Privacy and Security... Which comes first? Presented at SAINTCON 2016

by Jerry Smith

Summary: This presentation will deal with the issue of privacy and information security and how both share the technology space. Let's start with definitions for both privacy and security.
Although privacy and information security are often used as synonyms, they share more of a symbiotic relationship. Just as a security system protects the privacy and integrity of a site, an information security policy can be put in place to assist and add to the overall privacy posture. Privacy is crucial to a business when it is trusted with the personal and highly private information of its consumers; the business must enact an effective information security policy to protect this data and maintain that trust.
Privacy is suitably defined as the appropriate use of data. When companies and vendors use data or information that is provided or entrusted to them, the data should be used according to the agreed purposes. Health and Human Services (HHS), the Office of Civil Rights (OCR), the Federal Trade Commission (FTC), and the Consumer Financial Protection Bureau (CFPB) enforce penalties against companies that have neglected to ensure the privacy of a customer's data. In some cases, companies have lost, sold, disclosed, rented, or had stolen data or information that was entrusted to them or to other parties associated or affiliated with them.
Information Security?
Information security is commonly referred to as the confidentiality, availability, and integrity of data. In other words, it is all of the practices and processes that are in place to ensure data isn't being used or accessed by unauthorized individuals or parties. Information security ensures that the data is accurate and reliable and is available when those with authorized access need it. An information security plan includes facets such as collecting only the required information, keeping it safe, and destroying any information that is no longer needed. These steps will help any business meet the legal obligations of possessing sensitive data.
Think of privacy as being controlled with a hearts-and-minds process. You implement controls for privacy by policy and by controlling how your staff interacts with the data. You monitor how staff interacts with the data and whether they access data in the proper manner or exceed the authority that they have been provided. The biggest challenge in establishing regulatory-required control is role-based access control, or RBAC. While it may appear straightforward, it is much more difficult to achieve in the real world because of the large number of roles and the blending of roles in an operational environment. Technological controls aren't always the best fit in this type of situation.
However, technological controls do fit better in the information security environment and do provide the controls that are needed to provide protection to your technology environment. This is typically achieved with firewalls, VPN concentrators, a variety of rules on routers, various taps, as well as other devices that control how traffic moves through the network and is shaped to control access and deny access where needed.
The mistake is to think that technological controls can provide the same measure of control that is needed to meet regulatory rules for compliance with privacy rules. The key is to remember that we are controlling how people act. Technology only goes so far in controlling how a person interacts within an application. Typically, technology can deliver you to the door or deny you entry to the door; the tough part is controlling what you do once you are through the door.