Your Security Manager - UK based Independent Information Security Specialist

Welcome

Here to help you improve the security of your information

Information security is always hitting the news;

Rights group loses mass surveillance appeal (BBC News 29 Jul 2019)
Social media is like 'a crime scene' (BBC News 26 Jul 2019)
Wiltshire Council 'hit by cyber attacks after Novichok poisonings' (BBC News 2 Jul 2019)
E.On 'error' reveals 498 customers' email details (BBC News 5 Jul 2019)
How a ransomware attack cost one firm £45m (BBC News 25 Jun 2019)
MI5's data use was 'unlawful', watchdog says (BBC News 11 Jun 2019)
Personal alarms hackable using phone numbers (BBC 14 May 2019)

Just a handful of stories making the BBC's headlines recently. And of course let's not forget the GDPR; Firms warned to prepare for tougher EU data protection rules (BBC News 1 June '17). Of course, you were ready for that though, right?

For many small businesses it is a confusing minefield of technobable and jargon, with terms like "data protection" and "cyber safety" bandied about interchangeably with "information security". Potential customers may be asking you for security and incident response plans, BCP and DR plans, vulnerability scans, penetration tests... Your Security Manager is here to help clarify all these (and many many more!), and help you improve the way you protect data in your business, and so increase the amount of business you can do.

Contact Your Security Manager today to discuss how we can work together to improve your information security.

Our Services

Some of the services we can offer

Information security consultancy is a broad church, and Your Security Manager offers a huge range of services including;

ISO 27001 audit, gap analysis, and project kick off
Information Security Plans for Government (CESG/NCSC) contract tendering
GDPR compliance assistance
PCI-DSS self certification advice and guidance
Cyber Essentials guidance
Information protection, Risk Management, and Business Impact Analysis consultation
Capacity Planning, Business Continuity, and Disaster Recovery consultation
Independent 3rd party supplier audit
Internal compliance audits
Physical security audits
Documentation reviews
ICT support management consultation

I also partner with established service providers, in the Information Protection and Information Security consultation field, and IT Support businesses that have no in-house security expertise. As an ISO27001 Lead Auditor I am adept at sense checking implementations, where an external pair of eyes often finds those little missed details!

If you are seeking to improve the security of your business information then I can be Your Security Manager.

Contact Your Security Manager today to discuss how we can work together.

GDPR

The General Data Protection Regulation

Do not panic!

It might come as a surprise to see this bit of advice, but no official is going to knock on your door demanding proof of compliance with the GDPR, just as no one from the government ever asked for more than proof of your registration with the Information Commissioner's Office (ICO) as required under The Data Protection Act (DPA)^*. However, you should by now be familiar with the legislation, have the neccessary protocols in place, and be keeping evidence of compliance in the event that something occurs (like a breach) and you are called upon to demonstrate your compliance efforts. Doubtless your clients will be asking that you demonstrate compliance in some way, as is their duty under the legislation.

Now I am not suggesting you do nothing and just forget about it, this is a legal requirement that all businesses must comply with, but let's put some of the scary headlines into context. The previous DPA was in force for 20 years, and the ICO had the power to fine organisations up to £500,000 for breaches. In the 2016/17 financial year the ICO processed over 17000 breach cases and just 16 of these resulted in a fine. None of these fines reached anywhere near the maximum. The new Data Protection Act 2018 brings in to law the details set out in the GDPR, in which there is provision for a maximum of €20m fine! The ICO is unlikely to be handling down fines of this magnitude for any but the most severe breaches. The reality for most small businesses is that you are extremely unlikely to be landed with such a cripling fine, if you are fined at all, unless you are utterly incompitent at handling vast quantities of personal data!

I'm sure you already did your best to comply with the old DPA, so how has the GDPR changed the new legislation? Primarily it defines personal data as any information "relating to an identified or identifiable natural person", and has these key provisions;

The right for individuals to access, correct, transfer or delete their personal information if it is held on your systems.
The GDPR applies globally, to any organisation offering goods or services within the EU, and will apply to UK businesses even after Brexit.
The requirement for you to notify authorities and customers within 72 hours of the discovery of a breach affecting their data.
Fines of up to 4% of global annual turnover (or €20 million, whichever is higher) for the most serious violations.
The requirement for citizens to give explicit consent for you to hold their data (where you do not have other legal reasons to have it), and for you to store this consent.

