security is a culture gb v 9
TRANSCRIPT
Garry Bolland
Information Security Officer / Data Protection Office x3671
Security is a Culture
Protection of Personal Data
Security starts at Home
• Have an updated Virus (& Malware) checker
• Use Strong Passwords
• Don’t download from unknown sites
• Don’t open emails from unknown sources
• Keep your security software patches up to date
• Back up copies of important/precious files, etc.
• Shop online safely
• Beware of bogus calls for computer help
Gameover (Zeus)
• http://www.getsafeonline.org/
• https://www.getsafeonline.org/themes/site_themes/getsafeonline/pdf/GetSafeOnline_RoughGuide.pdf
• https://www.cyberstreetwise.com/
• http://ceop.police.uk/safety-centre/
• http://www.bbc.co.uk/webwise/0/22717886
• Victim of Malware – http://www.actionfraud.police.uk/scam-emails
• Or call 0300 123 2040
Email – Phishing Scams
Don’t get hooked by a bogus eMail
Stop & Think
DON’T CLICK
What is a Phishing Attack?
• Phishing is the act of attempting to acquire sensitive information such as usernames, passwords, and credit card details (and sometimes, indirectly, money) by masquerading as a trustworthy entity in an electronic communication.
• Phishing is typically carried out by email spoofing or instant messaging, and it often directs users to enter details at a fake website whose look and feel are almost identical to the legitimate one.
Example – Phishing 1
Guidance from Tax Office
• HM Revenue & Customs (HMRC) will never send notifications of a tax rebate / refund by email, or ask you to disclose personal or payment information by email.
• Do not visit the website contained within the email or disclose any personal or payment information.
• http://www.hmrc.gov.uk/security/examples.htm
Guidance from RLBUHT
• Don’t click on any links within the email
• Do NOT respond
• Save the email (Save As)
• Forward to Server Team
• They will get N3 network to BLOCK that email address
• Brightmail should remove any virus component
• Delete email
Example – Phishing 2
Barclays - 2
Example - 1a
Example - 1b
Example – 2a
Example – 2b
Example 3a
Example 3b
What are Data Flows?
• Data Flows are a requirement that must be completed every 2 years
• They are done per Department, for every item of data (PID) that flows into / out of the Trust
• They take the form of a spreadsheet that asks for all the processes by which data flows, i.e. by letter, fax, email, File Transfer Protocol (FTP), etc.
• Phase out fax & send encrypted email (PGP).
What are Data Flows - Spreadsheet?
Email Usage
Email is a business tool and the language used in all correspondence should reflect this
Staff should not use abusive language or profanity in any correspondence regardless of who it’s being sent to
Email filtering software is currently in place that monitors all incoming and outgoing Email for abusive language and profanity
Staff must also not send any Personal Identifiable Data (PID) or commercially sensitive data insecurely. Here are some do’s and don'ts:
• RLBUHT Trust to RLBUHT Trust - Secure
• NHS Mail to NHS Mail - Secure
• NHS Mail to the following domains - Secure: x.gsi.gov.uk; gsi.gov.uk; gse.gov.uk; gsx.gov.uk; pnn.police.uk; csjm.net; scn.gov.uk; gcsx.gov.uk; mod.uk
• RLBUHT Trust to another Trust - Not secure
• RLBUHT Trust to NHS Mail - Not secure
• NHS Mail to RLBUHT Trust - Not secure
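As an added example (not part of the presentation or any Trust system), the route rules above can be encoded so that a pre-send check or mail gateway applies them automatically instead of relying on every member of staff remembering the list. The Trust's own mail domain (`rlbuht.nhs.uk`), the NHSmail domain (`nhs.net`) and the fail-closed rule that any route the slide does not list as secure is treated as not secure are assumptions; the government domains are the ones listed above.

```python
"""Added example: apply the RLBUHT email-route rules to a message before it is sent.

Assumptions (not on the slide): the Trust's mail domain, the NHSmail domain,
and that any route the slide does not list as secure is treated as not secure.
"""

TRUST_DOMAIN = "rlbuht.nhs.uk"      # assumed placeholder for the Trust's own mail domain
NHSMAIL_DOMAIN = "nhs.net"          # assumed NHSmail domain

# Destinations the slide lists as secure when the sender is on NHS Mail.
NHSMAIL_SECURE_DESTINATIONS = (
    "x.gsi.gov.uk", "gsi.gov.uk", "gse.gov.uk", "gsx.gov.uk",
    "pnn.police.uk", "csjm.net", "scn.gov.uk", "gcsx.gov.uk", "mod.uk",
)


def domain_of(address):
    """Return the lower-cased domain of a plain user@domain address, or None if malformed."""
    if address.count("@") != 1:
        return None
    local, _, domain = address.strip().partition("@")
    domain = domain.lower().rstrip(".")
    if not local or "." not in domain:
        return None
    return domain


def in_domain(domain, parent):
    """True if domain is parent itself or a sub-domain of it (mail.nhs.net is in nhs.net)."""
    return domain == parent or domain.endswith("." + parent)


def classify_route(sender, recipient):
    """Return 'secure', 'not secure' or 'invalid' for one sender -> recipient pair."""
    s, r = domain_of(sender), domain_of(recipient)
    if s is None or r is None:
        return "invalid"
    # RLBUHT Trust to RLBUHT Trust - Secure
    if in_domain(s, TRUST_DOMAIN) and in_domain(r, TRUST_DOMAIN):
        return "secure"
    if in_domain(s, NHSMAIL_DOMAIN):
        # NHS Mail to NHS Mail - Secure
        if in_domain(r, NHSMAIL_DOMAIN):
            return "secure"
        # NHS Mail to the listed government domains - Secure
        if any(in_domain(r, d) for d in NHSMAIL_SECURE_DESTINATIONS):
            return "secure"
    # Everything else (Trust to another Trust, Trust <-> NHS Mail, ...) is not secure.
    return "not secure"


def requires_encryption(sender, recipients, contains_pid):
    """A message carrying PID must be encrypted (PGP) if any recipient route is not secure.

    Malformed addresses are treated as not secure so the check fails closed.
    """
    if not contains_pid:
        return False
    return any(classify_route(sender, r) != "secure" for r in recipients)


if __name__ == "__main__":
    # Constructed sample addresses, not real mailboxes.
    for rcpt in ("ward@rlbuht.nhs.uk", "gp@nhs.net", "clinic@othertrust.nhs.uk"):
        print(rcpt, "->", classify_route("secretary@rlbuht.nhs.uk", rcpt))
```

Note that a Trust address writing directly to a gsi.gov.uk address comes out as not secure: the slide only lists those government domains as secure from NHS Mail, and the check deliberately does not extend that to the Trust's own domain.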
PGP – Email Encryption (sending)
• Within Outlook select Tags
• Select Sensitivity drop-down
• Change Normal to Confidential
• Select Close
• Send as normal
• Recipient gets re-directed to RLBUHT portal
• Recipient enters passphrase
• No patient no., DOB or names in header (not encrypted).
PGP – Email Encryption (receiving)
Certificate Error
Initial Setup
Facebook & Twitter
• Facebook is an online (internet) social networking service
• It enables people & groups to chat, share ideas & photographs
• The Trust allows the use of this facility during allocated lunch breaks for personal use
• It does not allow ‘posting’ of Trust related information
• Do not post anything that may bring the Trust into disrepute – Don’t be a Twit, be a careful Tweeter
• Warning - Facebook has a licence to use your content in any way it sees fit.
Blogs
• A blog (a truncation of the expression web log) is a personal website or web page on which an individual records opinions, links to other sites, etc. on a regular basis
• As for Facebook, don’t bring the Trust into disrepute
• And certainly don’t start to record medical information, even if anonymised.
• You will be asked to remove and delete it
Why shouldn’t ‘we’ be using XP?
• Microsoft no longer supports XP since July 8th 2014
• Anti-Virus vendors may stop supporting XP (MSE to July 2015)
• A greater risk of vulnerabilities
• Patch Tuesday fixed latest IE flaw
• Migrate to Windows 7 (or Windows 8)
• But not all processes run on Win7/8 (Risk)
• Residual Risk or Accept
Why are some Sites Blocked?
• Both large and small companies block sites to cut down on security breaches and boost productivity (Facebook etc. now OK)
• To prevent downloading viruses and malicious code
• To prevent unauthorised software
• To prevent breaches of licensing / copyright laws
Why can’t I just download any software?
• Control of Software
• Trust Process
– IT Asset Management Policy - Section 9
– Design Board – meets every 3rd Tuesday of the month
– Project Mandate Form
– Software Request Form
Why do I need an NDA?
• Non-Disclosure Agreement (NDA)
– Is required when dealing with outside contractors dealing with patient, staff or financial Trust data
– Is a legal contract between at least two parties that outlines confidential material, knowledge, or information that the parties wish to share with one another
• Information Sharing Agreement (ISA)
Why do I need an ISA?
• Information Sharing Agreement (ISA)
– Is required when dealing with outside contractors dealing with patient, staff or financial Trust data, when data is shared, copied, moved off site (or viewed by external contractors)
– Is a legal contract between at least two parties
– Data Controller
– Data Processor
What is the IG Toolkit?
• It is a requirement placed on all NHS organisations (or partners)
• The Information Governance Toolkit (IGT) is an online tool that enables organisations to measure their performance against the information governance requirements
• To provide NHS organisations with a means of self-assessing performance against key aspects of information governance
Who are the ICO?
• The Information Commissioner’s Office is the UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals
• And they have the ability to fine the Trust up to £500,000 per incident if a breach is caused
Why do I need a Clear Desk Policy?
• Information needs to be protected (especially outside normal working hours)
• Need to Know principle
• Lock unused documents in desks or lock the whole office
• Lock PCs when not in use
• File documents so that they can easily be referenced or located
• A Tidy Ship is a Happy Ship
What is an IAO/IAA?
• Trust systems that store information (patient, staff or financial) are Information Assets
• If you are a Manager of a Department or a System then it is likely you are an Information Asset Owner (IAO), or if you administer it you are an Information Asset Administrator (IAA)
• As an IAO/IAA you have to manage this asset and any risks associated with it, as defined by Policy
What is DATIX?
• Software for Patient Safety
– A tool to register clinical incidents within the Trust
• Software for IT Risks
– A tool to register IT incidents/risks within the Trust
– Additional access over & above clinical risks for IT
– Project Risks (TB)
Am I being Monitored?
• Data Loss Prevention (DLP) is an automated tool that monitors all outgoing email for patient, staff or financial information (Outlook or Web Mail)
• Websense is an automated tool that monitors all web traffic and blocks certain web sites
• All Clinical Systems have account log-in details & monitor who logs in and when
• Note: Tablets/Laptops & Desktops have tracking
• You have been Warned.
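To show what a DLP rule of the kind described above actually does, here is an added example in Python (mine, not the Trust's DLP product). It looks for the two identifiers the PGP slide tells you to keep out of the header: NHS numbers, validated with the public modulus-11 check digit so that arbitrary 10-digit numbers such as phone numbers are not flagged, and dates of birth. The sample messages are constructed; the regex patterns, the verdict strings and the choice of these two identifiers are my assumptions about how such a rule would be written, not a description of the Trust's configuration.

```python
"""Added example: a small DLP check for patient identifiers in outgoing mail.

Assumptions: the rule looks for NHS numbers and dates of birth only; the
modulus-11 check digit algorithm is the public one used for NHS numbers.
"""
import re

# 10 digits, optionally written as 3-3-4 groups with spaces or hyphens (e.g. "943 476 5919").
NHS_NUMBER_RE = re.compile(r"(?<!\d)(\d{3})[ -]?(\d{3})[ -]?(\d{4})(?!\d)")
# dd/mm/yyyy or dd-mm-yyyy, the usual UK date-of-birth layout.
DOB_RE = re.compile(r"(?<!\d)(\d{2})[/-](\d{2})[/-](\d{4})(?!\d)")


def nhs_number_is_valid(digits):
    """Modulus-11 check: weights 10..2 over the first nine digits, check digit last."""
    if len(digits) != 10 or not digits.isdigit():
        return False
    total = sum(int(d) * w for d, w in zip(digits[:9], range(10, 1, -1)))
    check = 11 - (total % 11)
    if check == 11:
        check = 0
    if check == 10:
        return False  # numbers whose check digit would be 10 are never issued
    return check == int(digits[9])


def scan_for_pid(text):
    """Return a list of (kind, value) findings for the identifiers this rule knows about."""
    findings = []
    for m in NHS_NUMBER_RE.finditer(text):
        digits = "".join(m.groups())
        if nhs_number_is_valid(digits):
            findings.append(("nhs_number", digits))
    for m in DOB_RE.finditer(text):
        day, month, year = (int(g) for g in m.groups())
        if 1 <= day <= 31 and 1 <= month <= 12 and 1900 <= year <= 2100:
            findings.append(("dob", m.group(0)))
    return findings


def dlp_verdict(subject, body):
    """Decide what to do with one outgoing message.

    The subject travels in the header, which the PGP slide notes is never
    encrypted, so identifiers there are blocked outright; identifiers in the
    body mean the message must go out encrypted.
    """
    if scan_for_pid(subject):
        return "block: identifiers in unencrypted header"
    if scan_for_pid(body):
        return "encrypt: identifiers in body"
    return "allow"


if __name__ == "__main__":
    # Constructed sample messages; the NHS number is a valid-format test value, not a real patient.
    samples = [
        ("Clinic letter", "Patient NHS No 943 476 5919, DOB 12/03/1970, for review."),
        ("Re: 943 476 5919", "as discussed"),
        ("Meeting", "Action Fraud line is 0300 123 2040, see you at 10/12."),
    ]
    for subject, body in samples:
        print(repr(subject), "->", dlp_verdict(subject, body))
```

The check-digit validation is what keeps the rule usable: without it every 10-digit string, including most UK phone numbers, would trigger an alert and staff would quickly learn to ignore the tool.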
Programme Managers
• Need to know how IG relates to programmes
• IG Checklist
– Privacy Impact Assessment
– NDA/ISA & Data Flows
– Does it contain PID
– Is it being transferred securely
– Asset Register and Risk Assessments (IAO/IAA)
– Design Board
– Requirements to satisfy IG Toolkit
On Line IG Training - ESR
• Use your Smart Card and sign into ESR
They are Watching
Any Questions?
Questions?