My thesis is that there needs to be a concerted effort to develop a
liaison group involving people that feel comfortable in both areas of Privacy
and IT Security. These people should understand how data is used within the IT,
and what expectations Privacy places on the organization.
SO let’s explore
In the vast majority of enterprises, (those that have a IT department and
also are concerned by privacy, as all companies should be) there are Privacy
and the IT personnel whose function it is to enhance/maintain/deploy process to
Secure the network assets from the 'bad guy'
But before we delve into this much further, let’s explore some of the foundations
of these two organizations.
Privacy requirements come from various requirements, regulations, laws. They
are formulated/created, either by gov't or professional organizations. Examples
include: the PCI DSS, SOX, GLBA, PIPEDA, EU Directive, to name but a few.
These regulations/laws, for the most part are drafted by lawyers, civil
servants, professional committees. I transgress with a quick joke. What is a
camel? A horse designed by a committee.
The point is that, as written, these regulations are not written for the 'common
man'. They deal with the legal aspects of privacy and as such, written in
'legalize'. So to be able to interpret them, create processes to address them,
and ensure compliance with the same, it requires individuals that can
understand those same rules. That is, one with expertise in the legal and/or
Security comes from the technical world, the idea of what kind of security
appliances are needed to monitor/secure the systems/network/infrastructure that
are in place within the organization. The understanding of networking
protocols, threats and vulnerabilities etc. needs someone who understands the
technical complicated the Security realm
So far so good.
We also understand that to have Privacy, one must have Security, or otherwise
the organization’s public reputation, never mind its ability to function under
gov't rules and industry regulation oversight may be in jeopardy. (IE
data breaches etc).
However, how many Privacy officers know anything about a 'DMZ' or DLP
appliance (to name but two Technical Security phases/gobbledygook).
That is the Security guy’s responsibility, right?
How many security personnel understand the ramifications of a stolen laptop
with an encrypted disk, with PII from Customers in the US, or if the PII is
from those customers that are located within the EU. That is the privacy
So that is the dilemma. Each department’s needs to 'use' the other’s
expertise. But is there is no common language? One group doesn't know what it
does not know and the other assumes that everything is addressed. This scenario
is a problem waiting to happen.
So let’s take an example. But please note that the following example is only
being used to highlight my point. It is an over simplification of the issues.
A new network is being developed to support an application that is being
rolled out shortly. This application contains PII/PHI information. In one of
the meetings the CPO makes it clear that this type of information needs to be
protected/secured. The Security guys go to the back room and incant some
magic spells over a rack of computers/servers (sorry I could not help myself)
and POOF, out comes a Security policy/procedure etc. plan for the roll out.
The plan contains the proper role based security rules(RBAC), checks, logs
etc. The Security guys go out for a drink to celebrate the culmination of
designing a 'fool proof' Security envelope (as if there was such a
The Privacy person figures out that the proposed process meets the needs and
regulations and goes home with a smile on his/her face. The only people who are
authorized to see the information will have the ability to view the PII/PHI
However, did anyone look at how support is going to done for this
application? The Privacy professional is not a techie and does not know what
the 'normal' infrastructure for support/maintenance development for an
application is. And why should he/she? Right?
The CPO has no idea that during the development and support phases of the
project, that copies of the real data may be created to provide a more
realistic test bed for QA/ regression testing.(see my previous blog entry
for a further discussion concerning this issue).
Did anyone look at the possibility that there may be data leakage within the
test/regression system? (PII info that can be emailed in the clear from a
developer workstation)? Did the person
responsible for Privacy understand the need for a possible Security hardware
deployment within the test environment to prevent data leakage. And where should
that hardware be deployed? How do third parties access the data for
testing? Should they be able to see the test (or Production data)? Should this
be considered with a BCP (business contingency planning) document?
The people responsible for Security understand the basic Security 'triad'
(CIA. Confidentiality, Integrity and Availability) and have created a process
that addresses these requirements. In this case the Security personnel, and may
be the network administrator, have designed a comprehensive plan to secure the
network where the new application will live on.
But what do they understand about issues like: if a disk drive goes missing,
even if it is encrypted, they may still need to notify gov't authorities (EU
directive)? And this must be detailed in any contingency planning.
Do they know that they need to talk to the Privacy department to look
at how test data is used and abused?
The above mentioned questions are rather over simplified. And of course during
the normal working day, the Security department and the Privacy department
would talk to each other. BUT
The old adage is very relevant here. 'I don't know what I don't know' or in
the case of the Security personnel they don’t know enough of the Privacy
realm to make sure everything is addressed. And the Privacy officer does not
know how the data is used, to the point that she/he would not know to look into
areas that are not obvious IE Test Bed, Third party issues etc..
So what is the answer? Cross train personnel. (Easier said then done).
Have the security department take a course like the CIPP, offered by the
International Association of Privacy Professionals. This will allow for the same
individuals some insight into the issues pertaining to privacy.
Have the Privacy personnel take a certification course like the SECURITY+
offered by CompTIA. However this may be more problematic because there is an
assumption that the person taking this course (or one that is similar) has some
basic knowledge in networking and IT in general.
Failing that, Have the people in the CPO office at least try to get the basis
of Security down, so the next time the two groups meet they can at least talk a
common language. And this would help in reducing the chance of something being
missed, and projects coming in on time.