Data Protection - New British Standard Launched

BS 10012:2009 Data protection. Specification for a personal information management system has been published by the British Standards Institution.

The UK Data Protection Act (1998) applies to any UK organization that holds the personal information of living individuals and compliance is mandatory.  BS 10012 is designed to help an organization demonstrate compliance with the Act.

Road Safety Nigeria Web Site Updated

Since 2005 we’ve provided free hosting, technical support and content management for the Road Safety Nigeria site as part of Hillside Software’s ‘Social Responsibility’ programme.

Road Safety Nigeria web site front page

New Telephone and Fax Numbers

Hillside Software’s main telephone and fax numbers are now +44 (0) 141 530 9553 and +44 (0) 141 530 9554, respectively.

Hillside Software VLE Upgraded

Our Virtual Learning Environment (VLE) has been upgraded successfully to run on version 1.9.3 of the Moodle collaborative learning platform.  This has been done to address known defects and vulnerabilities.  Course participants should notice no changes to the VLE interface or how they access and use training course materials.

ISO 9001:2008 has been Published

On 14 November 2008, the International Organization for Standardization (ISO) published ISO 9001:2008, the latest edition of the International Standard for quality management systems (QMS).  The new version is the fourth edition of the standard that was first published in 1987.

ISO 9001:2008 contains no new requirements compared to the previous 2000 edition, which it replaces.  It merely provides clarifications to the existing requirements of ISO 9001:2000 and introduces minor changes intended to improve consistency with the environmental management system standard, ISO 14001:2004.

Secure USB Flash Memory Devices

SafeStick USB Flash Memory Storage Device 

Following a recent survey of available USB flash-memory storage devices (colloquially known as ‘USB sticks’ or ‘USB memory sticks’) we’ve decided to adopt the SafeStick device from BlockMaster AB as our preferred portable backup device.  This is issued to laptop users who may be out of the office for extended periods in remote locations where it may not be possible, or may be highly impractical, to make a VPN connection to the company’s network to back up files.  The main features of the SafeStick that make it attractive are:

  • All information on the device is forced to be encrypted and protected by a passphrase.  It is not possible for the user to establish an unprotected or unencrypted partition.
  • Encryption is managed by an AES-256 hardware ‘module’ embedded within the device itself and this ‘module’ has been independently tested.
  • The passphrase for accessing the device is forced to be ‘strong’.
  • The device can effectively cause its contents to ‘self-destruct’ if it is subjected to a ‘brute force’ attack.
  • No software needs to be pre-loaded or installed onto the host computer.

The use of SafeStick, together with deploying the PGP Whole Disk Encryption product to our laptop hard drives, means that we can be confident that data on our portable media will remain confidential if the devices are lost or stolen.

Currently the SafeStick is significantly more expensive than traditional USB ‘memory sticks’.  However, we feel that the peace of mind that it brings to corporate users is worth it.

Within the UK, the main distributor is Softek, and the device is also available from retailers including eXpansys.

Richard Murray, Technical Director

Most Often-Flouted Information Security Control?

Many organizations have policies about not allowing, or restricting, photography within their premises, especially if they deal with defence, financial or personal data.  Today, many cellphones incorporate a camera but how often are visitors asked at reception to have these cameras placed in temporary safe-keeping until they leave the premises?  I can’t recall a single instance in the last fifteen years when I’ve seen anyone being asked whether they had a camera or had their attention drawn to a no-photography policy.  (To avoid any potential problems, the standard cellphone issued to Hillside Software employees is the Nokia E61 which doesn’t have a built-in camera.)

Richard Murray, Technical Director

ICT Disaster Recovery Guidance - ISO/IEC 24762:2008

A new guide entitled ‘Information technology — Security techniques — Guidelines for information and communications technology disaster recovery services’ has been published by the International Organization for Standardization.

ISO/IEC 24762:2008 provides guidelines on the provision of information and communications technology disaster recovery (ICT DR) services as part of business continuity management, applicable to both “in-house” and “outsourced” ICT DR service providers of physical facilities and services.

ISO/IEC 24762:2008 specifies:

  • Requirements for implementing, operating, monitoring and maintaining ICT DR services and facilities;
  • Capabilities that outsourced ICT DR service providers should possess and the practices they should follow, to provide basic secure operating environments and facilitate organizations’ recovery efforts;
  • Guidance for selection of a recovery site;
  • Guidance for ICT DR service providers to continuously improve their ICT DR services.

Oil & Gas Exchange, London, Nov 2007

Richard Murray, our Technical Director, is the co-author of the ‘IT Governance’ paper being presented by Donnie Mapanao, Head of IT in Addax Petroleum’s Geneva headquarters.

IT Governance conference presentation

Energy Use

As part of our commitment to environmental management, we monitor our energy use within the office.  Here are the latest graphs which show that we’ve been successful in reducing our gas use by over 20%.  However, we are getting slightly worse in terms of our electricity consumption.  To try to improve, we’ve put a number of ‘Switch It OFF!’ stickers from the Carbon Trust on items of equipment that we’ve noticed sometimes get left on overnight.  We’ve also invested in a remote controller that allows a number of electrical items to be disconnected from the mains supply in one go.  This simplifies end-of-day activities.

Electricity and gas consumption graphs