Step 9 Data Breach Reporting

It may seem strange that today’s blog is step 9 in preparing for GDPR.

David Parish – Information Security Consultant

Reporting data breaches to the UK supervisory authority, the Information Commissioner's Office (ICO), is not new: the ICO already expects serious breaches to be reported under the existing data protection regime, and the GDPR makes notification of a personal data breach mandatory, within 72 hours of becoming aware of it where feasible.

Equifax data breach, notified September 2017.

This was one of the largest data breaches of recent times and raised concerns across the globe. The key issue it illustrates, the delay between discovering a breach and disclosing it, is exactly what the new notification rules are designed to address.

Equifax says it holds the personal details of 44 million UK citizens, but many British victims will be unaware that their details have been stolen, as they are not direct Equifax customers.

Equifax admitted that hackers had accessed the personal data of approximately 143 million US consumers, stolen between mid-May and July 2017 through a vulnerability in its website.

However, the breach was not made public until September, roughly six weeks after Equifax discovered it.

Security Events / Incidents

A Security Event is an occurrence, expected or unexpected, that does not (yet) impact the confidentiality, integrity or availability (CIA) of information or physical assets. Events should still be reported, because they can escalate into a Security Incident.

A Security Incident is an event, or a series of events, that does impact the CIA of information or physical assets. The key difference is that a Security Incident is actively managed: risk treatment processes are applied to contain the threat and reduce its impact on the business.

There are four broad categories of Security Events / Incidents. Examples from these categories include:

    1. Non-compliance with a policy or procedure, uncontrolled system changes, access violations, breaches of physical security.

    2. Insider threat, attempted hacking, extraction of sensitive material from systems.

    3. Control failures, such as firewall patching not completed or access to buildings not controlled effectively.

A computer security incident is an event that adversely affects the processing of information on computer systems. This can include:

Physical security incidents can include:

Efficient reporting and management of security events reduces harm: an event can be treated before it escalates into an Incident that affects the wider business and, in many cases, incidents can be prevented from occurring at all.

Reporting Security Incidents

There will undoubtedly be occurrences where the confidentiality, integrity or availability of data is compromised. Technical controls help reduce the risk, but some compromises will be caused by, and more importantly identified by, colleagues, staff or other non-technical means.

It is therefore essential that all staff know how, when and to whom a potential data breach must be reported. The earlier an incident or potential incident is reported, the sooner contingency and risk mitigation plans can be put into effect, preventing further damage to the business.

IT Incident Reporting

IT Management, along with the outsourced IT team, will assess the service impact and decide the priority of the call, taking into account how many users are affected and the business impact involved.

Physical Security Incidents

These will be reported, in accordance with existing processes, to the Accountable and Responsible person: in essence the office manager or senior partner in regional offices, and the relevant department head within the management team at head office. The responsible and accountable persons are shown below.

by David Parish, Information Security Consultant – IBITGQ Certified ISO 27001 and GDPR Implementation Specialist, MSc Security and Risk Management

About GDPR Academy

GDPR Academy is dedicated to GDPR and Cyber Security. These go hand-in-hand, so you are kept up to date, day by day, on the latest developments, white papers, laws and timings.
