Your Security Manager - UK based Independent Information Security Specialist

Welcome

Here to help you improve the security of your information

Information security is always hitting the news;

Facebook scandal: Who else has your data? (BBC News 10 Apr 2018)
Concern over Welsh police accessing texts and emails (BBC News 8 Apr 2018)
Equifax finds more victims of 2017 breach (BBC News 1 Mar 2018)
Equifax under pressure after data breach update (BBC News 12 Feb 2018)
Carphone Warehouse fined £400,000 over data breach (BBC News 10 Jan 2018)
Toy firm VTech fined $650,000 over data breach (BBC News 9 Jan 2018)
Millions caught in virtual keyboard app data breach (BBC News 5 Dec 2017)
Imgur confirms 1.7 million users hit by data breach (BBC News 27 Nov 2017)
Uber concealed huge data breach (BBC News 22 Nov 2017)
Cash Converters reveals customer data breach (BBC News 16 Nov 2017)

Just a handful of stories making the BBC's headlines recently. And of course let's not forget the GDPR; Firms warned to prepare for tougher EU data protection rules (BBC News 1 June '17). Of course, you were ready for that though, right?

For many small businesses it is a confusing minefield of technobable and jargon, with terms like "data protection" and "cyber safety" bandied about interchangeably with "information security". Potential customers may be asking you for security and incident response plans, BCP and DR plans, vulnerability scans, penetration tests... Your Security Manager is here to help clarify all these (and many many more!), and help you improve the way you protect data in your business, and so increase the amount of business you can do.

Contact Your Security Manager today to discuss how we can work together to improve your information security.

Our Services

Some of the services we can offer

Information security consultancy is a broad church, and Your Security Manager offers a huge range of services including;

ISO 27001 audit, gap analysis, and project kick off
Information Security Plans for Government (CESG/NCSC) contract tendering
GDPR compliance assistance
PCI-DSS self certification advice and guidance
Cyber Essentials guidance
Information protection, Risk Management, and Business Impact Analysis consultation
Capacity Planning, Business Continuity, and Disaster Recovery consultation
Independent 3rd party supplier audit
Internal compliance audits
Physical security audits
Documentation reviews
User awareness training
ICT support management consultation

I also partner with established service providers, in the Information Protection and Information Security consultation field, and IT Support businesses that have no in-house security expertise. As an ISO27001 Lead Auditor I am adept at sense checking implementations, where an external pair of eyes often finds those little missed details!

If you are seeking to improve the security of your business information then I can be Your Security Manager.

Contact Your Security Manager today to discuss how we can work together.

GDPR

The General Data Protection Regulation

Do not panic!

It might come as a surprise to see this bit of advice, but no official is going to knock on your door demanding proof of compliance with the GDPR, just as no one from the government ever asked for more than proof of your registration with the Information Commissioner's Office (ICO) as required under The Data Protection Act (1998) (DPA)^*. However, you should by now be familiar with the legislation, have the neccessary protocols in place, and be keeping evidence of compliance in the event that something occurs (like a breach) and you are called upon to demonstrate your compliance efforts. Doubtless your clients will be asking that you demonstrate compliance in some way, as is their duty under the legislation.

Now I am not suggesting you do nothing and just forget about it, this is a legal requirement that all businesses must comply with, but let's put some of the scary headlines into context. The DPA has been in force for 20 years, and the ICO presently has the power to fine organisations upto £500,000 for breaches. Last year (16/17) it processed over 17000 such cases and just 16 of these resulted in a fine. None of these fines reached anywhere near the maximum. The new Data Protection Act 2018 brings in to law the details set out in the GDPR, in which there is provision for a maximum of €20m fine! The ICO has is unlikely to be handling down fines of this magnitude for any but the most severe breaches. The reality for most small businesses (unless you are utterly incompitent at handling vast quantities of personal data!) is that you are extremely unlikely to be landed with such a cripling fine, if you are fined at all.

I'm sure you already do your best to comply with the DPA, so how does the GDPR differ from it? Primarily it defines personal data as any information "relating to an identified or identifiable natural person", and has these key provisions;

The right for EU citizens to access, correct, transfer or delete their personal information if it is held on your systems.
It applies globally, to any organisation offering goods or services within the EU, and will apply to UK businesses even after Brexit.
The requirement for you to notify authorities and customers within 72 hours of the discovery of a breach affecting their data.
Fines of up to 4% of global annual turnover (or €20 million, whichever is higher) for the most serious violations.
The requirement for citizens to give explicit consent for you to hold their data (where you do not have other legal reasons to have it), and for you to store this consent.

