GDPR: Third parties and training

legislation-3231548_640As GDPR approaches I thought I would share some thoughts.   Now I must admit to not being a GDPR expect, instead the below represents my thoughts taken from the perspective of managing the prevailing risks around GDPR.

Two issues which currently occupy my thinking in relation to GDPR are managing the use of third parties which either supply software which is used in school or which provide a service where they store school data outside of the school.    Another issue which is currently at the front of my mind is the issue of awareness training and how we ensure staff are suitably informed and aware of GDPR, its implications and particularly what it means for them.

Third Party solutions

Schools may make use of third party software within the school, some of which is locally hosted and stored in the school and some are cloud hosted.

Locally hosted

Locally hosted solutions might include the school management system.    In these cases, we are relying on the third-party vendor ensuring that the software they have created has adequate security measures in place to protect any data held within it.    From a GDPR point of view schools need to show their efforts to comply and in this case, I would suggest the easiest way is to ask third party software vendors to provide details of how they have ensured the security of their product either through their policies or through independent reviews such as audits, vulnerability or penetrations testing.    Although the school is responsible for the security of the infrastructure on which the solution resides, it is the vendors responsibility to ensure the security of the platform itself, independent of where it is hosted.

Cloud hosted

Where cloud hosting is used we have the same issues as for local hosting, in that the vendor must have ensured the security of the platform, however we have the added issue of the vendor supplying the hosting and the infrastructure on which the platforms sits.  My first port of call in examining third parties is their policy documents looking specifically at any GDPR, Data protection, privacy, data privacy or information security policies they may have.    In the best cases this will address issues around security of data, sharing of data, deletion and retention of data.      In my experience, most vendors will quote the security compliance of their hosting service somewhere in their documentation or in response to questions on security.   This usually addresses physical security concerns in that the larger data centres must have tight security to comply with the relevant standards.   This still leaves a requirement to ask questions around business continuity and disaster recovery, in what processes the vendor has in place in the event of a serious incident.    It also leaves questions around ensuring the security of the network on which the service is hosted.   Like with local hosting we can address this by asking questions around any penetration testing or external auditing which has been conducted.

Breach, security incident or vulnerability notification processes are also an important thing to look for across both local and cloud hosted solutions.   If a service is handling student data it is important to know that they have a process in place for notifying service users if an incident occurs or if a vulnerability is identified plus that they have a clear timeline and method of notifying users.

Awareness Training

I think a key aspect of GDPR is making sure the overall school community is aware of the new legislation and what it means for them.   As such training is a key feature of preparations.    I know many companies and individuals are offering training ahead of the introduction of GDPR however I think it is important to establish the purpose of training.   If the purpose is simply compliance then an annual presentation to all staff will suffice as it will provide that all staff have received training.  The issue here is that staff in schools are very busy and therefore the content presented to them is unlikely to stick.   Equally an online resource in my opinion has the same limitation.   The staff will complete the materials however little will stick.    For me the key is a multi-honed approach using various delivery methods including whole school sessions, sessions where discussions and materials are disseminated to department level, broadcast communications such as email campaigns and online training materials.    An awareness of GDPR and more importantly an awareness of the risks associated with processing data needs to form part of the culture, “the way we do things around here”.

Conclusions

GDPR is now fast approaching and the above are just two issues out of a myriad of issues.   Not mentioned above are the implications around developing appropriate privacy notices, the issue of establishing data retention plans, dealing with subject access requests or requests for limitation of processing, handling requests to be forgotten, handling services where data is stored outside the EU and the issue of identifying the legitimate reason or justification for possessing.   The GDPR rules are complex to implement and my advice on this continues to be to take a risk based approach.   For me, currently, the two items above in third parties and awareness training, represent to of the big risks.

 

 

 

Advertisements

Home network security and digital literacy?

Our home networks have been ever growing.   Originally it was just having a basic network for a PC at home, which at the time was usually just a desktop connected to a dial up connection.    Now however, we have a host of devices, games consoles, personal devices and home appliances all on our home network, all adding to the complexity and therefore the security risk of our home networks.

