Adrian Leung Head of Information Security Catalyst Housing
2nd December 2014
Controlled Information: Restricted
Agenda
I. Security vs Privacy
Differing perspectives
Relationship between Security and Privacy
Why things go wrong
II. The Catalyst approach
Catalyst's approach
Catalyst information security programme
Laying the foundations
Lessons learnt
Security vs Privacy From DP practitioners' perspective
Privacy
Security
Security vs Privacy From security practitioners' perspective
Privacy
Security
Security vs Privacy From the business’ perspective
Business Shareholders
Customers
Competition
Brand
Security
Privacy
Regulation
Security vs Privacy My view of the world(s)
Security vs Privacy A love hate relationship
Security is a process… Privacy is a consequence.
Security is action… Privacy is the result of successful action.
Security is the strategy… Privacy is the outcome.
Security is the sealed envelope… Privacy is the successful delivery of the message inside the envelope.
You must implement Security to obtain Privacy.
Privacy is the state of existence… Security is the constitution supporting the existence.
Security vs Privacy What usually goes wrong
Most common DPA breach leading to £££ penalty?
Security vs Privacy Why things go wrong
Privacy is perceived purely as a legal issue, whilst Security is seen as an IT or technical issue.
Privacy and Security functions often sit in different departments and work in silos.
Privacy and Security teams have little communication and interaction. E.g. a Privacy Policy is written and published, but no security policies, procedures or technical solutions are implemented to enforce it.
Security vs Privacy My view of the world(s)
[Figure: Principle 7 of the Data Protection Act 1998 (appropriate technical and organisational measures against unauthorised processing, loss or damage) shown as the point where Privacy and Security meet]
Catalyst Approach A brief history of time
~Dec '13: Neither a Security nor a Privacy function
Jan '14: Head of Information Security in post
Jan-Feb '14: Established security governance structure
Mar '14: Data Protection audit
Apr '14: Recruited a security analyst
May '14: Formally accountable for Data Protection
Jun '14: Security programme formally launched
Jul '14: Engaged Wright Hassall
Oct '14: Recruiting privacy analyst
Catalyst Approach Laying the foundations
Security Governance
Established Security Board & Security Working Group
Information Protection
Defined information classification scheme
Piloting a classification tool
Data Protection
Central coordination
Awareness & Cultural change Visual identifier
Awareness & Cultural change Engaging the business
Catalyst Approach Lessons learnt
People, people, people;
Listen to the business – build rapport and relationships;
Seek out opportunities to raise the profile of security & privacy;
Reach out to peers (e.g. Circle Housing);
Form strategic partnerships.
Adrian Leung Email: [email protected] LinkedIn: uk.linkedin.com/pub/adrian-leung/1/511/a97/