CA Community






This Blog
Syndication

Security, Privacy, and Trust -- Mission Impossible?

Published: May 12 2008, 11:11 AM
by Mike Small

 

Scott McNealy famously said "You have zero privacy - get over it". The recent

stories regarding the loss of personal data have put a sharp perspective on the

question of privacy. Polls show that people say they will only deal with

organization that they can trust to protect their personal data. What can

organizations do to achieve this trust?

 

Privacy

What is privacy and why does it matter? In this context the concern is the

capability for people to control what information about themselves is made

available to other people. There is no universal agreement on what information is

private; different cultures hold different views on this.

 

Privacy is a balance of the rights of an individual against the good of a group.

Sometimes privacy is in the interests of the group as well as the individual;

identity theft being one example of this. It is in everyone's interest that

information that could be used to impersonate an individual should not be publicly

available.

 

In Europe privacy of personal information is principally governed by two

directives 94/96/EC on personal data, and 2002/58/EC on privacy of electronic

communications. The Organization for Economic Co-operation and Development

has also published a set of principles for data privacy. These principles form the

basis for privacy of personal information in Europe.

 

Trust

Trust is important since it forms the basis upon which personal and commercial

transactions take place. In the context of information privacy, individuals allow

their personal and private information to be held by organizations trusting that it

will be stored and processed in accordance with the principals mentioned above.

The recent personal data breaches are a breach of trust by the organizations

holding the personal information.

 

What happens when there is a breach of trust? Traditionally commerce depends

upon legal enforcement. However, because of difficulties of legal enforcement on

the internet, new models of trust are emerging. An example of this is that

adopted by eBay' where each buyer and seller has a feedback rating.

 

Individuals are increasingly making decisions based on their perception of trust.

In September 2007 a study, conducted by the independent research consultancy

YouGov, showed that concerns over Identity Theft is changing online behaviour

and reveals which types of organizations the public trust to protect their personal

details. For example, while 60% of respondents answered that they would trust

their bank to keep their personal data secure, only 25% would trust the

government.

 

 

Security

Information systems security is what organizations use to ensure privacy of

personal information. Models for secure information processing grew out of the

needs by government and military agencies to use computing systems to handle

sensitive data. These were described in the Orange Book which was replaced by

the Common Criteria (ISO/ISEC 15048) for computer security. BS7799 provided

a more comprehensive set of standards and best practices for information

security management. This was later adopted as ISO 17799 and has now been

renamed as two standards ISO 27001/2. Specific industry standards have also

emerged such as the Payment Card Industry Data Security Standard (PCI-DSS).

These standards are well known and yet a survey conducted by CA across 482

organizations in EMEA found that while 62% of these were holding regulated

information in their IT systems:

  • - Only 33% were able to identify orphan accounts (user accounts which cannot be related to a single person as owner) in their IT systems.
  • - Only 41% were able to report on the access rights to information that were possessed by the users of their IT systems
  • - Only 51% were able to monitor access to their IT servers.

 

What needs to be done?

If organizations followed the letter and the spirit of the ISO27001/2 standards

there would be fewer or no data breaches. It is time for compliance with these

standards to become mandatory where personal data is being held and for there

to be penalties for non compliance.

 

The card payment industry has taken a significant step towards improving

protection of card data through the creation of the PCI-DSS. Any organization

involved in credit card transactions needs to become fully compliant with this

standard.

 

An important advance recommended in the UK House of Lords report on Personal

Internet Security would be a data security breach notification law. This should

include workable definitions of data security breaches, covering both a threshold

for the sensitivity of the data lost, and criteria for the accessibility of that data.

Another recommendation of that report is that major companies, particularly the

software vendors, must now make the development of more secure technologies

their top design priority.

 

There should be training and formal accreditation for people who are responsible

for information security systems. In addition people in organizations who have

access to regulated data should have an appropriate level of training on privacy

requirements. You cannot drive a car without a driving license - so why should

you be able to manage access to the personal data of thousands of people

without proper training?

 

 

Share this post:  EmailEmail
ShareShare
Leave a comment

 

By: Mike Small
Mike Small is principal consultant for security management strategy at CA, where he is responsible for the technical strategy for CA's security management software product line within Europe, Middle East and Africa. Mike has worked for CA since 1994 where he developed CA’s identity and access management...
Read More..

Comments:

No Comments

Leave a Comment

* An asterisk indicates a required field

* :  

:

* :  

 Submit