Following on from our basic dial up connection our home network started to grow, first with the addition of Wi-Fi capability to allow internet access for laptops and also mobile phones.   Next, with the introduction of broadband and fibre, our children might have introduced a gaming system such as a PlayStation or Xbox into the house again linked to the network and the internet.   Next we start introducing networked and then Wi-Fi enabled printers before moving on to add home helper devices such as the Amazon Echo or Google Home.   We might even have added Internet of Things devices to our home network such as remote managed heating and lighting, or an internet enabled fridge freezer or kettle.    Internet enabled, and therefore network connected, surveillance may have been added in the form of a home security system or possibly a baby monitoring system.   The list of network connected home devices continues to grow and with that the complexity of our home networks.   They are now at a point where the complexity of a home network may equal or even exceed that of a small business network.

The issue here is security.      When we pick up our laptop to go on the internet to access our personal banking we assume it is safe to do so due to the various safety features on our laptop and on our Wi-Fi router.     We think about our security largely in terms of separate devices however our network security is largely based on the sum of all devices connected to the network.      Therefore, the more devices we have connected, the more complex the network becomes and the weaker the network security becomes.

Our network security is largely based on the security of the weakest devices.  So have we taken time when connecting a new device to review the available security options and to change the default passwords?    Actually, have we considered security when purchasing the device in the first place?    And in the longer term do we revisit the device and perform updates to ensure that the software on the device is such that any identified vulnerabilities have been addressed?

We talk about digital literacy and how we want our students to be literate in the use of technology however the security aspect of our home networks if largely overlooked.     The question is can you truly be digitally literate if you are using your home network without considering security?   Can you be digitally literate if you happily add additional devices to your home network without concern for the security implications?     Another question is where do we cover these issues in our teaching of digital literacy within schools?

Free (or not!) Wi-Fi

lockWhen out and about we consider Wi-Fi to be an essential and as a result of this businesses are seeking to meet the need.    Cafes, hotels, shops and shopping centres, as well as conference venues to name but a few are now generally providing free Wi-Fi.       It’s not a difficult process for them; pay a service provider and buy a few wireless access points and you are up and running, and the general public will connect and use without a thought.

And herein lies the issue as I became aware during a recent visit to a hotel.    During the visit I was provided with a Wi-Fi key in my hotel room so I could access the free Wi-Fi however for some reason something did not quite feel right.   After a few minutes of basic checking I found that the routers management console was accessible via the Wi-Fi connection as opposed to requiring a wired connection.   A rather basic security precaution had not been taken in disabling Wi-Fi access to the console however the worst part was yet to come.    It turned out that the default username and password for the router was still enabled and as such anyone could gain access and reconfigure the router and Wi-Fi network to meet their needs.  For me this represents a grave and serious lapse in the security setup.     Although it had been easy for the hotel to set up its free Wi-Fi provision, they had failed to set it up securely, in a way which I would have considered to have been “properly” set up.

The above highlights the risks associated with free Wi-Fi.    Someone could easily setup a man in the middle attack using the lax security of this Wi-Fi network.   People would then access and use the Wi-Fi unaware of the fact that a threat actor was gathering or monitoring their data.     Truly nothing is free in this world, and in this case the free Wi-Fi may be free of cost but it certainly isn’t free of risk.     And in this risk there may be a future financial cost in fraud or identify theft based on the data harvested.

I do not think this one hotel is unique in its poor Wi-Fi network security.   I suspect that among the many establishments offering free Wi-Fi there will be many where the security is equally poor and that this will be especially common among smaller organisations where an IT department is likely to either be limited or not to exist.

As end users it is our responsibility to look after our own data security when out and about.   We cannot assume that others such as the providers of free Wi-Fi are doing this for us, especially where there is no is financial contribution paid to them towards the costs associated with doing so.    And for those providing free Wi-Fi I would ask that they engage a suitable professional in order to ensure their setup is at least provided with the basic security precautions.   If you aren’t willing to do this then you shouldn’t provide the service!

I also think there is an educational aspect to all this;  Are we adequately discussing the risks and required precautions with the students in our schools.   I would suggest we need to do so with some urgency.