Privacy Management, Compliance and Information Security Management

 

As a current CCP, CIPM and CIPP/E holder and ex-CLAS consultant, I have been dealing with compliance as well as technical security and information assurance for some 20 years.

As I have privacy management as well as Information Security experience, I present both aspects of Information Assurance (i.e. ethical hack testing, risk assessment, remediation and architecture) together with privacy management on this site.

 

Privacy Management

Data Protection Officer and Privacy Consultancy

I have experience and qualifications in assessing the legal requirements for personal data protection, in privacy program management and in the jurisdictional requirements for cross-border personal data flow.

In simple terms, this is what privacy management provides:-

1) Assurance of compliance, protecting against privacy litigation

2) Correct management of personal information

3) Strategies for the management of privacy processes to reduce the reputational damage from a breach

4) Strategies for the management of, and damage limitation from, a breach in the unfortunate circumstance of one actually happening.

I can do this in two ways:-

1) be your Data Protection Officer

2) be your Privacy Manager

In 2017-2018 I worked with the Cabinet Office Government Digital Service (GDS) privacy manager to ensure that all my projects were GDPR compliant.

I have studied with the International Association of Privacy Professionals and hold their Certified Information Privacy Professional/Europe (CIPP/E) and Certified Information Privacy Manager (CIPM) certifications, verifiable from this page.

I am expert in European and British privacy law, having been examined on this body of knowledge, and in privacy program management, having been examined on this body of knowledge.

I am also expert in Privacy Engineering, a super-set of the Information Security controls with which I have worked for some 20 years, and hold the NCSC CCP and the ISC2 CISSP and CCSP certifications.

 

Information Assurance Management

HMG Information Assurance: CESG/Cyber Certified Professional (CCP) NCSC Certification

 I have had the pleasure of having my skills and experience in Information Security of the last 20 years endorsed by the National Cyber Security Centre through an assessment of examples of my work over the last 8 years with the award of Certified Cyber Professional (CESG Certified Professional) as at 31st August 2020.

Here is a link to a full CV summarizing 27 years in Information Security.

These are the areas in which I work and have been certified:-

A1 - Information Security Governance

A2 - Policy & Standards 

A3 - Information Security Strategy

A4 - Innovation & Business Improvement

A5 - Information Security Awareness and Training

A6 - Legal & Regulatory Environment

A7 - Third Party Management

B1 - Risk Assessment

B2 - Risk Management

C1 - Security Architecture

C2 - Secure Development

D1 - Information Assurance Methodologies

D2 - Security Testing

E1 - Secure Operations Management

E2 - Secure Operations & Service Delivery

E3 - Vulnerability Assessment

F1 - Incident Management

F2 - Investigation

F3 - Forensics

G1 - Audit & Review

H1 & H2 - Business Continuity Management

I1 - Research

 

 




I have had the pleasure of having my skills and experience in Information Security of the last 20 years endorsed by the National Cyber Security Centre through an assessment of examples of my work over the last 8 years with the award of Certified Cyber Professional (CESG Certified Professional) as at 31st August 2020.


Data Privacy Management, Breach Management, GDPR Data Protection Officer

CCSP Certified Cloud Security Professional

Backed by the two leading not-for-profits focussed on information and cloud security, (ISC)² and the Cloud Security Alliance (CSA), the CCSP is the only vendor-neutral credential that confirms demonstrated competence and experience in securing cloud computing environments.

CCSP domains:-

1. Architectural Concepts & Design Requirements
2. Cloud Data Security
3. Cloud Platform & Infrastructure Security
4. Cloud Application Security
5. Operations
6. Legal & Compliance

CLOUD SECURITY OPTIMISATION: Secure and optimize your organization's use of cloud computing infrastructure and services with a qualified professional who has demonstrated his cloud security competence.

CLOUD SECURITY RISK MITIGATION STRATEGIES: Ensure your work teams stay current on evolving cloud technologies, threats and mitigation strategies by use of a CCSP (Certified Cloud Security Professional).

CLOUD SECURITY BUSINESS OPERATIONS AND ORGANISATIONAL INTEGRITY: Ensure your organization is applying the proper cloud security controls not only internally but also with third parties, by reinforcing risk and legal requirements through cloud contracts and SLAs with cloud service providers, and in the eyes of clients and other stakeholders.

