The Privacy/Security Dialogue
Stephen Cobb, CISSP
(This article first appeared in Privacy Officers Advisor, the monthly
newsletter of the IAPP)
Anyone who has taken responsibility for privacy within their organization
knows that the relationship between privacy and security is a complex
one, but don't worry, this article is not a philosophical rumination
on that complexity. The purpose of this article is simply to pass
along some practical observations from recent seminars in which
I have been talking to privacy professionals about security, and
to security professionals about privacy.
My first observation is that some privacy professionals appear to
be intimidated by security professionals. This is understandable,
given that, viewed from the outside, the world of information security
can seem daunting. Visit your local Barnes & Noble or Borders
bookstore and you will probably find several shelves of security
books, suggestive of an established common body of knowledge. However,
much of what you see in the information security world today is
very new. Seven years ago it was a much smaller world. The first
NCSA Firewall and Internet Security Conference was held in January
of 1996, when companies like Checkpoint and ISS could truly be described
as fledglings and certification of information security professionals
had only just begun. As for books about computer security, they
were not something you would see in your local book store (I know
because I write one in 1992 and I used to look for it).
Of course, there were some computer security people around long
before that, but mostly they looked after mainframe systems, which
is what most companies relied on almost exclusively until the dawn
of the PC era in the eighties and the arrival of serious local area
networking in the nineties. However, it was the Internet that really
breathed life into computer security, because the Internet was,
and still is, inherently insecure. And because nobody owns the Internet,
hardware and software companies could not gloss over security problems
(as they had tended to do when selling enterprises on the idea of
PCs and local area networks). Indeed, some vendors soon realized
that talking about security could be a good thing, now that there
was a major source of insecurity for which they could be held responsible.
In the latter part of the last decade the information security
profession matured considerably. But that is no reason for privacy
professionals to feel intimidated. After all, a few years from now
privacy will be just as mature. Furthermore, maturity in security
has brought several benefits. For a start, security people are now
better at explaining things (a good example of this is, in my opinion,
the recently published "Network Security for Dummies,"
although I should make this disclaimer: I'm married to the author,
Chey Cobb). Maturity has also brought about better understanding
of distinct roles within security, such as management and operations.
For example, it is now clear that you don't have to be able to write
firewall filter rules to know what a firewall does and when one
is needed. You don't have to be able to code encryption algorithms
in C++ to make purchasing decisions about encryption products (although
you should know how to determine whether or not the people you ask
to evaluate encryption products for you know what they are doing).
One way to avoid being intimidated by something is to learn more
about it. Answering the question of exactly how much you need to
know about security is my second observation: privacy professionals
should learn enough about information security to ask the questions
they need to ask, and to evaluate the answers. Consider what happens
when you are creating a privacy statement for the company web site.
You may want to use language like this: "To prevent unauthorized
access, maintain data accuracy, and ensure the appropriate use of
information, we have put in place appropriate physical, electronic,
and managerial procedures to protect the information we collect
online." But how do you confirm that this is actually the case?
A good first step is to ask whoever is in charge of information
security: "Do we have appropriate physical, electronic, and
managerial procedures to protect customer PII?" You may need
to explain that PII is personally identifiable information, because
this acronym is not yet part of the standard information security
lexicon. Obviously, if the response is "No" then you both
have some work to do before that privacy statement can go up. But
what if the answer you get is "Yes"? Should you rely on
this assertion? Quite frankly, the answer to that question depends
on your assessment of the person or persons making the assertion.
How long have they been in charge of information security for the
organization? Do they strike you as competent? How seriously did
they take your question? Do they have any security-specific credentials,
such as CISSP?
That last question is not meant to imply that only CISSPs are entitled
to assess security. However, it is important to note that in the
Federal Trade Commission's settlement with Microsoft over privacy
and security issues related to Microsoft Passport, the FTC specifically
mentions CISSP. The settlement requires Microsoft to obtain, every
two years, a report prepared by a qualified, objective, independent
third-party professional, using procedures and standards generally
accepted in the profession, certifying that Microsoft has in place
an effective security program, such report to be "prepared by a
Certified Information System Security Professional (CISSP) or by
a person or organization approved by the Associate Director for
Enforcement, Bureau of Consumer Protection, Federal Trade Commission".
Bear in mind that, while best practices in privacy are still evolving,
security best practices are well-established. This is why the government's
dallying over the final draft of the HIPAA Security Rule has few
practical implications. Although that rule will be a statement of
how to go about providing the "reasonable safeguards"
for protected health information mandated in the Privacy Rule, the
standards upon which that statement will be based already exist
(and in some industries, such as finance and telecommunications,
are already met or exceeded by a significant percentage of companies).
Also bear in mind that the FTC is aware of this, and regards as
deceptive, and thus illegal and potentially actionable, statements
claiming a higher degree of protection for PII than is actually
provided. The FTC did not accuse Microsoft of disclosing anyone's
PII, simply of making claims about the level of protection afforded
PII that were then undermined by a series of vulnerabilities.
So, as the person responsible for privacy, you need to get solid
assurances from the people in charge of security. Ask for copies
of recent security audits, internal and external. Ask if there has
been a penetration test of the web site in the last six months.
If so, what were the results? If issues were identified, have they
been resolved, and was the fix confirmed by a retest? Who did the
test? Was it a reputable, independent, outside, trusted authority?
(Assessments by your Internet Service Provider, Web hosting company,
or network hardware vendor are not really independent, and although
tests by internal security staff can be very helpful, they are not,
in terms of due diligence, as valuable as an external test.)
Something else you will need to ask the security folks about is
the current level of security awareness in the organization. Again,
you will need to evaluate the response carefully. Remember that
when the FTC investigated the Eli Lilly Prozac email incident it
found that the company had a lot of very good security policies
and procedures. Unfortunately, the security awareness of the group
that programmed the web site and related email applications was
found to be lacking, contributing to the exposure of email addresses
belonging to people who, it could be assumed, were taking Prozac
(another personal disclaimer: as one of ePrivacy Group's privacy
experts, I advised the FTC in the Lilly matter).
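The Lilly exposure described above turned, as the FTC's complaint recounts it, on the classic bulk-mailing mistake: one reminder message addressed to every subscriber at once, so each recipient's copy carried every other subscriber's address in the visible To: header. The Python sketch below is an added example, not code from the author or from Lilly; the sender and subscriber addresses and the message text are constructed, and the function names are assumptions of mine. It places the leaky message beside two safe ways of sending the same reminder, and adds the small audit that a security-aware reviewer could run over a batch of outgoing messages to catch cross-disclosure of the subscriber list before anything is sent.

```python
from email.message import EmailMessage
from email.utils import getaddresses

SENDER = "reminders@example.com"   # constructed sender address
SUBSCRIBERS = [                    # constructed subscriber list, not real people
    "alice@example.com",
    "bob@example.org",
    "carol@example.net",
]


def _new_message(subject, body):
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def build_leaky_reminder(subscribers, subject, body):
    """The awareness failure: one message, every subscriber in the visible
    To: header. Each recipient learns who else is on the list, and the
    list itself (who is being reminded about a medication) is the PII."""
    msg = _new_message(subject, body)
    msg["To"] = ", ".join(subscribers)
    return [msg]


def build_individual_reminders(subscribers, subject, body):
    """Safe form 1: one message per subscriber. More SMTP traffic, but no
    recipient sees any other address and nothing depends on the MTA."""
    messages = []
    for addr in subscribers:
        msg = _new_message(subject, body)
        msg["To"] = addr
        messages.append(msg)
    return messages


def build_bcc_reminder(subscribers, subject, body):
    """Safe form 2: subscribers in Bcc, the sender's own address in To.
    Only safe if the submitting code strips the Bcc header before the
    message leaves (smtplib.send_message does); the audit below assumes
    that and treats only To and Cc as visible to recipients."""
    msg = _new_message(subject, body)
    msg["To"] = SENDER
    msg["Bcc"] = ", ".join(subscribers)
    return [msg]


def _addresses(msg, *headers):
    """Lower-cased addresses found in the named headers of msg."""
    found = set()
    for header in headers:
        for _name, addr in getaddresses(msg.get_all(header, [])):
            if addr:
                found.add(addr.lower())
    return found


def cross_disclosures(messages, subscribers):
    """Audit a batch of outgoing messages. Returns a mapping from each
    recipient to the set of *other* subscribers' addresses that recipient
    would see in the delivered headers. An empty dict means no subscriber
    is disclosed to any other subscriber."""
    subs = {s.lower() for s in subscribers}
    findings = {}
    for msg in messages:
        visible = _addresses(msg, "To", "Cc") & subs
        for rcpt in _addresses(msg, "To", "Cc", "Bcc"):
            others = visible - {rcpt}
            if others:
                findings.setdefault(rcpt, set()).update(others)
    return findings


if __name__ == "__main__":
    body = "Your refill is due this week."   # constructed message text
    for builder in (build_leaky_reminder,
                    build_individual_reminders,
                    build_bcc_reminder):
        batch = builder(SUBSCRIBERS, "Reminder", body)
        found = cross_disclosures(batch, SUBSCRIBERS)
        print(f"{builder.__name__:27s} cross-disclosures: {found or 'none'}")
```

The audit is deliberately conservative about Bcc: it credits a Bcc-based send as safe only because the sending path is assumed to strip that header, which is exactly the kind of assumption a privacy officer should ask the security and development teams to confirm rather than take on faith.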
The aggressive privacy posture of federal and state regulators,
coupled with the lack of wiggle room with respect to security standards,
means that privacy people need to talk to security people, not only
to make sure that security standards are being met, but to make
security professionals aware of the new rules of the game. Historically,
the focus of the security department has been defense of the information
assets of the organization. For example, the traditional motivation
to protect customer information was to prevent it getting into the
hands of the competition. The idea that exposure of customer PII
is inherently a bad thing because it violates privacy promises is
a relatively new one, and some security professionals are only now
realizing that there is, as my colleague David Brussin puts it "a
new customer at the security table: the customer."
My final observation is that the best way to start the dialogue
with the security professionals in your organization is on a positive
note. Don't wait until you, or they, are facing litigation or public
castigation. Consider approaching the security department with some
good news, such as Peter Cullen's observations on privacy ROI at
the Royal Bank of Canada (see the December issue of Privacy Officers
Advisor). In my fifteen years of security work I've not seen a better
argument for increased security spending. Show your peers in the
information security department that privacy pays and, because you
can't have privacy without security, you may become their new best
About the Author
A Certified Information System Security Professional since 1996,
Stephen Cobb is the author of Privacy for Business: Web Sites and
Email, and Senior VP of Research and Education at ePrivacy Group.
Stephen also teaches on the Master of Science in Information Assurance
program at Norwich University, Vermont. You can email him at scobb
at eprivacygroup.com.
Copyright Stephen Cobb, 2003.