JC Cannon is considered one of the foremost privacy authorities in the US.
What new knowledge have you acquired while researching this book?
When performing research for a book, one always learns new things.
Below is the first chapter of the book.
Amy is the CIO of a large multinational high-tech firm.
When she started working there in 2000, there was no LinkedIn, Twitter or Facebook.
Her biggest worries back then were minimizing spam, running backups and improving network performance.
More than ever, privacy controls have become an integral part of a comprehensive IT compliance program.
Additionally, having good internal privacy procedures can help to attract and retain good employees.
Having good external privacy procedures can also help attract and retain customers, business partners and investors.
Conversely, doing business with a company with a bad privacy reputation can be seen as a general risk.
Having a relationship with such a company could taint one's own reputation.
Bill is an IT compliance professional who works for Amy.
Carrie is a privacy compliance professional who works for Amy.
She works with Bill to help ensure the privacy compliance of systems that host employee and customer data.
Consumers should be given notice of an entity's information practices before any personal information is collected from them.
Both are essential to ensuring that data is accurate and complete.
She gets numerous calls and e-mails throughout the day describing various problems being experienced by individuals or entire departments.
Amy does not have the luxury to assume that an issue is innocuous.
Each type of system has its own set of requirements that must be addressed.
Failure to meet industry commitments could result in a loss of accreditation, leading to a loss in customers.
1.2.1 Client Side
The client side represents the computers typically used by company employees.
These computers normally connect to the company's server-side systems via wireless and hardwired networks.
Employees often download customer files, corporate e-mails and legal documents to their computer for processing.
Employees may even store their personal information on company computers.
For that reason, client computers should be protected from possible threats.
Protecting client computers from all of the possible threats is a daunting task for IT professionals.
There are many threats to the contents of client computers.
At the same time, employees must be able to use their computers to complete their daily tasks.
When accessing data from client computers, employees should be made aware of their privacy obligations.
Employees should be required to take privacy training before accessing personal data.
Reducing the number of applications on a computer reduces the surface area that can be vulnerable to attack.
Using that approach can help protect servers from cyber attacks, phishing exploits and Internet-based malware.
This will help ensure that employees know which privacy policies apply to the treatment of the data.
Efforts must be made to ensure that retention, usage and de-identification policies are applied to data.
For example, a database may use IDs to avoid the use of personal data.
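An added example, not from the book, of the ID-based approach just described: direct identifiers are replaced by keyed pseudonyms so the analytics table holds no personal data, and a retention policy purges the one table that can re-link them. The sample records, the key value and the as-of date are constructed for illustration.

```python
import hashlib
import hmac
from datetime import date, timedelta

# Constructed sample input. The key is an assumed secret that would live in a
# vault, never in the analytics store that holds the pseudonymised rows.
PSEUDONYM_KEY = b"example-key-keep-in-a-vault"
DIRECT_IDENTIFIERS = ("email", "name")
RECORDS = [
    {"email": "Alice@Example.com", "name": "Alice", "plan": "pro", "collected": date(2024, 1, 10)},
    {"email": "alice@example.com", "name": "Alice", "plan": "pro", "collected": date(2024, 6, 2)},
    {"email": "bob@example.com", "name": "Bob", "plan": "free", "collected": date(2024, 9, 15)},
]

def pseudonym(key: bytes, identifier: str) -> str:
    """Keyed HMAC of the normalised identifier. The same person always gets the
    same ID, so rows can still be joined, but without the key the ID can neither
    be reversed nor checked against a list of guessed e-mail addresses."""
    normalised = identifier.strip().lower().encode()
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()[:16]

def de_identify(records, key):
    """Split records into analytics rows (pseudonym + non-identifying fields) and a
    link table, the only place that maps a pseudonym back to a person."""
    analytics, link_table = [], {}
    for rec in records:
        pid = pseudonym(key, rec["email"])
        analytics.append({"pid": pid, **{k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}})
        entry = link_table.setdefault(pid, {k: rec[k] for k in DIRECT_IDENTIFIERS})
        # remember the most recent collection date for the retention check
        entry["collected"] = max(entry.get("collected", rec["collected"]), rec["collected"])
    return analytics, link_table

def apply_retention(link_table, today, keep_days=365):
    """Retention policy: remove link-table entries not refreshed within keep_days.
    The analytics rows survive but can no longer be tied to a person."""
    expired = [pid for pid, e in link_table.items()
               if today - e["collected"] > timedelta(days=keep_days)]
    for pid in expired:
        del link_table[pid]
    return expired

def demo(today=date(2025, 8, 1)):
    """Run the pipeline over the constructed records as of an assumed date."""
    analytics, link_table = de_identify(RECORDS, PSEUDONYM_KEY)
    expired = apply_retention(link_table, today)
    return analytics, link_table, expired
```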
Privacy cannot be assured unless practical security measures have been established.
Likewise, a security policy with no accountability or people to enforce it is of little value.
Each company should have a security policy in place along with compliance and security personnel to enforce it.
This policy will help employees understand what their security responsibilities are.
The compliance personnel can create a set of security controls to help enforce accountability with security policy objectives.
Security personnel will help ensure that security policies are being followed.
A company stores data from consumers, partners, vendors and employees.
Organizations also need to ensure that data is kept secure to protect their own interests.
Government entities often place privacy requirements on organizations.
Companies will want to comply with different industry groups to show their commitment to certain industries and their principles.
Encryption is one of the best means to protect data during transmission and storage.
Different types of software can be used to protect sensitive data from privacy threats.
Antivirus software can detect malicious software that may grab data from an employee's computer.
Software can help to ensure that client computers accessing the network are properly configured.
Packet filtering can help ensure that inappropriate communications packets do not make it onto the company's network.
This control usually comes from an access control list.
Protecting sensitive systems from physical access is one of the most important things an organization can do.
Very few security measures can protect against a person who has physical access to a machine.
For that reason all computers should have a minimum level of physical security to prevent outsiders from getting access.
1.2.4 Applications
Most company employees depend on applications to get their jobs done.
Office productivity software is probably the most commonly used type of application.
But even these applications can harbor viruses, key loggers, data gatherers or other types of malware.
Here are some important steps to consider to avoid privacy-invasive applications:
Privileged access.
Restrictions can be placed on who can install or configure software on a users computer.
Companies can manage application usage in one of the following ways:
1. Have the company's IT department mandate the software that can be installed on each employee's computer.
2. Use a product standards board or third-party software to approve software that can be installed on each computer.
3. Distribute a list of approved applications to employees that they must follow.
4. Give employees guidelines on the types of applications that they can install on their computers. While this option provides the greatest flexibility, it also carries the greatest risk and should be avoided.
All employees should be periodically trained on the company's software policy.
Where appropriate, reminders should be presented to employees about special handling that might be required for data.
Requiring yearly privacy training is also a good practice.
The IT department must be an integral part of any application management strategy.
The IT department can also ensure that all applications have the proper version, patches and upgrades.
Ensuring that an up-to-date antivirus program is installed on each computer will also help prevent malware.
Companies can choose to let employees manage their own computer systems based on corporate policy.
There are several ways to mitigate these types of network risks:
Keep computers clear of malware.
To avoid this risk, all company computers should be running the latest anti-malware software with up-to-date signatures.
Smartphones represent a higher level of risk as they are more vulnerable to theft.
Phone passwords, auto-lock and remote wiping mechanisms should be enforced for smartphones connecting to network resources.
Validate network devices.
They of course should have the most recent updates and be properly configured.
This type of threat prevention requires going beyond the mitigations listed above.
Would-be data thieves will often attempt to gain access to company networks in order to access data.
Attacks can come from individuals or from automated software that runs authentication attacks against networked computers.
Having strong password rules, authentication rules (maximum tries, account lockout, progressive response, etc.) and IP blocking set up can mitigate these types of attacks.
Where possible, make the network setup for computers an automated process.
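As an added example, not from the book, the authentication controls named above (maximum tries, account lockout, progressive response and IP blocking) written as one small policy object in Python; the thresholds, account names and documentation-range IP addresses are assumptions constructed for the demo.

```python
from collections import defaultdict

MAX_TRIES = 5           # assumed: consecutive failures before the account is locked
LOCKOUT_SECONDS = 900   # assumed: how long the lockout lasts
IP_SPRAY_LIMIT = 3      # assumed: accounts one IP may fail against before it is blocked
BASE_DELAY = 1.0        # progressive response: 1s, 2s, 4s, ... after each failure

class LoginPolicy:
    def __init__(self):
        self.failures = defaultdict(int)    # user -> consecutive failed attempts
        self.locked_until = {}              # user -> time the lockout ends
        self.ip_targets = defaultdict(set)  # ip -> accounts it has failed against
        self.blocked_ips = set()

    def check(self, user, ip, now):
        """Called before the password is verified: (allowed, delay_seconds, reason)."""
        if ip in self.blocked_ips:
            return False, 0.0, "ip-blocked"
        if now < self.locked_until.get(user, -1.0):
            return False, 0.0, "locked"
        n = self.failures[user]
        delay = BASE_DELAY * 2 ** (n - 1) if n else 0.0  # grows with each failure
        return True, delay, "ok"

    def record(self, user, ip, success, now):
        """Called after the password check; locks the account or blocks the IP at the limits."""
        if success:
            self.failures[user] = 0
            self.locked_until.pop(user, None)
            return
        self.failures[user] += 1
        self.ip_targets[ip].add(user)
        if self.failures[user] >= MAX_TRIES:
            self.locked_until[user] = now + LOCKOUT_SECONDS
        if len(self.ip_targets[ip]) >= IP_SPRAY_LIMIT:
            self.blocked_ips.add(ip)

def simulate():
    """Constructed scenario (documentation-range IPs): one source guesses at 'alice' until lockout, then fails against 'bob' and 'carol'."""
    policy, ip, now, out = LoginPolicy(), "198.51.100.7", 0.0, {}
    for _ in range(MAX_TRIES):
        now += policy.check("alice", ip, now)[1]   # guesser must sit out the delay
        policy.record("alice", ip, False, now)
    out["alice"] = policy.check("alice", ip, now)[2]        # "locked"
    out["delay_total"] = now                                # 0+1+2+4+8 = 15.0 seconds
    for user in ("bob", "carol"):
        policy.record(user, ip, False, now)
    out["ip"] = policy.check("dave", ip, now)[2]            # "ip-blocked"
    out["alice_later"] = policy.check("alice", "203.0.113.9", now + LOCKOUT_SECONDS)[2]  # "ok"
    return out
```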
Malware can infect a company's network and travel from computer to computer, gathering data.
Network monitoring software can look for known virus signatures or use other means to find and cleanse network infestations.
Network-based zero-day threat detection systems can look for signatureless advanced malware and take targeted actions.
Data thieves don't need legitimate access to a company's network to access data flowing across it.
Using a network sniffer, anyone can view or copy unprotected data from a company's wireless network.
This becomes especially important when discussing VoIP technologies, where voice communications are traveling across the data network.
Using strong encryption on wireless and wired networks at the transport layer will help mitigate this threat.
1.2.6 Storage
Companies store sensitive data in many locations, each with its own pros and cons.
Storing data in files provides both flexibility and challenges when it comes to protecting sensitive data.
Access to files can be restricted using the security of an operating system or document management systems.
However, once the files are removed from the system, the protection goes away.
DRM-protected files must be connected to a policy server in order for them to be accessed.
Preventing the proliferation of files is another challenge.
Files can be protected during storage in company systems.
Disk-based encryption can also be used to protect files while they are stored on disk.
However, in each case the protection ceases once the files are removed from storage.
The website can be organized by category to help protect sensitive content that is at the same sensitivity level.
Files can also be stored on a website where each file can have its own individual access control.
This provides greater granularity of protection, but can require more time to maintain.
For these types of pages, access control can be managed by the website or the database itself.
Much of the sensitive data stored by a company is kept in databases.
However, using a hosting company for cloud storage can introduce additional risks.
Steps must be taken to ensure that the hosting company follows the organizations data storage policies.
For this reason a contract should be in place between the organization and the hosting company.
A company sometimes acts as a hosting company for organizations and individuals in cloud data centers.
(Cloud data center simply means servers that are accessible over the Internet.)
Try to use applications that have strong role-based access controls.
Those controls should be continually verified to ensure that the right people are in the right roles.
Backup tapes are often overlooked as a source of data leakage.
Ensure that backups are encrypted and stored in a safe place.
Backup tapes should be properly degaussed or wiped with an approved software deletion product before disposal.
IT should have documented hardware disposal procedures in place.
On average, web consumers are one of the biggest sharers of personal information on the Internet.
Very few of them read a websites privacy policy, but they have expectations for their privacy nonetheless.
Most consumers expect a website to see and retain their browsing habits or the information they give the website.
Several U.S. regulators monitor privacy issues for consumers.
are monitored by the European Data Protection Supervisor.
Regulators work to ensure that companies follow privacy regulations and fine them when they don't.
For example, the company Path was fined $800,000 for collecting personal information without permission.
There are many industry groups that work to protect consumer privacy via self-regulation.
Much of this research requires the use of personal information from lots of people.
Technological means have been developed to help protect sensitive data used for research while preserving its utility.
Accordingly, employees should know where to find the appropriate privacy training based on their role in the company.
They should also understand the company's expectations of them in regard to protecting the personal data of others.
Collectively, they represent privacy, compliance, legal, business, security and PR teams.
"Hello, everyone," says Amy.
"I hope you all enjoyed your long weekend off.
I assure you privacy incidents did not take a break this weekend.
I'm going to forgo our normal monthly update and get right to the issue at hand."
Organizations are often entrusted with personal information from customers and other entities.
This data can come from different parts of the company and be brought in using multiple means.
For this reason, management must see privacy as a strategic imperative that is expressed across the organization.
The following types of mistakes can happen when managing personal data:
Insufficient policies.
New companies are often slow to implement these types of practices.
Assessments need to be performed against the policies on a regular basis to ensure compliance.
The level of training given should reflect each employee's level of data management.
Multiple training formats are available.
Companies often have multiple departments that maintain relationships with the same customers.
Problems arise when cross-team sharing of data happens.
Likewise, employees are rarely trained on privacy practices from other teams.
Having periodic internal or external audits can help a company maintain adequate privacy controls and avoid complacency.
The same commitments that were made to users persist after the data leaves the company.
It is also not necessary to give up one to have the other.
To help ensure privacy, it is important to employ security mechanisms.
Proper auditing can help provide after-the-fact detection of breaches, but that is not without its challenges.
For these reasons one cannot rely on security or privacy alone to protect data.
They offer the best protection when used together.
New advances in encryption have provided a means to protect sensitive data while maintaining its utility.
Privacy and security have a shared goal of protecting personally identifiable information (PII).
In that manner they are very much alike.
However, they have different approaches for achieving the same goal.
Privacy governs how PII should be used, shared and retained.
Security restricts access to the sensitive data and protects it from being viewed during collection, storage and transmission.
In that way they have a symbiotic relationship.
While privacy and security are not the same, our commitment to each should be.
For the most part IT governance is managed by the IT department.
Proper IT governance is the foundation for great data governance.
IT governance can be achieved through business alignment, consistency and common frameworks such as COBIT 5.
Data governance focuses on the proper management of data within a company.
Data governance is a shared responsibility for all teams across a company.
IT governance is an important element in reaching data governance, but it is not all that is needed.
One way to view the differences in the two models is by using a plumbing metaphor.
IT governance is about governing the way the pipes are built, maintained and protected.
Data governance is about governing how water flows through the pipes.
"The privacy policies were not updated to cover the usage of the Widget data."
"It's always been within policy to share our data with advertisers."
asked Amy. "As long as we can update the consent mechanism we should be okay."
"Considering the alternative, I don't see where we have a choice."
IT professionals are responsible for laying the technical foundation for an effective privacy program.
1.8 Conclusion
Amy held the coffee cup to her lips without taking a drink.
This time they didn't dodge the bullet, but at least the wound wouldn't be fatal.
Suddenly, Amy was pulled away from her thoughts by a phone call.
"Amy, Bill here."
He said it got lost in his inbox.
"No problem. Send it my way and copy the council."
IT departments are continually under pressure to ensure that systems under their control stay in compliance.
The ever-evolving landscape of cyber attacks, privacy regulations and self-regulatory requirements makes privacy compliance challenging.
Employees outside of the IT department have a part to play in compliance as well.
Maintaining the privacy of personal data is an important element of reaching compliance that goes far beyond IT governance.