CLOUD SECURITY BEST PRACTICE: Using the two leading stewards of information and cloud security knowledge, (ISC)² and CSA, your organization can be confident it reflects the most current required best practices.

I1 – Research CCP Certified Skill

DCLG, July 2005 to October 2007: Central Government Department (ODPM/DCLG), Security Technical Design Authority & Accreditor

I1 – Research CCP Certified Skill

Security assurance of optical fibre links

Result: The new network and desktop solution was accredited, and the residual risk was accepted by the SIRO as within appetite and tolerance for the data being stored and processed on the systems.

Post Script: Describing this approach to senior staff at a government agency contract security interview obtained a 4-year assignment (2007-2010) to assist in another area where optical network security had become critical; see below:-

HMG Agency I1 – Research CCP Certified Skill

Situation: I was the IA consultant and proxy accreditor for a large network enterprise (2007 to 2010).

Task: I assisted the development of large-scale monitoring of network devices on the networks.

Activity: The enterprise to which I was attached was in the habit of using mirror ports to understand the nature of the traffic on the network.

A more secure method would have been a separate passive connection into each network, but this had proved to be very expensive and less effective than the use of the mirror port.

The data flows were meant to remain confidential to the businesses concerned and not be made available to communication providers and other parties.

I undertook considerable research into the methods whereby this problem could be solved, and the ideal solutions were prohibitively expensive. My research and discussions with various manufacturers led to only one solution.

Result: After thought and discussion on the technical possibilities for solving this problem, I set out the means whereby detailed confidential logging of connections could take place, to establish whether unauthorised connections had occurred and to arrange confidential reporting of these events.

H1 - Business Continuity Planning CCP Certified Skill

 

ECINS, November 2013 to August 2014: http://www.empowering-communities.org/ www.ecins.org

 H1 - Business Continuity Planning CCP Certified Skill

Delivery of Business Continuity Planning for ECINS

Result: Embedding BCM in the organization's culture: in the accreditation document it was agreed that this would be kept under review so that the BCP remained within the tolerance of the customers as the business expanded. This delivered compliance with ISO 22301, namely:-

1) securing management support;

2) risk assessment;

3) business impact analysis (BIA); and

4) delivery of the business continuity plan.

GDS, June 2017 to July 2018: Cabinet Office Government Digital Service (GDS), Information Security Manager

H1 - Business Continuity Planning CCP Certified Skill

The derivation of the BCP for GOV.UK

Developing and implementing a BCM response and exercising the response: this was the plan for the future, but I was not present for the development of the exercising of the response or, in fact, its implementation.

Result: Maintaining, reviewing and embedding BCM in the organization's culture: this would have happened because of the modus operandi of the GDS culture. Any changes to the business requirement of the BCP would be captured by the annual review of risk management carried out in all GDS projects.



G1 - Audit & Review CCP Certified Skill

Borders, July 2015 to April 2016: Home Office UK Borders Application Development, Information Security

G1 - Audit & Review CCP Certified Skill

I was accountable to the Home Office Accreditor for the Risk Management of various projects in the program.

The GDS Risk Management process, as described in the CCP statement here, when applied annually provided the audit process undertaken at GDS, and the same would apply to the annual review of this project.

Result: The project was maintained in a state of annual audit in order to maintain accreditation.

GDS, June 2017 to July 2018: Cabinet Office Government Digital Service (GDS), Information Security Manager

G1 - Audit & Review CCP Certified Skill

The DDAT (Digital and Data workforce) survey project and its use of a SaaS analysis tool was put through the GDS Risk Management process, as documented elsewhere in this document.

The GDS Risk Management process, as described in the CCP statement here, when applied annually provided the audit process undertaken at GDS, and the same would apply to the annual review of the use of this survey project.

Result: The DDAT survey project was to be kept under annual review.

F3 - Forensics CCP Certified Skill

ECINS, March 2012 to April 2012: Not-for-Profit Social Enterprise, CLAS Consultancy

F3 - Forensics CCP Certified Skill

ECINS was to have a forensics readiness capability alongside their GPG13 compliance.

Result: A paper was submitted and this was accepted by the board.

Office of Fair Trading, 1st October 2012 to 26th February 2013: IT Security Officer and Security Consultant

F3 - Forensics CCP Certified Skill

The department was charged with undertaking monitoring of their business network together with delivering "forensics readiness".

Result: A paper regarding GPG13 compliance monitoring (SIEM) and forensics was submitted and duly accepted by the department for deployment.