Daily Archives: 12/09/2014

GPEN survey finds 85% of mobile apps fail to provide basic privacy information

A survey of over 1,200 mobile apps by 26 privacy regulators from across the world has shown that a high number of apps are accessing large amounts of personal information without adequately explaining how people’s data is being used.

The survey by the Global Privacy Enforcement Network (GPEN) examined the privacy information provided by 1,211 mobile apps. As a member of GPEN, the UK’s Information Commissioner’s Office examined 50 of the top apps released by UK developers.

The key findings of the research are as follows:

* 85% of the apps surveyed failed to clearly explain how they were collecting, using and disclosing personal information
* More than half (59%) of the apps left users struggling to find basic privacy information
* Almost one in three apps appeared to request an excessive number of permissions to access additional personal information
* 43% of the apps failed to tailor privacy communications to the small screen, either by providing information in print that was too small or by hiding the information in lengthy privacy policies that required scrolling or clicking through multiple pages

A survey of over 1,200 mobile apps by 26 privacy regulators from across the world has shown that a high number of apps are accessing large amounts of personal information without adequately explaining how people’s information is being used

Examples of good practice

The research did find examples of good practice, with some apps providing a basic explanation of how personal information is being used, including links to more detailed information if the individual wants to know more.

The regulators were also impressed by the use of just-in-time notifications on certain apps that informed users of the potential collection (or use) of personal data as it was about to happen. These approaches make it easier for people to understand how their information is being used and when.

ICO group manager for technology, Simon Rice, commented: “Apps are becoming central to our lives, so it’s important we understand how they work and what they are doing with our information. These results show that many app developers are still failing to provide this information in a way that is clear and understandable to the average consumer.”

Rice added: “The ICO and the other GPEN members will be writing to those developers where there is clear room for improvement. We will also be publishing guidance to explain the steps people can take to help protect their information when using mobile apps.”

The ICO has published its Privacy in Mobile Apps guidance to help app developers in the UK handle people’s information correctly and meet their requirements under the Data Protection Act 1998. The guidance includes advice on informing people how their information will be used.

Research carried out last year to support the guidance’s launch showed that 49% of app users have decided not to download an app due to privacy concerns.

View the full results of the GPEN survey

Filed under Risk UK News

Security Industry Authority announces detail of 2014 Stakeholder Conference

The Security Industry Authority (SIA) will be holding its annual Stakeholder Conference on Thursday 16 October at the Cavendish Conference Centre, Duchess Mews in London.

The agenda will include a keynote address from the regulator’s chair Elizabeth France CBE as well as presentations covering ‘How to improve your business model’, ‘Buying private security: a client’s view’, ‘Private security: a French perspective’ and ‘Tackling cyber crime’ (the latter delivered by the National Crime Agency).

There will also be presentations about the security challenges at the Commonwealth Games and SIA updates on regulation and the Approved Contractor Scheme. The SIA’s CEO Bill Butler will close the conference.

Bill Butler: CEO at the SIA

The delegate fee is £99 which includes VAT, registration, lunch and refreshments. This fee has been set at a cost recovery basis only.

Places are limited and will be allocated on a first come, first served basis. No bookings will be taken after 9 October. Please note that the fee cannot be refunded once your booking has been confirmed.

There is a 10% discount available for all valid SIA licence holders.

The SIA will be offering ten free places to followers on Facebook and Twitter.

Up to and during the event the SIA will be using the Twitter hashtag #SIAConf14.

To book your place visit: https://www.regonline.co.uk/Register/Checkin.aspx?EventID=1610889

‘Fire risk management systems should be formalised’ urges FIA’s Fire Risk Assessment Council

In the wake of prominent multi-fatality fires, organisations have spent considerable sums of money on fire safety but not necessarily achieved an improved level of fire safety assurance. Having spent a number of years undertaking fire risk assessments on the same portfolio of buildings, Ben Bradford notes that some organisations are beginning to wonder whether the current practice is sustainable.

It has been almost nine years since the Regulatory Reform (Fire Safety) Order 2005 prompted many organisations to undertake fire risk assessments within the premises under their control. Several have spent significant financial resources on consultant fire risk assessors (a person who carries out and documents the significant findings of a fire risk assessment) only to discover that, although the advice they received may have been offered with the best of intentions, it was not wholly appropriate. Indeed, it may also have differed from the advice of a ‘competent’ fire risk assessor.

At the same time, the fire industry has itself spent a considerable amount of time in the last few years deciding how to define a ‘suitable and sufficient’ fire risk assessment and also how to tackle the ‘cowboy’ market. It would appear that, at long last, there’s now at least a ‘defined’ competency criterion for fire risk assessors and guidance for those charged with delivering fire risk assessment programmes on how to seek the services of a competent fire risk assessor.

Following a recent enforcement review around the Regulatory Reform (Fire Safety) Order 2005, which was undertaken by the Department of Business Innovation and Skills, the Chief Fire Officers Association (CFOA) is now committed to promoting the use – and acceptance – of recognised professional certification and accreditation for commercial fire risk assessors.

Fire risk management is evolving both as a discipline and a practice

Fire risk assessments are the very cornerstone of the Regulatory Reform (Fire Safety) Order, yet the value of such an assessment – even when conducted by a competent fire risk assessor – is largely dependent on the organisation’s ability to manage the outcomes.

A fire risk assessment is a means to an end but not the end in itself. When reviewing the high profile prosecutions that have hit the headlines over the past few years, one quickly realises that failure to undertake a ‘suitable and sufficient’ fire risk assessment (under Article 9) is not the only compliance obligation imposed by the Regulatory Reform (Fire Safety) Order 2005. There are numerous other duties by which the responsible person is bound.

Cost of fire at an all-time high

Enter the concept of ‘fire risk management’. With very few fire fatalities arising in commercial premises, fire risk management is not just about life safety or the risk of injury or death in the event of fire occurrence. Rather, it encapsulates life safety, property protection, mission continuity and sustainability in the face of fire.

In today’s global and interconnected marketplace, issues such as Corporate Social Responsibility and reputational risk are extremely prominent. News headlines travel fast via both traditional and new media forms. The cost of fire is at an all-time high and, in these tough economic times, organisations need to be frugal with finite financial resources. In essence, they need to build resilience and ensure that fire risk assessment programmes deliver the intended outcomes.

Many organisations have a policy in place setting out an overarching statement of intent (signed by the CEO) and firmly establishing the ‘What’ and ‘Why’. Less common, yet essential, is the Fire Risk Management Strategy – a document which defines an organisation’s fire risk management system and method of implementing the overarching policy, and which firmly establishes the details of ‘How’, ‘When’ and ‘Who’.

These two pieces of documentation form the backbone of an organisation’s fire risk management system (a set of interrelated or interacting elements within an organisation designed to establish policies, objectives and processes to achieve those objectives and manage fire risk) and are generally underpinned by operational procedures.

The practice of fire risk management within our built environment is a much broader discipline than many give it credit for. It’s often delegated to the Health and Safety manager or the security manager within an organisation and, while I’m not suggesting that all companies should have a dedicated fire specialist responsible for fire risk management, they must acknowledge that fire safety is not just a sub-discipline of Health and Safety.

With very few fire fatalities arising in commercial premises, fire risk management is not just about life safety or the risk of injury or death in the event of fire occurrence. It encapsulates life safety, property protection, mission continuity and sustainability in the face of fire

Fire risk management is a discipline in its own right with its own set of competencies. It does not always sit neatly in the Health and Safety Department due to the need for interaction with property, estates or facilities management functions. The old adage about ‘Jack of all trades’ most certainly applies. Too many fire safety manager roles are advertised with the essential qualifications stated as a NEBOSH Diploma, which merely emphasises the confusion often found in organisations regarding the scope of the Health and Safety manager’s role.

When undertaking fire risk management system audits, my experience is that those organisations recognising fire risk management as a discipline in its own right – regardless of the department in which the function sits – are in a far better position to maintain governance over organisational fire risk than those that do not.

Competency criteria to be considered

The Fire Sector Federation has recognised that, having established the Competency Council and published the competency criteria for fire risk assessors, the next logical step is to consider the competency criteria for those actively engaged in fire risk management.

Following an initial meeting of key stakeholders, organised jointly between the Fire Sector Federation and the Fire Industry Association, there’s now a proposal afoot to reform the Competency Council and really tackle this issue.

Some organisations have formalised their fire safety policy, strategy and procedures and are now in the process of gaining fire risk management system certification via a third party certification body. Those organisations that already hold certification of their Health and Safety management system to OHSAS 18001 or business continuity management system to ISO 22301 are well placed to integrate their management systems and streamline the internal or external audit process.

Fire risk management system certification via a UKAS-accredited third party certification body will provide a means to reduce the burden on enforcing authorities and significantly support the Primary Authority (or Fire Authority) partnership schemes.

Fire risk management is evolving (both as a discipline and a practice) as an integrated or holistic approach to understanding and managing the risks posed by the threat of fire which enables an organisation to optimise its underlying processes and achieve more efficient results.

Those responsible for fire safety in organisations would do well to consider formalising their fire risk management system, and not focus solely on the process of documenting fire risk assessments.

Ben Bradford BSc MSc MBA CEng FCIBSE FRICS FIFireE is a member of the FIA’s Fire Risk Assessment Council and the founder/managing director of BB7

David Blunkett MP to deliver opening Keynote Speech at inaugural (ISC)² Security Congress EMEA

(ISC)² – the largest not-for-profit membership body of certified information and software security professionals – has published the education programme and speaker line-up for its inaugural Security Congress EMEA, which takes place on 9-10 December at the Bloomsbury Hotel in London.

Organised in partnership with the MIS Training Institute, the conference programme offers a broad professional development opportunity, combining a comprehensive plenary programme with focused track sessions delivered by a cross-section of the security community throughout the region.

Kicking off the programme with insights into why the UK Government elevated cyber security to a Tier 1 threat is the Right Honourable David Blunkett MP, who served as Home Secretary between 2001 and 2004.

“I’m very pleased to see and also support this obvious commitment from the (ISC)² community aimed at increasing our capacity to ensure security for us all in the digitally-enabled, digitally-dependent economy,” explained Blunkett. “It has never been more crucial for the EMEA region’s international information security professionals to join forces and align their efforts as we all face the increasingly complex and adversarial challenges developing in the cyber world.”

The ISC2 Security Congress EMEA 2014 takes place in London during early December

Other confirmed keynote speakers include Dr Simon Singh (the best-selling author, journalist, radio broadcaster, TV producer and director), Dr Stefan Lüders (head of computer security at the European Organisation for Nuclear Research), Jaya Baloo (CISO for KPN in the Netherlands) and Michael Colao, head of security at AXA in the UK.

Conference sessions cover current events (including the privacy issues hampering the UK’s NHS data sharing scheme) and real world Case Studies from Euroclear, the Ministry of Justice in Saudi Arabia, UBS and the Dutch National Cyber Security Centre.

Delegates are able to organise their agenda around 30 sessions, including a comprehensive plenary programme and break-out sessions across six tracks: Governance, Risk and Compliance, Mobile Security, Human Factors, Security Architecture and Data Security.

“The quality and depth of the responses received following our Call for Speakers was overwhelming, allowing us to build a strong programme that addresses professional development needs at all levels,” explained John Colley, managing director for the EMEA region at (ISC)². “This event offers members of the professional community an opportunity to learn from their peers and debate the latest proposals around some of the key cyber security issues that are challenging companies, Governments and society on a daily basis.”

In addition to the conference sessions, Security Congress EMEA delegates have the opportunity to include two pre-conference workshops (to be held on 8 December) within their conference agenda. These workshops are based on the (ISC)² CBK training seminars for the Certified Cyber Forensics Professional (CCFP℠) and Certified Software Security Lifecycle Professional (CSSLP) credentials.

David Blunkett MP

“It’s our vision to inspire a safe and secure cyber world,” commented Wim Remes, chairman of the (ISC)² Board of Directors. “We execute on this vision by offering value to society through credentials, resources and leadership. These concepts are reflected in Security Congress EMEA 2014 through a valuable education programme. I’m delighted to see the calibre of speakers that have chosen to present their thoughts at our event.”

All sessions and workshops qualify for Continuing Professional Education (CPE) credit. Registration is now open. (ISC)² members, chapter members and supporting organisations are eligible for special discounted pricing.

For more information or to register for the (ISC)² Security Congress EMEA visit: http://www.EMEAcongress.isc2.org

Further information about (ISC)²

Formed in 1989 and thus celebrating its 25th Anniversary in 2014, (ISC)² is the largest not-for-profit membership body of certified information and software security professionals worldwide. The organisation currently plays host to over 100,000 members in more than 135 countries.

Globally recognised as ‘The Gold Standard’, (ISC)² issues the Certified Information Systems Security Professional (CISSP) and related concentrations, as well as the Certified Secure Software Lifecycle Professional (CSSLP), the Certified Cyber Forensics Professional (CCFP℠), Certified Authorisation Professional (CAP), HealthCare Information Security and Privacy Practitioner (HCISPP℠) and Systems Security Certified Practitioner (SSCP) credentials to qualifying candidates.

(ISC)²’s certifications are among the first IT credentials to meet the stringent requirements of ISO/IEC Standard 17024, a global benchmark designed for assessing and certifying personnel.

(ISC)² also offers education programmes and services based on its CBK, a compendium of information and software security topics.

Additional detail is available at: http://www.isc2.org

Apple NFC could be “lightning rod” for change in access control sector

In the latest Research Note issued by IHS, Blake Kozak – the company’s senior analyst in the sphere of security and building technologies – discusses how the new NFC and Apple Pay features of the iPhone 6 could be the “lightning rod” that finally sparks changes in the way mobile credentials are used for access control.

For more than four years now, one of the most talked about trends has been Near Field Communication (NFC). NFC was supposed to change the face of the access control world by eliminating the need for cards, subsequently reducing the administrative burden on organisations of all sizes while at the same time increasing security.

However, this scenario has not yet come to pass, with suppliers to date offering little more than pilot projects and limited real world installations.

Of course, NFC isn’t a new concept. In 2006, Nokia released the first NFC phone. Four years later, Samsung issued the first Android NFC phone before announcing its inaugural Secu-NFC technology a year later. According to Samsung, the Secu-NFC chip combines an NFC controller and a secure element storing personal information and security keys with advanced encryption technologies.

Then, last year, Samsung and Visa announced a major partnership for mobile payments.

Today, the list of NFC-enabled phones is extensive. Examples include Alcatel, Asus, BlackBerry, Nexus, HTC, Kyocera and LG (among many others).

The iPhone 6 and the iPhone 6 Plus

Barriers to NFC’s implementation in access control

Historically, most NFC installations were instigated by partnerships between handset manufacturers and financial institutions, in turn producing closed systems with limited opportunity for developers to expand the concept to uses beyond mobile payment.

IHS believes this has been one of the main barriers to the implementation of NFC in the access control sector.

On Tuesday of this week, Apple announced that NFC would be a feature of the new iPhone 6. While Apple Pay is primarily a mechanism for secure mobile payments, there appears to be plenty of opportunity for other applications since iOS 8 will also have an Apple Pay application programming interface (API) available for developers.

Already, many retailers and restaurants have implemented Apple Pay within their own applications, allowing patrons to skip lines and pay/order directly from a mobile device. According to Apple, the mobile payment transaction occurs by assigning a unique device account number which is encrypted and securely stored in the secure element (a dedicated chip inside the iPhone). When a purchase is made, the device account number alongside a transaction-specific dynamic security code is used to process the payment. On that basis, the actual credit or debit card numbers are never shared with merchants or transmitted with payment.

The true benefit of this announcement for the access control sector is the potential use of the open API for developers. Although Samsung Galaxy has an embedded SE and countless other devices offer subscriber identification module (SIM)-based SE, there has been limited traction for access control.

There are many forms of secure element, including the universal integrated circuit card (UICC), NFC SIM, embedded SE, external (sticker or sleeve) and microSD. The most used formats are UICC and embedded, with the new iPhone 6 featuring an embedded SE.

According to the 2014 IHS report on NFC, 18.2% of cellular handsets shipped in 2013 were NFC-enabled (up from about 8% in 2012). IHS forecasts the number of phones that are NFC-enabled to reach about 1.17 billion by 2018.

The report also estimates that, in 2013, around 70% of NFC secure element implementations within cellular handsets were embedded while 27% resided on the SIM card.

What does this mean for the access control sector?

Apple’s announcement addresses one of the barriers the access control sector has faced with regards to NFC (ie loading an identifier onto the secure element). With the API mentioned by Apple, it’s possible that access control manufacturers – among others in the supply chain – could load and command an identifier directly onto the secure element. Currently, most providers of NFC-based access control are using encryption methods located in the sandbox (host operating system) of the handset only rather than the SE.

By using host card emulation (HCE), providers are able to offer NFC outside of the SE. Although this isn’t deemed a Best Practice method, the only other means of providing mobile access control through NFC would be to partner with all the cellular carriers and providers, which can be an incredibly arduous process. By partnering, the access supplier is allowed access to the SE, which is typically either embedded or in the SIM card.
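The tokenised payment flow Apple describes above (a device account number held in the secure element, used with a transaction-specific dynamic code, so the real card number is never shared with the merchant) and the secure element versus host sandbox distinction drawn in the two paragraphs just above can be made concrete with a small model. The following Python is an added illustration written for this page; it is not Apple's, EMV's or IHS's design, and the class names `SecureElement` and `TokenServiceProvider`, the `authorise` and `verify` methods, the HMAC-SHA256 cryptogram, the transaction counter and the sample card number are all constructed assumptions. In an HCE deployment the same key would sit in the app's sandbox on the host operating system instead of in a dedicated chip; the message format is unchanged, which is why the text treats where the key lives as the security question.

```python
import hashlib
import hmac
import secrets

# Constructed sample card number; in this model it never leaves the issuer's vault.
SAMPLE_PAN = "4000123412341234"


class SecureElement:
    """Stand-in for the dedicated chip: holds the device account number (token)
    and a per-device key, and on each payment releases only the token plus a
    one-time cryptogram. The key is never returned to the caller."""

    def __init__(self, token: str, key: bytes) -> None:
        self._token = token
        self._key = key
        self._counter = 0  # transaction counter, makes every cryptogram unique

    def authorise(self, merchant_id: str, amount_pence: int) -> dict:
        """Produce the message the handset passes to the merchant terminal."""
        self._counter += 1
        msg = f"{self._token}|{merchant_id}|{amount_pence}|{self._counter}".encode()
        code = hmac.new(self._key, msg, hashlib.sha256).hexdigest()[:16]
        return {"token": self._token, "merchant": merchant_id,
                "amount": amount_pence, "ctr": self._counter, "code": code}


class TokenServiceProvider:
    """Issuer side: the only party that can map a token back to a real card."""

    def __init__(self) -> None:
        self._vault = {}  # token -> {"pan", "key", "last_ctr"}

    def provision(self, pan: str) -> SecureElement:
        """Enrol a card: mint a token and a device key, return the loaded SE."""
        token = "tok_" + secrets.token_hex(8)
        key = secrets.token_bytes(32)
        self._vault[token] = {"pan": pan, "key": key, "last_ctr": 0}
        return SecureElement(token, key)

    def verify(self, msg: dict) -> tuple:
        """Check a payment message forwarded by the merchant."""
        entry = self._vault.get(msg["token"])
        if entry is None:
            return False, "unknown token"
        if msg["ctr"] <= entry["last_ctr"]:
            return False, "replay: counter already used"
        signed = f"{msg['token']}|{msg['merchant']}|{msg['amount']}|{msg['ctr']}".encode()
        expected = hmac.new(entry["key"], signed, hashlib.sha256).hexdigest()[:16]
        if not hmac.compare_digest(expected, msg["code"]):
            return False, "cryptogram mismatch: message altered or wrong key"
        entry["last_ctr"] = msg["ctr"]  # only a valid message advances the counter
        return True, f"approved for card ending {entry['pan'][-4:]}"


def demo() -> dict:
    """Run one honest payment, one replay and one altered message."""
    tsp = TokenServiceProvider()
    se = tsp.provision(SAMPLE_PAN)

    first = se.authorise("merchant-42", 1999)
    ok_first, why_first = tsp.verify(first)
    ok_replay, why_replay = tsp.verify(first)          # same message presented again

    second = se.authorise("merchant-42", 2500)
    altered = dict(second, amount=250)                  # amount changed in transit
    ok_altered, why_altered = tsp.verify(altered)
    ok_second, why_second = tsp.verify(second)          # the genuine one still clears

    return {
        "first": (ok_first, why_first),
        "replay": (ok_replay, why_replay),
        "altered": (ok_altered, why_altered),
        "second": (ok_second, why_second),
        # the merchant-facing message never carries the real card number
        "pan_exposed_to_merchant": SAMPLE_PAN in repr(first),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Running `demo()` shows the three properties the text relies on: the merchant only ever handles the token and a one-time code, a captured message cannot be presented twice because the counter is tracked per token, and any change to the amount or merchant breaks the cryptogram. For an access control credential the vault would belong to the access control supplier rather than a card issuer, which is the partnering problem the passage describes.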

One example of such a partnership is HID and Oberthur Technologies. In 2013, HID announced a partnership with Oberthur Technologies to carry Seos digital keys on NFC SIM cards.

As mentioned above, the Apple announcement could make it easier for access control suppliers to provide mobile credentials with the true security afforded by the secure element.

Beyond the buzz, the market opportunity for access control remains unclear. Only time will tell if Apple providing mobile payment will ‘jump start’ NFC usage for access control. Some access control manufacturers speculate that the use of the secure element may not always be necessary and that the encryption provided for access control data on the handset is sufficient for most end users.

Impact on the access control sector

How quickly could this announcement impact access control? Today, data suggests that less than 3% of retailers (or 220,000 out of about nine million) will be using mobile payments at launch. One of the main reasons for low adoption is the lack of infrastructure in stores.

However, every credit card in the US, for example, will be required to have EMV Chip and PIN technology by October 2015. As a result, merchants could decide to move forward with NFC capabilities since they will need to upgrade their system in any case.

Interestingly enough, Apple is initially only launching in the US, which has the lowest penetration rate of mobile payments compared with all other regions. There is a tremendous upside though. Access control end users already have the infrastructure in place to support NFC (eg 13.56 MHz smart card readers). While some pieces of the system (such as incompatible hardware and software) may need upgrading, the system is mostly ready.

The iPhone 6 is larger than the iPhone 5S

Unlike the retail space, which has to replace millions of terminals and retrain employees, access control is already primed for the transition.

Overall, Apple could instigate change for the access control sector. However, adoption will remain low due to the other barriers which have not been addressed, such as mobile phone issuance to colleagues and identifying which department in an organisation will manage the mobile credentials. In most cases, the phone would be managed by IT and the security credential would be managed by the Security Department.

New policies and procedures will have to be created and many end users will still be issued with badges for identification purposes.

Bluetooth: a viable alternative to NFC

Bluetooth is becoming a viable alternative to NFC. Security suppliers have been working for the past several years to partner with NFC and implement it beyond pilot projects but to little avail.

As a result, many are turning to Bluetooth, which is deemed by many to be a more robust option for security purposes such as access control since, for instance, the read range can be modified.

Additionally, Bluetooth has a longer history with smart phones than NFC. Bluetooth was introduced in 2000 and NFC in 2006.

While the Apple announcement sets the ball rolling for NFC in the physical security space by providing more outlets for app developers to create a unique user experience, other barriers still need to be overcome before a state of critical mass is attained.

SSAIB CEO Geoff Tate wins prestigious Peter Greenwood Award

Geoff Tate – CEO at the Security Systems and Alarms Inspection Board (SSAIB) – is the recipient of this year’s Peter Greenwood Award.

Sponsored by the Fire and Security Association (FSA), the Peter Greenwood Award is designed to recognise professionals in the security systems sector who have made an outstanding contribution. The accolade was set up in memory of Peter Greenwood, former head of the Electrical Contractors’ Association’s (ECA) Security Group, after he passed away back in 1995.

Tate won the 2014 award for his work with the SSAIB over the last 15 years. After taking over the CEO’s role from founder David Hinge, Tate built the SSAIB into a body with more than 1,500 registered firms. He also expanded its remit within the sectors of security guarding and electronic security systems, fire protection, environmental management and occupational Health and Safety management systems, in addition to telecare monitoring equipment for social alarms.

Geoff Tate (right) is presented with the 2014 Peter Greenwood Award by Pat Allen

Speaking about this tremendous accolade, Geoff Tate said: “I’m delighted to have won this award, and that my peers feel so strongly that my work merits winning it. The past 15 years have been significant for the SSAIB as we’ve tried to strike a balance between expanding our offerings and services without losing sight of the qualities that set us apart from other certification bodies. Despite our increase in size and scope, I’m pleased that we have been able to preserve this vital aspect of our identity and culture.”

Pat Allen, the FSA’s chairman, commented: “Geoff is a very worthy winner of this award, having grown the SSAIB from a relatively small organisation into one which is recognised as the primary certification company for firms in the security services sector. I congratulate him on his win, and hope the industry will continue to benefit from his extensive knowledge and experience when he moves into the role of chairman of the SSAIB later this year.”