by Patrick Romero
This last lesson of the CIPP study guide was on information security. The lesson describes the systems, policies and controls within a typical corporate environment. One of the themes espoused by the speaker was that security and privacy are not mutually exclusive concepts. One quote that stood out was that "you can have security without privacy, but you cannot have privacy without security."
The speaker goes on to describe the six types of security controls that would help reduce risk exposure and protect information. I won't bore you with the details, but they were a pretty extensive list of technical and physical security measures.
Another part of the lesson that I found interesting was when the discussion turned to the security requirements that should be addressed in a contract when outsourcing data activities. As I have mentioned before, I am currently taking an intellectual property drafting class dealing with software licenses and agreements, and the issue of liability and indemnity clauses often comes up. While most contracts tend to be reused by attorneys, it's always a smart policy to make sure that specific clauses are present.
The speaker goes over some of the basic elements of a contract when dealing with security, such as describing the clear roles and responsibilities for the parties. Who is responsible for storing the data? How will the information be stored? What security measures will be taken to ensure confidentiality? The speaker recommends that businesses should ask for the right to conduct audits of the outsourcing entity, preferably with an independent third party. This avoids any conflicts of interest and preserves the integrity of the audit.
The larger part of the lesson deals with authentication and authorization. Authentication is the process of confirming an identity, and there are several well-known methods to authenticate the credentials of an individual. We all know the most common way to authenticate a person or information on a computer is through passwords. Others include the smart cards that the military and other government agencies issue; many of these cards contain a small electronic device.
Another concept worth mentioning is Public Key Infrastructure. While there is more to PKI than what was discussed, PKI is a very strong non-repudiation technology that can authenticate the validity of each person involved in an e-transaction. Other methods are digital signatures and Digital.
One method of authentication that has been getting coverage in the news is biometrics. Biometrics continue to gain in popularity as a useful technique to enhance security for commercial purposes as well. Currently, there are no state or federal laws that specifically govern the use of biometric information by public or private organizations. At the SoHo Loft, a posh New York hotel, guests can use their index fingerprint to open the doors to their rooms. The hotel states that it throws away the scanned fingerprints every few days. As the law now stands, their legal obligations would appear to fall under traditional privacy laws related to the protection of medical and financial information.
Authorization is the process of determining if the user, once identified, is permitted to have access to the resource. The speaker discusses the importance of role-based access in determining who can do what to which information. The concept of role-based and need-to-know access is crucial in protecting data within an organization. Other preventative measures to limit access would be to implement identity management solutions that allow for one authoritative source, single or reduced sign-on, segregation of duties, and ease of access with controls.
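To make the role-based, need-to-know and segregation-of-duties ideas above concrete, here is an added example (my own illustration, not material from the CIPP lesson): a small default-deny authorization model in which roles carry explicit resource/action permissions and certain role pairs can never be held by the same person. The role names, resources and the separated pair are constructed for illustration.

```python
# Added example: minimal role-based access control with need-to-know
# (default deny) and a segregation-of-duties constraint on role assignment.
from dataclasses import dataclass, field

# Each role maps to the (resource, action) pairs it is permitted to perform.
# Constructed sample data; not a real organization's role catalogue.
ROLE_PERMISSIONS = {
    "hr_clerk":          {("employee_record", "read")},
    "hr_manager":        {("employee_record", "read"), ("employee_record", "write")},
    "payment_requester": {("payment", "request")},
    "payment_approver":  {("payment", "approve")},
}

# Pairs of roles that one person must never hold at the same time,
# so that the person who requests a payment cannot also approve it.
SEPARATED_ROLES = {frozenset({"payment_requester", "payment_approver"})}


class SegregationOfDutiesError(ValueError):
    """Raised when a role assignment would violate segregation of duties."""


@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)


def assign_role(user: User, role: str) -> None:
    """Grant a role, refusing combinations that violate segregation of duties."""
    if role not in ROLE_PERMISSIONS:
        raise KeyError(f"unknown role: {role}")
    for pair in SEPARATED_ROLES:
        # Conflict if the new role is in a separated pair and the user
        # already holds the other role of that pair.
        if role in pair and (pair - {role}) & user.roles:
            raise SegregationOfDutiesError(
                f"{user.name} cannot hold both roles in {sorted(pair)}")
    user.roles.add(role)


def is_authorized(user: User, resource: str, action: str) -> bool:
    """Default deny: permit only if some role the user holds grants the exact pair."""
    return any((resource, action) in ROLE_PERMISSIONS[r] for r in user.roles)
```

Because `is_authorized` checks the exact resource/action pair, a clerk who can read records is still denied writes, which is the need-to-know behaviour the lesson describes.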
Since this was the last lesson of the CIPP, I have to admit that it feels a little anticlimactic. I have been studying for the exam these last couple of weeks and I definitely have a new knowledge base of the privacy sector. I never imagined that there was so much information involved, and it is definitely going to keep growing in our information-based economy. I hope that I didn't bore anyone too much, but at least people know what it is like to prepare for the exam to become a Privacy Professional.