction. Why is information security important?; Regulatory and moral drivers for improving data security; Chapter summary.
Chapter 2: Once more into the breach. Roll call; Handling; The summer of reporting; Security policy framework; The influence of the ICO; Chapter summary.
Chapter 3: It's all about the data. In defence of the DPA; Principle 7 internally; Principle 7 externally; Adequacy; Principle 7: defence in depth; Principle 7: key steps to compliance; Chapter summary.
Chapter 4: Information governance. Introduction; The five initiatives; Supporting evidence; Chapter summary.
Chapter 5: ISO27001 explained. Introduction; What is an information security management system (ISMS)?; PDCA (Plan, Do, Check, Act); Understanding ISO27001, Part 1; What are the benefits of ISO27001?; Certification; Chapter summary.
Chapter 6: Putting it all together. Risk assessment; Information security policy; Organisation of information security; Ownership and asset management; Human resources for information security; Information security awareness; Physical security; Communications and operations management; Access control; Information systems acquisition, development and maintenance; Security incident management; Business continuity management (BCM); Compliance; Chapter summary.
Chapter 7: Payment Card Industry Data Security Standard (PCI DSS). Introduction; What is required?; Protecting sensitive data; Chapter summary.
Chapter 8: Government Code of Connection (CoCo). CoCo overview; Chapter summary.
Chapter 9: The environmental angle. Introduction; Energy consumption; Reduce, reuse, recycle; Where security fits in; Questions to ask your (actual or potential) service provider; Best practice; Applicable standards; Chapter summary.
Chapter 10: Ethics and professionalism. The ethical dimension; The IA community; The competent professional; Chapter summary.
Chapter 11: Summary of best practice. Technical recommendations; Chapter summary.
Chapter 12: Legislative and regulatory drivers. Data Protection Act (DPA) 1998; Freedom of Information Act (FOIA) 2000; Code of practice on records management; Environmental Information Regulations 2004; Regulations on the Re-use of Public Sector Information (RPSI) 2005; Protective marking; Human Rights Act (HRA) 1998 and the European Convention on Human Rights; Children Act 2004; Disability Discrimination Act 1995; Common law duty of confidence; Public Records Act 1958, etc.; Local Government Acts; Town and Country Planning (Electronic Communications) Order 2003; Civil Contingencies Act 2004; Regulation of Investigatory Powers Act (RIPA) 2000; Computer Misuse Act 1990; Privacy and Electronic Communications Regulations (PECR) 2003; Retention of Communications Directive; Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000; Convention on Cybercrime; Electronic Communications Act 2000; Intellectual property; Official Secrets Act 1911; Private Security Industry Act 2001; Public Interest Disclosure Act 1998; Chapter summary.
Chapter 13: Further reading.
Index.