Best practice guide: IT Accessibility and IT Security

About these guides

We understand that while there can be common aspects, organisations work in different ways and what works for one, might not fit so well with another. These guides are written as an example of what best practice might look like in your organisation, but it may be that you have to adjust what is recommended to accommodate your particular circumstances. Similarly the guides do not include detailed technical information as this would tie them to a specific technology or set of circumstances. Instead the guides convey important principles and approaches that can be applied in any industry and using any technology. Where appropriate the guides reference other sites and resources which contain more technical detail at the time of publication/last review.

Introduction

Many people with disabilities or impairments benefit from the use of assistive technology in the workplace. However, the use of such technologies can introduce additional information risks that need to be managed. This document has been produced to help organisations manage the additional information risks and to highlight the need to consider accessibility issues in their Departmental security policies. Critically, organisations should note that security requirements should not represent an insurmountable barrier to the adoption of appropriate and managed assistive technology in the workplace.
Authors: Sean Smith OBE, HMRC
Contributors: Paul Smyth, Barclays; Neil Milliken, Atos; Chris Felton, DWP
Editors: Lucy Ruck and Bela Gor

Best practice guide: IT Accessibility and IT Security | Version 0.3 | July 2015

Assistive Technology and IT Security

Assistive technology is an umbrella term which includes adaptive and rehabilitative technologies or systems that are designed to increase or improve the user's functional capabilities (e.g. voice to text systems, screen magnification, speech systems etc). The installation and use of some assistive technologies might raise additional security risks. The following section outlines the potential risks that could arise from some of those which are currently most widely used.

Screen enhancement or magnification systems

These systems enhance the visual display available to the user, typically by magnifying the content, or enhancing the brightness of a window or text. This increases the possibility of sensitive information on the screen being inappropriately overlooked by bystanders or colleagues.

Risk mitigation: Where possible, screens should be arranged in a manner which prevents sensitive information from being overlooked by unauthorised personnel.

Audio recognition or output systems

This category includes products which use a microphone to translate audio input into text and commands, or record it, as well as those which amplify audio output. Such systems could enable unauthorised personnel to overhear sensitive information, and may retain logs of security related entries such as authentication and access control credentials.

Risk mitigation: The following controls should be considered:
- Employ uni-directional microphones to help minimise any extraneous sounds being picked up by the devices.
- Ideally, staff should wear headphones when using audio output devices to minimise the chance of eavesdropping.
- Train staff using the device to use a keyboard input for any sensitive information to minimise the risk of it being overheard.

CCTV Systems

These systems typically use a camera or scanner to capture an image of a static document, before processing the images to magnify or extract text on a user’s computer. Unauthorised users with access to these systems could compromise the camera to provide them with access to sensitive information in the local working environment.

Risk mitigation:
- Where possible, physical access to the OCR system should be managed.
- A record of scanned documents should be maintained and regularly checked.
- The repair or exchange of OCR equipment should be managed securely.
- Any additional functionality which the CCTV device offers, such as wireless connectivity, should be disabled.
- If the device provides any additional ports, such as USB or FireWire, the Security Operating Procedures should disallow their use.

Dictaphones

These systems typically make audio recordings of speech for later playback. There are two issues here. One is that loss of such a device can mean that any material on it could be accessed by unauthorised users and, moreover, copied onto a PC for subsequent distribution. The second issue is that many allow material to be copied to them from a PC and hence might be considered to be large pen drives.

Risk mitigation:
- Where possible, physical access to the Dictaphone should be managed. For example, when not in use, it should remain in a locked cupboard or drawer.
- They should not be taken out of the office unless needed.
- Consideration should be given to blocking the facility to copy files to them.
- Any material recorded should be deleted from the device at the earliest opportunity.
- Devices with removable storage, e.g. SD cards, should be avoided.
Remote access & flexible home working

Members of staff may use a security token to dial in remotely via a VPN connection, and there is a range of alternative devices and methods available for those with a visual impairment or learning difficulty, such as a larger security token, a soft token on their PC or an equivalent mobile app.

Risk mitigation:
- Ensure larger / talking security tokens are kept safe and used in quiet environments.
- When entering passwords with larger, magnified or talking PC functionality, be mindful of your surroundings.

Risk Management

In keeping with the deployment of any new technology, the use of assistive technology should be supported by:
- A formal risk assessment and the implementation of proportionate security controls which balance the needs of the individual with the security requirements of the organisation.
- Security Operating Procedures which are tailored for the individual and explicitly state the parameters within which the technologies can be used and the processes for reporting any security related concerns.
- Training which is systematically provided on new equipment as part of the delivery process. Training should also be provided when significant updates or fixes are rolled out.
- The provision of timely and informed technical support. Maintaining the configuration of some assistive technologies can be complex, especially in a dynamic office environment. Moreover, the interaction between some assistive systems and bespoke ‘in house’ applications can sometimes lead to unforeseen availability issues that can cause significant problems for users.
- Assistive technology packages which should be included in the organisation’s patching policy and appropriately prioritised.
  Updates and fixes should be applied in a timely manner to ensure that systems maintain their optimal functionality at all times.
- Departmental security policies which take into account the requirements of their disabled users. They should be able to demonstrate that reasonable efforts have been made to ensure that they do not discriminate against, or disadvantage, disabled users.

Appendix A - Additional Sources of Information

Departments and agencies might wish to refer to the websites of the following organisations for general information about meeting legal requirements:
- ACAS: http://www.acas.org.uk/index.aspx?articleid=3017
- The Business Disability Forum (BDF): http://businessdisabilityforum.org.uk/
- The Equality & Human Rights Commission (EHRC): http://www.equalityhumanrights.com/publication/what-equality-law-means-your-business

www.technologytaskforce.org

Technology Taskforce is committed to ensuring that all its products and services are as accessible as possible to everyone, including disabled people. If you wish to discuss anything with regard to accessibility of this document please contact us, via email: technology@businessdisabilityforum.org.uk or phone: (0)20-7403-3020

Registered charity no: 1018463. Registered Office: Nutmeg House, 60 Gainsford Street, London SE1 2NY. Registered in England under Company No. 2603700