9 January 2009, 04:23 PM

The Convergence of Information Security, Privacy and Compliance

The April 2009 Cutter IT Journal -- with Guest Editor Cutter Senior Consultant Rebecca Herold, recently named one of the "Best Privacy Advisers" and "Best Privacy Consultancies" of 2008 by Computerworld -- invites insightful debate on and analyses of approaches organizations are taking to ensure that information security, privacy and compliance areas collaborate, and how to address the associated convergence issues. What are the information security, privacy and compliance issues that impact organizations most significantly? What are the best practices for addressing the associated compliance requirements? What are the best ways to manage convergence? How can gaps be avoided? How can conflicts be resolved?

Cutter IT Journal Call for Papers

The Convergence of Information Security, Privacy and Compliance

The need for convergence is nothing new. There has been much talk recently about a convergence of information security and privacy. However, this convergence has actually existed ever since privacy became a concern. After all, privacy requires the implementation of information security controls and appropriate safeguards. I experienced this relationship firsthand during the early 1990s, before the passage of GLBA or HIPAA. At that time, although bills addressing privacy had been considered in the US and around the world, the OECD Privacy principles were the basis for most privacy requirements. While establishing the security requirements for one of the very first online banks, I recognized the need for a privacy policy based not simply upon legislation, but also on the need to obtain and maintain customer trust. This policy, based predominantly upon the OECD Privacy principles, brought the need for security controls clearly into focus. Over time, I've identified over twenty business areas where information security and privacy responsibilities and activities converge; this number continues to grow as technology, laws and businesses evolve. Understanding and complying with the multiple requirements of the at least 46 U.S. privacy breach notice laws is a recent example of how privacy and information security need to work together for effective enterprise-wide management. And there are growing numbers of new U.S. state-level laws, U.S. federal laws, and international laws. Additionally, the growing number of incidents, accompanied by growing numbers of fines, penalties and civil actions, emphasizes the need for convergence. At the core of compliance with these hundreds of laws and regulations are three activities:
  1. understanding which information is considered personally identifiable information (PII) within the organization
  2. knowing where this PII is collected and stored, and where it leaves the organization
  3. establishing effective safeguards to protect this PII throughout the entire information lifecycle.
Privacy is not a strictly legal issue, and information security is certainly not a strictly technical issue; they intersect in many ways. There are compliance responsibilities for both, often overlapping, but also often handled separately within organizations. This results in either compliance gaps or conflicting compliance activities. Just a few of the issues where information security and privacy governance converge include:
  • Clear text PII on mobile computers
  • Clear text PII on mobile storage devices, such as hard drives, backup media, and USB drives
  • Disposal of PII on paper as well as digital media
  • Employee errors in handling PII
  • Entrusting PII to business partners, such as vendors, managed service providers, and other outsourced service companies
  • Improper retention and inventory practices for PII
How can companies effectively work to ensure that the information security, privacy and compliance areas collaborate to make initiatives most successful? The April 2009 Cutter IT Journal, with Guest Editor Rebecca Herold, invites insightful debate on and analyses of the approaches organizations are taking, and of how to address the associated convergence issues.

TOPICS OF INTEREST MAY INCLUDE (but are certainly not limited to) a combination of the following:
  • How can organizations best meet compliance with the growing number of information security and privacy laws, regulations and standards?
  • What experiences are organizations having with business frameworks such as ISO 27001, the OECD privacy principles, the AICPA/CICA GAPP, ITIL, COBIT, and COSO, to name a few?
  • How can information security incident and privacy breach response plans be created and implemented?
  • What risk management activities are needed to better meet information security, privacy (in the form of privacy impact assessments) and compliance requirements?
  • Is there an increased need for the adoption of information security, privacy and compliance scorecards for executive communications?
  • What type of policy is needed for information security and privacy -- both internally as well as on websites?
  • What are the trends towards implementing permissions (opt-in and opt-out) databases?
  • What types of certifications are available for information security and privacy?
  • What types of vendor and other business partner information security and privacy assessments are being performed?
  • What role do information security and privacy play in a corporation's acquisition of cyber risk insurance?
  • Is there a greater need for data inventories to improve information security, privacy and compliance?
Additional topics of interest include how organizations are addressing the information security, privacy and compliance issues as related to:
  1. Mobile computing
  2. Encryption implementation
  3. Employee monitoring
  4. Outsourcing
  5. Data retention compliance
  6. Authentication and identity management initiatives
  7. Expanded e-discovery requirements
  8. Disposal problems and challenges
  9. Business dependency on CRM and data mining

