Jan 09 2009

The April 2009 Cutter IT Journal — with Guest Editor Cutter
Senior Consultant Rebecca Herold, recently named one of the “Best
Privacy Advisers” and “Best Privacy Consultancies” of 2008 by
Computerworld — invites insightful debate on and analyses of
approaches organizations are taking to ensure that information
security, privacy and compliance areas collaborate, and how to
address the associated convergence issues. What are the
information security, privacy and compliance issues that impact
organizations most significantly? What are the best practices for
addressing the associated compliance requirements? What are the
best ways to manage convergence? How can gaps be avoided? How can
conflicts be resolved?

Cutter IT Journal Call for Papers

The Convergence of Information Security, Privacy and Compliance

The need for convergence is nothing new.

There has been much talk recently regarding a convergence of
information security and privacy. However, this convergence has
actually existed ever since privacy became a concern. After all,
privacy requires the implementation of information security
controls and appropriate safeguards.

I experienced this relationship firsthand during the early 1990s,
before the passage of GLBA or HIPAA. At that time, although bills
addressing privacy had been considered in the US and around the
world, OECD Privacy principles were the basis for most of the
privacy requirements. While establishing the security requirements
for one of the very first online banks, I recognized the need for
a privacy policy based not simply upon legislation, but also on
the need to obtain and maintain customer trust. This policy, based
predominantly upon the OECD Privacy principles, brought the need
for security controls clearly into focus.

Over time, I’ve identified over twenty business areas where
information security and privacy responsibilities and activities
converge; this number continues to grow as technology, laws and
businesses evolve. Understanding and complying with the multiple
requirements of the at least 46 U.S. privacy breach notice laws is
a recent example of how privacy and information security need to
work together for effective enterprise-wide management. And there
are growing numbers of new U.S. state-level laws, U.S. federal
laws, and international laws.

Additionally, the growing numbers of incidents, accompanied by
growing numbers of fines, penalties and civil actions, emphasize
the need for convergence. At the core of compliance with these
hundreds of laws and regulations are three activities:

  1. understanding which information is considered personally
    identifiable information (PII) within the organization
  2. knowing where this PII is collected, where it is stored, and
    where it leaves the organization
  3. establishing effective safeguards to protect this PII
    throughout the entire information lifecycle.

Privacy is not a strictly legal issue, and information security is
certainly not a strictly technical issue; they intersect in many
ways. And there are compliance responsibilities for both, often
overlapping, but also often handled separately within
organizations. This results in either compliance gaps or
conflicting compliance activities.

Just a few of the issues where information security and privacy
governance converge include:

  • Clear text PII on mobile computers
  • Clear text PII on mobile storage devices, such as hard drives,
    backup media, and USB drives
  • Disposal of PII on paper as well as digital media
  • Employee errors in handling PII
  • Entrusting PII to business partners, such as vendors, managed
    service providers, and other outsourced service companies
  • Improper retention and inventory practices for PII

How can companies effectively work to ensure information security,
privacy and compliance areas collaborate to make initiatives most
successful?

TOPICS OF INTEREST MAY INCLUDE (but are certainly not limited to)
a combination of the following:

  • How can organizations best meet compliance with the growing
    number of information security and privacy laws, regulations and
    standards?
  • What experiences are organizations having with business
    frameworks such as ISO 27001, the OECD privacy principles, the
    AICPA/CICA GAPP, ITIL, COBIT, and COSO, to name a few?
  • How can information security incident and privacy breach
    response plans be created and implemented?
  • What risk management activities are needed to better meet
    information security, privacy (in the form of privacy impact
    assessments) and compliance requirements?
  • Is there an increased need for the adoption of information
    security, privacy and compliance scorecards for executive
    communications?
  • What type of policy is needed for information security and
    privacy — both internally as well as on websites?
  • What are the trends towards implementing permissions (opt-in and
    opt-out) databases?
  • What types of certifications are available for information
    security and privacy?
  • What types of vendor and other business partner information
    security and privacy assessments are being performed?
  • What role do information security and privacy play in a
    corporation’s acquisition of cyber risk insurance?
  • Is there a greater need for data inventories to improve
    information security, privacy and compliance?

