Adrian Leung Head of Information Security Catalyst Housing

2nd December 2014

Controlled Information: Restricted

I. Security vs Privacy

Differing perspectives

Relationship between Security and Privacy

Why things go wrong

II. The Catalyst approach

Catalyst’s approach

Catalyst information security programme

Laying the foundations

Lessons learnt

Agenda

Controlled Information: Restricted

Security vs Privacy From DP practioners’ perspective

Privacy

Security

Controlled Information: Restricted

Security vs Privacy From security practioners’ perspective

Privacy

Security

Controlled Information: Restricted

Security vs Privacy From the business’ perspective

Business Shareholders

Customers

Competition

Brand

Security

Privacy

Regulation

Controlled Information: Restricted

Security vs Privacy My view of the world(s)

Controlled Information: Restricted

Security vs Privacy A love hate relationship

Security is a process…Privacy is a consequence. Security is action… Privacy is result of successful action. Security is the strategy…Privacy is outcome. Security is the sealed envelope… Privacy is the successful delivery of the message inside the envelope. You must implement Security to obtain Privacy. Privacy is the state of existence…Security is the constitution supporting the existence.

Controlled Information: Restricted

Security vs Privacy What usually goes wrong

Most common DPA breach leading to £££ penalty?

Controlled Information: Restricted

Security vs Privacy Why things go wrong

Privacy is perceived purely as legal issue, whilst Security is seen as an IT or technical issue.

Privacy and Security functions often sitting in different departments and working in silos.

Privacy and Security teams have little communications and interactions. E.g. Privacy Policy written and published but no security policies, procedures and technical solutions implemented to enforce it.

Controlled Information: Restricted

Security vs Privacy My view of the world(s)

Principle 7

Privacy Security

Controlled Information: Restricted

Controlled Information: Restricted

Catalyst Approach A brief history of time

~Dec’13: Neither a Security nor a Privacy function Jan’14: Head of Information Security in post Jan-Feb’14: Established security governance structure Mar’14: Data Protection audit Apr’14: Recruited a security analyst May’14: Formally accountable for Data Protection Jun’14: Security programme formally launched Jul’14: Engaged Wright Hassall Oct’14: Recruiting privacy analyst

Controlled Information: Restricted

Controlled Information: Restricted

Catalyst Approach Laying the foundations

Security Governance

Established Security Board & Security Working Group

Information Protection

Defined information classification scheme

Piloting a classification tool

Data Protection

Central coordination

Controlled Information: Restricted

Awareness & Cultural change Visual identifier

Controlled Information: Restricted

Awareness & Cultural change Engaging the business

Controlled Information: Restricted

Controlled Information: Restricted

Controlled Information: Restricted

Catalyst Approach Lessons learnt

People, people, people;

Listen to business – build rapport and relationships;

Seek out opportunities to raise profile of security & privacy;

Reach out to peers (e.g. Circle housing);

Form strategic partnerships.

Controlled Information: Restricted

Adrian Leung Email: Adrian.Leung@chg.org.uk LinkedIn: uk.linkedin.com/pub/adrian-leung/1/511/a97/

Controlled Information: Restricted