|NSA Prism, GCHQ and other agencies are not in a position to access any application data. All data is housed in multiple physically secure tier-4 data centres that house the UK broadband backbone. Private dedicated servers with fully encrypted databases store the data and prevent access by unauthorized users. All comunication to and from the servers is via HTTPS encrypted communication links to prevent data being copied while it is being provided to authorized users.|
|While many corporations will be content with a reasonable level of privacy, we consider that our entire business is totally dependent on never ever having any kind of security or privacy breach. Without any compromise, we choose to ensure that no hacker, criminal or state-sponsored cyber spy will be able to access any application data. This may be expensive, but as our entire reputation and survival of our business is dependent of having no vulnerabilities - this is a cost we choose to pay.|
|While security standards like ISO 27000 exist, no privacy standards exist, so best practice is published as a policy and guidelines. Privacy begins with trust and verification, being open and transparent, and doing the right thing. People and not monitored, but data and functions are monitored - people are not stolen but data could be stolen.|
1. People are educated to only access private and confidential business data in the CRM application service. Business data shall NEVER be stored on any local desktop, laptop, tablet, phone or portable (USB) media for any reason. When business data arrives in the office, it must be scanned, uploaded and the physical copy destroyed by scredding - the same day.
2. People are protected from a criminal attack against their families in exchange for stealing a business data, by ensuring that criminals can see that people are not able to steal business data to order. When a person is attacked, they are educated to give up thier pass phrase and any other information they may have - nobody is expected to be a hero in the face of a rethless criminal gang. Application services are in place to protect people and to protect business data in the event that a pass phrase is stolen and misused.
3. Data is protected from both external and insider attacks, with insider attacks being classified as the most serious. Half the security budget is used to stop criminal attacks and the other half is used to stop insider theft and/or accidential deletion.
|A UK court order could demand that we are obliged to give up our encryption keys to law enforcement agency but until that time, all data is safe, secure and private.|
|While some application service providers may be content with a single layer of encryption, we choose to deploy multiple layers of interleaved encryption as this has proved to be hard and very expensive to try to decrypt. Each layer of encryption creates a partial result that cannot be read or understood as begin a valid solution - its just a string of data with no structure. Industry professionals consider that three different layers of interleaved encryption may be beyond the capability of current computing power to decrypt.|
The degree of encryption used is the highest permitted by UK and European law. This may exceed certain USA export limitations and restrictions where certain data must be capable of being decrypted by Government agencies without a court order.
|While some companies try to block USB devices and DVD writers, these methods provide false security as they can easily be circumvented. The certain wasy to keep business data private is to make sure that it is always encrypted and stored in many remote data centres. Business data must never be permitted to be downloaded to a local computing device where it can be stolen, when the act of download is a clear violation of Data Protection regulations as the data is no longer encrypted.|| |
|* All application data is fully encrypted in all databases in all data centres all the time.|
* All application service communications are encrypted for every web page all the time.
|People should expect that everything they say and do may be recorded and may be used against them - sorry this is just a fact of modern life. People should expect that privacy in the workplace does not exist because it is a place of work where many different cultures come together for the benefit of the business. Business data cannot be protected with a camera - business data is protected by encryption.|
Cameras provide good physical security - cameras make people less likely to suffer a physical attack. People are encouraged to wear cameras to be able to prove what they did and when they did it - this is not a privacy issue.
|Application data will be copied by many (Government) agencies when (1) data is downloaded to a local computer and when (2) data is communicated by email.|
Duty of Care:
|Employers have a duty of care to protect staff (and their families) from being threatened by criminals to steal business data. Staff must be able to prove to criminals using on-line public documents that they are not able to steal business data to order. When staff are threatened by a criminal, they are educated to give up their pass phrase and any other information they may have - other systems will minimise the damage that a criminal can do.|
When a person leaves, it must be assumed that a vast amount of intellectual property will go with them by way of remembered procedures, methods of working and confidential data. It is not reasonable to wipe clean memory, so other procedures must be put in place to cope with the transfer of intellectual property - contracts preventing the person from earning a living would not be legal.