Key points in ensuring you comply with the GDPR;

you must fully understand what personal data you hold, where the data is stored, and who has access to it, from the moment you receive the information, to the moment it is deleted from your systems.
you must have organisation-wide data protection policies, auditable record keeping, perform data protection impact assessments on particular types of data, and verify that any businesses you partner with are also compliant.
you must have the capability to detect and report data breaches, and the processes in place to find, modify, and delete personal data when requested, all within prescribed time limits.

Technology improvements have meant that personal data became very cheap to hold store and process, so much so that many businesses have vast stores of it. That is changing. Personal data is becoming what is known as a "toxic asset", that is, the risks of holding and storing it are potentially very damaging to your business.

Think of it in the terms of toxicity, and you'll be on the right path. Do you need that personal data in order for your business to function? If not, then remove it. If you do need it, consider anonymising it. If you really need that personal data, then you need to make sure that it is properly protected, and should consider encrypting it.

Do not panic!

I can help you achieve and maintain your GDPR compliance. Please contact me for an initial informal assessment, which will look at your existing approach to data protection and information security. I'll provide you with a simple checklist of recommended actions, to point you in the right direction.

Contact Your Security Manager today to discuss how we can work together.

* The ICO’s register of data controllers is a publicly accessible register. I’m always amazed at how few local businesses appear on it.

About Us

Information Security is my speciality

I am Alex Burnham, an enthusiastic advocate for Information Security, and ISO27001 Lead Auditor. I enjoy working with non-technical SME's that struggle to understand how to improve their data defensibility, and do my utmost to help them comply with DPA and new GDPR regulations. I have practical hands on experience, and a pragmatic approach, in delivering secure technical environments, and implementing ISO27001, PCI-DSS, and CESG/NCSC (including Cyber Essentials) compliant Information Security Management Systems (ISMS).

I have worked with small businesses my whole life. I returned to university as a mature student in the mid '90s to complete a BSc (hons) in Computer Communications. In the early 2000s I was Director of Technology for a web development company, then spent several years as ICT Infrastructure and Support Manager for a national training provider, managing the roll out one of the first virtualised datacentres in the sector. In more recent years as an Information Security Officer in financial services, I worked with the compliance teams of major lenders and government departments, including HMRC.

I am committed to providing you with the best advice, solutions, and value, in all your information security requirements. I understand your need for workable, cost effective, solutions to support the growth of your business. Whether you need assistance completing a security plan for an important customer, help with understanding the GDPR, development of your ISMS, or full ISO27001 compliance, I can help in every case. And if you are running a small business with no in-house information security capability, I can be Your Security Manager.

Connect with me on LinkedIn Dyfi Computer Services on Facebook Follow me on Twitter

What is InfoSec?

An explanation for real people

According to several definitions, the term "Information Security" (InfoSec) means "protecting information and information systems from unauthorised access, use, disclosure, disruption, modification, or destruction" in order to provide;

Confidentiality: preserving authorised restrictions on access and disclosure, and means for protecting personal privacy and proprietary information. i.e.: only those that need access, have access.

Integrity: guarding against improper information modification or destruction, and ensuring information nonrepudiation and authenticity. i.e.: the data is correct.

Availability: ensuring timely and reliable access to, and use of, information. i.e.: you can find your data when you need it.

It can be helpful to think of Information Security as Health and Safety guidance and compliance for your business data and information. Just like health and safety, some of it is common sense, some of it is advisable, and some of it is governed by legislation. You have to comply with the legislation, but the rest of it is up to you, depending on how you view the risk, the likelihood of something happening, and the resultant consequences should something happen.

Your Security Manager can give you as much, or as little, assistance as you want or need in making the journey to better protecting your business information and data processing systems. Just like health and safety, there is no one size fits all solution to becoming secure. It's not just about technology either, in fact, most of it is about management, evaluating risks, and changing working practices to be more safe. Sometimes you'll need hard hats and harnesses, but often it's about making sure the floor is clean, and you're using a ladder instead of a chair!

Contact Us

Contact us now by any of these methods!

Email us at info@yoursecuritymanager.com
Use our Tawk.to web-chat
Phone us on 01650 558227
Connect with me on LinkedIn
Message Dyfi Computer Services on Facebook
Message us on Twitter
Write to us at: Dyfi Computer Services, Ty Capel, Darowen, Machynlleth, SY20 8NS

And if you happen to be in our beautiful part of the world, maybe pop in for a coffee!

https://Add-Map.com

YourSecurityManager

Independent Information Security specialist helping your business with data protection, resilience, compliance and auditing.