Morgan Stanley – A Decommissioning Lesson, Blog by Senior Security Consultant, Ian Warren
News and information from the Advent IM team.
$60m: the price of complacency? The recent agreement by Morgan Stanley was born out of a failure to adhere to some basic Data Protection principles when dealing with their customer information. Their obligation to safeguard such sensitive, personal data fell sadly short of the mark.
This example shows us the importance of information security across the whole life cycle of systems and processes, from implementation through to retirement. Any system or process should follow an implementation framework in which the business case is transformed into a clear plan of action. That plan establishes the requirements for implementing and operating the system in a secure, compliant way, so that the Confidentiality, Integrity, and Availability of the system and of the data it processes and stores are maintained.
Data Protection by Design and Default should be influencing the whole planning process to ensure we’re looking at the system requirements for data capture, processing, storage, and disposal. By doing this we ultimately pre-set the scene for the decommissioning process which should enable a simpler transition to aid the decommission planning and execution.
Whilst the ‘end game’ isn’t necessarily detailed as part of the system implementation plan, the decommissioning of any system or process should at least be sign-posted, so that its own planning process starts in good time and the system is taken out of use in a safe, secure manner. The appropriate removal or safeguarding of data is a key factor. Remember checking the back of the filing cabinet for lost papers? Yes, that is still relevant today, as I’ve not seen a truly paperless office, but it applies even more to electronic data: poor management can leave uncontrolled information ‘sitting around’ on systems where it is easily overlooked. This shows the need to know what data we hold and where it lives, and also to ensure our staff follow good Data Protection practices to reduce the likelihood of duplication and poor handling.
Third-party engagement for decommissioning is an accepted norm, but it can be the Achilles’ heel if your business doesn’t confirm that the third party will meet the level of Data Protection compliance you expect throughout the process. Again, your decommissioning plan should ensure you obtain those assurances.
Plan well and your decommissioning journey should be a smooth one; scrimp and you will need some good answers, and potentially deep pockets, when the ICO comes calling. Happy New Year!