Compliance: How Cancer Research meets its legal obligations

By Martin Courtney

24 May 2011

Brian Shorten is risk and security manager for Cancer Research, the UK charity that stores the personal and credit card details of thousands of supporters and fundraisers.

He recently gave a lecture at the RANT Forum, a monthly informal networking event for information security managers, on how UK charities need to implement the same security measures and compliance processes as those employed in commercial companies in the private sector.

Which rules and regulations does Cancer Research have to comply with?
Shorten: We have to maintain a high standard to protect the integrity and confidentiality of our data. Because we handle credit card numbers, we have to comply with PCI DSS and also good clinical practice set out by the NHS on drug trials.

In terms of data retention rules, we are bound by the same data protection laws as the banks around financial data, like keeping certain types of information for certain periods. The Data Protection Act (DPA) says you cannot keep it longer than you need it. We try to keep it as short as possible because we don’t want to fill up disk space and storing it costs money.

So how long do you store information?
In consultation with the business involved, we keep some financial records for seven years, though when it comes to email we tend to have a retention period of three years, which is generally the default.

We have started backing up that data to the storage area network (SAN), so we do not use tape any more. We only stopped using tape about six months ago, though, so some information on that media is still relevant, which we will have to retain over the period before we wipe them.

Do you handle data security compliance in house or trust third-party providers to do it for you?
We do everything in house, though on occasion we use external auditors for specific projects: the only external service we use is email. Auditing in the past has been more ad hoc, but we have recently carried out a network revamp – moving into a new building and building a new datacentre – and we are going to start off a new process of penetration testing.

We have a pretty large IT department, as big as most commercial for-profit companies, but we work with lots of smaller charities, which might not have the in-house resources or expertise.

What is your biggest fear around compliance?
The thing that used to worry me most was somebody losing a laptop with important data on it, and that story turning up in the Sun newspaper. Our reputation is very important to us and a lot of people [who donate to Cancer Research] might not like that. But that does not worry me so much now because we encrypt everything. The web site going down would also be a problem, but most companies can live with that – data leakage is the bigger threat.

Does encrypting hard disks have a negative impact on system performance?
None that I have noticed. We don’t use many laptops any more – we only give them to those who really need them. The first thing we do is put a password on them that encrypts the disk in a matter of seconds. The user doesn’t notice anything from there on.

How much of the security compliance effort is about user education rather than technology?
Some. We have formal policies on user education, and terms and conditions for new users to sign when they join our network. User awareness is key, and we’re also looking at computer-based training (CBT) tutorials to help raise that – it is really easy to stand behind somebody and say that has to be a secure password but we need something more.

What additional data security threats do mobile devices pose and how do you handle them?
The trouble is that smartphones are getting smarter and getting more functionality, so we are constantly playing catch-up. We ensure we have a mobile network that can be used by our employees to access the internet through the firewall when they are in the building, but if they are outside they only have web access to email.
