It's not quite what I was getting at. You are right in what you say. However, access to a VPN carries with it risks over and above those of a memory stick. A memory stick can contain thousands of individuals' details. But one would hope that it would be encrypted and therefore secure from "casual" cracking.
However the ability to access whole systems remotely comes with slightly different risks, not much different but enough.
How many times have you seen a salesman (or similar) with his laptop at a motorway services using web based/VPN access to their company's systems? I have actually stood behind people and been able to read quite confidential information (admittedly not personal information, but the principle is much the same) - trains are the other area where this happens a lot, of course. I have lost count of the number of times that my polite suggestion that they should sit with their back to a wall has been met with either dumb stares or flustered "aggression" (that might be too strong a word).
Of course a memory stick has similar issues, but often does not contain access to a dynamic system.
Of course most (if not all now) VPN-type systems have at least two-factor authentication, but whilst this reduces risk it does not eliminate risk. The risks between removable media and VPN access are not so far apart, but are different enough to attract separate risk categorisation.
Simon Howarth
www.informationedge.co.uk
-----Original Message-----
From: This list is for those interested in Data Protection issues [mailto:[log in to unmask]] On Behalf Of Paul Ticher
Sent: 20 March 2012 11:27
To: [log in to unmask]
Subject: Re: [data-protection] Working from home DP clauses in policies
Does a VPN have Data Protection implications?
In my view, as long as the VPN is set up properly it is far preferable to transporting data back and forth on a laptop or USB stick. There is far less chance of the data going astray in transit, and since the data is always held on the remote server there is no need to synchronise different versions. So a VPN helps you to tick boxes under Principles 4 and 7.
The key thing is to ensure that the authentication at the remote end is robust. In other words your setup must not permit username and password to be 'remembered' by the remote machine, and if the data is highly confidential then additional security such as fingerprint recognition or two-factor log-in using a token of some kind may be appropriate.
You also need to train the users not to print out confidential material at home and leave it on the kitchen table for all and sundry to read. But that's no different from people taking paper copies home in their briefcase and reading them in full view on the train (person sitting opposite me the other day reading documents clearly stamped 'confidential' on every page, please take note).
Paul Ticher
0116 273 8191
www.paulticher.com
22 Stoughton Drive North, Leicester LE5 5UB
----- Original Message -----
From: "Simon Howarth" <[log in to unmask]>
To: <[log in to unmask]>
Sent: Monday, March 19, 2012 3:09 PM
Subject: Re: Working from home DP clauses in policies
You have a point. Although I would say that risk is inherent in any access to information, regardless of method. It's the acceptable level of risk that is the key.
VPNs, remote access - call it what you will, will always have risks associated with inappropriate disclosure and it is a constant source of navel gazing as to how it is managed and what is acceptable or not. It's all about balancing the need to be able to "get on and do it" with protection of the information.
Whilst I could provide some older examples of homeworking and working from home policies, I suspect there are more recent examples. However, let me know if older examples are of interest.
I would say as well, that "homeworking" is different to "working from home" and the two should not be confused as they attract different risk areas and pressure points.
Simon Howarth MBCS CITP
www.informationedge.co.uk
<snip>
All archives of messages are stored permanently and are available to the world wide web community at large at http://www.jiscmail.ac.uk/lists/data-protection.html