Where is Your Data?

Have you paused to consider where your data is at any given time in your organisation?

All but the smallest of organisations is likely to have notes, CVs, financial records, personnel records, legal documents and the like, and that is just the material in paper form. Throw in electronic records and you add emails, working documents, client deliverables such as code or documentation, even firewall logs or IT documentation and records.

Now that you have a picture in your head of what exactly might be out there, do you know where it actually is? Any organisation that operates in more than one country, and, with the advent of the cloud, any small organisation that uses third parties for any of its traditionally in-house capabilities, is very likely to find its data in different countries. While this may come as no surprise to some, for many this is likely to come as a shock once they have carried out even a rudimentary analysis.

The problem, I feel, is the pervasiveness of technology and the resulting ability of the modern business to operate without boundaries. By this I mean that when, for instance, someone looks at, alters, reviews or saves data of any kind, more often than not they have no idea where that data resides. Is it in the server room across the hall, a colocation facility across town or on another continent? Even when the various professions in an organisation (Human Resources, Legal etc.) are aware of the relevant compliance and regulatory requirements, the issue is not even considered, because the location of the storage devices themselves is invisible to them.

For instance, a hiring department in one country may take the personal details of a new hire, such as name, address and bank account, and upload them in an Excel file to a file server or a SharePoint site for the Finance department to set up in payroll. The server this data resides on may be in a second country, while the person who updates the financial systems resides in a third. In many cases this may not be acceptable under the local data protection laws governing the storage of, and access to, a given country's resident data. This is more often the case when one country has significantly stronger (or better) privacy laws than another.

The solution to this is twofold, one part legal and one part common sense:

Legally, agreements can be put in place; these can include well-known standards adopted between reciprocal countries. Perhaps the best known is the Safe Harbor Privacy Principles, a set of seven principles that allow for the streamlined compliance of US companies with the EU Directive 95/46/EC, developed by the US Department of Commerce in consultation with the EC. Concerns have been raised about the efficacy of this approach, but it remains a common and well-known one nonetheless.

Another legal approach, and one that appears to have been more commonly adopted in recent years, is that of Binding Corporate Rules. Developed by the European Union Article 29 Working Party, it is wider in scope than Safe Harbor, as it applies to any country that may want to exchange or store data from an EU country. Both of these examples (and the other alternatives) require a lot of work to adopt effectively, the latter especially, and should not be entered into lightly. More often than not, third parties or consultants will need to be employed to bring the very specialist skills required.

The second solution, and one that in reality should be taken in conjunction with the legal approach, is awareness. This means awareness on the part of the organisation as to where its information and data is stored, and also awareness among the individuals who are managing and posting this data to the various locations required. IT moves faster than ever, and the location of your data store may well move with it. These individual teams will need to engage with IT and the CIO, become firm stakeholders during any kind of IT infrastructure upgrade, and bring their specialist knowledge to the table. And the company will, of course, need to commission an international data location map!

The alternative, unfortunately, is a knock on the door from the Data Commissioner's Office (or its equivalent outside of the UK), a potentially heavy fine and the associated embarrassing media frenzy. That is going to cost significantly more money than that cheap hosting deal in India.


An Anatomy of a Risk Assessment at BSidesLondon (Updated)

(Updated) The lovely people at @twistandshoutUK and @j4vv4d have very kindly sent me the recording of my presentation. I have inserted it below, just above the slideshow so you can follow along and pause the slideshow in time with the presentation!

Here are the slides from my presentation at today's BSidesLondon. I will add the video of the presentation in a few days once I get a copy from the organisers and process it.

As always, comments are welcome; let me know if you loved it, hated it or were even perplexed by it. Every comment is a valuable piece of learning for me!

You can also find a downloadable version of the presentation directly here.


An Anatomy of a Risk Assessment

The video below is my presentation to the RANT forum in London on "An Anatomy of a Risk Assessment". In it I give a personal view on the mechanics underlying a risk assessment or audit. It is not a highly technical approach, and is not meant to be; for that purpose there are plenty of books and guidance available elsewhere. Instead I take a more human approach to how to get the most out of an assessment, from both sides of the table. The slides are available at the link below, in Keynote, PDF and PowerPoint format, or can just be viewed through your browser. The presenter notes are there and are my original presentation ideas, and so therefore may not accurately reflect the presentation on the night!

http://bit.ly/wF3pKe

Technically, this was my first ever public speaking engagement of any note (I did a two-minute session at the November RANT), and so I am scrutinising my performance closely to ensure I can improve upon this presentation for reuse at other venues. If you attended, or indeed if you care to review the video below, I would welcome your feedback. I must say though, having watched it a number of times now, I am painfully aware of my annoying personal tics, mannerisms and expressions of speech! Still, it was an immensely enjoyable experience and one I am looking forward to repeating at some point in the next twelve months.

The book I make reference to at 16:00 is The Leaders Workbook by Kai Roer (http://amzn.to/xm3dy2), an inspirational book, but only if you use it properly!