All posts by Damien Garvey

Employee Termination and The Role of IT in Preserving Sensitive Data

Employee termination — whether voluntary or involuntary — happens every day in every industry. Managing the termination process is one of the great challenges for businesses. HR plays a significant role in termination, while IT is often not regarded as a department that needs to be involved; for that reason, the termination procedure creates many problems. To keep terminations organised and smooth, some effective practices are described here:

Basic Actions
It is necessary to plan terminations at the initial stage. HR should perform its duty in collaboration with IT, as these two departments are equally important. If a wrong termination date is given to IT and they revoke access on that date, it complicates matters: the employee might be unable to use data or get into the office because IT has already disabled their access.

In most cases, IT departments are given particular guidelines and follow set procedures for terminated employees. Though the exact tasks depend on the guidelines, some basic tasks are performed to deny terminated employees access. These are as follows:
1. Restrict access to the building;
2. Deactivate remote access;
3. Cancel network, data and computer access;
4. Ensure that all of the employer's equipment is returned;
5. Protect critical information held on all devices.

Tasks 1 to 4 above are performed routinely across all industries. However, protecting critical information is difficult when the majority of employees use multiple devices. Salespeople keep data on various devices, such as a smartphone, tablet and laptop. Data across these devices contains confidential details concerning the company and its clients, and it is therefore obligatory for the IT department to protect that information.

Preserving Data
Sensitive information, logs and records must be protected by IT in case a terminated employee lodges a complaint or files a case against the company. Sometimes disgruntled employees delete their emails, customer records or project files. To cope with this, data retention measures are applied before the termination date.

What does the IT department do with the company's sensitive data that is stored on an employee's personal device? Preserving data is not simple given the proliferation of Bring Your Own Device (BYOD) and smartphones. On a legal basis, the company has the authority to keep or delete such data without damaging or disabling the device. In this regard, remote wipe applications are very helpful in keeping the company's information in safe hands.

In multinational and large companies, employees share a great number of accounts within a department. Though shared accounts have some benefits, they create innumerable issues and should be avoided.
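The checklist and the two pitfalls above (HR and IT acting on different dates, and data being deleted before it is preserved) can be enforced as an ordering rule. This is an added example, not code from the original post; the directory, mailbox and device operations are represented by plain records (hypothetical) so it runs offline.

```python
"""Offboarding sequencer for the termination checklist described above.
Added example, not code from the original post. Directory, mailbox and MDM
operations are plain records (hypothetical); each step maps to a real call."""
from dataclasses import dataclass, field
from datetime import date


@dataclass
class Leaver:
    user_id: str
    hr_termination_date: str            # ISO date confirmed by HR
    devices: list                        # device ids, company-owned or BYOD
    shared_accounts: list = field(default_factory=list)


def build_plan(leaver, it_termination_date, today):
    """Return (steps, warnings): steps are (phase, action) tuples in the order
    IT should run them; an empty step list means the plan must not proceed."""
    hr_date = date.fromisoformat(leaver.hr_termination_date)
    it_date = date.fromisoformat(it_termination_date)
    steps, warnings = [], []
    # Pitfall 1: HR and IT working from different dates. Acting on the wrong
    # one locks out a current employee or leaves a leaver's access live.
    if hr_date != it_date:
        warnings.append(f"date mismatch: HR={hr_date} IT={it_date}; do not proceed")
        return steps, warnings
    # Preserve before revoke: retention runs ahead of the termination date so
    # mail, customer records and project files cannot be deleted first.
    steps.append(("preserve", f"place {leaver.user_id} mailbox and files on hold"))
    for dev in leaver.devices:
        steps.append(("preserve", f"copy company data off {dev}"))
    # Shared accounts cannot simply be disabled without locking out colleagues:
    # rotate the credential now and flag the account for retirement.
    for acct in leaver.shared_accounts:
        steps.append(("rotate", f"rotate credential of shared account {acct}"))
        warnings.append(f"shared account {acct} in use; schedule its retirement")
    # Revoke only once the agreed date has arrived (tasks 1 to 4 of the list).
    if date.fromisoformat(today) >= it_date:
        steps += [("revoke", "building access"),
                  ("revoke", "remote access"),
                  ("revoke", "network, data and computer accounts")]
        for dev in leaver.devices:
            steps.append(("recover", f"collect {dev} or remote-wipe company data on it"))
    return steps, warnings


def preserve_precedes_revoke(steps):
    """Audit check for a plan: no revoke/recover step may run before the
    last preserve step, otherwise evidence could be lost at lock-out time."""
    phases = [phase for phase, _ in steps]
    if "preserve" not in phases:
        return False
    last_preserve = max(i for i, p in enumerate(phases) if p == "preserve")
    return all(p not in ("revoke", "recover") for p in phases[:last_preserve])
```

Running `build_plan` a few days before the agreed date yields only the preserve and rotate steps, which is the intended rehearsal before lock-out day.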

Conclusion
Some terminated employees (perhaps most often those terminated involuntarily) might try to steal critical data from their former companies. To manage the employee termination procedure smoothly, planning is necessary at both the IT and HR level. The IT manager must have comprehensive knowledge of the employee termination process and of the IT department's responsibilities. To accomplish this effectively, the IT manager should arrange a meeting with all stakeholders. It is preferable to receive termination notifications in advance; however, this is not always possible. To deal with this, it is good to have plans for uncertain, worst-case scenarios.

UK’s ICO Data Protection Act

The UK Data Protection Act, enforced by the Information Commissioner's Office (ICO), regulates the use of personal data held by commercial and non-commercial companies, as well as by individuals. Such data might have been acquired for various kinds of reasons and, therefore, compliance is expected. The ICO is a self-regulating authority created to uphold information rights in order to protect personal privacy.

Basic Interpretative Provisions

The Data Protection Act defines “Data” as “information which—

(a) is being processed by means of equipment operating automatically in response to instructions given for that purpose,

(b) is recorded with the intention that it should be processed by means of such equipment,

(c) is recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system,

(d) does not fall within paragraph (a), (b) or (c) but forms part of an accessible record as defined by section 68,

(e) is recorded information held by a public authority and does not fall within any of paragraphs (a) to (d)”.

The Data Protection Act further defines “Personal Data” as “data which relate to a living individual who can be identified—

(a) from those data, or

(b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller, and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual”.

“Sensitive Personal Data” is further explained here:

According to The Data Protection Act, “Sensitive Personal Data” means personal data consisting of information as to—

(a) the racial or ethnic origin of the data subject,

(b) his political opinions,

(c) his religious beliefs or other beliefs of a similar nature,

(d) whether he is a member of a trade union (within the meaning of the Trade Union and Labour Relations (Consolidation) Act 1992),

(e) his physical or mental health or condition,

(f) his sexual life,

(g) the commission or alleged commission by him of any offence, or

(h) any proceedings for any offence committed or alleged to have been committed by him, the disposal of such proceedings or the sentence of any court in such proceedings.

The ICO has already levied penalties under the Data Protection Act for data breaches. The size of the fines shows that the ICO is very serious about enforcing the Act. It continues to monitor violations and enforce the provisions of the Act across the entire UK. For that reason, if you are a UK-based organisation engaged in a service that requires the collection of information or data of various sorts, you need to pay special attention to compliance with the Act, so as to avoid penalties and legal action. It must be noted that compliance with the Data Protection Act is not an option, but mandatory.

Non-Compliance is Very Expensive

For enterprises and businesses, compliance is a term that shows the company is following the laws and regulations concerning its business, personnel and clients. For businesses, compliance is not optional. In fact, it is obligatory for organizations, and deviation from the act results in penalties.

Accounting scandals at a number of corporations made it necessary to establish an act, and the Sarbanes-Oxley Act was passed in response to such companies. As a result, non-compliant enterprises face penalties such as loss of D&O insurance, imprisonment, heavy fines and loss of exchange listing. It is a given that investors have no interest in investing in non-compliant organizations. If CFOs or CEOs give false certifications, they face a fine of one million dollars for non-willful wrongdoing. For willful wrongdoing, the fine is up to five million dollars. In addition to fines, CEOs and CFOs can be imprisoned for ten to twenty years, depending on the evidence presented.

HIPAA is an act concerning health insurance portability and accountability. HIPAA applies to service providers dealing with health care departments, and equally to health care associates. If service providers are unable to meet the demands of the HIPAA Act, they face severe penalties. Health care providers are penalised when they ignore HIPAA standards. In such cases, the Secretary has the right to impose $100-$50,000 for each violation, up to a maximum of $1.5 million for identical provisions during a calendar year.

Another important part of HIPAA is its treatment of personal health information (PHI). When sensitive information such as patients' PHI is disclosed, health care providers are penalised for their carelessness. If the infringement is willful, a penalty of up to $50,000, a year's imprisonment, or both is imposed on the wrongdoer. If the violation is committed under false pretences, a fine of $100,000, five years' imprisonment, or both is imposed. If the violation is committed for commercial gain, a fine of up to $250,000, 10 years' imprisonment, or both is imposed.

Penalties related to PCI-DSS and the Data Protection Act include charges of up to $500,000 for data breaches. Non-compliant companies are not only fined, but also face long-lasting consequences, such as having their credit card processing shut down, loss of business, staff costs during the recovery process, detailed and increased audit requirements, the cost of printing and emailing client notifications, and loss of clients' trust.

Non-compliant data controllers are also punished under the Data Protection Act. They are required to register and to follow the Act in order to be qualified to process customers' sensitive information. If data controllers do not register, they can face litigation and penalties. Data controllers and agents who misuse personal client information in other ways not mentioned in the Act could be charged under civil or criminal sanctions.

In short, non-compliance can be terrible and costly for companies.

Why Does Backup Technology Choose to Partner with Asigra?

Asigra is disk-based cloud backup and recovery software known for its certainty and dependability, as well as its ability to guarantee absolute security. It has been placed in Gartner's Magic Quadrant for Disk-based Backup and Recovery in recent reports. Among the many parameters considered for this placement was its military-grade security feature. Asigra is therefore known as the best and most reliable backup and recovery software ever.

Asigra is unique in having more than a quarter of a century's presence in the cloud backup and recovery industry. It has provided users with quality software since 1986 without any form of breach. Because the software does not require open firewall ports, data stored in it cannot be hacked. Data in the data centres is stored in encrypted form, and all files and data blocks are digitally signed.

There is a built-in system admin function with logical checks and automated background healing, which keeps the stored data in a self-describing format. In addition, to protect the data against any form of compromise, the digital signatures are checked and validated regularly. Asigra is rightly acknowledged as one of the pioneers in cloud backup encryption. Asigra is channel-driven only; as such, service providers have been championing Asigra software by offering it as part of their packaged services. Asigra partners are known to be on top of their game and to beat the competition.

Asigra's encryption algorithm is FIPS certified. Data is encrypted from DS-Client to DS-System, edge to cloud, and disk to archive, and it remains encrypted at the storage endpoint. There are several encryption options associated with Asigra software, and customers have a choice ranging from 56-bit DES with an 8-character key to 256-bit AES with a 32-character key.

Additionally, Asigra software allows users to retrieve data that was encrypted with older encryption formats. There is also an option for management of the encryption key: the administrator can either self-manage the static encryption key generated at the point of subscription, or optionally allow the service provider to manage it.

User authentication is the central focus of Asigra security. For easy user definition, there are elaborate user management features. The central administrator can easily assign user IDs, rights, permissions and passwords. The password generation and rotation features of Asigra software are useful to security-conscious organizations: for a specific backup user, the password can be changed randomly to keep access to the data secure. All user activity can be logged and tracked at a central location.

This wonderful backup and recovery software is designed for existing legal provisions and greater compliance. The automated disk-based solution runs quietly in the background without human intervention. Asigra allows the generation of aggregated data for offsite storage, on-premises appliance-based backup, and the opportunity for instant recovery.

Backup Technology has been proud to be an Asigra partner since 2005 and a 3D Hybrid partner since 2010. For more information, please visit Asigra's website: www.asigra.com

Training the Trainers in Preparing for Disaster Situations

Honestly, it is not easy to plan for the recovery of systems after a disaster. Those planning for disaster recovery need to imagine every unforeseen event that might possibly happen. Planners also need to train the trainers who will teach others the resourceful and successful way of handling catastrophic circumstances, including in drills such as simulated disasters. This equips them with the knowledge required to handle the situation when an actual disaster occurs in the enterprise.

Indeed, for easy control and effective preparation against disaster, trainers must be selected carefully. The selection criteria should include their knowledge of the disaster management system. Selecting a team that is open to learning and likes to try new things is very important, as is selecting proactive individuals who are able to adjust their plans to suit an unexpected situation. Trainers also need flexibility in action, since it will be important to make new plans that fit conditions and situations that were not expected and do not originate from the main plan.

Certainly, trainers should be selected strictly from within the leaders of the organization, to make sure they have the ability to control and enforce discipline among their team members. Trainers also need to delegate authority to other team members and make sure that the delegated people have the freedom to respond within the framework during an emergency. All of this ensures adequate preparation against any form of disaster that may occur in the organization.

Therefore, involvement is important when training trainers. You must only select people who have been involved in the planning process and have perhaps actively contributed to identifying the potential risks and disastrous conditions. The trainers must have good knowledge of the effects and consequences of disasters, and must be prepared to put into practice all required and possible preventive actions to avert further effects that may be triggered by fear or lack of knowledge. Further, trainers should be those who handle the more difficult and larger part of the problem while assigning activities and tasks to others who are an integral part of the disaster management team.

Disaster training itself should be conducted repeatedly in simulated situations so as to harmonise the plans and teach the trainers how to identify gaps in their plans, resolve problems and harmonise issues that come up during implementation. The trainers should be allowed to raise problems that were not originally taken into consideration at the planning phase. Ultimately, the trainers should accept the plan and be ready to apply it truly and to the best of their capacity when disaster strikes.

The truth of the matter is that training the trainers cannot be done without adequate preparation. It is not only a long, drawn-out process, but also an iterative one. When the business environment changes, new disasters emerge, requiring the trainers to be trained again with full energy and dynamism. Training your trainers needs to be one of the main parts of your disaster recovery, as it is your protection against any form of disaster that your organization may face.

The Power of Activity Logs in Cloud Backup Services

Since your online data backup is hosted by a third-party company, there is a good chance that you will have oodles of questions for your online backup provider. Do you know that your data can easily be compromised before it actually reaches the vaults of your online backup provider? How can you be sure that your data is adequately and securely stored in their vault once transmitted? What exactly makes you think that your data will continue to be safe in an Internet-based datacentre? These and more are the questions you need to think about before hiring an online backup service provider.

Most online backup providers send manual or automated alerts to their customers at different stages of the backup, recovery or storage process so as to proactively manage customer anxiety. The main purpose of a customer alert is to inform the customer that something was not done the way it should have been, so that they can either contact the service provider immediately or attend to the problem at their own end. The provider typically configures the alerts when the customer first subscribes to the service: a software agent is installed on the client's machine on the network, which checks the status of the service repeatedly and generates alerts for the benefit of both the provider and the customer.

One popular type of customer alert is simply known as a log. Logs document the steps of the executed process, and all activities on the system are supported by logs. There are backup logs, which inform the customer whether the backup process completed smoothly or there were errors that prevented it from completing. If there are failed backups, the administrator will notice them the moment he or she logs into the system, as they pop up in the form of a message or a report.

Furthermore, user logs track and control the activities of users and check for unauthorised attempts to access the system using an authenticated user's identity. Passwords are also recorded in the user logs, and the required alerts can be generated. There may be other logs that are used to track behaviour on the network.

Most cloud backup service providers use custom alerts to keep track of the system's functions. The alerts are designed to point out problems that need solutions, so as to avoid problems in the system. The backup provider may simply resolve the issue at their end without needing to contact the customer; alternatively, the provider could notify the customer by email to handle the issue at their end. If the problem requires advanced knowledge to solve, the service provider may send specialised technical experts to guide the customer in resolving it.
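The two alert sources described above, backup logs and user logs, can be turned into concrete alerts by a small rule set. This is an added example, not the code of any provider mentioned in the post; the log line format and the sample lines are constructed for the illustration.

```python
"""Alert generation from cloud-backup activity logs. Added example, not any
provider's code; the line format and the sample lines are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<kind>BACKUP|AUTH) (?P<kv>.*)$")

def parse(line):
    """Return a dict with ts (datetime), kind and the key=value fields, or None."""
    m = LINE.match(line)
    if not m:
        return None
    rec = {"ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), "kind": m["kind"]}
    rec.update(kv.split("=", 1) for kv in m["kv"].split() if "=" in kv)
    return rec

def alerts(lines, max_failures=3, window=timedelta(minutes=10)):
    """Backup log: every FAILED set becomes an alert (the report an admin sees
    on login). User log: max_failures failed logins for one user inside the
    window raise one alert, and a later success for that user raises another,
    since a valid identity may now be in the wrong hands."""
    out = []
    failed_logins = defaultdict(list)         # user -> failure timestamps
    for line in lines:
        rec = parse(line)
        if rec is None:
            out.append(("UNPARSED", line))      # never silently drop input
            continue
        if rec["kind"] == "BACKUP" and rec.get("status") == "FAILED":
            out.append(("BACKUP_FAILED", f"{rec.get('set', '?')}: {rec.get('reason', '?')}"))
        elif rec["kind"] == "AUTH":
            user = rec.get("user", "?")
            recent = [t for t in failed_logins[user] if rec["ts"] - t <= window]
            if rec.get("result") == "FAIL":
                recent.append(rec["ts"])
                if len(recent) == max_failures:
                    out.append(("AUTH_BRUTE", f"{user} from {rec.get('src', '?')}"))
            elif rec.get("result") == "OK" and len(recent) >= max_failures:
                out.append(("AUTH_SUCCESS_AFTER_FAILURES", user))
            failed_logins[user] = recent
    return out

# Constructed sample of an agent's activity log (not real provider output).
SAMPLE_LOG = [
    "2014-05-02 02:00:11 BACKUP set=FinanceDB status=OK bytes=52428800",
    "2014-05-02 02:05:40 BACKUP set=FileServer status=FAILED reason=agent_unreachable",
    "2014-05-02 09:12:03 AUTH user=jsmith result=FAIL src=203.0.113.7",
    "2014-05-02 09:12:09 AUTH user=jsmith result=FAIL src=203.0.113.7",
    "2014-05-02 09:12:15 AUTH user=jsmith result=FAIL src=203.0.113.7",
    "2014-05-02 09:12:40 AUTH user=jsmith result=OK src=203.0.113.7",
    "2014-05-02 09:30:00 AUTH user=admin result=OK src=198.51.100.5",
    "corrupted line with no timestamp",
]

if __name__ == "__main__":
    print(*alerts(SAMPLE_LOG), sep="\n")
```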