Key points in ensuring you comply with the GDPR;

you must fully understand what personal data you hold, where the data is stored, and who has access to it, from the moment you receive the information, to the moment it is deleted from your systems.
you must have organisation-wide data protection policies, auditable record keeping, perform data protection impact assessments on particular types of data, and verify that any businesses you partner with are also compliant.
you must have the capability to detect and report data breaches, and the processes in place to find, modify, and delete personal data when requested, all within prescribed time limits.

Technology improvements have meant that personal data became very cheap to hold store and process, so much so that many businesses have vast stores of it. That is changing. Personal data is becoming what is known as a "toxic asset", that is, the risks of holding and storing it are potentially very damaging to your business.

Think of it in the terms of toxicity, and you'll be on the right path. Do you need that personal data in order for your business to function? If not, then remove it. If you do need it, consider anonymising it. If you really need that personal data, then you need to make sure that it is properly protected, and should consider encrypting it.

Do not panic!

I can help you achieve and maintain your GDPR compliance. Please contact me for an initial informal assessment, which will look at your existing approach to data protection and information security. I'll provide you with a simple checklist of recommended actions, to point you in the right direction.

Contact Your Security Manager today to discuss how we can work together.

* The ICO’s register of data controllers is a publicly accessible register. I’m always amazed at how few local businesses appear on it.

About Us

Information Security is my speciality

I am Alex Burnham, an enthusiastic advocate for Information Security, and ISO27001 Lead Auditor. I enjoy working with non-technical SME's that struggle to understand how to improve their data defensibility, and do my utmost to help them comply with DPA and new GDPR regulations. I have practical hands on experience, and a pragmatic approach, in delivering secure technical environments, and implementing ISO27001, PCI-DSS, and CESG/NCSC (including Cyber Essentials) compliant Information Security Management Systems (ISMS).

I have worked with small businesses my whole life. I returned to university as a mature student in the mid '90's to complete a BSc (hons) in Computer Communications. In the early 2000's I was Director of Technology for a web development company, then spent several years as ICT Infrastructure and Support Manager for a national training provider, managing the roll out one of the first virtualised datacentres in the sector. In recent years as an Information Security Officer in financial services, I worked with the compliance teams of major lenders and government departments, including HMRC.

I am committed to providing you with the best advice, solutions, and value, in all your information security requirements. I understand your need for workable, cost effective, solutions to support the growth of your business. Whether you need assistance completing a security plan for an important customer, help with understanding the GDPR, development of your ISMS, or full ISO27001 compliance, I can help in every case. And if you are running a small business with no in-house information security capability, I can be Your Security Manager.

Connect with me on LinkedIn Dyfi Computer Services on Facebook Follow me on Twitter

What is InfoSec?

An explanation for real people

According to several definitions, the term "Information Security" (InfoSec) means "protecting information and information systems from unauthorised access, use, disclosure, disruption, modification, or destruction" in order to provide;

Confidentiality: preserving authorised restrictions on access and disclosure, and means for protecting personal privacy and proprietary information. i.e.: only those that need access, have access.

Integrity: guarding against improper information modification or destruction, and ensuring information nonrepudiation and authenticity. i.e.: the data is correct.

Availability: ensuring timely and reliable access to, and use of, information. i.e.: you can find your data when you need it.

It can be helpful to think of Information Security as Health and Safety guidance and compliance for your business data and information. Just like health and safety, some of it is common sense, some of it is advisable, and some of it is governed by legislation. You have to comply with the legislation, but the rest of it is up to you, depending on how you view the risk, the likelihood of something happening, and the resultant consequences should something happen.

Your Security Manager can give you as much, or as little, assistance as you want or need in making the journey to better protecting your business information and data processing systems. Just like health and safety, there is no one size fits all solution to becoming secure. It's not just about technology either, in fact, most of it is about management, evaluating risks, and changing working practices to be more safe. Sometimes you'll need hard hats and harnesses, but often it's about making sure the floor is clean, and you're using a ladder instead of a chair!

Contact Us

Contact us now by any of these methods!

Email us at info@yoursecuritymanager.com
Use our Tawk.to web-chat
Phone us on 01650 558227
Connect with me on LinkedIn
Message Dyfi Computer Services on Facebook
Message us on Twitter
Write to us at: Dyfi Computer Services, Ty Capel, Darowen, Machynlleth, SY20 8NS

And if you happen to be in our beautiful part of the world, maybe pop in for a coffee!

https://Add-Map.com
We're pretty much off the beaten track, so we don't get many visitors, and to be honest, we like the peace and quiet!

YourSecurityManager

Independent Information Security specialist helping your business with data protection, resilience, compliance and auditing.