Tuesday, April 16, 2013
Privacy and Security sometimes don't talk the same language.
In this blog post, which may seem a little rambling, I will first try to explain where I see the disconnect between Security (as the IT people see it) and Privacy (as the audit and privacy officers see it). I will then try to guide the reader to various resources on the web that offer help.
This will allow the reader, no matter which side of the fence they sit on, to at least understand the other side and what they are talking about. Some of the resources quoted below are targeted at the IT techies, and others at the privacy gurus. By putting them in one central location I hope to bring the two groups together, in some small part, so they can better understand each other.
So let's begin.
Privacy. According to the Webster online dictionary: 'freedom from unauthorized intrusion <one's right to privacy>'
Security. According to the Webster online dictionary: 'measures taken to guard against espionage or sabotage, crime, attack, or escape'
An explanation. Security is the process put in place to protect the privacy of information, whether it is Personally Identifiable Information (PII), a company's intellectual property, etc.
We have a problem. The 'WE' in the previous sentence refers to the IT personnel as well as the Privacy Officers of an organization. Many times the computer guys speak in 'techy talk' (subroutines, C#, Apache configuration, etc.) and the compliance personnel talk in legalese (jurisprudence, PIPEDA, opt-in, Office of the Privacy Commissioner, etc.). So it is no wonder that many organizations seem to have a disconnect between the two.
To address the need for privacy and security in our day-to-day computer lives, measures were and are being developed by people who may look at the same issue but see it in two different ways.
As an analogy, let's take a look at a square drawn on a piece of paper. The IT people see it as four lines connected at the corners, and the Privacy people see it as four corners connected by some lines. (I hope you get my meaning in this analogy.) Both are right, but neither sees the entire picture. This illustrates the issue that many organizations face.
Yes, this disconnect is evolving. There are now certification/training sessions for people who are responsible for privacy policies and are not technical (for more info go to https://www.privacyassociation.org/) that try to bridge the gap (CIPP/IT). And there are various integrated development environments (IDEs) that try to ensure that the code written can be tested for security (i.e. penetration testing, etc.). But as much as these two groups are trying to work with and understand each other, there are some areas where they are miles apart.
If you have followed this series from the beginning, you will remember at least one very common example where there is a security/privacy hole big enough to drive a tractor trailer through (see my previous blogs for more information). And I would bet two weeks of my pay (a jar of peanuts) that most compliance/privacy office departments have yet to investigate that arena. This is a clear example of how one department's lack of understanding of another's operations can lead to some very ominous problems.
Privacy officials, for the most part, do not understand the nuances of coding, testing, developing applications, etc. for the current marketplace. They do know the laws of the land, and they create compliance rules that everyone has to abide by.
IT professionals, again for the most part, do not understand the rules that govern privacy. What is an opt-in or opt-out option? Why must credit card numbers be handled under some externally developed standards? What are those standards? (Well, maybe they do, but this is used only as a simplistic example.) IT professionals know how to create an automated process to sell, bill, and retrieve the widgets that the company makes, yet the problem is that IT people (the techies) more often than not are not involved in, nor understand, the privacy realm.
Education on both sides is the only real answer. So in the following I will give the reader some resources, with comments that may help in understanding the other side.
Please note that I do not have any financial relationship with the organizations listed below. Nor do I recommend or agree with the statements contained within, though I have found these sites to contain valuable information. Whether you are a techie or a privacy person, I strongly suggest you take a look at all these resources to better understand the world we have to work in, so to speak.
The first resource that you may or may not be aware of is the Privacy Rights Clearinghouse (https://www.privacyrights.org/). A very useful web site where, among other items, there is a list of all publicly disclosed data breaches since 2005. In fact, according to the web site, as of when I started writing this blog, 607,472,154 DATA RECORDS WERE BREACHED. The number of breaches was 3,678 DATA BREACHES made public since 2005.
The types of breaches that you will find there include 'dumpster diving', misplaced laptops/hard drives, and SQL injection, to name but three. Chances are that you or someone you know was a victim of at least one, if not more, of these data breaches. In fact, if you do the math, the number of records is about twice the entire population of the US. And this site is very light on breaches outside of the US.
The next resource is Ponemon Institute (http://www.ponemon.org/). This site has a wealth of research on the who and how of privacy. Its stated purpose is 'to enable organizations in both the private and public sectors to have a clearer understanding of the trends in practices, perceptions and potential threats that will affect the collection, management and safeguarding of personal and confidential information about individuals and organizations.'
The next site I would like to point the readers to is the Verizon Security Blog.
[...] OF ATTACKS ARE AVOIDABLE BY SIMPLE OR INTERMEDIATE [...]
The latest report on this web site is a review of 2012, but the updated 2013 report is expected out very shortly.
Next is an organization called the International Association of Privacy Professionals (https://www.privacyassociation.org).
I happen to have two certifications from them. They have two items I would recommend the reader investigate. One is a blog they call Privacy Perspective, an interesting blog where various people talk about the issues of the day. The other is their 'DASHBOARD' (they have one each for the US, Canada, Europe and ANZ). They glean information from various sources and present it in a concise 'executive brief' format.
The above resources are just the tip of the iceberg. The problem of Privacy professionals and IT gurus understanding each other, and thus being able to frame the issues/requirements/concerns, etc. while taking into account each other's perspective, is not something that can be solved within a simple blog. But I hope that it will open some people's minds to what the issues are and to some resources that will bridge the gap, or at least have each side gain a better understanding of the other.
The next blog will continue along these same lines.
However, the next blog will be in two weeks' time.
Till then, if you have any comments or feel like you want to touch base, drop me a line at email@example.com