The Struggle for Privacy and the Survival of the Secured in the IT Ecosystem 


Businesses are transforming rapidly, and the technologies that evolved over the cumulative innovations of the past half-century have now begun to bring remarkable changes in the way information is managed. Although these technological innovations offer a colossal capability to capture, analyze and disseminate information, they have also brought an associated increase in the threats to the privacy of that information. Perhaps to a greater extent than ever before, current-day businesses face substantial challenges in managing the privacy of information due to the demands posed by globalization, emerging technologies and the changing regulatory landscape.

In light of the previously mentioned facts, it becomes all the more imperative for a business to find a firm foothold in ensuring the best privacy management track record in the market. This article proposes a holistic privacy archetype that provides a pragmatic approach for the business to efficiently manage and stay abreast of growing regulatory and fiduciary requirements.

The Regulatory Landscape Around Data Privacy

Privacy is essential to accomplish consumer protection. The focus on the privacy of information is gaining momentum among nations due to the burgeoning use of personal and sensitive information, the cross-functional dependency of information by businesses, and the rising number of data breaches from lack of adequate controls. According to a special report article in Forbes,1 11.2 million people were victims of identity theft or a related fraud in 2009—at an estimated cost of US $54 billion. Welcome to the world of information—where every bit of data has an associated financial quotient, which is what motivates intruders.

The regulatory landscape across the world prescribes and proscribes measures to protect the privacy of information to counteract emerging threats. Figure 1 provides a list of regulations across regions of the world (it is not necessarily all-inclusive). However, the rules are not always alike and have been enacted in relation to a region’s cultural, sociological and innate privacy threat factors. Although these regulations have played a key role in modernizing the IT compliance system, they make compliance complex because of globalization. Globalization brings new challenges for information that is exposed to multiple regulatory requirements while crossing borders.

Figure 1

The Value Proposition of Instituting a Holistic Privacy Archetype

The diverse set of regulations and their nonhomogeneity across regions may make it difficult, if not impossible, for a business to institute an efficient information privacy compliance program.

In addition, most of these regulations are backward-looking and have been promulgated in response to historic events.2 One has to acknowledge the fact that, as market dynamics change, technology, legal and reputational risks may manifest themselves in new ways or in magnitudes not previously recognized, which would call for a transformation to the regulatory rulebooks.

The importance of maintaining a viable, dynamic and progressive IT privacy management mechanism is beyond dispute among businesses. However, traditional approaches and a piecemeal compliance mind-set cannot absorb the privacy risks indefinitely or be scalable enough to cope with evolving regulatory requirements. A proactive business model would embrace an agenda that recognizes the critical role information privacy plays in the successful realization of business objectives and would transition toward a holistic privacy management archetype.

Unleashing the Holistic Privacy Archetype

The holistic privacy archetype intends to foster a sound information privacy culture within the institution by reinforcing the enterprise governance discipline through a tiered archetype. The core tiers of the archetype are the business process layer, strategy and governance layer, and operational layer. The operational layer aggregates a three-tiered fabric in itself—the process layer, control layer and component layer. Figure 2 illustrates the privacy archetype applied to the financial business model. Each tiered layer within the archetype is calibrated to specific, assigned capabilities to ensure that the system as a whole is sufficient to support a successful enterprise privacy agenda. In addition, the model is well positioned to remain aggressive and scalable to the expanding regulatory landscape.

Figure 2

Business Process Layer
Business processes are a set of coordinated tasks and activities executed by people and technology to accomplish a business service. From a business productivity standpoint, the entity’s service portfolio and top-line commitments stem from collective innovations in the business process layer. In addition, the business processes and practices are precisely the focal point in defining the business case for information flow (data collection, data storage, data handling, data sharing and data destruction) within an organization. In other words, the business process layer defines the business case for the collection of information. As the opportunities to use personal data for business grow, enterprises should analyze the adequacy of the underlying controls for managing the evolving risk exposures and strike the right balance between delivering the service customers want and the privacy they expect.

Strategy and Governance Layer
The IT privacy strategy sets the tone and direction for the privacy program, its commitment to information privacy, and the business’s overall attitude toward data protection statutes. The layer identifies the enterprise privacy charter and governance objectives and continuously monitors its appropriateness in light of the business’s inherent risk exposure resulting from corporate strategic initiatives, reorganizations and process changes.

Privacy governance characterizes a thoughtful balance between accountability and independence among roles to have clearly drawn lines of authority, limited powers and appropriate controls conducive to legislative, regulatory and industry-leading practices in managing information as an enterprise asset. Privacy governance involves many players—each with specific, assigned responsibilities—to ensure that the system, as a whole, is sufficient to support the privacy strategy and to ensure effectiveness of internal control. The key players include, but are not limited to, the:

  • Data custodian, who is responsible for the secured custody of data and executes control over the data definitions to ensure that the data conform to consistent definitions throughout the life cycle (collection, storage, handling, sharing and destruction). The data custodian enforces business rules on information, validates the security over information, approves access requests and maintains currency of access groups.
  • Data steward, who is responsible for ensuring that the data elements within the organization are in good health in terms of accuracy, completeness and consistency. The data steward performs data validation and monitoring of data (from data entry to data transformation and data consumption) and is, thus, accountable for the quality of data.
  • Data administrator, who is responsible for executing policies and procedures, such as data backup, data versioning, uploading and downloading data, database administration, and actual set-up of the data.

Operational Layer
The operational layer is envisaged as the engine that sets a successful privacy system in motion. Dynamic operational practices are the first and strongest line of defense in any information breach scenario. The operational layer comprises three integrated sublayers—the process, control and component layers—which operate in a complementary and mutually reinforcing manner to accomplish the enterprise’s privacy objectives. Figure 3 defines the elements of the operational layer and their integration with business processes.

Figure 3

Process Layer
The process layer sets down definite processes for an enterprise to manage privacy as a service. The layer thereby combines the leading practices of service management (such as those in COBIT, ITIL and ISO 27001) as a means to establish the service framework for information privacy. The belief here is that enterprises choose the processes that best fit their individual strategies:

  • Incident management—The incident management process offers a consistent mechanism for managing privacy incidents in adherence to regulatory and fiduciary requirements. The incident management process integrates functions such as privacy incident detection, analysis, coordination of appropriate incident response, escalation, communication and notification, event containment, causal analysis, forensic investigation, retention and archival of records, and incident closure. There is always a seamless integration established between the process and the control layers, through mutual handshakes, which is unique to the holistic privacy archetype. As an illustration, the incident management controls underpin the process elements, whereby the process layer establishes the process flows and the control layer defines the statutory obligation elements, such as response timelines and the associated notification requirements specific to the region, to respond to a data breach or privacy incident.
  • Change management—As business practices and products transform (new services, product sunset, change, etc.), they potentially trigger an associated change to the underlying flow of information. During such occasions, risks may manifest in new ways and in magnitudes not previously recognized, with the potential to create extremely negative consequences for sensitive and critical information. It would be imprudent if adequate mitigation controls and strategies are not planned and established before instituting such changes to the operational environment. As a leading practice, the business should reevaluate the risks related to both their conventional and transforming business processes through formal change management processes.
  • Resource management—Focusing on better resource management practices enhances service effectiveness and streamlines information governance.3 Assets that are not designed to perform at desired standards and resilience levels pose a significant threat to the information held by the organization. Assets that host personal and/or sensitive information should be validated against architecture baselines and capacity requirements through resource management processes.
  • Information security management—Information security management establishes definite practices for translating the information governance strategy of an organization into information protection themes and initiatives that are operationally viable. The information security posture of an enterprise demonstrates its strategy toward preventing security breaches and protecting the privacy of its users. Effective management of information security risk requires an enterprisewide approach to ascertain the risks associated with the information handled (i.e., collected, stored, used, transmitted, disposed) by the organization as a reasonable means to balance the legitimate expectations of information privacy against the security levels corresponding to it. From a value-proposition standpoint, the degree of detrimental impact that can result from a serious breach of privacy puts the cost value of information security management into perspective.
  • Project management—Project management harmonizes adapting and disseminating privacy management processes and controls to a broader array of ongoing and proposed business initiatives. The process fulfills its mandate to supervise and monitor the reliability and soundness of privacy management practices by establishing a privacy project management office. The privacy project management office regulates compliance of the business initiatives handling personal/sensitive information by monitoring whether the project parameters meet their intended privacy goals and by outlining overarching privacy controls through prompt examination of risks.
  • Vendor management—Outsourcing has transformed over the years, and now includes utility-based service provisioning, managed services, multisourcing, captive centers, conventional outsourcing, cloud computing and much more. From a privacy standpoint, projects managed by third-party vendors pose potential challenges, such as assumption of information management responsibilities outside the control of the source organization. The potential legal liability that may compromise the source organization’s dynamics and its privacy track record in terms of breaches would call for a robust privacy control mechanism for third-party vendors. The elements that are essential for enabling a lawful global outsourcing agenda (binding corporate rules, multiparty contracts, vendor monitoring and assurance, etc.) have to be ascertained while establishing the vendor relationship.

Control Layer
The control layer safeguards the long-term best interest of the privacy program by establishing controls to address any control weaknesses and promote compliance with laws and industry-leading practices, governance portfolios, and risk management strategies. The key elements of the control layer include:

  • Risk management—Management of IT risks begins with conducting a privacy impact assessment to spot potential concentrations of exposures by stratifying the enterprise service portfolio into segments that have common risk characteristics. The critical success element to accomplish a rigorous privacy risk management practice is to reexamine the internal and external environment exposure covenants with respect to the level and nature of information handled by the business.
  • Compliance—Equally important to the control over the identification and management of the risks is a robust internal control framework that enables organizations to maintain compliance with all applicable laws and regulations.
  • Audit and assurance—A sound privacy practice becomes meaningless if not followed rigorously. The audit and assurance function is responsible for reviewing the effectiveness of the privacy program and thereby ensuring that the process and control components of the privacy archetype remain unbroken.

Component Layer
The component layer explores innovative and effective ways to put technology to the best use in supporting privacy and data management functions, and puts in place an infrastructure that can identify, monitor and effectively control the compliance risks. Needless to say, the infrastructure should be commensurate with the nature of the organization’s risk profile.

The layer focuses on offering more efficient and effective approaches to streamline data management practices by identifying cost-effective, easy-to-use solutions that are sufficiently robust to aggregate and analyze data across the life cycle:

  • Encryption solution offers protection of sensitive information from loss and unintentional or deliberate compromise through a process in which data are converted to an unreadable format. The solution enforces security controls over data in motion and/or data at rest based on the enterprise’s business dynamics and operational complexity.
  • Data leakage prevention solution applies data leakage protection parameters over the data at rest and in transit in tune with the corporate privacy strategy by identifying the critical points of sensitive information flow within the business.
  • Data lineage solution builds the complete data lineage by deducing the chain of source-to-target relationships, thereby establishing data tracking and management associations on the data source (from where it comes to where it flows and how it is transformed as it travels through the enterprise).
  • Database activity monitoring solution prevents unauthorized activities by potential hackers, privileged insiders and end users by using policy-based controls and anomaly detection techniques.

Example of the Archetype

Figure 4 illustrates the incident breach notification process using the privacy archetype. The value, as discussed throughout this article, is that the archetype provides a reliable, robust, organized and scalable mechanism for managing an enterprisewide privacy program. As the risk factors associated with information accrue and regulatory rule sets deepen, the archetype can endure additions and changes to the respective layers without notably distorting the system as a whole.

Figure 4

Conclusion

The market forces aggregate demand and add perspectives for exploring avenues that offset information privacy risks. Exposure of sensitive and personal information and the ever-growing threats to the security of information reveal that privacy of information is of serious concern across all business lines.

These data privacy concerns have renewed the resolve of enterprises across regions and have initiated a broad consensus among market participants to establish a robust privacy management program. However, businesses must recognize that traditional piecemeal approaches in pursuit of this resolve, however well intentioned, may end up redundant, less productive and less able to deliver on the long-term privacy management promise. Reinforcing the need for robust privacy objectives, the proposed privacy archetype focuses on the holistic privacy management paradigm and fosters continual improvement by being flexible to future advances that leading practices and regulations create.

References

  • American Institute of Certified Public Accountants (AICPA), Generally Accepted Privacy Principles (GAPP), USA, 2010
  • European Union, European Parliament and Council Directive 95/46/EC of 24 October 1995 on “the protection of individuals with regard to the processing of personal data and on the free movement of such data,” http://eur-lex.europa.eu/smartapi/cgi/sga_doc?smartapi!celexplus!prod!DocNumber&lg=en&type_doc=Directive&an_doc=1995&nu_doc=46
  • International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC), ISO/IEC 27002:2005, Information technology—Security techniques—Code of practice for information security management, Switzerland, 2005
  • IT Governance Institute, COBIT® 4.1, USA, 2007
  • National Institute of Standards and Technology (NIST), Special Publication (SP) 800-30, Risk Management Guide for Information Technology Systems, USA, 2002
  • NIST, SP 800-122, Guide to Protecting the Confidentiality of Personally Identifiable Information (PII), USA, 2010
  • Office of Government Commerce (OGC), ITIL Version 3, UK, 2007
  • Organization for Economic Co-operation and Development (OECD), OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, France, 1980

Endnotes

1 Greenberg, Andy; “ID Theft: Don’t Take It Personally,” Forbes, 10 February 2010, www.forbes.com/2010/02/09/banks-consumers-fraud-technology-security-id-theft.html
2 Greenspan, Alan; “Bank Regulation,” Remarks by Chairman Alan Greenspan before the Independent Community Bankers of America National Convention, 11 March 2005, www.federalreserve.gov/boarddocs/speeches/2005/20050311
3 Office of Government Commerce (OGC), “Service Transition,” ITIL Version 3, UK, 2007

Sudhakar Sathiyamurthy, CISA, CIPP, ITIL, MCSE
works for the Enterprise Risk Services group of a Big Four advisory division. Sathiyamurthy’s areas of expertise include strategic consulting on IT governance, IT service management, IT process transformation, IT consolidation, IT risk management, and IT security and privacy services. Sathiyamurthy can be contacted at [email protected].



The ISACA Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the ISACA Journal.

Opinions expressed in the ISACA Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA and/or the IT Governance Institute® and their committees, and from opinions endorsed by authors’ employers, or the editors of this Journal. ISACA Journal does not attest to the originality of authors’ content.

© 2011 ISACA. All rights reserved.
