Layer 8

Security is fundamentally about people, and everything we know about people is relevant to security. -- B. Schneier

Why Security, Privacy and Compliance don’t mix.

I’m going to go out on a limb here and say that I think Security, Privacy and Compliance should all be owned by separate people in your organization.

Here’s why:  they can all conflict with one another at times.

Compliance is the realm of the attorney.  If the law compels it, we must do it; if the law forbids it, we must not do it.  But the counsel’s interest is in avoiding doing things that the law doesn’t compel, and figuring out how to do things that the law (theoretically) forbids.  This is not a good methodology for achieving high levels of security OR privacy.

Security is the art and science of managing risk.  Granted, one of these risks is the risk of loss due to noncompliance, but that’s only a small part of the landscape.  The ISO and the legal counsel don’t have the same view of risk; they’re complementary, but only partially overlapping.  How many times have you heard your counsel protest, “But you can’t DO/SAY that!”  (How many times have you heard the ISO say it? grin)

Privacy is the realm of protecting human interests, whether they’re humans inside your organization or outside of it.  The ISO’s view is that the more data you have, the more you know what’s going on, and therefore the better you’re managing your risk.  The attorney’s view oscillates wildly between the need to protect the organization and the need to protect the individual, depending upon which legislation he’s looking at currently.  None of these jibes well with the CEO’s need to protect the reputation of the organization by being seen as protecting privacy. 

All of these come together in unhappy ways when, for example, you have to investigate an employee.  The HR and Legal departments will base their advice on what you’re legally permitted to do and what will avoid a lawsuit (this is where the “no expectation of privacy” statement gets pushed early and often in an attempt to cover both of these areas).  The security officer will be ready and willing to produce whatever logs or forensic evidence are available.  Someone else has to worry about maintaining controls that protect an employee’s privacy (which the lawyers insist he doesn’t have a right to), for the sake of making the organization a humane place to work.

Not only that, but someone needs to be pushing for privacy and security regardless of what compliance mandates.  Legislation tends to lag significantly behind the issues as they develop; it isn’t until there is a combined surge of public sentiment and a critical mass of press coverage that lawmakers start feeling as if they should do something about it.  By that time, public sentiment has turned to outrage, and as CEO you don’t want your organization to be a focus of that outrage, nor do you want to be a poster child at the legislative hearings.

And as we all know, compliance, when it is finally extruded from the legislative sausage grinder, is not even close to “best practice,” either in the security sense or the privacy sense.  It’s a minimum baseline at best. If you want to be effective both at security and privacy, you need to be out ahead of compliance.

So if you try to wrap these three functions in one person, you’re going to get a watered-down version of all of them, and only where they overlap.  If they’re assigned to separate people, yes, you’ll still have compromises to make, but at least you’ll have interesting arguments beforehand, based on a complete picture of each area’s requirements.  In these tricky times, you’re going to need all the help and information you can get.

Posted by shrdlu on Friday, October 24, 2008

Comments

rybolov United States on 10/28  at  11:18 AM:

I usually say something like “putting on my privacy officer hat now, blah blah blah” along with a hand-and-arm gesture to signify that I have at that point changed roles and I’m now arguing another point-of-view.  These things are necessary so that people have context for what you’re saying.

And yes, I do get into disagreements with myself all the time.  Makes life oh so much interesting.  Anybody want to have a 10-way conversation between the 2 of us, each with 5 job roles, just get in touch.  =)

[email address hidden] United States on 10/28 at 11:57 AM:

We can post, we can post, everything’s under control ...

DanPhilpott United States on 10/28  at  12:18 PM:

Two points of your argument don’t quite wash for me. 

The first point is the supposition that because the disciplines described conflict they should be treated separately.  As a primary antecedent to the argument that compliance, security and privacy should be managed separately in an organization this supposition is fairly critical.  Many disciplines conflict but this conflict is rarely cause to separate them into different ownership blocks.  For example, while software license management is a legal requirement the function is not normally owned or managed by legal counsel.  In a similar sense IT security compliance is a legal requirement but assigning ownership with an organizational legal team isn’t good practice.

The second point depends on how you read the third paragraph.  If you mean to say that compliance filtered through a non-technical lawyer intent on the barest legalistic implementation isn’t a good methodology for achieving security or privacy then we are in agreement.  However, if you mean to say compliance is not a good methodology for achieving security or privacy then I would disagree.  Compliance isn’t meant to achieve the best security, it ensures a baseline level of security is implemented systematically.  To do this compliance uses a tool of great value to security regardless of compliance framework, the audit function.  This audit function is something rarely entertained in the busy ongoing security functions of an organization as it is necessarily disruptive and novel.  What it provides is a mechanism for looking at security state through a new set of eyes.  Seeing the security state as what is there, not what you think is there (or “It’s not what you expect, it’s what you inspect”, to paraphrase Joe Faraone).

My overall comment is that you are correct in a general sense but that ownership isn’t the best concept to use here.  Obviously compliance, security and privacy have a multitude of aspects in their implementation.  For example, some aspects of privacy belong in HR, some with the legal team, some with the IT staff, some with compliance, etc.  But who owns the privacy function?  It all belongs to the organization owner of course, but depending on the aspect of privacy it has different ‘owners’.  This holds for all three of the disciplines.  Responsibility for particular aspects of the disciplines seems the more fitting concept.

[email address hidden] United States on 10/28 at 03:30 PM:

shrdlu,

I definitely leave the compliance stuff to lawyers…  and auditors.  It’s what they do best.

In order to conduct effective investigations you need to seamlessly involve all three disciplines of security—I’ve actually done this in a large organization “of which I cannot speak.”  We conducted investigations of over 400 incidents, one turned out to be industrial espionage, several pr0n misuse investigations and one real espionage case.  Several people were run out of the place, and I understand one of the guys is making gravel in Kansas.

Most important before you go down this path is a policy on monitoring and privacy.  ++Don’t even look until you have a policy.++  Which basically should say something like, “We have kewl toys to watch your every move, and we know how to use them. You don’t own squadouche but the clothes on your back, and, if you want privacy, go to the bathroom.”  Or words to that effect…

I guess in this context privacy actually takes the place of discretion—think of it as “respecting the rights of the guilty until you can prove it.”  Bottom line—false positives can ruin a career if word leaks out and the investigation fails to turn up anything. This is where the lawyer can actually help.  “Person of Interest” is for Greta and Nancy—not your security shop.

You also need an investigation policy which details the exact steps you’ll follow when someone has crossed the line… everything from forensic backups to who gets notified, how and where the evidence will be stored, and how folks can access the info…

Bottom line: don’t try this at home, but if you proceed professionally, it won’t cause injury.

Vlad
a.k.a. Joe F

Myrcurial Canada on 11/17  at  08:49 AM:

There’s a reason I’ve been ranting about CRAPS having to get along with each other…

Compliance, Risk, Audit, Privacy and Security all need a place at the table and need to understand how to get along. Should some of those roles be commingled, well, you either need a finely developed sense of multiple personality disorder, or you’d better have at least “stand-in” persons with that accountability for when the fit hits the shan and you’ve got to perform as a committee.

Or something.

It is Monday morning after all.
