ENISA’s new report proposing a “Security Framework for Governmental Clouds” may be more widely useful than its title and explicit scope suggest. Chapter 3 of the report suggests something pretty close to a project plan that any organisation could use to assess which applications and data are appropriate to move to a cloud service, what […]
Category: Articles
Thoughts on regulatory and ethical issues relating to the use of technology in education and research
Yesterday’s excellent University of Cambridge conference on Internet Regulation After Google Spain suggested that data protection law will continue to affect a growing range of our activities, but that interpreting its requirements in novel circumstances will continue to be challenging. It was suggested that if the current (1995) European Directive was for the age of […]
Categories
Apples and Oranges
In discussions of the “Right to be Forgotten” it is often observed that Google manages each month to deal with tens of millions of delisting requests for breach of copyright, as opposed to tens of thousands for inaccurate personal data. Often the implication seems to be that those numbers should be more similar. However it […]
Categories
Thinking about Cyberinsurance
A couple of discussions at Networkshop this week have raised the question of cyber-insurance, and whether this might be useful to universities and colleges. To think about that I split the question into three: What sort of risks does insurance cover, and are they things that are high on your risk register? If an incident […]
Categories
Why Google Spain worries me
Next month I’ll be going to an academic conference on Google Spain and the “Right to be Forgotten” (actually, “right to be delinked”) so I thought I’d better organise my thoughts on why, as a provider and user of communications and information services, the decision worries me. And I am much more worried by the […]
Categories
Counter-Terrorism and Security Act 2015
The Counter-Terrorism and Security Act 2015, which received Royal Assent last week, has some network-related provisions among its various powers relating to terrorism. Section 21 adds further “relevant internet data” to the list of information that public telecommunications operators may be required to retain about the use of their networks and systems. Although in Parliament […]
Tilmann Haak’s presentation at this week’s TF-CSIRT/FIRST meeting was on incorporating security requirements into software development processes using agile methods, but his key points seem relevant to any style of software or system development: Make sure security features are treated as first-class user requirement, of equal status with the functional requirements provided by others. We’ve […]
Categories
Guidelines for Using Student Data
During a recent conversation about learning analytics it occurred to me that it might be helpful to analyse how universities use student data in terms of the different justifications provided by UK and European Data Protection Law. Although the ‘big data’ techniques used in learning analytics are sometimes said to be challenging for both law […]
Categories
Cybercrime law: many variations!
“Is scanning lawful?” sounds as if it ought to be a straightforward question with a simple answer. However investigating it turns out to be a good illustration of how tricky it is to apply real-world analogies to the Internet, and the very different results that different countries’ legislators (and courts) can come up with when […]
Categories
The Benefits of Near Misses
Recently we had one of our regular reviews of security incidents that have affected the company in the past few months. All three – one social engineering attack, one technical one, and one equipment loss – were minor, in that only limited information or systems were put at risk; all were detected and fixed, to […]