GDPR - Part 2
A Technical Perspective

Part two: Preventing Breaches, Access Control and Network Security

Types of security to consider

When evaluating your organisation's cyber security, look at every part of your IT estate, not just the obvious servers and PCs. A good way of making sure nothing is missed is to map each person's role and how they interact with your network, your customers and your data.

I’ll use ‘Company A’ from my previous post:

‘Company A’ has three departments: Sales, Accounts and Warehouse. All three access the customer data in some form. The Data Protection Officer starts by reviewing each role and how it accesses and uses the various parts of the IT infrastructure and data:

PCs
  Sales: Each staff member has their own PC with a password-protected profile.
  Accounts: Each staff member has their own PC with a password-protected profile.
  Warehouse: Each staff member has their own PC with a password-protected profile.
  Considerations: Implement a password policy; see the Passwords section below for what it should require.

Printer
  Sales: Staff members do not print personal data.
  Accounts: Only staff members within this department have access to this printer, and confidential waste is destroyed securely.
  Warehouse: Only staff members within this department have access to this printer, and confidential waste is destroyed securely.

Telephone
  All departments: Wi-Fi is shared throughout the building and is also shared with guests.
  Considerations: Create a separate guest Wi-Fi network on its own subnet. This isolates guests from the company network while still giving them internet access.

Network
  All departments: Use the same 192.168.1.x network.
  Considerations: Provide a separate subnet for the Accounts department, which isolates the data it holds from the rest of the company.

Shared Drive / NAS
  Sales: No shared drive.
  Accounts: Staff have access to a password-protected NAS.
  Warehouse: No shared drive.

Bring Your Own Device (BYOD)
  All departments: Staff have access to their emails on their smartphones, and connect to the Wi-Fi when in the office.
  Considerations: Ensure anti-virus software is installed on every device. See Note 1 below for additional advice.

Removable Media
  Sales: Staff in this department use USB drives to transfer large sales datasets.
  Accounts: No removable media used.
  Warehouse: No removable media used.
  Considerations: Scan removable media regularly and avoid connecting third-party devices. Where a department has no need for removable media, block USB storage by policy rather than relying on staff to remember.

Server Access (via terminal or PC)
  All departments: No access.

Server Access (physical)
  Location: The server is kept in one of the departments' working areas, not in a dedicated secure room.
  Considerations: Consider securing the server in a locked room or cabinet.

Note 1. – It is advised that you have a BYOD policy in your Employee Handbook. This is to ensure each individual understands their responsibilities if they choose to use their own device. Also consider the Data Protection/GDPR implications where remote monitoring software is used (such as cloud-based anti-virus which allows you to scan, and in some cases wipe, a device that is also the employee's personal property).
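The two network considerations above (a guest network that reaches only the internet, and an Accounts subnet nobody else can reach) come down to a handful of inter-subnet firewall rules. The following is an added example, not code from the original article, that models that policy so it can be checked against concrete addresses and prints the equivalent nftables forward chain. The 192.168.1.0/24 range is the one the article describes; the Accounts subnet (192.168.2.0/24), the guest subnet (192.168.100.0/24) and the NAS address (192.168.2.10) are assumptions for the example.

```python
import ipaddress

# Subnet plan for Company A. The shared 192.168.1.0/24 range is the one the article
# describes; the Accounts and guest ranges and the NAS address are assumptions.
SUBNETS = {
    "main": ipaddress.ip_network("192.168.1.0/24"),       # Sales and Warehouse
    "accounts": ipaddress.ip_network("192.168.2.0/24"),   # assumed new Accounts subnet
    "guest": ipaddress.ip_network("192.168.100.0/24"),    # assumed guest Wi-Fi subnet
}
NAS = "192.168.2.10"  # assumed address of the Accounts NAS, placed inside the Accounts subnet
PRIVATE = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def zone(ip):
    """Map an address to the zone the firewall policy reasons about."""
    addr = ipaddress.ip_address(ip)
    for name, net in SUBNETS.items():
        if addr in net:
            return name
    return "internal" if any(addr in p for p in PRIVATE) else "internet"


# Policy rules, evaluated top to bottom; the first match wins.
# Each entry is (source zone, destination zone, verdict); "*" matches any zone.
POLICY = [
    ("guest", "internet", "ALLOW"),   # guests get internet only
    ("guest", "*", "DENY"),           # ... and nothing on any internal range
    ("accounts", "*", "ALLOW"),       # Accounts may reach the rest of the company
    ("*", "accounts", "DENY"),        # nothing outside Accounts may reach its subnet or NAS
    ("*", "*", "ALLOW"),              # Sales/Warehouse traffic is otherwise unchanged
]


def decide(src_ip, dst_ip):
    """Return the verdict for a new connection routed from src_ip to dst_ip."""
    src, dst = zone(src_ip), zone(dst_ip)
    for rule_src, rule_dst, verdict in POLICY:
        if rule_src in ("*", src) and rule_dst in ("*", dst):
            return verdict
    return "DENY"


def nftables_ruleset():
    """The same policy as an nftables forward chain (replies are allowed by conntrack)."""
    guest, accounts = SUBNETS["guest"], SUBNETS["accounts"]
    private = ", ".join(str(p) for p in PRIVATE)
    return "\n".join([
        "table inet filter {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy accept;",
        "    ct state established,related accept",
        f"    ip saddr {guest} ip daddr {{ {private} }} drop",
        f"    ip saddr != {accounts} ip daddr {accounts} drop",
        "  }",
        "}",
    ])


if __name__ == "__main__":
    checks = [
        ("192.168.100.5", "8.8.8.8"),        # guest -> internet
        ("192.168.100.5", "192.168.1.20"),   # guest -> Sales PC
        ("192.168.1.20", NAS),               # Sales PC -> Accounts NAS
        ("192.168.2.15", NAS),               # Accounts PC -> Accounts NAS
    ]
    for src, dst in checks:
        print(f"{src:>15} -> {dst:<15} {decide(src, dst)}")
    print(nftables_ruleset())
```

Two points the model makes visible: traffic between two hosts on the same subnet never crosses the router, so the NAS only gains protection if it is moved into the Accounts subnet; and the guest rule blocks every private range, not just the ones you know about today, so a subnet added later is isolated from guests by default.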

Passwords

One of the main security vulnerabilities within any network is human error, and the most common form of it is poor password practice. Many people use the same password for multiple services, or build passwords from personal details that can be found on social media.

One suggestion, and the one the UK's NCSC recommends, is to use three or four random words strung together, e.g. christmasdoorfrog. The words need to be genuinely random (picked from a list, not chosen because they are memorable to you), and the phrase must be unique to each service; a password manager is what makes that practical across dozens of logins.

Change passwords whenever you have reason to think they are compromised, for example after a breach notification or a phishing incident, rather than on a fixed schedule. Forced periodic expiry is no longer recommended by the NCSC or by NIST (SP 800-63B), because it pushes people into predictable variations of the same password. Screening new passwords against lists of known-breached passwords, and enabling multi-factor authentication wherever it is offered, give far more protection than routine changes.
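To make the passphrase advice concrete, the following is an added example (not code from the original article) that generates three-word passphrases with a cryptographic random source, shows how much guessing entropy they carry, and checks candidates against a breached-password list using the same hash-prefix scheme as the Have I Been Pwned range API, so that the full hash never leaves the machine. The short wordlist and the set of breached passwords are constructed for the example; a real deployment would use a large published wordlist and the live breach corpus.

```python
import hashlib
import math
import secrets

# Constructed wordlist, kept short so the example is self-contained. A real generator
# must draw from a large published list (the EFF long wordlist has 7,776 entries).
WORDLIST = [
    "christmas", "door", "frog", "lantern", "pebble", "orbit", "velvet", "cactus",
    "harbour", "meadow", "tungsten", "saddle", "glacier", "pumpkin", "ribbon", "walnut",
]


def make_passphrase(word_count=3, words=WORDLIST, separator=""):
    """Join word_count words chosen with a CSPRNG; random.choice() is not suitable here."""
    return separator.join(secrets.choice(words) for _ in range(word_count))


def entropy_bits(word_count, list_size):
    """Guessing entropy of word_count words drawn uniformly from a list_size-word list."""
    return word_count * math.log2(list_size)


# Constructed stand-in for a breached-password corpus, indexed the way the Have I Been
# Pwned 'range' API is: by the first five hex characters of the SHA-1 hash. With the
# real service only that prefix leaves your network (k-anonymity); the comparison
# against the returned suffixes happens locally, exactly as in is_breached() below.
_KNOWN_BREACHED = {"password", "Password1", "letmein", "qwerty123", "welcome1"}
_SUFFIXES_BY_PREFIX = {}
for _pw in _KNOWN_BREACHED:
    _digest = hashlib.sha1(_pw.encode("utf-8")).hexdigest().upper()
    _SUFFIXES_BY_PREFIX.setdefault(_digest[:5], set()).add(_digest[5:])


def range_lookup(prefix):
    """Known-breached SHA-1 suffixes for a five-character prefix (local stand-in)."""
    return _SUFFIXES_BY_PREFIX.get(prefix, set())


def is_breached(password):
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[5:] in range_lookup(digest[:5])


def check_policy(password, min_length=12):
    """Reasons a candidate password is rejected; an empty list means it is acceptable."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if is_breached(password):
        problems.append("appears in a breached-password list")
    return problems


if __name__ == "__main__":
    phrase = make_passphrase(3)
    print(phrase, check_policy(phrase))
    print(f"3 words from this {len(WORDLIST)}-word list: {entropy_bits(3, len(WORDLIST)):.1f} bits")
    print(f"3 words from the EFF long list: {entropy_bits(3, 7776):.1f} bits")
    for candidate in ("password", "Summer2018!", "christmasdoorfrog"):
        print(candidate, check_policy(candidate))
```

The entropy figures are the reason the list size matters: three words from the 16-word sample give only 12 bits, while three words from a 7,776-word list give about 38.8 bits, and a fourth word adds another 12.9. The policy check deliberately has no complexity rules (uppercase, digits, symbols), in line with the guidance above; length and absence from breach lists are what actually cost an attacker effort.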

User Access and Permissions

Most software allows you to restrict what a user can access or do. Use this to give each user only the access and privileges their role actually requires, and review those rights when people change role or leave. On Windows, the important step is to give staff standard (non-administrator) accounts for day-to-day work: with no local administrator rights, installing software or changing system settings triggers a UAC prompt that asks for an administrator's credentials. UAC on its own is not a control; a user who is a local administrator can simply click through the prompt. If you need tighter control over what can run, application allow-listing with AppLocker or Windows Defender Application Control is the next step.

Secure Disposal

When disposing of equipment that has any kind of storage (NAS units, PCs, laptops, phones, printers with internal drives, USB sticks), dispose of it securely; deleting files or reinstalling the operating system does not remove the data. Either wipe the media in line with NIST SP 800-88 before it leaves your control (a full overwrite for magnetic disks, the drive's built-in secure-erase command for SSDs, or destruction of the encryption key if the disk was fully encrypted), or use a disposal service that physically destroys the media. Many services will supply a certificate of destruction listing the serial numbers; keep it, because under GDPR you need to be able to demonstrate that the personal data was erased.

In the next part of this series of articles, I will look at emerging technologies and their implications on GDPR and Data Protection.

EL Direct
