Morgan Stanley – A Decommissioning Lesson, Blog by Senior Security Consultant, Ian Warren
News and information from the Advent IM team.
$60m: the price of complacency? The recent agreement reached by Morgan Stanley was born out of a failure to adhere to some basic Data Protection principles when dealing with customer information. Their obligation to safeguard such sensitive, personal data was sadly short of the mark.
This example shows us the importance of information security throughout the whole lifecycle of a system or process, from commissioning to decommissioning. Any system or process should follow an implementation framework in which the business case is transformed into a clear plan of action. That plan establishes the requirements for implementing and operating the system in a secure, compliant way, so that the Confidentiality, Integrity and Availability of the system and of the data it processes and stores are assured.
Data Protection by Design and Default should influence the whole planning process, ensuring we look at the system requirements for data capture, processing, storage and disposal. By doing this we set the scene for decommissioning from the outset, which should make the transition simpler and aid the planning and execution of the decommission itself.
Whilst the ‘end game’ isn’t necessarily detailed as part of the system implementation plan, the decommissioning of any system or process should at least be signposted, so that its own planning process starts in good time and the system is taken out of use in a safe, secure manner. The appropriate removal or safeguarding of data is a key factor; remember checking the back of the filing cabinet for lost papers? Yes, that is still relevant today, as I’ve yet to see a truly paperless office, but it applies even more to electronic data, where poor management can leave uncontrolled information ‘sitting around’ on systems that are easily overlooked. This shows the need to know what data we hold and where it is, and also to ensure our staff follow good Data Protection practices to reduce the likelihood of duplication and poor handling.
Third-party engagement for decommissioning is an accepted norm, but it can be the Achilles’ heel if your business doesn’t ensure the third party will meet the levels of Data Protection compliance you expect throughout the process. Again, your decommissioning plan should ensure you gain those assurances.
Plan well and your decommissioning journey should be a smooth one; scrimp and you will need some good answers, and potentially deep pockets, when the ICO comes calling. Happy New Year!