Privacy for Business Practical Privacy Guides for Business

The Privacy/Security Dialogue

Stephen Cobb, CISSP

(This article first appeared in Privacy Officers Advisor, the monthly newsletter of the IAPP)

Anyone who has taken responsibility for privacy within their organization knows that the relationship between privacy and security is a complex one, but don't worry, this article is not a philosophical rumination on that complexity. The purpose of this article is simply to pass along some practical observations from recent seminars in which I have been talking to privacy professionals about security, and to security professionals about privacy.

Security Intimidation

My first observation is that some privacy professionals appear to be intimidated by security professionals. This is understandable, given that, viewed from the outside, the world of information security can seem daunting. Visit your local Barnes & Noble or Borders bookstore and you will probably find several shelves of security books, suggestive of an established common body of knowledge. However, much of what you see in the information security world today is very new. Seven years ago it was a much smaller world. The first NCSA Firewall and Internet Security Conference was held in January of 1996, when companies like Checkpoint and ISS could truly be described as fledglings and certification of information security professionals had only just begun. As for books about computer security, they were not something you would see in your local book store (I know because I wrote one in 1992 and I used to look for it).

Of course, there were some computer security people around long before that, but mostly they looked after mainframe systems, which is what most companies relied on almost exclusively until the dawn of the PC era in the eighties and the arrival of serious local area networking in the nineties. However, it was the Internet that really breathed life into computer security, because the Internet was, and still is, inherently insecure. And because nobody owns the Internet, hardware and software companies could not gloss over security problems (as they had tended to do when selling enterprises on the idea of PCs and local area networks). Indeed, some vendors soon realized that talking about security could be a good thing, now that there was a major source of insecurity for which they could be held responsible.

In the latter part of the last decade the information security profession matured considerably. But that is no reason for privacy professionals to feel intimidated. After all, a few years from now privacy will be just as mature. Furthermore, maturity in security has brought several benefits. For a start, security people are now better at explaining things (a good example of this is, in my opinion, the recently published "Network Security for Dummies," although I should make this disclaimer: I'm married to the author, Chey Cobb). Maturity has also brought about better understanding of distinct roles within security, such as management and operations. For example, it is now clear that you don't have to be able to write firewall filter rules to know what a firewall does and when one is needed. You don't have to be able to code encryption algorithms in C++ to make purchasing decisions about encryption products (although you should know how to determine whether or not the people you ask to evaluate encryption products for you know what they are doing).

Security Questions

One way to avoid being intimidated by something is to learn more about it. Answering the question of exactly how much you need to know about security is my second observation: privacy professionals should learn enough about information security to ask the questions they need to ask, and to evaluate the answers. Consider what happens when you are creating a privacy statement for the company web site. You may want to use language like this: "To prevent unauthorized access, maintain data accuracy, and ensure the appropriate use of information, we have put in place appropriate physical, electronic, and managerial procedures to protect the information we collect online." But how do you confirm that this is actually the case?

A good first step is to ask whoever is in charge of information security: "Do we have appropriate physical, electronic, and managerial procedures to protect customer PII?" You may need to explain that PII is personally identifiable information, because this acronym is not yet part of the standard information security lexicon. Obviously, if the response is "No" then you both have some work to do before that privacy statement can go up. But what if the answer you get is "Yes"? Should you rely on this assertion? Quite frankly, the answer to that question depends on your assessment of the person or persons making the assertion. How long have they been in charge of information security for the organization? Do they strike you as competent? How seriously did they take your question? Do they have any security-specific credentials, such as CISSP?

That last question is not meant to imply that only CISSPs are entitled to assess security. However, it is important to note that in the Federal Trade Commission's settlement with Microsoft over privacy and security issues related to Microsoft Passport, the FTC specifically mentions CISSP (the settlement requires Microsoft to provide a biannual report, prepared by a qualified, objective, independent third-party professional, using procedures and standards generally accepted in the profession, certifying that Microsoft has in place an effective security program, such report to be "prepared by a Certified Information System Security Professional (CISSP) or by a person or organization approved by the Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission").

Bear in mind that, while best practices in privacy are still evolving, security best practices are well-established. This is why the government's dallying over the final draft of the HIPAA Security Rule has few practical implications. Although that rule will be a statement of how to go about providing the "reasonable safeguards" for protected health information mandated in the Privacy Rule, the standards upon which that statement will be based already exist (and in some industries, such as finance and telecommunications, are already met or exceeded by a significant percentage of companies). Also bear in mind that the FTC is aware of this, and regards as deceptive, and thus illegal and potentially actionable, statements claiming a higher degree of protection for PII than is actually provided. The FTC did not accuse Microsoft of disclosing anyone's PII, simply of making claims about the level of protection afforded PII that were then undermined by a series of vulnerabilities.

So, as the person responsible for privacy, you need to get solid assurances from the people in charge of security. Ask for copies of recent security audits, internal and external. Ask if there has been a penetration test of the web site in the last six months. If so, what were the results? If issues were identified, have they been resolved? Who did the test? Was it a reputable, independent, outside, trusted authority? (Assessments by your Internet Service Provider, Web hosting company, or network hardware vendor are not really independent, and although tests by internal security staff can be very helpful, they are not, in terms of due diligence, as valuable as an external test).

Something else you will need to ask the security folks about is the current level of security awareness in the organization. Again, you will need to evaluate the response carefully. Remember that when the FTC investigated the Eli Lilly Prozac email incident it found that the company had a lot of very good security policies and procedures. Unfortunately, the security awareness of the group that programmed the web site and related email applications was found to be lacking, contributing to the exposure of email addresses belonging to people who, it could be assumed, were taking Prozac (another personal disclaimer: as one of ePrivacy Group's privacy experts, I advised the FTC in the Lilly matter).

Continuing Dialogue

The aggressive privacy posture of federal and state regulators, coupled with the lack of wiggle room with respect to security standards, means that privacy people need to talk to security people, not only to make sure that security standards are being met, but to make security professionals aware of the new rules of the game. Historically, the focus of the security department has been defense of the information assets of the organization. For example, the traditional motivation to protect customer information was to prevent it getting into the hands of the competition. The idea that exposure of customer PII is inherently a bad thing because it violates privacy promises is a relatively new one, and some security professionals are only now realizing that there is, as my colleague David Brussin puts it, "a new customer at the security table: the customer."

My final observation is that the best way to start the dialogue with the security professionals in your organization is on a positive note. Don't wait until you, or they, are facing litigation or public castigation. Consider approaching the security department with some good news, such as Peter Cullen's observations on privacy ROI at the Royal Bank of Canada (see the December issue of Privacy Officers Advisor). In my fifteen years of security work I've not seen a better argument for increased security spending. Show your peers in the information security department that privacy pays and, because you can't have privacy without security, you may become their new best friend.

About the Author

A Certified Information System Security Professional since 1996, Stephen Cobb is the author of Privacy for Business: Web Sites and Email, and Senior VP of Research and Education at ePrivacy Group. Stephen also teaches on the Master of Science in Information Assurance program at Norwich University, Vermont. You can email him at scobb at eprivacygroup.com.

Copyright Stephen Cobb, 2003.

Privacy tip: PII = Personally Identifiable Information, which can include, but is not limited to: name, address, email address, social security number, phone number, drivers license number, and any combination of data that can be used to identify an individual.