
Identity and Access Management (IAM)

Focusing on our views about deployment challenges, and some of the important trends related to Identity and Access Management

Monday, May 12, 2008 - Posts

  • Security, Privacy, and Trust -- Mission Impossible?

     

    Scott McNealy famously said "You have zero privacy - get over it". The recent stories regarding the loss of personal data have put a sharp perspective on the question of privacy. Polls show that people say they will only deal with organizations that they can trust to protect their personal data. What can organizations do to achieve this trust?

     

    Privacy
    What is privacy and why does it matter? In this context the concern is people's ability to control what information about themselves is made available to others. There is no universal agreement on what information is private; different cultures hold different views on this.

     

    Privacy is a balance of the rights of an individual against the good of a group. Sometimes privacy is in the interests of the group as well as the individual; identity theft is one example of this. It is in everyone's interest that information that could be used to impersonate an individual should not be publicly available.

     

    In Europe privacy of personal information is principally governed by two directives: 95/46/EC on the protection of personal data, and 2002/58/EC on privacy in electronic communications. The Organisation for Economic Co-operation and Development (OECD) has also published a set of guidelines on the protection of privacy and transborder flows of personal data. These principles form the basis for privacy of personal information in Europe.

     

    Trust
    Trust is important since it forms the basis upon which personal and commercial transactions take place. In the context of information privacy, individuals allow their personal and private information to be held by organizations, trusting that it will be stored and processed in accordance with the principles mentioned above. The recent personal data breaches are a breach of trust by the organizations holding the personal information.

     

    What happens when there is a breach of trust? Traditionally commerce depends upon legal enforcement. However, because legal enforcement is difficult on the internet, new models of trust are emerging. An example is the one adopted by eBay, where each buyer and seller has a feedback rating.

     

    Individuals are increasingly making decisions based on their perception of trust. In September 2007 a study conducted by the independent research consultancy YouGov showed that concern over identity theft is changing online behaviour, and revealed which types of organization the public trust to protect their personal details. For example, while 60% of respondents answered that they would trust their bank to keep their personal data secure, only 25% would trust the government.

     


    Security
    Information systems security is what organizations use to ensure privacy of personal information. Models for secure information processing grew out of the need of government and military agencies to use computing systems to handle sensitive data. These were described in the Orange Book (the US Trusted Computer System Evaluation Criteria), which was superseded by the Common Criteria (ISO/IEC 15408) for computer security evaluation. BS 7799 provided a more comprehensive set of standards and best practices for information security management; its code of practice was adopted as ISO/IEC 17799 and has since been renumbered ISO/IEC 27002, while its management-system specification became ISO/IEC 27001. Specific industry standards have also emerged, such as the Payment Card Industry Data Security Standard (PCI DSS).

    These standards are well known, and yet a survey conducted by CA across 482 organizations in EMEA found that while 62% of these were holding regulated information in their IT systems:
    • Only 33% were able to identify orphan accounts (user accounts which cannot be related to a single person as owner) in their IT systems.
    • Only 41% were able to report on the access rights to information possessed by the users of their IT systems.
    • Only 51% were able to monitor access to their IT servers.
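    The first two capabilities in that list are reconciliation problems: tie every account back to a person in the HR roster, and state what each person can reach. The Python below is an added example (not code from the original post or from CA's survey) that does both over constructed data: a hypothetical HR roster, a hypothetical account export from one application called "crm", and made-up entitlement names. It flags accounts with no owner, with an owner unknown to HR, or with an owner who has left, reports access rights per person and system, and orders the orphans so those holding sensitive entitlements are dealt with first.

```python
"""Orphan-account and access-rights reconciliation.

Added example, not code from the original post or from CA's survey. The HR roster,
the account export, the system name and the entitlement names are all constructed.
In practice the roster comes from the HR system and one export is taken per
application or directory.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Optional, Set


@dataclass(frozen=True)
class Person:
    person_id: str
    name: str
    status: str  # "active" or "terminated"


@dataclass(frozen=True)
class Account:
    system: str
    username: str
    owner_id: Optional[str]  # link to Person.person_id; None when the export records no owner
    entitlements: FrozenSet[str]


# Constructed HR roster (hypothetical people).
HR_ROSTER: List[Person] = [
    Person("p001", "Alice Example", "active"),
    Person("p002", "Bob Example", "terminated"),
    Person("p003", "Carol Example", "active"),
]

# Constructed account export from a hypothetical "crm" application.
ACCOUNTS: List[Account] = [
    Account("crm", "alice", "p001", frozenset({"read_customers"})),
    Account("crm", "bob", "p002", frozenset({"read_customers", "export_customers"})),
    Account("crm", "carol", "p003", frozenset({"read_customers"})),
    Account("crm", "batch_svc", None, frozenset({"read_customers"})),  # no owner recorded
    Account("crm", "dave", "p999", frozenset({"admin"})),              # owner id unknown to HR
]

# Entitlements that touch regulated data (assumed for the example).
SENSITIVE: FrozenSet[str] = frozenset({"export_customers", "admin"})


def find_orphans(accounts: Iterable[Account], roster: Iterable[Person]) -> Dict[str, str]:
    """Map username -> reason for every account that cannot be tied to one active person.

    Three cases are caught: no owner recorded, owner id absent from HR, and owner
    no longer active (a leaver whose access was never revoked).
    """
    people = {p.person_id: p for p in roster}
    orphans: Dict[str, str] = {}
    for acct in accounts:
        if acct.owner_id is None:
            orphans[acct.username] = "no owner recorded"
        elif acct.owner_id not in people:
            orphans[acct.username] = f"owner {acct.owner_id} not in HR roster"
        elif people[acct.owner_id].status != "active":
            owner = people[acct.owner_id]
            orphans[acct.username] = f"owner {owner.name} is {owner.status}"
    return orphans


def access_report(accounts: Iterable[Account], roster: Iterable[Person]) -> Dict[str, Dict[str, Set[str]]]:
    """Map person_id -> {system -> entitlements} for every account with a known owner.

    Terminated people are kept in the report deliberately: access they still hold
    is exactly what a reviewer needs to see.
    """
    known = {p.person_id for p in roster}
    report: Dict[str, Dict[str, Set[str]]] = defaultdict(lambda: defaultdict(set))
    for acct in accounts:
        if acct.owner_id in known:
            report[acct.owner_id][acct.system] |= acct.entitlements
    return {pid: dict(systems) for pid, systems in report.items()}


def prioritise(orphans: Dict[str, str], accounts: Iterable[Account], sensitive: FrozenSet[str]) -> List[str]:
    """Order orphan usernames so those holding a sensitive entitlement come first."""
    by_name = {a.username: a for a in accounts}
    return sorted(orphans, key=lambda u: (not (by_name[u].entitlements & sensitive), u))


if __name__ == "__main__":
    orphans = find_orphans(ACCOUNTS, HR_ROSTER)
    for user in prioritise(orphans, ACCOUNTS, SENSITIVE):
        print(f"orphan {user:10s} {orphans[user]}")
    for pid, systems in access_report(ACCOUNTS, HR_ROSTER).items():
        print(pid, {s: sorted(e) for s, e in systems.items()})
```

    On the constructed data this reports "bob" (owner terminated), "dave" (owner id not in HR) and "batch_svc" (no owner), with the two that hold sensitive entitlements listed first. The same join, run per application against a current HR export, is what the 67% of surveyed organizations that could not identify orphan accounts were missing.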

     

    What needs to be done?
    If organizations followed the letter and the spirit of the ISO 27001/2 standards there would be fewer or no data breaches. It is time for compliance with these standards to become mandatory where personal data is being held, and for there to be penalties for non-compliance.

     

    The card payment industry has taken a significant step towards improving protection of card data through the creation of PCI DSS. Any organization that stores, processes or transmits card data needs to become fully compliant with this standard.

     

    An important advance recommended in the UK House of Lords report on Personal Internet Security would be a data security breach notification law. This should include workable definitions of a data security breach, covering both a threshold for the sensitivity of the data lost and criteria for the accessibility of that data. Another recommendation of that report is that major companies, particularly the software vendors, must now make the development of more secure technologies their top design priority.

     

    There should be training and formal accreditation for people who are responsible for information security systems. In addition, people in organizations who have access to regulated data should have an appropriate level of training on privacy requirements. You cannot drive a car without a driving licence, so why should you be able to manage access to the personal data of thousands of people without proper training?

     
