Data Protection: Guidance on security

Introduction

Data protection law references Article 32 and mandates that data controllers and processors implement technical and organisational measures to ensure a level of security appropriate to the risk. The assessment of that level should take into account the risks presented by data processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.

These security measures should demonstrate compliance with an applicable code of conduct created in compliance with Article 40. Data controllers should ensure that anyone acting under the authority of the data controller will not use the data for any purpose other than those mandated by the data controller.

IRIS Accountancy Suite (IAS) data is stored in an SQL database and whilst IAS uses SQL accounts to grant access to the SQL database, we do not create accounts per user.

Microsoft recommend using Windows authentication wherever possible. Windows authentication uses a series of encrypted messages to authenticate users in SQL Server. When SQL Server logins are used, SQL Server login names and passwords are passed across the network, which makes them less secure. IAS requires the use of mixed mode authentication, which will be configured upon initial installation.  

Applying software updates is an important part of keeping your IT systems secure. Installing patches and updates as soon as they are available, to keep systems securely configured, is one of the simplest ways of staying cyber secure. Data controllers should consider reviewing the Cyber Essentials Scheme, a UK Government backed scheme that sets a baseline of cyber security.

Controls include:

For further information please see https://www.cyberessentials.ncsc.gov.uk/

By default, IAS software files are installed to C:\IRIS\ although this directory can be changed during the installation. The files and applications in this folder should not be modified unless instructed by IRIS.

IRIS also recommend that your system meets or exceeds the minimum software requirements to run IAS. Please review the system requirements page.

Computers on your network should require all staff to log in to them in order to gain authorised access to the systems and applications the practice uses. This provides the first layer of security; the IAS application provides a second layer of security by setting up logins for authorised access to IAS. See the Accessibility section for further information.

Accessibility

Access to the Practice Suite and any sensitive client data may be restricted in several ways:

  1. User login required to access IAS – only authorised logins are able to access IAS. For more information see online help IRIS General: Staff Maintenance.
  2. Group permissions are used to set the level of access the user has, for example, full access, restricted access, read only and no access. For more information see online help IRIS General: Staff Group Permissions and IRIS General: Permissions.
  3. Staff privileges can be placed on the areas of the system each user has access to, for example, common privileges as well as privileges which are specific to each of the modules. For more information see online help IRIS General: Staff Privileges.
  4. The Confidential client feature allows the user to set a password on a client, thereby restricting staff access to the client to only those with the password. This feature can assist in restricting access to a client to ensure there is a block on processing activities within IAS if necessary. See KnowledgeBase article IAS-1794: How to password protect a client.

Audit

The Data Protection Act changes have a particular focus on accountability and transparency. It is no longer sufficient to comply with the law; businesses must be able to demonstrate that they have done so with appropriate records and evidence.

There are several reasons that having a comprehensive audit trail is important. The Data Protection Act states that data controllers will need to “be able to demonstrate compliance with the [principles relating to processing of personal data]”.

Clearly, without having a record of how the data has been handled, it will be almost impossible to demonstrate compliance. In addition, the new regulations stipulate that, if there is a data breach, it must be disclosed to the relevant authorities within 72 hours.

Without having a complete and up-to-date recorded audit trail of who has accessed what information, when it was accessed, how it was handled and so on, there is a risk of missing that deadline.

IAS has restricted audit trail functionality. Because data processors and controllers need to be able to show, and prove, how and when the data was processed, any auditing must currently be achieved by hand.

IAS offers a new audit trail feature for client creation. When clients are created in IAS, details are logged for:

The Audit Trail for client creation screen can be accessed from System Maintenance | Practice | Audit Trail. The data can also be exported into CSV format if required.  

There are many third-party auditing tools for SQL Server; however, several levels of auditing are also included in the different versions/editions of SQL Server:

 Please consult your IT/System Administrator to discuss your security requirements.
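As an illustration of SQL Server's built-in auditing, the following T-SQL creates a server audit that records logins and login changes to a file and then reads the records back. It is an added example, not IRIS code or an IRIS recommendation, and because IAS does not create SQL accounts per user, the records identify the SQL login used rather than the individual member of staff. The audit name, specification name and folder D:\SqlAudit\ are hypothetical; the folder must exist and be writable by the SQL Server service account.

```sql
-- Added example (not part of the IRIS guidance).
-- Hypothetical names: IAS_Access_Audit, IAS_Login_Events, D:\SqlAudit\
USE master;
GO

-- Where the audit records are written. ON_FAILURE = CONTINUE keeps the
-- server running if the audit target becomes unavailable.
CREATE SERVER AUDIT [IAS_Access_Audit]
TO FILE (FILEPATH = N'D:\SqlAudit\',
         MAXSIZE = 100 MB,
         MAX_ROLLOVER_FILES = 20)
WITH (QUEUE_DELAY = 1000, ON_FAILURE = CONTINUE);
GO

-- What is recorded: successful and failed logins, changes to logins,
-- and changes to the audit configuration itself.
CREATE SERVER AUDIT SPECIFICATION [IAS_Login_Events]
FOR SERVER AUDIT [IAS_Access_Audit]
    ADD (SUCCESSFUL_LOGIN_GROUP),
    ADD (FAILED_LOGIN_GROUP),
    ADD (SERVER_PRINCIPAL_CHANGE_GROUP),
    ADD (AUDIT_CHANGE_GROUP)
WITH (STATE = ON);
GO

ALTER SERVER AUDIT [IAS_Access_Audit] WITH (STATE = ON);
GO

-- Review the most recent records: who connected, when, and whether the
-- attempt succeeded. additional_information holds event details as XML.
SELECT TOP (200)
       event_time,
       action_id,
       succeeded,
       server_principal_name,
       statement,
       additional_information
FROM sys.fn_get_audit_file(N'D:\SqlAudit\*.sqlaudit', DEFAULT, DEFAULT)
ORDER BY event_time DESC;
```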