TO SUBMIT AN ARTICLE IDEA

Please respond to Rebecca Herold at rebeccaherold[at]rebeccaherold[dot]com with a copy to itjournal[at]cutter[dot]com, no later than 23 January and include an extended abstract and a short article outline showing major discussion points.

ARTICLE DEADLINE

Articles are due on 6 March 2009.

EDITORIAL GUIDELINES

Most Cutter IT Journal articles are approximately 2,500-3,500 words long, plus whatever graphics are appropriate. If you have any other questions, please do not hesitate to contact CITJ's Group Publisher, Christine Generali at cgenerali[at]cutter[dot]com or the Guest Editor, Rebecca Herold at rebeccaherold[at]rebeccaherold[dot]com. Editorial guidelines are available online.

AUDIENCE

Typical readers of Cutter IT Journal range from CIOs and vice presidents of software organizations to IT managers, directors, project leaders, and very senior technical staff. Most work in fairly large organizations: Fortune 500 IT shops, large computer vendors (IBM, HP, etc.), and government agencies. 48% of our readership is outside of the US (15% from Canada, 14% Europe, 5% Australia/NZ, 14% elsewhere). Please avoid introductory-level, tutorial coverage of a topic. Assume you're writing for someone who has been in the industry for 10 to 20 years, is very busy, and very impatient. Assume he or she will be asking, "What's the point? What do I do with this information?" Apply the "So what?" test to everything you write.

PROMOTIONAL OPPORTUNITIES

We are pleased to offer Journal authors a year's complimentary subscription and 10 copies of the issue in which they are published. In addition, we occasionally pull excerpts, along with the author's bio, to include in our weekly Cutter Edge e-mail bulletin, which reaches another 8,000 readers. We'd also be pleased to quote you, or passages from your article, in Cutter press releases. If you plan to be speaking at industry conferences, we can arrange to make copies of your article or the entire issue available for attendees of those speaking engagements -- furthering your own promotional efforts.

ABOUT CUTTER IT JOURNAL

No other journal brings together so many cutting-edge thinkers, and lets them speak so bluntly and frankly. We strive to maintain the Journal's reputation as the "Harvard Business Review of IT." Our goal is to present well-grounded opinion (based on real, accountable experiences), research, and animated debate about each topic the Journal explores. FEEL FREE TO FORWARD THIS CALL FOR PAPERS TO ANYONE WHO MIGHT HAVE AN APPROPRIATE SUBMISSION.

Comments and Trackbacks

  1. Hi, great blog!

    Extending the scope of your post a little: as a nurse (and occasional patient!) confidentiality (which increasingly relies on the security of ICT systems) is of course vital to my profession and professionalism in theory and practice.

    I've been wondering, though, whether the way that Joe Public views their clinical record is undergoing a change that will increasingly make it a currency for exchange within a *wider* community, given the rise of electronic and personal health records, Health 2.0, 3.0... That is, a community not just restricted to health and social care professionals, but services and other agencies keen to 'add value'.

    Health has always been commodified, but perhaps this, for the 'professions', is the ultimate trip?

    Any thoughts, or directions to references...?

    Many thanks

    Peter Jones
    http://www.p-jones.demon.co.uk/
    Hodges’ Health Career – Care Domains – Model
    http://hodges-model.blogspot.com/
    h2cm: help 2C more – help 2 listen – help 2 care
