Operations Division
Facility Manager

In-House Data Center
1. The company with an in-house data center is both a data controller and data processor as far as legal obligations are concerned.
2. Physical security of equipment that is not in a place that is manned 24*7 is a significant issue that cannot have a secure solution.   In a few moments, criminals may drive a vehicle through a wall to remove all computers and CCTV equipment with bolt cutters.   Banks in the City of London have seen twenty people in motorcycle clothing at midday, when the office was fully manned, strip a data center of all equipment.   Every bank holiday presents an opportunity for criminals to break in on Friday evening and remove all computers in the knowledge that nobody will notice until the following Tuesday morning.   Physical locks are mandated on equipment and paper storage cabinets, but may be irrelevant to a criminal with bolt cutters, angle grinders and ten-pound hammers.
3. Physical storage media must be encrypted. Files and documents must be password protected. The place where all the passwords are kept must be even more strongly encrypted and even more secure.
4. Encrypted communications must be deployed when moving data from place to place. Data should be centralised where it can be encrypted and controlled. Data should not be stored on local computers.   Data must not be stored on laptops, tablets and mobile devices that will be lost and trigger a reportable data breach.
5. Anti-virus software must be deployed with daily updates. System software and application software must be patched at least once a month on all machines.   Firewall software must be maintained and all services that are not essential disabled.
6. A backup-recovery-restart plan is needed and must be practiced on a regular basis. The amount of time taken to do recovery from backups, then recover from log files before a restart can vary and be dependent on where backup data is stored.   Backup data stored in the data center is at risk of being stolen when all the computers are stolen or when the building is burned down.   Backup data being transported to other places is at even greater risk of theft - most data breaches are from backed up data storage.
7. Fall-back computers with redundancy are needed so the equipment does not have a single point of failure.   Where a piece of equipment fails and a replacement needs to be ordered, a significant loss of business may be suffered for the sake of a switch costing less than ten pounds.
8. Uninterruptible power supplies (UPS) are mandated not only for the in-house computers, but also for the associated network equipment that is critical when power is out.   A diesel generator is not a major investment, but it enables a gallon of fuel to keep the business running for many hours.   The benefit of solar and wind generators to charge a battery pack with an inverter is a minimum expectation.
9. Data loss prevention (DLP) is replication of data to isolated secure storage devices that are placed where they cannot be stolen.
10. Email archive indexing is mandated to find all data that identifies a named person - critical to subject access request preparation.   Mobile data encryption and extraction for SAR reporting become critical.
11. Emails must provide an "unsubscribe" service and evidence of when a person consents must be recorded.
12. Subject access request online service may be cheaper and more effective than a postal service.
13. Privacy and contact-us notices must be communicated with all business associates - an online service may be cost effective.
14. Staff security awareness training is mandated together with the recording of immutable evidence.
15. Monitoring for a potential data breach must take place 24*7 where data has the potential to be stolen or lost.
16. A data breach must be reported to the ICO within a few hours.
17. Evidence of what data has been lost or stolen must be discoverable.
18. By definition, it is just a matter of time before an in-house data center is the subject of a ransomware attack.   Once criminals become aware that a company is vulnerable to ransomware attacks, then many more criminal attacks can be expected.
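Item 6 above describes recovery as restoring the last backup and then recovering from log files before restart, and says the plan must be practised. The Python below is an added example, not code from the original page or from the company it describes: it models that sequence with a full snapshot plus a hash-chained change journal, verifies both before replaying, and refuses to restart from a backup or log that fails its integrity check. Every name in it (`Store`, `take_snapshot`, `recover`, the customer records) is constructed for the illustration.

```python
import copy
import hashlib
import json


def digest(obj):
    """Canonical SHA-256 of a JSON-serialisable object (assumption: all records are JSON)."""
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode("utf-8")).hexdigest()


def replay_entry(state, entry):
    """Apply one journal entry to an in-memory state dictionary."""
    if entry["op"] == "put":
        state[entry["key"]] = copy.deepcopy(entry["value"])
    elif entry["op"] == "delete":
        state.pop(entry["key"], None)
    else:
        raise ValueError(f"unknown journal op {entry['op']!r}")


class Store:
    """Toy record store: every change is written to a hash-chained journal, then applied."""

    def __init__(self):
        self.state = {}
        self.journal = []
        self.seq = 0

    def apply(self, op, key, value=None):
        self.seq += 1
        prev = self.journal[-1]["hash"] if self.journal else "0" * 64
        entry = {"seq": self.seq, "op": op, "key": key, "value": value, "prev": prev}
        entry["hash"] = digest(entry)  # covers seq, op, key, value and the previous hash
        self.journal.append(entry)
        replay_entry(self.state, entry)


def take_snapshot(store):
    """Full backup: the state as of the current journal position, with its own digest."""
    return {"seq": store.seq, "state": copy.deepcopy(store.state), "digest": digest(store.state)}


def recover(snapshot, journal):
    """Restore the snapshot, then replay every journal entry written after it.

    Returns (recovered_state, entries_replayed). Raises ValueError instead of
    restarting when the snapshot or the journal fails its integrity check.
    """
    if digest(snapshot["state"]) != snapshot["digest"]:
        raise ValueError("snapshot digest mismatch: backup is corrupt or tampered")
    state = copy.deepcopy(snapshot["state"])
    replayed = 0
    prev, expected_seq = "0" * 64, 1
    for entry in journal:
        # The chain is checked from the first entry so a gap or edit anywhere is caught.
        if entry["seq"] != expected_seq or entry["prev"] != prev:
            raise ValueError(f"journal chain broken at seq {entry['seq']}")
        body = {k: v for k, v in entry.items() if k != "hash"}
        if digest(body) != entry["hash"]:
            raise ValueError(f"journal entry {entry['seq']} fails its hash check")
        if entry["seq"] > snapshot["seq"]:
            replay_entry(state, entry)
            replayed += 1
        prev, expected_seq = entry["hash"], expected_seq + 1
    if expected_seq <= snapshot["seq"]:
        raise ValueError("journal ends before the snapshot position; wrong journal?")
    return state, replayed


def run_drill():
    """Constructed scenario: two records, a full backup, three more changes, then recovery."""
    store = Store()
    store.apply("put", "cust-001", {"name": "A. Example", "tier": "gold"})
    store.apply("put", "cust-002", {"name": "B. Example", "tier": "silver"})
    snapshot = take_snapshot(store)  # backup taken at journal seq 2
    store.apply("put", "cust-003", {"name": "C. Example", "tier": "gold"})
    store.apply("delete", "cust-002")
    store.apply("put", "cust-001", {"name": "A. Example", "tier": "platinum"})
    live = copy.deepcopy(store.state)  # what the business expects to see after restart
    recovered, replayed = recover(snapshot, store.journal)
    return {"replayed": replayed, "matches_live": recovered == live, "recovered": recovered}


def tampered_journal_is_rejected():
    """Edit one journal value after the fact and confirm recovery refuses to restart."""
    store = Store()
    store.apply("put", "acct-1", {"balance": 100})
    snapshot = take_snapshot(store)
    store.apply("put", "acct-1", {"balance": 90})
    journal = copy.deepcopy(store.journal)
    journal[1]["value"]["balance"] = 9000  # silent edit: the entry hash no longer matches
    try:
        recover(snapshot, journal)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(run_drill())
    print("tampered journal rejected:", tampered_journal_is_rejected())
```

In a real drill the snapshot is read back from the backup media and the journal from wherever the logs are shipped; timing `recover()` end to end against the real copies gives the recovery figure item 6 says depends on where the backup data is stored, and the integrity checks are what make a restart from stolen-and-returned or otherwise untrusted media a decision rather than an accident.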

Luddite:
1. One hundred years ago, factories with coal-fired steam engines would not switch to electric power for the same reason that a company will not switch from an in-house data center to the cloud.   The staff in charge of the steam engine did not want to be retrained as electricians, so the company kept the steam engine long after it was no longer cost effective.   Such companies were not able to compete in the market and withered away. People who are not able to change are not able to have employment.
2. Today, people without a data center are kick-starting disruptive brokerages using cloud computing without any capital investment.   Such companies using smart phones are much more effective and productive than old companies still using twenty-year-old Microsoft technology.   It's cheaper, faster and better to comply with UK laws when all business data is in the cloud and managed by a professional data processor.

Liability:
1. In the event of any legal dispute regarding Personally Identifiable Information:
  (1) the person who is the subject of the data breach is assumed to be innocent unless the company can prove otherwise, and
  (2) the company is assumed to be guilty of a data breach, until the company can prove otherwise.
2. Each company has a duty and legal obligation to capture and retain immutable evidence that adequate data protection measures had been deployed.   Where the company fails to capture adequate evidence then the company is not in compliance with UK laws and is trading illegally.   Fines and compensation to those affected will be ordered and trading may be suspended until adequate data protection is deployed.

Reportable Data Breach:
1. The company has an obligation to report a data breach within 24 hours of any data being lost or stolen.   In the event that a laptop is stolen or lost, the data breach must be reported to the ICO and details of what data was contained on the laptop must be reported.   The company may be the subject of "unjust enrichment" fines if the laptop did not have full disk encryption and password protected files.   A laptop holding emails with attachments that are not encrypted may be a major data breach.
2. The company where staff can download data to a USB flash drive without encryption may be guilty of a data breach if the destination of that data cannot be secured at all times.   Backups that are not encrypted and are taken off-site may be a data breach.
3. Where a person accesses a folder on a central server and deletes a set of files, then that loss of data may be a reportable data breach.   If every file can be recovered from a Data Loss Protection (DLP) server, then no data loss took place and the incident is not reportable.

Communicated Data Leaks:
1. It is no longer acceptable to leak private, confidential or sensitive business information by phone or email.
2. Phishing by phone and email is a major cause of data leaks - most criminal attacks involve some degree of phishing by phone and email.
  (1) Intimidation is a method used to pressure innocent people to disclose information that they should not disclose.
  (2) Impersonation is a method used to make innocent people believe they are somebody else in need of help and assistance.
3. Staff security training must begin by explaining that every phone call is being recorded and every email is copied by agencies in all parts of the world.   Email facts are consolidated and sold to the highest bidder. Personal opinions in phone calls and emails will be used against a person in 20 and 40 years' time.   An innocent opinion in one culture may be classified as treason or blasphemy by another culture at a later time.
4. Every phone call must be assumed to be a phishing attack until the caller can prove otherwise.   Any verbal reply must be limited to an executive and legally authorised standard script.
5. Every email must be assumed to be a phishing attack until the sender can prove otherwise.   Any email reply must be limited to an executive and legally authorised standard message.
6. Phone and email messages must not offend the recipient and only the recipient can define what offends them.   To comment on a person's health is not acceptable. A disabled person with a few months to live does not wish to be asked if they are feeling well.   To comment on a person's gender is not acceptable. A person contemplating a different gender may not wish to receive comments implying gender.   Never comment on religion, politics, referendum, sexual orientation, gender, disability, race, ethnicity, health, age, family, church, monarchy, democracy or anything else.
*. A Self-Service Message Service is provided for all business associates to communicate encrypted information with the company so phone and email will only be used by criminal phishing attacks.   A Business Message Service is provided to communicate encrypted information with all business associates so data leaks by phone or email can be eliminated.

Duty of Care:
1. The company has a duty of care to protect its staff from criminal threats.   A threat is that staff must get the criminal some business data or something bad will happen to their family.   A threat is that a physical attack by a criminal gang to steal server and local computers will put staff at risk.   A threat is that staff at home with their laptop will be physically attacked by a criminal who wants the laptop and can sell the data to competitors.   A threat is that staff travelling with the mobile containing emails and attachments will be physically attacked by a criminal who can resell the phone and its data.
2. The ASP eliminated the job title of "system administrator" when it became known that system administrators were being attacked because it was implied that they could steal a copy of all business data.   At the same time, security measures were put in place to ensure that all business data was encrypted so any business data that was stolen is meaningless and worthless.
3. The ASP eliminated all off-site backup procedures because it became known that criminals were attacking off-site data storage locations.   Some of the most spectacular data breaches in the world have been attacks on email backup stores with no encryption, with no replication and negligible physical security - like somebody's home.
4. The ASP provides complete online bespoke application services that have eliminated the need to store any business data on a laptop, tablet or smart phone.   All portable equipment is a commodity to be replaced from time to time without any installed software and without any stored business data.   The business message service provides an encrypted email service that is safe to use with any laptop, tablet or smart phone.
5. All business messages are directed to a job title and not to a personal private inbox. A team of people provide cover for each job title 24*7 so nothing is lost or overlooked.   A customer who authors a business message to "sales@domain.co.uk" will get a reply within the hour because at least one sales person is on duty 24*7.   The company has a duty to permit its staff to have scheduled holidays and unscheduled sickness, and to provide business continuity with messages being responded to as if everybody worked 24*7.
6. The company has a duty of care to protect its staff names from LinkedIn so people who choose to work for many companies at the same time may do so.   Staff names are Personally Identifiable Information (PII) and by law, PII must not be disclosed without prior written agreement of who it can be disclosed to.   An internal telephone list is no longer a legal way to disclose PII and can be avoided by using job titles. Members of Parliament (MPs) have learnt that names of people can be replaced with names of places.

Document Control:
1. Document Title: In-House Data Center.
2. Reference: 164705.
3. Keywords: In-House Data Center.
4. Description: how to protect an In-House Data Center.
5. Privacy: Public education service as a benefit to humanity.
6. Issued: 11 Dec 2017.
7. Edition: 1.1.