Tuesday, 23 April 2019

It is very difficult to prove GDPR compliance but ISO 27001:2013 can set you apart from the rest

There is currently no certification body for the GDPR. Although you may be able to demonstrate that you have implemented the policies and procedures required by the GDPR and the DPA 2018, the implementation of an effective Information Security Management System (ISMS) provides reassurance to customers, clients and suppliers alike.

ISO 27001 is a framework of policies and procedures that includes all of the legal, physical and technical controls used in a company's information risk management processes. It is one of the family of standards providing world-class specifications for products, services and systems to ensure quality, safety and efficiency.

ISO is the International Organisation for Standardisation and UKAS is the sole national accreditation body for the United Kingdom.

The way we use data has changed significantly over the last 20 years, specifically in relation to the way data is acquired and dealt with.

Whilst cyber-attacks resulting in data breaches dominate the headlines, the truth is that the majority of data breaches occur due to human error:
  • A dropped memory stick
  • Sending something to the wrong e-mail address
  • Adding data to the wrong Dropbox folder
  • Not taking care of paper files whilst out of the office

In addition to this, over the last few years cyber attacks have increased in complexity and frequency, exposing millions of people and businesses to security breaches, theft and fraud.

In the digital age in which we live, the associated reputational damage arising from a data breach can be fatal to any business.

Do you look after or process client data? Are you an IT or telecoms company or part of the healthcare or financial industries?

What makes you stand out from your competitors and makes your clients choose you?

Contact C3C today on 0330 004 0020 or info@c3c.co.uk to find out how we can help you enhance your reputation and stand out from the crowd by achieving UKAS accredited ISO certification.

Thursday, 14 March 2019

What is Right to Work

Right to Work can mean different things to different people. In the USA, some states have regulations stating that people have a ‘right to work’ without being forced to join a union. Humanitarian organisations subscribe to the concept that people have a human right to work, or to engage in productive employment, and should not be prevented from doing so. In the UK, it is all about immigration compliance and is sometimes also labelled ‘preventing illegal working’. This article uses the UK Home Office term ‘right to work’, but the alternative, ‘preventing illegal working’, gives a good indication of what is required.

From January 1997, employers have been required to make checks on immigration status to check for illegal workers. Initially employers were required to be able to demonstrate a statutory defence, but following new legislation implemented in 2008, employers are now required to demonstrate they have a statutory excuse for all employees.

The statutory excuse means employers need to check the identity and immigration status of prospective staff members before employment starts. This requires checking a prescribed document from the Home Office lists of acceptable documents. The employer needs to make basic but appropriate checks to ensure that the document belongs to the person presenting it, that it is valid proof of right to work, and that it is genuine and has not been tampered with. [This is where Passport Proven can help] Most importantly, the employer needs to retain a copy of the document checked and be able to demonstrate that they have followed the necessary steps. An audit trail is important, so signing and dating copies also helps.

If an employer is satisfied with the documents, then it is likely the statutory excuse is in place; but what if a candidate cannot produce the required documents, or what if there are some doubts? The Home Office advises that employment should not be offered at this stage. It may be that the candidate has to apply for and provide new documents, or that the employer needs to research their options. Either way, it would be a mistake to employ someone without the necessary paperwork being in place, because of the potential for a Civil Penalty, or worse.

Employers who get this wrong could be subject to an illegal working penalty of up to £20,000 per illegal worker; and if the Home Office can demonstrate that the employer “had reasonable cause to believe” that the employee is an illegal worker, the ultimate penalty can be a prison sentence.

Passport Proven is here to make this process easier for you. It takes you through the steps of checking a document and provides you with a report meeting the record requirements for the statutory excuse.

In summary, the right to work in the UK can be defined as the process and record needed to ensure the statutory excuse is in place. The process requires following a few simple steps in order to create the relevant record. Doing this will protect employers from the Civil Penalty.

By Oliver Kemp of Passport Proven

Visit www.c3c.co.uk or call us on 0330 004 0020 to find out more.

Thursday, 17 January 2019

C3C Team Qualify as Lead Auditors for ISO 9001 & ISO 27001

Chapter Three Consulting are delighted to announce that the team have qualified as Lead Auditors for both ISO 9001 and ISO 27001 and C3C are now able to help clients prepare for ISO 9001 and ISO 27001 certification.

ISO 9001:2015 sets out the criteria for a Quality Management System (QMS) which is a collection of business processes focused on consistently meeting customer requirements and enhancing their satisfaction.

Implementing a QMS can help a business to:
  • Achieve greater consistency in the activities involved in providing products or services
  • Reduce expensive mistakes
  • Increase efficiency by improving use of time and resources
  • Improve customer satisfaction
  • Market the business more effectively
  • Exploit new market sectors and territories
  • Manage growth more effectively by making it easier to integrate new employees
  • Constantly improve products, processes and systems

ISO 27001:2013 provides the requirements for an Information Security Management System (ISMS).

The ISMS is a systematic approach to managing sensitive company information so that it remains secure. It includes people, processes and IT systems by applying a risk management process.

An ISMS typically addresses employee behaviour and processes as well as data and technology and can be implemented in a comprehensive way that becomes part of the company's culture.

The key benefits of an ISMS:
  • Helps protect all forms of information
  • Increases resilience to cyber attacks
  • Offers organisation-wide protection from technology-based risks
  • Helps respond to evolving security threats
  • Reduces costs associated with information security
  • Protects the confidentiality, integrity and availability of data
  • Improves company culture

Contact Chapter Three Consulting by calling 0330 004 0020 or email at info@c3c.co.uk

Wednesday, 21 November 2018

New GDPR guidance published by the ICO about passwords and encryption under the GDPR

Passwords in online services

At a glance

Although the GDPR does not say anything specific about passwords, you are required to process personal data securely by means of appropriate technical and organisational measures.

Passwords are a commonly-used means of protecting access to systems that process personal data. Therefore, any password setup that you implement must be appropriate to the particular circumstances of this processing.

You should consider whether there are any better alternatives to using passwords.

Any password system you deploy must protect against theft of stored passwords and ‘brute-force’ or guessing attacks.

There are a number of additional considerations you will need to take account of when designing your password system, such as the use of an appropriate hashing algorithm to store your passwords, protecting the means by which users enter their passwords, defending against common attacks and the use of two-factor authentication.
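The two storage properties the guidance asks for, resistance to theft of the stored hashes and to brute-force guessing, are illustrated below in an added example that is not from the ICO guidance or from C3C: an unsalted fast hash is shown beside a salted slow key derivation with constant-time verification and a failed-attempt lockout. The iteration count and lockout policy are assumed illustrative values.

```python
import hashlib
import hmac
import os
import time

# Work factor and lockout policy are assumed values for this illustration;
# tune the iteration count upward to what your servers can afford per login.
PBKDF2_ITERATIONS = 210_000
MAX_FAILURES = 5
LOCKOUT_SECONDS = 300


def unsalted_sha256(password: str) -> bytes:
    """Weak scheme: fast and unsalted, so equal passwords give equal hashes."""
    return hashlib.sha256(password.encode("utf-8")).digest()


def hash_password(password: str) -> dict:
    """Hardened scheme: per-user random salt plus a slow key-derivation function."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    # The record an application would store alongside the user account.
    return {"salt": salt, "hash": digest, "failures": 0, "locked_until": 0.0}


def verify_password(record: dict, password: str, now=None) -> bool:
    """Check a login attempt, throttling repeated failures to blunt online guessing."""
    now = time.time() if now is None else now
    if now < record["locked_until"]:
        return False  # account temporarily locked; the guess is not even evaluated
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    record["salt"], PBKDF2_ITERATIONS)
    # Constant-time comparison avoids leaking how many bytes matched.
    if hmac.compare_digest(candidate, record["hash"]):
        record["failures"] = 0
        return True
    record["failures"] += 1
    if record["failures"] >= MAX_FAILURES:
        record["locked_until"] = now + LOCKOUT_SECONDS
        record["failures"] = 0
    return False


if __name__ == "__main__":
    # Constructed sample: two users who happen to choose the same password.
    print(unsalted_sha256("Winter2019!") == unsalted_sha256("Winter2019!"))  # True: crackable together
    a, b = hash_password("Winter2019!"), hash_password("Winter2019!")
    print(a["hash"] == b["hash"])  # False: salts differ, so each must be attacked separately
    print(verify_password(a, "Winter2019!"))  # True
```

The `locked_until` field is what a two-factor step or rate limiter would consult before prompting; the guidance's remaining points (protecting the entry channel, 2FA) sit in front of this storage layer rather than inside it.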


Encryption

At a glance

The GDPR requires you to implement appropriate technical and organisational measures to ensure you process personal data securely.

Article 32 of the GDPR includes encryption as an example of an appropriate technical measure, depending on the nature and risks of your processing activities.

Encryption is a widely-available measure with relatively low costs of implementation. There is a large variety of solutions available.

You should have an encryption policy in place that governs how and when you implement encryption, and you should also train your staff in the use and importance of encryption.

When storing or transmitting personal data, you should use encryption and ensure that your encryption solution meets current standards.

You should be aware of the residual risks of encryption, and have steps in place to address these.

Visit the ICO at https://ico.org.uk

Contact Chapter Three Consulting by calling 0330 004 0020 or email us at info@c3c.co.uk

Monday, 9 April 2018

GDPR Awareness e-Learning Course

GDPR specialists Chapter Three Consulting are delighted to announce the launch of the GDPR Awareness e-Learning Course on the Eliademy training platform.
Learning objectives
The EU General Data Protection Regulation (GDPR) aims to give control of personal data back to individuals by addressing modern concerns about data protection in the digital age.
The way we use data has changed significantly over the last 20 years, specifically in relation to how personal data is acquired and dealt with.
Whilst cyber-attacks resulting in data breaches dominate the headlines, the truth is that most data breaches occur due to human error:
  • A dropped memory stick
  • Sending something to the wrong e-mail address
  • Adding data to the wrong Dropbox folder
  • Not following a policy on encrypting data
  • Not taking care of paper files while out of the office

In the digital age in which we live, the associated reputational damage arising from a data breach can be fatal to any business.
Target audience
The course provides a practical application of the GDPR. On completion students will understand the purpose of the GDPR and the best practice processes and procedures that are required to be followed when handling personal data.
The GDPR requires companies to record and monitor employee training and this is a vital aspect of evidencing that a company is complying with the GDPR. The learning platform is ideal for employees and individuals alike.
Course structure
Everyone needs to understand the care they need to take when handling personal data whether it be in the workplace or in their personal lives.
The course contains 8 Units covering:
  • An overview of the GDPR and the rights of the individual
  • The do’s and don’ts for information and cyber security
  • Best practice procedures for data access, handling and records management
  • The risks of mobile working
  • Employee responsibilities under the GDPR
  • Incident management and disaster recovery

There are 8 Assessments, one for each Unit, and students are emailed a certificate upon successful completion.
All this for only €49, or use the coupon code GDPR10% for a 10% discount.
Contact Chapter Three on 0330 004 0020 or info@c3c.co.uk for group pricing.

Friday, 19 January 2018

Chapter Three Consulting Become ISO 27001 Accredited

Chapter Three Consulting are delighted to announce that they have achieved ISO 27001 accreditation awarded by the British Assessment Bureau.

ISO 27001 is the internationally recognised standard for an Information Security Management System (ISMS) and proves an organisation’s commitment to the security of its customers. With ISO 27001 in place, Chapter Three Consulting are able to minimise the risk of potential data security breaches and reduce errors and costs, while demonstrating credibility and trust.

An ISMS is a set of policies, procedures, processes and systems that manage information risks, such as cyber-attacks, hacks, data leaks or theft. Businesses have been encouraged to identify risks of all shapes and sizes for many years now, and once identified they must be managed, and risk mitigation must be considered.

Cyber-attacks are increasing in volume and strength daily, and the financial and reputational damage caused by an ineffectual information security system can be fatal. Implementing an ISO 27001-certified ISMS helps to protect an organisation against such threats and demonstrates that the necessary steps have been taken to protect the business.

An IBM survey allocates 49% of breaches to malicious activity, 23% to system glitches and the remaining 28% to human error.

The Standard is designed to ensure the selection of adequate and proportionate security controls that help to protect information in line with increasingly rigid regulatory requirements such as the General Data Protection Regulation (GDPR), the NIS Directive and other cyber security laws.

The benefits of certification to ISO 27001 include:
  • Proving to clients that an organisation keeps their information secure
  • Achieving operational excellence
  • Minimising the risk of potential data security breaches
  • Protecting reputation
  • Reducing errors and costs
  • Increasing business profitability
  • Engaging employees

The Standard also helps businesses become more productive by setting out clear information risk responsibilities and ensuring continual improvement.

Chapter Three Consulting are a business support consultancy who focus on bringing specialist knowledge and expertise to companies who wish to fulfil their compliance obligations.

Providing specialist compliance knowledge and GDPR expertise to SMEs they are able to assist with auditing, managing and maintaining compliance.

Visit the website www.c3c.co.uk or call 0330 004 0020 for more information.


Tuesday, 21 November 2017

Is your business ready for the introduction of the new General Data Protection Regulation known as the GDPR in May 2018?

A recent IT Security survey found that 61% of UK companies don’t realise that the new Regulation applies to them.

A further study has shown that 21% of senior management have little or no awareness of the effect that the GDPR will have on their organisation, while 31% of the companies questioned had experienced an incident in the last 12 months due to staff negligence or bad practice.

It is essential that companies are made aware of the changes and new obligations in the legislation by May 2018 and time is running out.

The Regulation contains new rights for people to access the information companies hold about them, obligations for better data management and a new regime of fines. Incidents with serious consequences can attract fines of up to €20 million or 4% of a firm's global turnover, whichever is greater.

Companies covered by the GDPR will be more accountable for the handling of people's personal information. This will include having data protection policies, data protection impact assessments and data mapping showing how the data is processed.

Companies will need to obtain consent and demonstrate why people's information is being collected and processed, providing descriptions of the information that is held, how long it is being kept for and descriptions of the technical security measures in place.

As well as putting new obligations on the companies and organisations collecting personal data, the GDPR also gives individuals more power to access the information that is held about them free of charge.

To help prepare for the GDPR the ICO has created a 12-step guide which includes steps such as making key people aware of the Regulation, determining what information is held, reviewing current privacy notices, identifying the lawful basis for processing the data and what should happen in the event of a data breach.

Chapter Three Consulting are a business support consultancy who provide specialist compliance knowledge and GDPR expertise. As an ISO accredited organisation their consultants are able to assist in auditing, supporting the implementation of any changes required and maintaining ongoing compliance.

For further information contact us on 0330 004 0020 or email info@c3c.co.uk.