Don t just write security policies! Its time to change your security culture!

Transcription

1 Don t just write security policies! Its time to change your security culture! Introducing a FREE training package for Public Bodies. Most of the costly, serious and well publicised data breaches of the last few years were not down to a lack of security policy, but to a failure to implement that policy. It is now clear that unless your policy is built into systems, processes and people (i.e. your culture) then it will not protect your business. The only way to change culture is through appropriate, cost-effective training at all levels of your organisation. I want to introduce a free package that is now available to help you get started. The added benefit is that good, cost-effective services depend on high quality, well protected data, that is always available when needed. Poorly handled data is a massive waste of resources and a massive overhead for a large organisation. Even FOI requests are cheaper to handle if your data is well organised and always at hand. Good data-handling is good business. To support the Government s new mandatory Data Handling Guidelines the Cabinet Office and the National School of Government (NSG) have produced two computer based training (CBT) packages called Protecting Information. Level 1 is for all staff that handle personal information. Level 2 is for those who manage staff, i.e. line managers and above. At the end of each package is a short assessment, the result of which is used as indication of basic understanding. Each package takes about 75 minutes to complete. All relevant Central Government staff have now completed these packages. These training packages are now available for free to Public Bodies. Staff can work through the package and take the test at work or at home. The results of the short test will then be stored, free of charge on their database. It should be stressed that this training is of huge benefit to staff in their personal and home lives, where privacy and identity theft are on everyone s minds.

2 For a long time, good quality CBT training has been out of the reach of many organisations but this package is free. I have included a few screenshots below. To get your hands on them then just register at the website below. People often do not know what their responsibilities are, or what they should do to protect the personal data that they use every day to provide their service. These courses tell them in plain and easily understood manner. You can see that this training is not about computers, it is also about awareness and behaviour of your staff. It tries to explain what personal data is, why it is important and why it needs protecting, not just by the ICT department but by anyone that handles it as they carry out their job. Your staff will learn to avoid the pitfalls of handling personal information. Having said this it is a fact of life that bad things will still happen. But the number of these incidents will reduce, and their impact on your service will be reduced because your staff will know how to identify and report them in their everyday work.

3 Finally, the assessment is not about computers either. It is about real life. Think about the question below. So where can you get at these excellent, free, training packages? Just take a look at the NSG website at the address below. (I have included a screenshot).

4 Government strategy is becoming clearer and many free resources are now available. The LGA and WLGA have worked closely with the Society of Information Technology Management (Socitm) and with central and local government, to prepare new guidance to councils on data handling. The above training packages should be seen as a part of an overall organisational strategy for data handling based upon the simple LGA Data Handling Guidelines. The Local Government Data Handling Guidelines highlight recognised best practice in secure data handling, and provide local authorities with a vital aid in discharging their responsibilities and accountability for secure and effective handling of personal information. The publication sets the standard for local government moving forward. The guidelines provide a key checklist of actions that set out the fundamental steps that every council should take to mitigate against the ever present risk that personal information is lost or that data protection systems fail. They provide chief executives, senior managers and elected members with a vital tool for the secure handling of personal information. You can get a copy of the LGA Data Handling Guidelines from It s all free.

5 Richard Roscoe is the Data Protection and Information Security Officer for Sefton Council and Deputy Chair of the NWeGG Information Security and Assurance Group (ISAG). Information Security Workshop One of the central government responses to data breaches is to align its security activity with ISO27001 more fully and reframe its Security Policy. Our new course will look at what that means in practice and how it affects the wider public sector, introducing the Seven Principles of the HMG SPF and aligning them with current information security, assurance and governance trends and requirements This revised workshop is facilitated by legal and information security expert (Andrea Simmons) and is designed to cut through the jargon and media hype. It will give delegates the knowledge to write their own action plan for bringing information security into their organisation. The legal and regulatory regime will be discussed as well as the practical options to prevent loss, damage and destruction of confidential/personal information. Details: