Sudhakar Sathiyamurthy, CISA, CIPP, ITIL, MCSE
Businesses are transforming rapidly, and the technologies that evolved over the cumulative innovations of the past half-century have now begun to bring remarkable changes in the way information is managed. Although these technological innovations claim to have offered the opportunity to foster a colossal capability to capture, analyze and disseminate information, they have exemplified an associated increase in the threats to the privacy of information. Perhaps to a greater extent than ever before, current-day businesses face substantial challenges in managing the privacy of information due to the demands posed by globalization, emerging technologies and the changing regulatory landscape.
In light of the previously mentioned facts, it becomes all the more imperative for a business to find a firm foothold in ensuring the best privacy management track record in the market. This article proposes a holistic privacy archetype that provides a pragmatic approach for the business to efficiently manage and stay abreast of growing regulatory and fiduciary requirements.
Privacy is essential to accomplish consumer protection. The focus on the privacy of information is gaining momentum among nations due to the burgeoning use of personal and sensitive information, the cross-functional dependency of information by businesses, and the rising number of data breaches from lack of adequate controls. According to a special report article in Forbes,1 11.2 million people were victims of identity theft or a related fraud in 2009—at an estimated cost of US $54 billion. Welcome to the world of information—where every bit of data has an associated financial quotient, which is what motivates intruders.
The regulatory landscape across the world prescribes and proscribes measures to protect the privacy of information to counteract emerging threats. Figure 1 provides a list of regulations across regions of the world (it is not necessarily all-inclusive). However, the rules are not always alike and have been enacted in relation to a region’s cultural, sociological and innate privacy threat factors. Although these regulations have played a key role in modernizing the IT compliance system, they make compliance complex because of globalization. Globalization brings new challenges for information that is exposed to multiple regulatory requirements while crossing borders.
The diverse set of regulations and their nonhomogeneity across regions may make it difficult, if not impossible, for a business to institute an efficient information privacy compliance program.
In addition, most of these regulations are backward-looking and have been promulgated in response to historic events.2 One has to acknowledge the fact that, as market dynamics change, technology, legal and reputational risks may manifest themselves in new ways or in magnitudes not previously recognized, which would call for a transformation to the regulatory rulebooks.
The importance of maintaining a viable, dynamic and progressive IT privacy management mechanism is beyond dispute among businesses. However, traditional approaches and a piecemeal compliance mind-set cannot absorb the privacy risks indefinitely or be scalable enough to cope with evolving regulatory requirements. A proactive business model would embrace an agenda that recognizes the critical role information privacy plays in the successful realization of business objectives and would transition toward a holistic privacy management archetype.
The holistic privacy archetype intends to foster a sound information privacy culture within the institution by reinforcing the enterprise governance discipline through a tiered archetype. The core tiers of the archetype are the business process layer, strategy and governance layer, and operational layer. The operational layer aggregates a three-tiered fabric in itself—the process layer, control layer and component layer. Figure 2 illustrates the privacy archetype applied to the financial business model. Each tiered layer within the archetype is calibrated to specific, assigned capabilities to ensure that the system as a whole is sufficient to support a successful enterprise privacy agenda. In addition, the model is well positioned to remain aggressive and scalable to the expanding regulatory landscape.
Business Process Layer
Business processes are a set of coordinated tasks and activities executed by people and technology to accomplish a business service. From a business productivity standpoint, the entity’s service portfolio and top-line commitments stem from collective innovations in the business process layer. In addition, the business processes and practices are precisely the focal point in defining the business case for information flow (data collection, data storage, data handling, data sharing and data destruction) within an organization. In other words, the business process layer defines the business case for the collection of information. As the opportunities to use personal data for business grow, enterprises should analyze the adequacy of the underlying controls for managing the evolving risk exposures and strike the right balance between delivering the service customers want and the privacy they expect.
Strategy and Governance Layer
The IT privacy strategy sets the tone and direction for the privacy program, its commitment to information privacy, and the business’s overall attitude toward data protection statutes. The layer identifies the enterprise privacy charter and governance objectives and continuously monitors its appropriateness in light of the business’s inherent risk exposure resulting from corporate strategic initiatives, reorganizations and process changes.
Privacy governance characterizes a thoughtful balance between accountability and independence among roles to have clearly drawn lines of authority, limited powers and appropriate controls conducive to legislative, regulatory and industry-leading practices in managing information as an enterprise asset. Privacy governance involves many players—each with specific, assigned responsibilities—to ensure that the system, as a whole, is sufficient to support the privacy strategy and to ensure effectiveness of internal control. The key players include, but are not limited to, the:
Operational Layer
The operational layer is envisaged as the engine that sets a successful privacy system in motion. Dynamic operational practices are the first and strongest line of defense in any information breach scenario. The operational layer compounds three integrated sublayers—the process, control and component layers—which operate in a complementary and mutually reinforcing manner to accomplish the enterprise’s privacy objectives. Figure 3 defines the elements of the operational layer and their integration with business processes.
Process Layer
The process layer sets down definite processes for an enterprise to manage privacy as a service. The layer thereby combines the leading practices of service management (such as those in COBIT, ITIL and ISO 27001) as a means to establish the service framework for information privacy. The belief here is that enterprises choose the processes that best fit their individual strategies:
Control Layer
The control layer safeguards the long-term best interest of the privacy program by establishing controls to address any control weaknesses and promote compliance with laws and industry-leading practices, governance portfolios, and risk management strategies. The key elements of the control layer include:
Component Layer
The component layer explores innovative and effective ways to put technology to the best use in supporting privacy and data management functions, and puts in place an infrastructure that can identify, monitor and effectively control the compliance risks. Needless to say, the infrastructure should be commensurate with the nature of the organization’s risk profile.
The layer focuses on offering more efficient and effective approaches to streamline data management practices by identifying cost-effective, easy-to-use solutions that are sufficiently robust to aggregate and analyze data across the life cycle:
Figure 4 illustrates the incident breach notification process using the privacy archetype. The value, as discussed throughout this article, is that the archetype provides a reliable, robust, organized and scalable mechanism for managing an enterprisewide privacy program. As the risk factors associated with information accrue and regulatory rule sets deepen, the archetype can endure additions and changes to the respective layers without notably distorting the system as a whole.
The market forces aggregate demand and add perspectives for exploring avenues that offset information privacy risks. Exposure of sensitive and personal information and the ever-growing threats to the security of information reveal that privacy of information is of serious concern across all business lines.
These data privacy concerns have renewed the resolve of enterprises across regions and have initiated a broad consensus among market participants to establish a robust privacy management program. However, businesses must recognize that traditional piecemeal approaches in pursuit of this resolve, however well intentioned, may end up redundant, less productive and less able to deliver on the long-term privacy management promise. Reinforcing the need for robust privacy objectives, the proposed privacy archetype focuses on the holistic privacy management paradigm and fosters continual improvement by being flexible to future advances that leading practices and regulations create.
1 Greenberg, Andy; “ID Theft: Don’t Take It Personally,” Forbes, 10 February 2010, www.forbes.com/2010/02/09/banks-consumers-fraud-technology-security-id-theft.html
2 Greenspan, Alan; “Bank Regulation,” Remarks by Chairman Alan Greenspan before the Independent Community Bankers of America National Convention, 11 March 2005, www.federalreserve.gov/boarddocs/speeches/2005/20050311
3 Office of Government Commerce (OGC), “Service Transition,” ITIL Version 3, UK, 2007
Sudhakar Sathiyamurthy, CISA, CIPP, ITIL, MCSE, works for the Enterprise Risk Services group of a Big Four advisory division. Sathiyamurthy’s areas of expertise include strategic consulting on IT governance, IT service management, IT process transformation, IT consolidation, IT risk management, and IT security and privacy services. Sathiyamurthy can be contacted at [email protected].
© 2011 ISACA. All rights reserved.