101 Data loss risk variables.

Wednesday, August 6th, 2008

This is being provided initially in list format only. It may be of use in this format to those who have a basic understanding of the terms used. More detail for each item listed will be provided in the coming days.

Any opinions as to the usefulness of work in progress would be appreciated. Normally we only publish documents after they are completed. This is our first pre-completion post.

1. Number of data stores.

This can be easily confused so please read carefully. By number of data stores we do not mean secure remote backup. We mean the number of local data store locations you have scattered about your local network and further afield. Each one poses increased risk, and lock-down on an individual level generally has little global protection benefit. It is good practice therefore to limit where possible the number of general access data stores to enable increased per data store and global protection.

2. Type of data stores.

General access open data stores are still more common than one may assume. Nil should be the target.

Password level unencrypted data stores are the most common type but not the safest. Their usage should be limited by balancing in favour of protection over practicality.

Encrypted data stores should be your target for all data store locations, local and remote.

3. Quality of data stores.

Quality from a data store perspective is a broad term covering encryption, general password protection, password policy, usage policy, procedure for adding and removing privilege and remote access. All of these will be dealt with on an individual basis throughout this document.

4. Age of data stores.

Most people at business decision making level (regardless of I.T. competence) will be familiar with the absolute necessity of ensuring that only data which you are entitled to store should be stored. Far less considered however is the cost and risk associated with storing information you are entitled to store but have no need or requirement to keep. Data relevance needs to be managed with data store permission.

5. Type of encryption.

Encryption is a developing discipline. The laws of mathematics have always been with us. We don’t invent them, we discover them. Encryption needs to be advanced with technology to protect against hack attempts. Every code becomes hackable in time so each encryption code should be issued with an expiry date and amended as a matter of procedure.

6. Encryption responsibility.

Nobody (including your provider) should be able to read your data. This position comes with a level of responsibility. The protection of vast quantities of data requires the manual retention of one code. If you want absolute protection, only you should know the code. Anyone you add to this privilege list should be added for good reason and with due diligence as the paramount deciding factor.

7. Security of unencrypted data.

Unencrypted data can be read, distributed, amended, published and taken advantage of by anyone. Failure to encrypt is the main deciding factor in any devastating data outage. It must be encrypted and only you can decide to do this.

8. Authorised users.

Your authorised user list is a list of those users registered and authorised to avail of I.T. services. The level of privilege, password expiry and general policy should be detailed and the appropriate users should be kept informed of changes and individual user behaviour guidelines.

9. User shares.

In addition to user authorisation (both policy and permissions) each user will normally have access to specific areas which are appropriate to them. It is important that the default lock variable for all folders is “no access” and that access be given on a requirement basis. Any attempt to manage a default “unlocked” system will result in users deciding their own permission rights on an ad hoc basis, which is close to zero inside protection.

10. External connection policy.

External connections need to be managed very carefully. An external user of a poorly secured network could have access after ending their relationship with the company and possibly on bad terms. The enemy within should be forced to play away from home.

11. External connection system.

Regardless of the work put in to defining a clear rights policy, an insecure system will allow successful hack attempts which increase user rights or allow complete strangers access to data. Don’t allow staff to configure connections unless they are qualified, authorised and trusted. This should limit the numbers to those most appropriate.

12. External connection reports.

Every connection should be documented automatically and not require or allow the intervention of the user in the finished report. Reports should be read as part of an overall security plan and not simply post breach.

13. User management.

User management needs to be considered on a number of levels. There is the traditional user management function of ensuring the correct privilege rights are maintained at server level and that all current users are configured with secure passwords while old users’ privileges are removed.

In addition a hands on approach needs to be taken with user policy and monitoring access reports. This crucial area of user management is often treated with less respect than it demands and to the detriment of the organisation.
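The routine report reading described in points 10, 12 and 13 can be partly automated. The following is an added example, not part of the original post: it checks automatically recorded external connections against the authorised user list and flags use of accounts after the relationship with the company has ended. The log format, user names, dates and addresses are constructed assumptions.

```python
"""Review external-connection records against the authorised user list."""
import re
from dataclasses import dataclass
from datetime import date, datetime
from typing import Dict, List, Optional

# Constructed sample data (assumption): user name -> date the relationship
# with the company ended, or None for a current user.
AUTHORISED_USERS: Dict[str, Optional[date]] = {
    "amurphy": None,               # current member of staff
    "bkelly": date(2008, 7, 18),   # left the company on this date
    "support-ext": None,           # external I.T. support account
}

# Constructed sample log (assumption): one automatically written record
# per connection attempt, in a hypothetical key=value format.
SAMPLE_LOG = """\
2008-07-17T17:42:10 user=bkelly src=203.0.113.20 type=vpn result=success
2008-07-21T08:55:03 user=amurphy src=198.51.100.4 type=vpn result=success
2008-07-25T23:10:47 user=bkelly src=203.0.113.20 type=vpn result=failure
2008-07-25T23:12:31 user=bkelly src=203.0.113.20 type=vpn result=success
2008-07-28T02:03:59 user=guest src=192.0.2.77 type=rdp result=failure
this line is corrupted
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"type=(?P<type>\S+) result=(?P<result>success|failure)$"
)


@dataclass(frozen=True)
class Finding:
    line_no: int
    severity: str
    reason: str
    user: Optional[str] = None


def review(log_text: str, users: Dict[str, Optional[date]]) -> List[Finding]:
    """Return one Finding per record that needs attention."""
    findings: List[Finding] = []
    for line_no, raw in enumerate(log_text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        match = LINE_RE.match(line)
        when = None
        if match is not None:
            try:
                when = datetime.fromisoformat(match["ts"])
            except ValueError:
                when = None
        if match is None or when is None:
            # A damaged or edited record is itself worth a look: the report
            # is meant to be written without user intervention.
            findings.append(Finding(line_no, "review", "unparseable record"))
            continue

        user = match["user"]
        succeeded = match["result"] == "success"

        if user not in users:
            findings.append(Finding(
                line_no, "high" if succeeded else "medium",
                "user not on authorised list", user))
            continue

        ended = users[user]
        # A connection on the end date itself is still treated as permitted.
        if ended is not None and when.date() > ended:
            findings.append(Finding(
                line_no, "critical" if succeeded else "medium",
                "connection after relationship ended", user))
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE_LOG, AUTHORISED_USERS):
        print(finding)
```

A successful connection by a departed user is rated above a failed one because it shows the old user's privileges were never removed.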

14. Manual data carriage.

Manual data carriage should be avoided where possible. The days of sending tapes full of confidential data by road are thankfully over. Many people however see this as the only example of manual data carriage. Manual data carriage is the manual carriage of any data so it happens all the time. What is in the briefcase you carry to and from work? When representatives meet clients they bring laptops, forms, pricing info etc. These are examples of manual data carriage and everyone needs to be aware of your company protocol which must be adhered to with manual data carriage.

15. Fire risk.

Fire risk to data should be reduced by employing fire safes for unconnected drives and by ensuring cooling, ventilation and power management are not compromised. Additionally cable management, drive handling rules and after hours risk assessment must be checked by the Fire officer and I.T. Electrical fires are a significant risk in commercial operations and must be protected against by using modern cabling, switch boards and cut offs. All employees should know the location of and how to use a fire extinguisher. Any data protection area of fire risk assessment must not be allowed to infringe on general fire safety.

16. Flood risk.

Flood risk has increased globally in recent years. Water damage (which can be the proximate cause to other damage types such as fire) can have devastating effects on data availability and protection. Flood insurance (while essential) will only provide funding, and finance alone may not be capable of retrieving destroyed data. Flood risk must be considered as a separate and crucial component of any overall data protection plan.

17. Theft risk (break in)

The obvious answer to the question of data theft is to keep data off-site. It is however a bit too obvious. Your safe off-site copy may very well be safe but it is a copy of what is in the office, and you having a copy of the stolen data only solves one part of the problem. Someone else will still, without any authority and having proven malice, have a copy of your data. So you need to secure the office and use encryption. Sounds like two simple answers. The implementation needs to be comprehensive.

18. Theft risk (robbery)

We oft consider the possibility of a thief in the night. The truth is that data theft can occur at any time. Here we are looking at data compromise which has a proximate cause involving someone arriving on site and actually stealing data. No matter how unlikely you may consider this, you still need to take preventative action. Remember, this is not just your data, it is data relative to suppliers, clients and staff. Therefore you don’t have the right to take risks. Even if the data you hold is not attractive to a thief, the systems and media it is stored on will be. Laptops in particular are a second currency on the black market and regardless of where the thief visiting your premises is in the data food chain, your laptop could end up in the hands of just about anyone.

19. Theft risk (in transit)

Data theft risk arising from data in transit is best reduced by limiting transmission types to those of the lowest risk category. All things being equal, data which is physically carried from one place to another is at significantly greater risk than data which is transferred online. The number of instances of physical carriage must be reduced or this method of transporting data discontinued altogether. All data transmissions should be completed while taking advantage of the highest level of encryption available. Unencrypted data transmissions or transports should not be made in any circumstances.

20. Backup policy.

If you have read this far in this document you will likely feel you understand the importance of having a backup policy. A policy however is not an understanding, a belief or a level of competence. A backup policy is a formal document produced to make clear the steps involved in completing, checking, monitoring and managing your data backups. If you do not have such a formal document with which users are familiar and which nominates alternative trained backup administrators should a main administrator be unavailable, then any praise about your understanding is negated by a lack of implementation. If you do not have a backup policy (regardless as to the merits of your backup system) organise the implementation of a policy in your organisation as a matter of urgency. Once implemented, it needs to be revisited on a scheduled basis and amended as required.

21. Backup system.

Backup should be viewed as a simple but essential job which is made successful through use of a specified component, software and procedure list. Each component should be identifiable and clearly understood. The system (as distinct from the procedures) should be made up of agreed, labelled and individually tested components and should have at least a high degree of backup specific components.

22. Backup admin.

All too commonly, data backup is treated as a periodical house keeping verification task or, worse still, a fire and forget solution. Data backup systems (including automated systems) need to be monitored, managed, amended and tested on an ongoing basis.

23. Backup retention.

Having a copy of your data as it was yesterday is an asset should you need it. What if you need something from six months ago? Your data retention policy looks after the period of time you retain data for and the number of versions of changing files you retain. How long back you want to look is only one area of retention. You also need to validate your right to hold data beyond specific periods of time. This is important for data privacy and validity and is an absolute must in a compliant data retention environment.

24. Network condition.

Anybody involved in administering a data backup system will be aware of the importance of putting considerable time in to ensuring that file selection is relevant, accurate, permissible, appropriate and inclusive. Selecting all of the files does not however mean they will be available for backup. The condition of your network is a major issue with regard to data backup completion on individual and percentage scales. Ensure that your infrastructure, connectivity, servers, workstations and network devices are of a standard which is appropriate and conducive to effective data backup.

25. Firewall.

A firewall protects your systems or network from unauthorised outside access. You knew that. Just about everyone knows what a firewall is. You may find it surprising however that most small business networks do not have adequate firewall protection. Some have none at all. This is due to many factors. The following are among the most common.

Increased wireless uptake above and beyond the level of adequate firewall protection required.

Lack of management level awareness coupled with poor or under financed I.T. support.

Incorrect assumptions about the capability of operating system bundled firewalls.

Incomplete configuration of router firewalls.

Commonly, routers and firewalls come pre-configured with a basic level of protection. This is the case because the manufacturer can not know the general network setup of every intended user. For this reason a default level of protection is provided. Commonly this out of the box protection level will be far below the potential protection available should the device be configured with local network information made available. Ensure you are utilising your firewall configuration beyond out of the box defaults.

26. Failure to resubscribe to bundled trial firewalls.

Many small businesses use software firewalls. There is nothing wrong per se with software firewalls once it is understood that software firewalls, even when managed correctly, can generally offer at most protection for the system they are installed on only. A bigger problem is the existence of trial firewalls on systems such as new Dell workstations which commonly come with third party firewalls. These are commonly not subscribed to but the presence of the original software causes non technical operators to believe they are protected. When asked “Do you have a firewall”, this does not equate to “Do you have a vague recollection of reading something about one on a new computer”. It actually means, “did you subscribe to, pay for and renew a firewall service?” If you did, you will know. If you don’t know, well you most likely didn’t.

27. Antivirus.

The obviousness of the importance of antivirus is paralleled by the number of systems which have no antivirus protection or limited antivirus protection. This is common because of an assumption that a subscription has been continued. This should be the responsibility of a specific individual and should be kept up to date on all systems.

28. Email protection.

Email has become one of the most important business communication mediums. Managed incorrectly it is also one of the least secure. It is unfair to clients and staff to leave any vagaries in the methods and rules applied to email protection. Remember that emails will often contain confidential information of a very sensitive nature not only in relation to your company but also in relation to clients, employees and suppliers. You do not have a right to compromise it and have responsibilities to protect it. If you have the slightest concern about this crucial area, contact I.T. support and consider employing the services of a data protection expert.

29. Application security.

Applications by their nature of being compiled code can amend many general settings including security settings. A common example of this would be software antivirus applications with built in firewalls replacing windows integrated firewalls. You must ensure not only that all applications used are fit for their purpose and from a genuine source but that no incorrect assumptions are made about their suitability over other pre-existing applications for various tasks. Here we are focusing on the security aspect but this does apply to general default file data type software associations.

30. Support confidentiality.

Your I.T. support partners (particularly those on the ground providing desk-side support) will have access to a considerable amount of highly sensitive and confidential data. In many instances it is impractical to the extent of being near impossible to prevent I.T. support access to confidential data locations. For this reason you need to be assured of I.T. provider (internal and external) confidentiality both legally (non disclosure sign off) and informally (supplier relationship conducive to trust) while continually striving for as much I.T. provider data lockout as can be applied without making the I.T. administration task prohibitively difficult and expensive.

31. Support remote login facility management.

In some circumstances it may be sensible from response time and cost viewpoints to allow a limited and well monitored level of outside connection privilege for tech support. All of these sessions should be on an inside managed permission per session basis with full session logs and supplier reporting. Any level of à la carte approach to remote connections will render your network a non viable entity from a data protection policy viewpoint.

32. Support competence.

The type and level of I.T. support used will have an enormous impact on the security of your data. Any mistake in selection or competence issues introduced since selection as a result of third party I.T. support staff changes could prove very costly. Be thorough with selection and insist on outsource providers appointing a representative for your business that you are comfortable with.

33. Data retention rights.

Ensuring you have secure, encrypted copies of your data may sound like a commendable situation to be in. Indeed this may be the case. One very important data compliance prerequisite which this situation may be opposed to is your right to hold data. Your data archive must not only be safe but should be relevant and held in accordance with data privacy requirements. In short, ensuring no one else gets the data and you don’t lose it does not on its own ensure you are entitled to retain specific information.

34. Removable drive policy.

This is a very serious area and is a major cause of data breach. Removable hard drives both bulk and more particularly mini USB drives must be managed from inventory, technology, policy and enforcement viewpoints. One disgruntled, incompetent or unlucky member of staff leaving the office with a pen drive containing confidential information could ruin a business.

35. Paper management.

With all the focus on protecting digital data, it can be forgotten that not all data is digital. The written word can be far more incriminating. In the move to the paperless office, any remaining paper is obviously critical and needs to be protected from unauthorised access. The absence of practical paper encryption methods means this data is far more sensitive. In addition, any off site copy is at far greater risk than offsite digital data due to the encryption difference.

36. Non electronic media management.

The paperless office is rare. Add to paper the many other media environments you retain data on such as CD, DVD, microfiche, printer paper, written journals, cheque stubs, lodgement stubs, deeds, legal documents, post, memos and receipts and you get an idea of all the unencryptable data in your possession. If your I.T. infrastructure is well managed, your non electronic media will be your biggest risk and must be managed accordingly.

37. Social engineering awareness and policy.

Social engineering is used to assist hackers with gaining access to networks and data which have technical I.T. level protection beyond the hacker’s capability. An example would be a hacker directly contacting a target company by telephone and, after building up some rapport with the company representative, asking questions which may not seem out of context but which in addition to some technical capability can be used to compromise the I.T. infrastructure of the target company.

38. Web site privacy policy.

A web site privacy policy is not a text template posted to your site. It is a well considered policy which ties in accurately to your current and intended web site data policy plans and which conforms to legislation.

39. Forum membership policy.

This applies to your own forum if you run one and to memberships of third party forums as held by the company and staff with respect to work. Forum comments come with responsibility for the forum owner and the comment poster. All posts should be relevant, genuine, appropriate and accurate to the level of making sure opinions will be understood by readers to be opinions alone. Users should also know that a link back to the company URL and record of company i.p. addresses will likely be available to the forum host should they be needed.

40. User Internet and email usage policy.

Your Internet and email usage policy needs to be clear, available, understood and enforced. Any bending of the rules no matter how difficult politically and marginal behaviour wise a situation is, will only reduce your policy to the status of an inoperable kangaroo court and remove responsibility from those it is designed to direct back to the company. 

41. Sanctions.

Sanctions need to be legal, fair, simple, known to all and enforced. Any move away from these guidelines will result in favoured and unfavoured users as distinct from authorised and unauthorised users. This obviously unfair approach is also unsustainable.

42. Data protection commission registration.

Registration with the data protection commission will assist with the provision of information about compliance (and in itself avoid one area of obvious non compliance) and will also be a source of general information about data protection. Remember, the data protection commissioner does not want you to suffer a breach and should be seen by well intended organisations as an essential member of your team in the fight against data breach.

43. Credit card payment system management.

One of the most targeted and commonly compromised data types (which also has among the most devastating consequences) is credit card information. If you accept credit card payments through any system be it web, mail order, telephone, subscription or front of house you need to put in place the strictest level of vigilance possible. A breach of this type normally precedes significant financial, credit, publicity and payment type facility difficulties.

44. Social etiquette. Understanding the true meaning of confidentiality.

“Absolutely confidential” and “strictly confidential” are phrases which far too easily roll off the tongue. Confidentiality in the true and traditional sense goes beyond policy and sales talk and in truth has more to do with the organisational intentions and respect for clients, themselves and the public in general. Confidentiality goes beyond systems, encryption and policies and to the core of the personalities of all members of an organisation. Organisational ethos must precede any promise of confidentiality.

45. Non disclosure agreements.

Often talked about, rarely used. Non disclosure agreements can allow you to talk in increased confidence about confidential subjects. Talk to a solicitor and develop non disclosure agreements. Anyone taking issue with signing one is a possible candidate for you to take issue with talking in confidence to.

46. Wireless network security.

Wireless networks pose serious risks for confidential data. The fact that intended perpetrators can even attempt to access data without taking the risk of physically turning up at the intended target company’s offices increases the likelihood of attempts at this type of intrusion. Wireless networks should only be employed at all if there is no reasonable possibility of working without them and at that with the most stringent of security employed and frequently revisited.

47. Dual broadband. Separation of non commercial connections.

It is common for even small companies to have more than one broadband connection. One reason is that above: the provision of a connection for staff to use for personal purposes. This would normally be provided for use on specific systems only. The planning, investment and work in providing this is only of any benefit from a network protection viewpoint if this connection is kept completely separate from the main commercial connection. Any compromise at that level would negate the benefits.

48. Client and provider common areas documentation privacy.

Inside the door of the office is normally a far cry from inside the doors of a data stronghold. Management and staff must be aware of the risk of leaving even moderately contentious data in public or shared areas of the office.

49. Client and provider common areas terminal privacy.

It is not unusual for receptionists or cashiers to require the use of a terminal in open or client access areas. The type of data accessible on these terminals, the level of security employed and the physical view angle are important factors which should be considered before making these facilities available.

50. Client and provider common areas telephone privacy.

Telephone conversations are rarely as private as they should be. Placement of phones should take in to account the privacy of the intended users and anyone who may be contacted through their usage. This should be examined literally down to acoustic level.

51. Meeting room chart and handout management.

Almost all meeting rooms are shared. Even company owned meeting rooms for departmental use only will have traffic which no one team is likely to have full control over. The risk increases when meeting rooms are shared between companies or are on hire to the public. Any material used for a presentation or handed out to participants must be protected. All parties must understand the importance of not leaving any material behind after the meeting or unprotected during a break.

52. Supplier and client etiquette. It is your responsibility.

No matter what level of discretion you and your staff employ, people visiting your office could through a lesser level of confidence be clearly audible when discussing their own private matters or indeed those of others. These situations are not to be borne but handled professionally and appropriately at the outset without causing offence or allowing such a situation to continue.

53. Mobile workforce.

Mobile workforce (generally laptop users) need significant support to ensure they are not encouraged to take any data shortcuts (such as carrying more data than is needed or appropriate) for fear of connectivity issues rendering presentation of head office material as not possible at a crucial moment. In addition, the high theft and loss rate of laptop computers needs to be taken in to account. All laptops should use encryption. All staff must be aware that encryption is no replacement for vigilance. Indeed many encryption systems (as opposed to algorithms) have inherent weaknesses such as a laptop being stolen while in session or data being copied from a port. 

54. Home workers.

Home workers can suffer work life and home life differentiation difficulties and while that is not the crux of this topic it does need to be taken in to account. The complex balance of company confidentiality being paramount and an employee’s home being the natural domain of his family requires preparation and agreement before anyone can use company data assets in a home environment. Any discrepancy, lack of respect (either way) or misunderstanding on these points could lead to serious difficulties.

55. Outside of office I.T. asset usage.

This has to a point been addressed in points 53 and 54 above. One clear distinction however is that while mobile workers and home users are in a different environment, they will have built up experience of this. For employees and management normally based in the office, the procedures, permissions and limits with regard to using company I.T. assets outside of the office must be understood far beyond the point of physical asset value and very much to the broader and more important point of data which may be stored on office media and the requirement not to take these media types off site unless the purpose of the move is to secure the data.

56. Appointment of a data protection officer.

Even the smallest of organisations needs to appoint a data protection officer. This person can have other duties in the small office environment. At a minimum this person should be the contact for internal and external data protection queries and should have the support of I.T. and the company solicitor combined with access to data protection commission publications.

57. Data protection training.

Formal external data protection training is available to all companies. In addition, local I.T. support and industry memberships such as chamber of commerce are a good resource for general information and guidance.

58. Password policy.

A password policy goes beyond syntax usage and number of characters. Password policy should include rules and guidelines as to the lifespan of a password, password sharing rules and archive password removal.

59. Wired connection protection.

The healthy fear of wireless connections can in some cases lead to a lack of wired connection protection. All network connections need to be protected, particularly those in client, public, meeting and common areas outside of staff only areas.

60. Mobile and land line messaging passwords.

This is a commonly targeted breach area and can be used by unscrupulous individuals to gain information which they should not be privy to. The method is simple. They call your voice mail and try the default password. Very often this works. Change your default voicemail password. Why not do it now? This page will still be here for you to read.

61. Respect for registered snail mail.

When you get a registered letter, you sit up and take notice. Use this method when you want someone to sit up and take notice of you. If you implement a policy you want people to observe, consider a registered letter. This will cause people to take the company data and usage policies far more seriously.

62. Make your network non-boffin territory.

I.T. people are normally paid quite well. Make sure they do their work by ensuring no one else is doing it for them. In the world of I.T. a little computer literacy can be a very dangerous thing. A non I.T. staff member with computer experience and an obliging attitude is a poor recipe for data protection. Ensure that non I.T. staff do not attempt to resolve I.T. issues no matter how well meaning they are.

63. Personal I.T. property rules with regard to company data.

It is all too common now for employees to carry company data on employee owned hardware such as laptops and USB drives. The main difficulty here is the right of a person to share their own property with others and the serious difficulties arising from that property containing data about someone else and in the responsibility remit of the hardware owner’s employer. A simple example is an employee with authority to use company data on his own laptop and the conflicting right of that employee to allow his spouse, children and friends to use his laptop. This area is rife with data compromise possibilities and must be addressed in a clear and simple manner. A good approach (but not the only one) is to issue employees with company laptops for employee use in company business only.

64. I.T. asset tagging.

I.T. asset tagging in its most basic format is the implementation of a physical, identifiable and recordable tag on I.T. assets. Modern usage can involve i.p. address, system locator service or G.P.S. tracking along with hidden electronic fingerprints and third party asset track services. An element of asset tracking should be employed in all organisations. Simple, inexpensive asset tracking systems are available for small office environments.

65. I.T. asset homing system.

As per the above, some asset tracking systems have a homing device which may be based on its own GPS systems or a firmware function which “talks to home” on the next web connect. These should be employed on critical systems and laptops where affordable.

66. I.T. asset audit regularity and procedure.

Your I.T. asset database may once have been required as a balance sheet entry. It is now also a required data protection tool. Put simply, if you do not know the accurate I.T. asset inventory (regardless of device value) you have no way of ensuring that I.T. assets with data have not been removed from the business and this is a data outage black hole regardless of the permission status of any asset removal.

67. I.T. usage audit regularity and procedure.

Here we are dealing in the main with permitted usage of I.T. assets. We need to take this a step further and actually define the permitted usage, as permission to use I.T. assets with no usage limitations offers no protective distinction as to the user or the data on said devices.

68. Reporting and dealing with suspicious activity (external)

While inappropriate external activity may be more difficult to discover and trace, reporting of external activity is more likely than reporting of internal activity. This is principally because inappropriate external activity is less likely to involve someone from inside and therefore amounts to the reporting of activities by an unknown third party. This is less likely to infringe on the reporter's working relationships and is therefore commonly reported. Inappropriate external activity is generally more serious than internal activity and this also lends itself to an increased likelihood of reporting regardless of work relationships. Illegal external activity relating to company data does not always involve unknown criminal elements and can often be traced back to past or present staff. This equates to the enemy within working from outside.

69. Reporting and dealing with suspicious activity (internal)

Internal reporting is often hindered by witnesses not wanting to report an incident for fear of possible workplace difficulties, be the perpetrator a friend or anon co-worker. There must be a procedure for workers to report incidents or suspicions without the fear of reprisal or being “sent to Coventry”.

70. Air temperature.

All computer systems have recommended, minimum and maximum air temperatures. An added paradox is that most of these systems will generate a certain amount of heat and they are often positioned in close proximity to each other. Ensure all systems are used in an environment to which they are suited.

71. Airflow.

The outside temperature being lower than the system temperature can only be of assistance if the air can flow between both environments. Blocked vents, heavy dust or laptops used on carpet or cloth surfaces can cause systems to overheat, fail or even go on fire. Some users remove covers from workstations and servers to enhance airflow. Most modern computer cases are designed to provide maximum airflow to the hot areas and removing covers may cause serious overheating problems.

72. Telephone security.

Telephone security may seem to some to be a movie level concern only, but in reality it is of great significance not only at every business level but also in every circumstance of domestic phone usage. If someone can overhear, interpret, work out or follow private communications without those communicating being aware of the interception, this amounts to a most serious data privacy breach. One common issue is the area of handheld cordless telephones broadcasting conversations over radio to receivers or other cordless telephones. The positioning of phones and acoustic design

73. Staff selection.

The basic tenet here is that no matter how well thought out your data protection policy is, it will fail to offer the intended protection if the system is infiltrated by people with little concern or any amount of negative intent. This is obvious, yes, but that is one of the reasons it can be overlooked.

74. Media contact training.

The media will often knowingly get in touch with a person unsuited to dealing with them. This can be to their advantage and not so much to yours. All staff must know that unapproved media contact (no matter who made the approach) is forbidden and approval to discuss any business with the media must be acquired from the highest office.

75. Data destruction.

Data destruction is far more complicated than many expect. When you delete data from a hard drive it is not actually deleted. Yes, that is a contradiction in terms. When you choose to delete data, all you are doing is telling the system to make that space available should it be needed. With a minimal amount of expertise the data can be undeleted. It is for this reason that data destruction is required. As the name implies, it is commonly a physical process but it has specific requirements for correct completion which a sledgehammer will not provide. If you want data destroyed (and ensure that is a final and legal decision) hire a specialist to do it.

76. Computer disposal.

While data loss can occur because of even the slightest infringement on good data management policy, data destruction is actually a very complicated task. No system should be disposed of until the data is destroyed. Please ensure your staff are aware that data deletion (even drive format) does not entirely delete data. High level deletion simply tells a system to make the space available if needed and hide the file indexes. Format leaves shadows which may be reconstructed. Hire a data destruction expert when disposing of computers.

77. Sub office and branch investment.

Substantial head office I.T. investment is to be condoned. If the consequence of head office investment is limited sub office and branch level investment, you may be missing security areas at sub or branch level which could be the proximate cause not only of local level data protection issues but also of protection issues at head office level. In small business multi branch environments this often manifests itself in the “where you sit” situation. In this scenario, the area in which management or I.T. work is secured, but other areas which are neglected can cause not only issues there but also data protection issues with any data communicated between supposedly secure locations and those lacking in security. This is obvious, but it is all too common in environments where sub office entities are small and numerous.

78. Written notes policy.

With all the effort which goes into protecting digital data, it is often forgotten just how damning written notes can be. They can be even more problematic as they can be traced back due to handwriting. All staff members should be aware of this. Important written notes should be protected. When finished with, they should be shredded.

79. Expert legal advice.

General information, web content (even pages like this) and conversation may be a source of ideas but any policy with regard to data protection should be the fruit of professional legal advice. If you use a solicitor before the event you may save considerable post event costs.

80. Memo voice recorder policy.

Voice recorders being used for notes to self or dictation of formal correspondence are a rich source of highly confidential information. Release for general listenership or reading would in most cases have disastrous consequences for the owner and those the recordings relate to.

81. Typist dictation system management.

Anything which records needs to be managed. A device which records senior partner communications, and more specifically the pre-edited versions, must be managed in a way which ensures the device and content do not get into the wrong hands. This includes disallowing inter-department system loans.

82. Physical visibility of information from outside windows.

Another obvious one. So obvious it is commonly not even considered. Your windows are a display area. If you are in the retail business they are where you present your goods. If you are in any non-retail business your windows are where you display a sensible, impressive and reliable looking corporate presence. Any data shown in this area will be seen and any unintended display of data will more than likely end in a serious breach. We are not just speaking here of intentionally displayed window posters but also of data left on desks, visible monitors and cabinet labels.

83. Cordless phone broadcast risk.

Cordless phones can broadcast locally, the effect being that calls could be listened to on another device locally. Locally may be outside the building! You do not need to be under surveillance for this to happen. Most broadcasts are picked up accidentally by other phones or even on the radio. Ensure your cordless phone does not do this. If you are unsure, bin it.

84. Intentional phone line or office bug placement.

This is rarer and involves a targeted attack. The consequences however can be serious given the information was sought by the perpetrator.

85. Media leak.

There are many types of media leak. They can come from outside or within your organisation. They can relate to an actual data breach which should be made public (but preferably officially by the affected company, subsequent to informing the data protection commission and the affected parties), or they can relate to inaccurate stories leaked and spun with aggression. Either way, protections must be put in place to avoid leaks and procedures put in place to deal with them.

86. Insider trading.

Amazingly this is often sniffed at. Possibly because of the Hollywood connotations. Insider trading is often thought of as simply illegal. It needs to be considered from the perspective as to why it is illegal. It is not victimless. In short it hurts and it has dire consequences for those caught flouting, facilitating or failing during their watch. Your data (and that data you hold pertaining to others) should be protected in a manner which prevents its usage in any insider trading event.

87. Profiteering as a consequence of confidential client information.

This is distinguished from the above in that it relates specifically to client trust and eliminating risk of members of your organisation actively and intentionally profiting from client information in commerce which is outside of the scope of client facilitation and your normal business. 

88. Criminal investigation.

A procedure must be in place to deal with criminal investigations as they relate or may relate to your organisation. This is not limited to your company being investigated regarding practice but also individual directors or indeed clients being investigated and information relating to your business with those clients being required by law enforcement. One important point is not to confuse law enforcement cooperation with any limitation of your right to hand over client information. Any request for client information, even from law enforcement should be handled with the assistance of independent legal advice.

89. Drive shadows.

A hard drive may have considerable shadow data beyond that which is obviously readable on the drive. Shadow data relates to previous configuration levels and commonly previously loaded operating system level data stores. What this means is that even if you format a drive and reload a new operating system on it, the data from the previous load (and other previous loads) may be available through shadowing. See data destruction above.

90. Webmail security.

Webmail is a great facility, but since it can be used on non-organisation computers, users must ensure they are logged out post session. Advanced webmail
