I have been on the periphery of the discussion about Privacy and Security
for a while. The debate concerns how Privacy personnel are not familiar
with IT security processes. And I believe it's time to take the bull by the tail
and face the situation, so to speak.
My thesis is that there needs to be a concerted effort to develop a
liaison group involving people who feel comfortable in both areas, Privacy
and IT Security. These people should understand how data is used within IT,
and what expectations Privacy places on the organization.
So let's explore.
In the vast majority of enterprises (those that have an IT department and
are also concerned with privacy, as all companies should be) there are Privacy
officers who deal solely in the Privacy realm (Privacy policy, governance, etc.)
and IT personnel whose function it is to enhance/maintain/deploy processes to
secure the network assets from the 'bad guy'.
But before we delve into this much further, let’s explore some of the foundations
of these two organizations.
Privacy requirements come from various regulations and laws. They
are formulated/created either by government or by professional organizations. Examples
include PCI DSS, SOX, GLBA, PIPEDA and the EU Directive, to name but a few.
These regulations/laws are, for the most part, drafted by lawyers, civil
servants and professional committees. I digress with a quick joke: What is a
camel? A horse designed by a committee.
The point is that, as written, these regulations are not written for the 'common
man'. They deal with the legal aspects of privacy and as such are written in
'legalese'. So being able to interpret them, create processes to address them
and ensure compliance with them requires individuals who can
understand those same rules: that is, someone with expertise in the legal and/or
regulatory profession.
Security comes from the technical world: the idea of what kind of security
appliances are needed to monitor/secure the systems/network/infrastructure that
are in place within the organization. Understanding networking
protocols, threats, vulnerabilities, etc. needs someone who understands the
technical complexities of the Security realm.
So far so good.
We also understand that to have Privacy, one must have Security; otherwise
the organization's public reputation, never mind its ability to function under
gov't rules and industry regulation oversight, may be in jeopardy (i.e.
data breaches, etc.).
However, how many Privacy officers know anything about a 'DMZ' or a DLP
appliance (to name but two bits of Technical Security phrasing/gobbledygook)?
That is the Security guy's responsibility, right?
How many Security personnel understand the ramifications of a stolen laptop
with an encrypted disk containing PII from customers in the US, or PII
from customers located within the EU? That is the Privacy
department's issue?
So that is the dilemma. Each department needs to 'use' the other's
expertise. But is there no common language? One group doesn't know what it
does not know, and the other assumes that everything is addressed. This scenario
is a problem waiting to happen.
So let's take an example. But please note that the following example is only
being used to highlight my point. It is an oversimplification of the issues.
A new network is being developed to support an application that is being
rolled out shortly. This application contains PII/PHI information. In one of
the meetings the CPO makes it clear that this type of information needs to be
protected/secured. The Security guys go to the back room and incant some
magic spells over a rack of computers/servers (sorry, I could not help myself)
and POOF, out comes a Security policy/procedure/plan for the roll-out.
The plan contains the proper role-based security rules (RBAC), checks, logs,
etc. The Security guys go out for a drink to celebrate the culmination of
designing a 'fool-proof' Security envelope (as if there were such a
thing).
The Privacy person figures out that the proposed process meets the needs and
regulations and goes home with a smile on his/her face. Only the people who are
authorized to see the information will have the ability to view the PII/PHI
info.
However, did anyone look at how support is going to be done for this
application? The Privacy professional is not a techie and does not know what
the 'normal' infrastructure for support/maintenance/development of an
application is. And why should he/she? Right?
WRONG.
The CPO has no idea that, during the development and support phases of the
project, copies of the real data may be created to provide a more
realistic test bed for QA/regression testing (see my previous blog entry
for a further discussion of this issue).
Did anyone look at the possibility that there may be data leakage within the
test/regression system (PII that can be emailed in the clear from a
developer workstation)? Did the person
responsible for Privacy understand the need for a possible Security hardware
deployment within the test environment to prevent data leakage? And where should
that hardware be deployed? How do third parties access the data for
testing? Should they be able to see the test (or Production) data? Should this
be considered within a BCP (business contingency planning) document?
The people responsible for Security understand the basic Security 'triad'
(CIA: Confidentiality, Integrity and Availability) and have created a process
that addresses these requirements. In this case the Security personnel, and maybe
the network administrator, have designed a comprehensive plan to secure the
network where the new application will live.
But what do they understand about issues like this: if a disk drive goes missing,
even if it is encrypted, they may still need to notify gov't authorities (EU
Directive)? And this must be detailed in any contingency planning.
Do they know that they need to talk to the Privacy department to look
at how test data is used and abused?
The above-mentioned questions are rather oversimplified. And of course, during
the normal working day, the Security department and the Privacy department
would talk to each other. BUT
The old adage is very relevant here: 'I don't know what I don't know'. In
the case of the Security personnel, they don't know enough of the Privacy
realm to make sure everything is addressed. And the Privacy officer does not
know how the data is used, to the point that she/he would not know to look into
areas that are not obvious, i.e. the test bed, third-party issues, etc.
So what is the answer? Cross-train personnel. (Easier said than done.)
Have the Security department take a course like the CIPP, offered by the
International Association of Privacy Professionals. This will give those
individuals some insight into the issues pertaining to privacy.
Have the Privacy personnel take a certification course like Security+,
offered by CompTIA. However, this may be more problematic because there is an
assumption that the person taking this course (or one that is similar) has some
basic knowledge of networking and IT in general.
Failing that, have the people in the CPO office at least try to get the basics
of Security down, so the next time the two groups meet they can at least talk a
common language. This would help reduce the chance of something being
missed, and help projects come in on time.
Well said Robert. I have long been an advocate for cross training, awareness and accountability. Security should avoid taking positions on Compliance. Compliance should avoid taking positions on matters of Security, but both need to understand each other's worlds as they work with end users, legal and the host of others involved. Cross training is a required first step!
The only problem I see is the background of both groups.
Neither one of them (generalization) has a background in the other. Ever seen a lawyer understand how to set up a network securely? Or a network administrator read legal regulations?
So when a person has both lines of experience, he/she is worth their weight in gold.