BreachExchange mailing list archives

3 lessons privacy and security teams can learn from each other


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 3 Mar 2015 18:57:44 -0700

http://www.govhealthit.com/news/3-lessons-privacy-and-security-teams-can-learn-each-other

Remember the old Reese’s Peanut Butter Cups commercial, where the guy’s
chocolate bar lands in the girl’s peanut butter, and they discovered “two
great tastes that taste great together?” Privacy and security are no
different.

In many organizations the two disciplines still operate in silos. But
recent trends toward holistic management of privacy and security risks have
more organizations moving the functions under one umbrella in order to
improve communication and collaboration — and to learn valuable lessons
from each other’s best practices.

Lessons from data security
Over the years, the IT industry has developed a host of data protection
best practices that privacy organizations could adapt to their own
activities.

Here are just three:

1. Standardize: The IT industry lives by standards that are developed,
tested, and maintained through national and international collaboration,
and these standards evolve with the technical and threat environment. For
example, the Information Technology Standards Committee (ITSC) currently
has working groups on cards and personal identification, health
informatics, and cloud computing, in addition to a standing committee on
security and privacy.

In contrast, privacy standards are more localized in nature, bound by
geography and regulatory jurisdiction because they are in many ways a
function of laws. While standards set by U.S. government agencies are
relatively mature, our nation’s privacy posture is not. But organizations
such as the International Association of Privacy Professionals (IAPP) and
the Electronic Privacy Information Center (EPIC) have working groups
researching and documenting best practices for privacy organizations, and
advocating for privacy practices and efficacy. By supporting these
development efforts and adopting new standards, privacy professionals can
help the industry improve outcomes and control costs.

2. Measure: Business today is data-driven, thanks to the sophistication of
information systems and data analysis tools. As part of IT, data security
organizations track the amounts of data on their systems, network loads,
etc., looking for unusual activity that might indicate breaches or attacks.
Privacy organizations need to do the same. Key indicators such as a rise in
privacy-related incidents or in privacy-related customer service inquiries,
or unusual patterns of physical access to facilities could all help to
quickly identify and mitigate privacy issues.

3. Automate: Data security organizations have used automated monitoring,
logging, and analysis for decades. These practices have been applied with
great success, for example, in identifying usage patterns that indicate
credit card fraud or tracing the source of a data breach. Privacy
organizations now have software tools available to help automate and
streamline processes such as risk analysis and data breach response. By
supporting consistent and objective analysis of privacy incidents,
providing a central repository for all incident information, and
streamlining the documentation and reporting process, these tools can
improve outcomes and free the privacy staff to spend more time on
prevention.

Lessons from the privacy side
The privacy profession has evolved rapidly in the decade-plus since massive
data breaches have become commonplace, developing virtually in lockstep
with government regulation meant to protect consumers against breaches and
misuse of their personal information. As a result, the privacy profession
tends to be focused on compliance and the consumer, working successfully
with people and processes.

Here are three privacy best practices that IT security teams could apply to
better protect their organizations.

1. Be Customer-Centric: The greatest risk from data breaches is the loss of
customer trust and future business. Because they are responsible for
incident response, including reporting to those whose information has been
compromised, privacy groups are mindful of the human impact of data
breaches. They tend to look at addresses, account numbers, and SSNs not as
data but as an information set that defines a person. Data security
organizations can take a lesson and focus not just on encryption or
keeping data behind a firewall, but also on how to de-identify data or use
the minimum data set for each application, limiting exposure of data
combinations that would leave a person vulnerable if exposed.

2. Operationalize: Data security needs to be a driver as organizations
increasingly move from ad-hoc incident management toward an operational
model. While privacy functions have been driving the trend towards an
enterprise-wide approach to incident tracking and response, the role of the
CISO has also been changing to become a privacy protection leader on the
executive team. In addition to fostering collaboration that makes data
security and privacy programs more effective, helping to operationalize
will give data security groups a platform to advocate successfully for the
tools and resources they need.

3. Communicate Proactively: A privacy program depends on policies and
processes executed by people throughout the organization, so privacy
professionals work hard at training and at building a culture of awareness
and compliance. In contrast, many data security functions are implemented
within the computing infrastructure. Security software and malware
protection are critical pieces of a security program, but a system is only
as strong as its weakest link, and often that is the person carrying a
mobile device or responding to what may be a phishing email or phone call.
Data security professionals are in the best position to know where the user
vulnerabilities lie, and they should work proactively with privacy staff to
identify and close these gaps through training and awareness programs.

And lessons to live by
In some areas, privacy and data security already agree on best practices.
Both know it’s critical to have clear policies, and to enforce them.

Both recognize the importance of top-down support for their initiatives,
and both believe in regular risk assessment and monitoring.

With so much common ground, data security and privacy organizations should
be able to combine their strengths in the battle to protect personal data.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss