
Monday, 22 September 2014

E-Mail and security

Email is a staple of modern living; it would be very difficult to get things done without it. We have all been shocked when email suddenly becomes unavailable because of some technical or mechanical failure. This communication medium, however, is not secure; I liken sending email to writing the text on a Post-it note and sticking it on the street door, where anyone who cares to read it can do so.

Perhaps we should all encrypt our email? This would bring the internet to its knees, as the additional data would cripple the system.

Perhaps we should send our attachments as encrypted documents? This is better, but it relies on the recipient having a way to decrypt them. Sadly, I have seen encrypted attachments accompanied by the key in the body of the same email, rendering the encryption totally useless.

Perhaps we shouldn't send anything sensitive by email at all? This is the safest option but in practice totally unworkable.

We use a system which has proved successful:

We encrypt the attachment using BitLocker or similar, rather than relying on straight password protection: a password on a protected document is very easy to strip off. Encryption with AES-256 (Advanced Encryption Standard) renders the attachment pretty secure. I say pretty secure because nothing is 100% secure, but the number of possible keys, 2^256 or roughly 1.1 × 10^77, is truly enormous.

We send the encrypted attachment by email and then send an SMS message to the recipient with the decryption key. Using this method the attachment cannot readily be opened without the key, and the key is useless without the encrypted file.
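As an added illustration of this split-channel approach (example code written for this page, not the firm's own tooling and not BitLocker), the sender generates a random 256-bit key, seals the attachment with AES-256-GCM from Go's standard library, emails the sealed file, and texts the encoded key. The sample attachment text is constructed for the example, and the choice of GCM is an assumption: it is used here because a wrong key or a modified file fails authentication and is rejected, rather than silently decrypting to garbage.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
)

// NewKey returns a fresh random 256-bit key: the 2^256 key space the
// post refers to, which no human-chosen password comes close to.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// EncodeKeyForSMS renders the key as 43 URL-safe characters, short
// enough for a single text message (the out-of-band channel).
func EncodeKeyForSMS(key []byte) string {
	return base64.RawURLEncoding.EncodeToString(key)
}

// DecodeKeyFromSMS reverses EncodeKeyForSMS and rejects anything that
// does not decode to exactly 256 bits.
func DecodeKeyFromSMS(text string) ([]byte, error) {
	key, err := base64.RawURLEncoding.DecodeString(text)
	if err != nil {
		return nil, err
	}
	if len(key) != 32 {
		return nil, errors.New("decoded key is not 256 bits")
	}
	return key, nil
}

// EncryptAttachment seals the attachment with AES-256-GCM. The blob is
// nonce || ciphertext || authentication tag, ready to be emailed as a file.
func EncryptAttachment(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext and tag to the nonce passed as dst.
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// DecryptAttachment opens a blob from EncryptAttachment. A wrong key or
// any change to the blob fails the tag check and returns an error.
func DecryptAttachment(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short to contain a nonce")
	}
	nonce, ciphertext := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ciphertext, nil)
}

func main() {
	// Constructed sample attachment standing in for a real document.
	attachment := []byte("Invoice 0001: constructed sample content")
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	blob, err := EncryptAttachment(key, attachment)
	if err != nil {
		panic(err)
	}
	// Channel 1 (email) carries blob; channel 2 (SMS) carries only sms.
	sms := EncodeKeyForSMS(key)
	fmt.Printf("email attachment: %d bytes of ciphertext\n", len(blob))
	fmt.Printf("sms to recipient: %s\n", sms)

	// Recipient side: key from the phone, file from the inbox.
	recvKey, err := DecodeKeyFromSMS(sms)
	if err != nil {
		panic(err)
	}
	plain, err := DecryptAttachment(recvKey, blob)
	if err != nil {
		panic(err)
	}
	fmt.Printf("recovered: %s\n", plain)

	// Whoever holds only the emailed file gets nothing without the key.
	wrongKey, _ := NewKey()
	if _, err := DecryptAttachment(wrongKey, blob); err != nil {
		fmt.Println("wrong key rejected:", err)
	}
}
```

The point the two channels make in code: an intercepted email yields only the sealed blob, an intercepted text yields only 43 characters, and neither is useful alone. Note that the key must be sent from a different system than the email, and never pasted into the message body, which is exactly the failure described above.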

Clearly, anything that is classified should not be sent over the internet at all; it belongs on a secure channel, and should be encrypted even then.

The most effective way to pass highly sensitive information is by hand only, with receipt signed for by authorised persons only.

Monday, 8 September 2014

ISO27001 and the Data Protection Act

We are all aware of the importance of taking computer backups on a regular basis to allow for the recovery of data in case of computer failure or corruption.

The ICO (Information Commissioner's Office) recently levied a huge fine of £180K on the Ministry of Justice for loss of data.

The fine was for the loss of an unencrypted hard drive used for backing up data at one of HM Prisons. This was a repeated offence: the ICO had been advised in 2011 that an unencrypted hard drive containing the sensitive data of some 16,000 prisoners and vulnerable members of the public, including victims, had been lost. To prevent a recurrence, the Ministry issued hard drives for backup use that contained encryption software to protect the data stored on them.

In 2013 another hard drive containing sensitive prisoner data was lost. Unfortunately the prison concerned had not activated the encryption, so the data was saved in an unencrypted format; this continued for a whole year. It seems the encryption was not activated by default. When the disk was lost, the data was once again freely available. This was the reason the ICO levied such a large fine.

The ICO said that government departments should be an example of best practice in handling sensitive information.  Sadly this was not the case.

The Ministry of Justice is now taking steps to train users and ensure that all hard drives used for computer backup are fully encrypted.

It is clear that organisations should ensure that those tasked with the protection of data have sufficient knowledge and skills to apply appropriate levels of protection, so that no data is lost or compromised.

© 2015 Quality Matters Ltd. All rights reserved.