07.02.08

Breaking Privacy Policy Rules

By Dan Morrill

A report on Forbes.com shows that the disconnect between information security and the rest of the company is alive and well.

The security group may believe that the policies and procedures it has developed keep customer information safe and limit what can be handed to third parties. The reality is that the marketing department may not be paying attention to those rules at all.

More specifically, 80% of marketers said their organizations share e-mail addresses with third parties, compared with 47% of security and privacy officers. Other examples: 65% of marketers said they would distribute a customer's cellphone number, while only 47% of privacy execs said their companies allowed the data to be shared. Forty-five percent of marketers believe their companies shared credit card data, compared with 32% of privacy officers, and 29% of marketers believe their firms distribute social security numbers, compared with 7% of privacy professionals. Source: Forbes.com

The question from the policy side of information security (policy that usually exists because a legal requirement demands it) is what to do when a department or group within the company exposes the company to very serious risk. Asking questions is generally the right first step, but the problem with asking questions is that people who think they are in serious trouble will start covering themselves, or will tell you what they think you want to hear rather than what really happened.

Policy, and the controls around that policy, exist to meet a legal requirement such as HIPAA, SOX, or other legislation. Policies are generally not developed because "it seemed like a good idea at the time"; it is expensive to create a policy and to build the controls around it. But if a department within the company has started to disregard policy, or is already doing so, there is also a problem on the controls and monitoring side: either the controls do not cover that data, or the monitoring is not catching the violation.

If, as Forbes states, the marketing department is giving away cell phone numbers to third-party clients, what are the controls around that data that should keep marketing from getting hold of it, or from transmitting it outside the corporate boundary? The other issue is that for every control or hurdle you put in front of someone who thinks they are doing their job, the more creative that person gets about going around it. The answer is not simply more controls; the answer is changing the risk and reward calculation for the person, or in some cases for the whole department.


Companies are not loath to cut employees in bad economic circumstances; "pink slip Friday" is a regular occurrence. The problem is what the organization does once it catches an employee or department violating policy. What are the HR department, the manager of the department, or the senior executive staff doing about the issue? If data that should not be shared is being shared, what is the procedural response? What is the penalty for employees or departments that engage in this kind of risky behavior?

There are many possible responses, but the most likely outcome is that the employee(s) will be talked to and nothing formal will ever happen. They will still get their bonuses; they will still get their 5.0 evals at the end of the year. The problem is that they circumvented the controls protecting the data, they exposed data to third parties that should not have been exposed, and by their actions they put the entire company at a risk that may not be properly accounted for anywhere.

The other thing this kind of problem shows is that the monitoring controls are not as effective as they could be. That means more work for the policy and information security groups to strengthen monitoring just to get an idea of the magnitude of the problem. While this is the right thing to do, it carries an additional cost that is not in the budget, so the most likely outcome is that the controls will not be changed because of money concerns.

That is, until there is a data breach at either the company or the third party. At that point the risk has been realized, and the penalties, fines, fees, and legal costs will run to many more dollars than it would have cost to address the problem up front, both in controls and in user education.

About the Author:
Dan Morrill has been in the information security field for 18 years, both civilian and military, and is currently working on his Doctor of Management. Dan shares his insights on the important security issues of today through his blog, Managing Intellectual Property & IT Security, and is an active participant in the ITtoolbox blogging community.
-- EnterpriseSecurityNews is an iEntry, Inc. publication --
iEntry, Inc. 2549 Richmond Rd. Lexington KY, 40509
2008 iEntry, Inc. All Rights Reserved