Additional topics of interest include how organizations are
addressing the information security, privacy and compliance issues
as related to:

  1. Mobile computing
  2. Encryption implementation
  3. Employee monitoring
  4. Outsourcing
  5. Data retention compliance
  6. Authentication and identity management initiatives
  7. Expanded e-discovery requirements
  8. Disposal problems and challenges
  9. Business dependency on CRM and data mining

TO SUBMIT AN ARTICLE IDEA

Please respond to Rebecca Herold at
rebeccaherold[at]rebeccaherold[dot]com with a copy to
itjournal[at]cutter[dot]com, no later than 23 January and include
an extended abstract and a short article outline showing major
discussion points.

ARTICLE DEADLINE

Articles are due on 6 March 2009.

EDITORIAL GUIDELINES

Most Cutter IT Journal articles are approximately 2,500-3,500
words long, plus whatever graphics are appropriate. If you have
any other questions, please do not hesitate to contact CITJ’s
Group Publisher, Christine Generali at cgenerali[at]cutter[dot]com
or the Guest Editor, Rebecca Herold at
rebeccaherold[at]rebeccaherold[dot]com. Editorial guidelines are
available online.

AUDIENCE

Typical readers of Cutter IT Journal range from CIOs and vice
presidents of software organizations to IT managers, directors,
project leaders, and very senior technical staff. Most work in
fairly large organizations: Fortune 500 IT shops, large computer
vendors (IBM, HP, etc.), and government agencies. 48% of our
readership is outside of the US (15% from Canada, 14% Europe, 5%
Australia/NZ, 14% elsewhere). Please avoid introductory-level,
tutorial coverage of a topic. Assume you’re writing for someone
who has been in the industry for 10 to 20 years, is very busy, and
very impatient. Assume he or she will be asking, “What’s the
point? What do I do with this information?” Apply the “So what?”
test to everything you write.

PROMOTIONAL OPPORTUNITIES

We are pleased to offer Journal authors a year’s complimentary
subscription and 10 copies of the issue in which they are
published. In addition, we occasionally pull excerpts, along with
the author’s bio, to include in our weekly Cutter Edge e-mail
bulletin, which reaches another 8,000 readers. We’d also be
pleased to quote you, or passages from your article, in Cutter
press releases. If you plan to be speaking at industry
conferences, we can arrange to make copies of your article or the
entire issue available for attendees of those speaking engagements
— furthering your own promotional efforts.

ABOUT CUTTER IT JOURNAL

No other journal brings together so many cutting-edge thinkers,
and lets them speak so bluntly and frankly. We strive to maintain
the Journal’s reputation as the “Harvard Business Review of IT.”
Our goal is to present well-grounded opinion (based on real,
accountable experiences), research, and animated debate about each
topic the Journal explores.

FEEL FREE TO FORWARD THIS CALL FOR PAPERS TO ANYONE WHO MIGHT HAVE
AN APPROPRIATE SUBMISSION.

Christine Generali

Christine Generali is a Group Publisher for Cutter Consortium, responsible for the editorial direction and content management of Cutter's flagship publication, Cutter IT Journal.

Discussion

  One Response to “The Convergence of Information Security, Privacy and Compliance”

  1. Hi, Great blog!

    Extending the scope of your post a little – as a nurse (and occasional patient!) confidentiality (which increasingly relies on the security of ICT systems) is of course vital to my profession and professionalism in theory and practice.

    I’ve been wondering though whether the way that Jo-public views their clinical record is undergoing a change that will increasingly make it a currency for exchange within a *wider* community given the rise of electronic and personal health records, Health 2.0, 3.0…. That is a community not just restricted to health and social care professionals, but services and other agencies keen to ‘add value’.

    Health has always been commodified, but perhaps this for the ‘professions’ is the ultimate trip?

    Any thoughts – or directions to references…?

    Many thanks

    Peter Jones
    http://www.p-jones.demon.co.uk/
    Hodges’ Health Career – Care Domains – Model
    http://hodges-model.blogspot.com/
    h2cm: help 2C more – help 2 listen – help 2 care
