To continue with the theme I presented last time in which I discussed the differences between privacy (first pillar) and security (second pillar), I want to add a third pillar, that of the stakeholder.
It
seems obvious that he/she should also be included in any discussion along
these lines. And yet stakeholders can only add complexity to the equation. But before I begin, here are a couple of
notes. I received a number of comments concerning the previous post. Some
people commented about the fact that any discussion should include other
interested groups as well. And as you will see, that is exactly what I
will be doing here. Yet I would be
remiss unless I addressed another issue that was also brought up.
What
I 'd like to do, and only you, the reader, will be able to determine if I
am successful, is to highlight the 'human' factor in this equation. As we
move more and more to depending on, exploring, and exploiting the technology we use/rely on, we have had to develop tools to manage
and control the reliance on the same technology. We have tools to check
the code for security holes. We have tools to make sure we develop
compliance processes. We have tools to help the auditors to verify
systems, etc.
Yet
the one aspect that is forgotten in this mix is the human factor. He/she
is the coder, the report writer, the auditor who verifies the results.
etc. No system is fool proof and no human is perfect, except you
the reader. So why bring this up? I do
so because some of the comments I received include the following: 'a
security/privacy system that is put in place will address the wide divide
between humans and technology/compliance'.
In
response to this I say that tools are important, but we must realize that
the tools are not the entire solution to this quandary. We need
to understand entire eco system so we can successfully address the
issues of Security, Privacy, Regulation, and Compliance. That being both the technology we use, and the tools we use to control/enhance it.
So let's begin My objective in the previous blog was to highlight some of the inherent issues that prevail within the privacy/security domain. Here I want to explore the added complexity by adding the involvement of the stakeholder to this process. Let define some terms. A stakeholder is the 'outsider'. The person who ultimately gains from the process being discussed. For a lack of a better way of definition, the owner/holder of the data in question. This can be a VP of the product line, the director of the stores, the sales manager etc. He/she is the one who can say, without question, 'the buck stops here".
So let's begin My objective in the previous blog was to highlight some of the inherent issues that prevail within the privacy/security domain. Here I want to explore the added complexity by adding the involvement of the stakeholder to this process. Let define some terms. A stakeholder is the 'outsider'. The person who ultimately gains from the process being discussed. For a lack of a better way of definition, the owner/holder of the data in question. This can be a VP of the product line, the director of the stores, the sales manager etc. He/she is the one who can say, without question, 'the buck stops here".
Generally
speaking he just wants good end results. Most stakeholders see the added
cost of implementing a well defined privacy policy/practice in place as an
overhead that needs to be controlled.
They
want to make sure their data is safe but ask them if they think the added
cost of security systems in place is, for example, worthwhile to prevent
internal development personnel from having access to the real data, they
would balk. (Note this is a generic over simplified statement, but I use
it to make a point). To address this issue I point to a number of
organizations that rely on non disclosure agreements (NDA) the only protection to address the above
mentioned issue. This is 'cheap' to implement and easy to maintain. Yet I
hope you, the reader, understands that this solution is like having your teenager
promise they will clean up the room. A good idea but without any other
incentive probably doomed to failure.
The
problem here is that we all have different views on the same situation. We come
with different experiences, responsibilities, education. While the stakeholder
is ultimately the person responsible (For further info along these
lines read about the SOX act that was passed in the US), she/he may not
know how a truly good governance regulation compliance (GRC) process is created.
And in fact he might not even know why the company needs one in the first
place.
So
taking the analogy I used in my previous post(how security personnel and
privacy professionals look at a 'square' and see it differently), the stakeholder
is the owner of the 'square'. He holds the square but has no idea how it
is constructed but only knows how the square is used, IE. not how the WEB
application works. Only that a customer can sign in and order the
widget. So what can we to do? The answer
I suggest is fairly simple. Education.
The
privacy officer must educate the interested parties. These parties include
the stakeholders, the IT personnel Given that there is a privacy officer
already in place means that the first step has been taken. The
people who work on security need to educate everyone on what needs to done
and what it takes to get it done.
The
security personnel need to interpret the requirements and educate the
parties on how this is implemented. Why does it extend the software development
cycle. So in other words by educating the parties they can justify
the time and materials that will be needed to produce eco systems that achieve
the goals set out by all the interested parties within a manageable
framework.
So to
help the reader, I am suggesting a couple of different resources that
can be used to help.
1) A
short piece on how to explain HIPAA to the layman (Stakeholder). It
also provides some additional reading that may be of interest.
http://www.ehow.com/info_7778811_laymans-guide-hipaa-compliance.html
2) A
very interesting website that targets NON lawyers with information concerning
privacy. There are a lot of very good additional links that can
be of some help. Please note that this site deals mostly with US laws.
http://www.eprivacy.com/lectures/toc.html#toc
3)
Another good resource for educational purpose is the Electronic Privacy
Information Center website. Once again, mostly US information.
http://epic.org/privacy/
4) On
the consumer side of the debate, a list of resources can be found at
http://www.privacyrightsnow.com/affiliates.htm
5) And finally, two studies that come out yearly.
A) One is the Telus security group yearly that looks at the state of Canadian companies security. It has 5 recommendations as well as pointers on how to try to make security more prevalent in the workplace. Registration is required.
http://promo.telus.com/securitystudy/
B) The other one is the Verizon security's 2013 Data Breach Investigation Report. This report is a yearly report that encompasses expertise and information from various international organizations responsible for the reporting and investigation of data breaches. If you do not look at any other resources listed here, then this is the one to read.
http://www.verizonenterprise.com/DBIR/2013/insider/
5) And finally, two studies that come out yearly.
A) One is the Telus security group yearly that looks at the state of Canadian companies security. It has 5 recommendations as well as pointers on how to try to make security more prevalent in the workplace. Registration is required.
http://promo.telus.com/securitystudy/
B) The other one is the Verizon security's 2013 Data Breach Investigation Report. This report is a yearly report that encompasses expertise and information from various international organizations responsible for the reporting and investigation of data breaches. If you do not look at any other resources listed here, then this is the one to read.
http://www.verizonenterprise.com/DBIR/2013/insider/
Please
note the opinion of the individual authors/websites are their own, and I do not
advocate, agree or dis-agree with the opinion expressed.
And
this is just a sample of various resources that are available to help with the
issues described above. But ultimately it is up to the individual to make sure
they adhere to the best practices within their industry and Country.
Till
next time
No comments:
Post a Comment