The experiences of handling (and losing) personal information have a lot to tell us about better security in any organisation.
How often have you heard somebody argue that there has to be a trade-off between security and privacy?
The argument usually runs something along the lines that in order to keep you secure, you have to give up some aspect of your privacy. For example, you must exhibit a lot of evidence of identity before completing a transaction or joining a group or organisation.
But the tide is turning. On 29 May, the US President released the 60-day Cyberspace Policy Review. Item 10 in the Near Term Action Plan put forward by the review calls for the nation to:
"Build a cybersecurity-based identity management vision and strategy that addresses privacy and civil liberties interests, leveraging privacy-enhancing technologies for the Nation."
Read the US President's remarks at the time of the release and count how many times he remarks on the importance of getting privacy AND security right.
Why is this relevant to the themes of National E-Security Awareness Week?
For example, consider the security guidance supplied by the following NPPs:
NPP1, The Collection Principle: "An organisation must not collect personal information unless the information is necessary for one or more of its functions or activities." From a security perspective, the less personal information you collect, the less there is to keep secure and the less to lose. And the less attractive your data sets are to those who want to steal them. An additional bonus: this should also reduce your data handling costs.
NPP2, The Use and Disclosure Principle: "An organisation must not use or disclose personal information about an individual for a purpose (the secondary purpose) other than the primary purpose of collection unless" certain limited exceptions apply. This is totally in line with the 'need to know' adage in any security framework.
NPP3, The Data Quality Principle: "An organisation must take reasonable steps to make sure that the personal information it collects, uses or discloses is accurate, complete and up-to-date." One of the most significant weaknesses in any organisation's security framework is its ability to ensure not only that new staff and contractors are properly provisioned with resources when they commence, but also that they are DE-provisioned when they leave.
NPP4, The Data Security Principle: "An organisation must take reasonable steps to protect the personal information it holds from misuse and loss and from unauthorised access, modification or disclosure." and "An organisation must take reasonable steps to destroy or permanently de-identify personal information if it is no longer needed..." Enough said!
And so you can work your way through the NPPs in this way.
That's where we are right now. But if you want to make more use of cloud computing than you already do with Search, Data Storage, Email etc., then read "It's 6 O'Clock -- Do You Know Where Your Cloud's Data Center Is?", which was carried in Information Week on 2 June 2009.
But sadly, there will be data losses even in the best-run organisation. What to do then? Again, you could do a lot worse than start your response based on the hard-learned lessons of recent years from the losses of personal information.
The 2009 Data Breach Investigations Report, a study conducted by the Verizon Business RISK Team, will give you some surprising insights as to where your security weaknesses might really be. The Office of the Privacy Commissioner of Australia has also published a "Guide to handling personal information security breaches". At IIS, we have published a Privacy Breach Check List. The check list provides immediate help in the first 24 hours of a major data loss and suggests what to do as matters unfold over the first week and what to think about in the longer term.
Security AND Privacy: they are both elements of E-Security Week.