Conflicting Parties and Privacy Policies

8 Dec 2008   ::   Security   ::   #privacy #enterprise security

 

Summary

Tim Wilson’s article [1] on privacy policy development and implementation describes the conflicts that arise between business units, executives, and external parties during privacy policy development, as well as the difficulties in implementing a privacy policy once developed. The main example cited in the article was a conflict between the Chief Privacy Officer (CPO) and the marketing group. The CPO’s goal is to protect individuals, and generally wants to maintain the least amount of data necessary for any given individual. At the same time, marketing organizations want the most information per individual possible in order to best target there audience. Other parties who may be involved include customers, who do not want organizations to have too much information and law enforcement whose investigations are often dependent upon access to such personal information. The article notes that there does not seem to be any easy way to address this problem, but that awareness that many different stakeholders should provide input and receive consideration in the privacy policy is important.

The second topic of the article is that problems can arise in implementing and enforcing a given privacy policy. Even if all parties are in harmonious agreement, it may not be possible to implement the resulting policy. For example, there may not be any existing tool or configuration option in existing software to meet the needs of the policy. Another issue cited in the article is that budget limitations may prevent the implementation. Enforcement can also be hindered through resale of customer data. Customers may remove themselves from one organization’s records, yet still receive information through that organization’s third party partners, in effect invalidating their previous opt-out. This scenario may violate the security policy, but preventing it may not be possible or require expensive changes to everyday operating procedures.

Relationship to Enterprise Security

While privacy is not officially part of the CIA (confidentiality, integrity, availability) principle, it is still an important aspect of the security mindset. As defined in lecture, privacy is “the right of an individual to control the disclosure and use of their personal information”. Safeguards must exist on both systems and data itself in order to protect such private information. The enterprise is responsible for safeguarding a great deal of personal and private data, both for employees and customers. For example, a company maintains contact information for customers and partners, as well as payroll information for employees. Because this data is most likely stored in information systems, it falls under the IT security staff to protect it. In addition, privacy will continue to grow in importance as the number of contract employees and external users of organizational data increases. For example, it is imperative to protect internal user data from outsourced operators that interact with the internal systems.

This article also deals with the development of policy. This is important for enterprise security because decisions are never simple and cannot be made arbitrarily; rather, good policy evaluates the needs of all stakeholders. The development of a coherent policy which is actually able to be implemented is crucial to the success of the enterprise security team. The policy sets out the rules and desired outcomes, and is used as the basis for all action-decisions in order to preempt and react to security incidents. Stakeholders could include various executives, departments, and regulators. The policy developers must consider all stakeholders and then prioritize (government regulations may out rule the marketing department’s desire to hold information for a lengthy period of time). Because enterprise security is primarily concerned with the interactions of technical systems and humans, policy can be seen as defining the protocols and rules of interaction.

Analysis/Discussion

The results of the study and article are not surprising. It is increasingly difficult in large modern organizations to have harmony and similar view points throughout the enterprise. One would not expect employees in the accounting department to understand all the complexities of setting up the technological controls on the accounting software provided by the IT department. As a result, policy development can be very slow and can see very strong resistance when one or more group’s desires cannot be met. Needs assessment interviews may need to be conducted, and policies should be reviewed and updated on a regular basis.

Enterprise security, for IT, was not a top priority until very recently. Now that it has become a top objective for most organizations, best practices and standardization will continue to emerge. While best practices do not present the terminal solution for everyone, a simplified understanding will allow a greater number of IT administrators to protect their organizations. To be successful at higher levels of management in IT, it is important to understand how the IT goals will meet the business objectives of the organizations. This requires a full view of the business and must take into account external view points.

I took some time to review the original report [2] by HP Labs cited in the article. If I was in the position to create a policy, I would find this report very useful, and I believe the interview cases could apply to many other real world operations. The report is focused on customers and end users not the direct privacy concerns of the organization, which may be more obvious to most security and privacy administrators. I think it is very important to consider these “citizen” or “customer” concerns; while an organization may put a strong emphasis on protecting its own information, it should take care with others information as this could result in regulatory penalties, lost customer, and lost business partners. Internal trade secrets may be important, but the aggregate value of this third party information would tend to have a higher total value and may be a more desirable target than organization secrets for an attacker.

Bibliography

  1. Wilson, Tim. Conflicting Interests Pose Huge Challenge To Privacy Policies . DarkReading. [Online] United Business Media LLC, November 7, 2008. [Cited: December 5, 2008.] http://www.darkreading.com/security/privacy/showArticle.jhtml?articleID=212001183.

  2. Nickel, Cyndi, Sander, Tomas and Bramhall, Pete. The Driving Motivations of Stakeholders in the Delivery of Privacy by Enterprises. s.l. : HP Laboratories, 2008. HPL-2008-153.