Preventing the release of confidential information will
be a major challenge for IT directors as they strive to comply with
the EU Privacy Directive, analyst firm Gartner has
warned.
One of the main security issues facing IT directors is how to
cope with requests made under the Freedom of Information (FOI) Act,
which can affect all public sector bodies and private sector
companies contracted to them. Jay Heiser, research vice-president
at Gartner, said, "Government and organisations will have greater
responsibility to protect the identity of people."
Heiser warned that local authorities dealing with FOI requests
could inadvertently leak confidential information. If someone
received two or three pieces of unrelated information under the FOI
Act, which were then combined, this could constitute a major leak
of information, breaching the Data Privacy Directive, he said.
"There is very little guidance for local authorities. Policy and
technology need to be in place to prevent local authorities from
releasing proprietary information," said Heiser.
Privacy concerns have also been raised around the national
programme for IT in the NHS, because of the access that various
staff have to electronic patient records. One of the stated aims
of electronic records is to provide researchers with a wealth of
anonymised information.
"The implication of collecting sensitive personal data on a
national scale is that a sophisticated attack could infer
information from data that has already been scrubbed away," said
Heiser.
As well as compliance issues, Heiser warned of the growing
threat of intellectual property theft. The case of Trojans being
used for industrial espionage in Israel was a worrying development,
he said. "Malware was purpose-built to attack a specific
organisation."
In such an instance, users cannot rely on anti-virus protection,
as the attack is not considered to be in the wild. To protect
against such attacks Heiser advocated taking a process-oriented
approach to security based on vulnerability management, intrusion
prevention, identity and access management and network access
control.
USB memory sticks are another security weakness through which
intellectual property theft could occur. Heiser said, "A huge amount
of valuable data is leaking through the USB."
He advised users concerned about this type of data theft to
invest in a content monitoring system. "This can be used to monitor
how much sensitive information is being accessed," Heiser said.
Wireless networks pose a similar risk, with people connecting to
corporate networks from almost anywhere. "It is a huge challenge
for security staff to allow flexibility," said Heiser.
Compliance will be a key theme at the Gartner IT Security Summit
in London from 14-15 September.
www.gartner.com/2_events/