Information Security

WOA has implemented an Information Security Policy (ISP). This article explains why we have introduced this policy and how it might affect you.

The Data Protection Act 2018 is the UK’s implementation of the General Data Protection Regulation (GDPR). See Figure 1.

Information technology: Security techniques: Information security management systems: Requirements (ISO/IEC 27001:2022)

The following is an extract from ISO/IEC 27001:2022.

This International Standard has been prepared to provide requirements for establishing, implementing, maintaining and continually improving an information security management system. The adoption of an information security management system is a strategic decision for an organization. The establishment and implementation of an organization’s information security management system is influenced by the organization’s needs and objectives, security requirements, the organizational processes used and the size and structure of the organization. All of these influencing factors are expected to change over time.

The information security management system preserves the confidentiality, integrity and availability of information by applying a risk management process and gives confidence to interested parties that risks are adequately managed.
Fig 1: Extract From ISO/IEC 27001:2022

Everyone responsible for using personal data has to follow strict rules called ‘data protection principles’. For the WOA, this means we must secure an appropriate level of protection for personal data: the personal data you provide to us, which the Association is bound by law to keep safe.

In 2017/18, Alan Rand, our former Flag Officer and Commodore, spent a great deal of time understanding the principles of GDPR and aligning what eventually became the WOA GDPR Policy with those of other sailing associations, the Royal Yachting Association being the main one. In 2021 the UK Government updated its data protection regime, and the changes we are making build on Alan’s foundations so that we remain compliant.

Earlier this year (2023), Bob Walker (Rear-Commodore) carried out a detailed review of our data protection methods, applying a risk analysis in his technical report. Four critical risks were identified. As the risk owner, I have accepted the recommendations in the report and have begun immediate mitigation of these risks.

To develop and deliver the ISP, we had to establish a hierarchy of roles and responsibilities. As Commodore, the responsibility for Information Security resides with me. To assist me, I have appointed Bob Walker to the role of Senior Information Risk Owner (SIRO), whose primary responsibility is to deliver and manage the ISP. Rose Casey, in her Admin Office role, will take on the day-to-day tasks of the Senior Information Asset Owner (SIAO) and will be the main point of contact for Area Groups, helping to manage any queries as they arise. See Figure 2 below.

From this point forward, I am requesting that each Area Group (AG) appoint an existing committee member to take on the role of Information Asset Owner (IAO). The IAO’s primary task is to ensure that all personal data processed by their AG is handled in accordance with the ISP. Bob Walker will provide one-to-one briefings as required.

Within WOA, Information Security is now included in the Committee Meeting agenda, and I ask that each AG should do the same.

Two of the critical risks have been mitigated by establishing a secured shared ‘Drive’. Each AG now has its own dedicated and private area in the Drive. This removes the temptation to hold and process members’ personal data on Personal Electronic Devices (PEDs) such as personal computers, tablets and mobile phones. It also provides resilience against accidental loss or malicious denial of service, because the data is held in the shared Drive rather than on a single device and can be reached by other authorised committee members if one person’s device fails or is compromised.

Finally, and certainly the most contentious issue, which affects us all, is the Yearbook. It poses the greatest risk, and therefore from 2024 onwards personal data will not be printed in the Yearbook; telephone numbers and email addresses will certainly be removed. In the short term, any member can look up this information by logging in with their username and password to the Member Services area of the WOA website. In the longer term, WOA is looking into the feasibility of a secure mobile application from which members can record their voyages, be tracked in real time and use group or individual messaging.

It is therefore imperative that, when you receive your 2024 Yearbook, you dispose of any previous editions responsibly, by either shredding or burning them.

For further details, please click on the following links to access the White Paper and Information Security Policy.

By Bob Walker, Rear-Commodore, posted 18th December 2023