Relationship to Enterprise Security
While privacy is not officially part of the CIA (confidentiality, integrity, availability) principle, it is still an important aspect of the security mindset. As defined in lecture, privacy is “the right of an individual to control the disclosure and use of their personal information”. Safeguards must exist for both the systems and the data itself in order to protect such private information. The enterprise is responsible for safeguarding a great deal of personal and private data, both for employees and customers. For example, a company maintains contact information for customers and partners, as well as payroll information for employees. Because this data is most likely stored in information systems, it falls to the IT security staff to protect it. In addition, privacy will continue to grow in importance as the number of contract employees and external users of organizational data increases. For example, it is imperative to protect internal user data from outsourced operators that interact with the internal systems.
This article also deals with the development of policy. This is important for enterprise security because decisions are never simple and cannot be made arbitrarily; rather, good policy evaluates the needs of all stakeholders. The development of a coherent policy that can actually be implemented is crucial to the success of the enterprise security team. The policy sets out the rules and desired outcomes, and it is used as the basis for all decisions and actions taken to preempt and react to security incidents. Stakeholders could include various executives, departments, and regulators. The policy developers must consider all stakeholders and then prioritize (government regulations may overrule the marketing department’s desire to hold information for a lengthy period of time). Because enterprise security is primarily concerned with the interactions of technical systems and humans, policy can be seen as defining the protocols and rules of interaction.
The results of the study and article are not surprising. It is increasingly difficult in large modern organizations to have harmony and similar viewpoints throughout the enterprise. One would not expect employees in the accounting department to understand all the complexities of setting up the technological controls on the accounting software provided by the IT department. As a result, policy development can be very slow and can meet very strong resistance when one or more groups’ desires cannot be met. Needs assessment interviews may need to be conducted, and policies should be reviewed and updated on a regular basis.
Enterprise security, for IT, was not a top priority until very recently. Now that it has become a top objective for most organizations, best practices and standardization will continue to emerge. While best practices do not offer a final solution for everyone, a simplified understanding will allow a greater number of IT administrators to protect their organizations. To be successful at higher levels of management in IT, it is important to understand how the IT goals will meet the business objectives of the organization. This requires a full view of the business and must take into account external viewpoints.
I took some time to review the original report by HP Labs cited in the article. If I were in the position to create a policy, I would find this report very useful, and I believe the interview cases could apply to many other real world operations. The report is focused on customers and end users, not the direct privacy concerns of the organization, which may be more obvious to most security and privacy administrators. I think it is very important to consider these “citizen” or “customer” concerns; while an organization may put a strong emphasis on protecting its own information, it should take care with others’ information, as this could result in regulatory penalties, lost customers, and lost business partners. Internal trade secrets may be important, but the aggregate value of this third-party information would tend to have a higher total value and may be a more desirable target than organization secrets for an attacker.
Wilson, Tim. “Conflicting Interests Pose Huge Challenge To Privacy Policies.” DarkReading, United Business Media LLC, November 7, 2008. Cited December 5, 2008. http://www.darkreading.com/security/privacy/showArticle.jhtml?articleID=212001183
Nickel, Cyndi, Tomas Sander, and Pete Bramhall. “The Driving Motivations of Stakeholders in the Delivery of Privacy by Enterprises.” HP Laboratories, 2008. HPL-2008-153.