LONE WORKER PROTECTION
currently has over 114 policies and procedures within its ISO 27001 certified ISMS, covering all aspects of service delivery.
As the sheer volume of data and the role it plays within an organisation evolves, so must its ISMS. Supplier audits, impact assessments of changes to any aspect of service delivery, system acceptance testing, data retention and disposal, staff access rights to internal systems and access rights deletion are just some of the areas that must be continually reviewed and updated.
PRACTICE MAKES PERFECT
Although BS 8484, the provision of lone worker services code of practice, explicitly states that security service providers must have data protection policies in place, it only requires the provider’s third-party suppliers to be accredited to ISO 27001 if the third party is storing and/or processing customer data. Therefore it is still vital for customers to ask the right questions about how a prospective partner deals with and processes data, where it is stored, who has access to it and what it is ultimately used for.
For example, when it comes to storing audio from lone worker alarms, what is the policy on genuine versus false alarms – and are false alarms deleted quickly? It is recommended that all false alarm audio should be deleted within 24 hours of the incident. And how secure are online customer portals and the networks and IT infrastructure they sit within? Have they been subjected to stringent third-party penetration testing?
Lastly, what measures are in place to stop accidental data breaches through simple human error? Practical examples of good processes include disabling auto-complete email functionality, as it reduces the risk of the wrong email address accidentally being used. Similarly, avoid sending electronic or hard copy forms containing personal data, and password-protect any documents. Ensure that no documents with any personal information are held locally on staff desktops and laptops. Staff should also be given extensive information security awareness training on this and other related subjects on an ongoing basis, as the threats posed are constantly changing.
CENTRE OF ATTENTION
It’s also vital to establish exactly where any information is being held. Service providers often use third-party co-location data centres and, although ISO 27001 certified facilities should have all GDPR data processing security requirements covered, there is still a need to carry out due diligence and ask questions about uptime and any previous security breaches, because such facilities could be a potential point of failure and an information security weakness.
The answers to these questions and much else besides should become apparent through the completion of a Data Protection Impact Assessment (DPIA), which is designed to identify and minimise the specific data protection risks of a project. As part of a DPIA, a service provider should describe the nature, scope, context and purposes of the processing; assess necessity, proportionality and compliance measures; identify and assess risks to individuals; and identify any additional measures to mitigate those risks. The Information Commissioner’s Office (ICO) website provides some useful guidance on carrying out a DPIA.
POINTS OF ORDER
In order to ascertain a potential lone worker service provider’s ability to keep data secure, those carrying out a DPIA are advised to drill down to the finer details about its processes and procedures.
Once a DPIA has been completed, the client must then decide whether the service provider has appropriate mechanisms in place that will reduce information security risks to an acceptable level, appropriately protect information, ensure that employees comply with applicable legislative and regulatory requirements, and can provide documentary evidence in the form of records to show that the processes are being followed correctly – preferably via an ISO 27001 certified ISMS. Furthermore, it must be able to prove that governance of its ISMS is managed by key directors and/or senior managers who bear ultimate responsibility.
DANGER ZONE
Data breaches make the news headlines on an almost daily basis, and those carrying out such attacks are increasingly sophisticated in how they carry out their nefarious activities. Data protection is now the subject of intense scrutiny, and the loss of personal information and other intellectual property can lead to operational downtime, reputational damage and financial penalties – any of which could put an organisation’s very existence in jeopardy. So when selecting a provider of lone worker protection and ARC services, ask the right questions and preferably choose an ISO 27001 certified partner that has stringent procedures in place to ensure that your information does not get into the wrong hands.
www.relianceprotect.co.uk 21