When performing privacy impact assessments (PIAs), the major issue seems to be a lack of focus. Key stakeholders in companies pay very little attention to posted privacy notices. In fact, in Rebecca’s experience with hundreds of clients, 95% of their IT stakeholders never read the security and privacy requirements within the contracts they had with their contracted vendors, or, if they perform services for other organisations, they have not read the security and privacy requirements in their clients’ contracts. This is an enormous problem.
Making the problem even worse is the fact that these IT stakeholders often do not have access to training specific to privacy.
In order to deal with this challenge, organisations need to ensure that information in 8 key areas is made available to IT stakeholders.
Knowledge is power
The first of these areas is knowledge of exactly what data the organisation has. The challenge is that privacy is a very subjective term. What counts as a privacy concern can vary from state to state and country to country, or even by industry, and is also dependent on the type of data being handled. IT stakeholders within the organisation need to know what is considered to be personal information within the organisation. Too often that is lacking, or not well defined.
The key to success might well be simple communication. When doing PIAs, key stakeholders need face-to-face time to discuss the business and how they are using their information. Legal, IT, HR, marketing and information security need to be aware of the data within the business and how it is being treated in order to address specific challenges. Imagine for a moment a company seeking new hires. They collect the information and make their choice. However – where is the information about those who did not succeed with their application? Social Security and worker ID numbers, date of birth, names and addresses. If nobody knows that this data resides within an HR system, it typically has no real access control. That is information that needs to be purged. Those people are not clients, they are not employees and they are not customers. It is a privacy disaster waiting to happen. Collecting, sharing and inventorying the data that is being held by the various stakeholders in the company is absolutely essential. This is one of the ways that awareness of, and then access to, sensitive information can be controlled – uncontrolled access presents an enormous threat.
The need for due diligence
Doing the PIA also reveals both upstream and downstream threats to privacy. The employment of contractors, vendors, business associates and even volunteers, students and interns requires enormous amounts of due diligence – these are people who often have general access to data.
Interns especially can present challenges. Often interns have not signed the same type of confidentiality or non-disclosure agreements that other personnel have.
Without a laser-like focus you can end up with situations where a contractor (for example) is handling data and employs someone with a grievance against the company holding that data – another recipe for disaster. It is absolutely essential that the organisation knows about the people getting access to personal information who are not under any contractual obligation to the organisation. An organisation needs to know about the different entities involved in accessing data and be cognisant of the risk that those entities pose to the maintenance of privacy. Ideally, no people or entities should get access to personal information unless they have, at a minimum, signed some type of agreement to follow the organisation’s security and privacy policies and to provide appropriate safeguards for the information while it is under their control.
Data lifecycle concerns
The entire team of stakeholders needs to be aware of the full data lifecycle. The organisation needs to know where the data is collected or from where it is derived. As part of best practice, a data lifecycle diagram should be developed. Rebecca has utilised the Mindjet MindManager software to document personal information data flows throughout the entire lifecycle. It can provide a valuable way to show the different attributes of information. Typically this would be populated with information gathered via a high-level and comparatively simple questionnaire which can be administered automatically, such as the types of automated evaluations Rebecca created and uses within her SIMBUS services.
It is also extremely important to factor in the way that data is collected. The ubiquitous use of cloud applications such as Dropbox is still an area of concern, as are networked fax machines, which are still in widespread use in small to medium-sized businesses. Key internal and external stakeholders need to be made aware of the concerns and related security risks surrounding these methods of gathering data. The question of who exactly has access to the data, not only internally but also amongst external stakeholders, is of particular concern. Doing business with government can be especially challenging due to the rigid requirements that government entities impose on data handling. It is not unknown for government agencies to require that personal information be provided to them in clear-text messages and email attachments.
Storage remains at the core of any PIA. Simple questions, such as what level of encryption and which security controls are in place, need to be examined. Cloud storage in particular is challenging. It is neither good nor bad – it is only as good as the controls and security that are built into a particular service.
Personal endpoint devices and their use need to be carefully controlled and vetted. It is not unusual for employees to use their own personally owned devices to store organisational data. Often people do not even realise that when they use their own personal device to access their company network or to read their email, copies are being stored on the device as they do so. If people do not understand how a technology works, they often accumulate far more data than they realise. This is becoming even more challenging due to the quickly expanding internet of things (IoT) environment.
Backups. Know where your backups are. In too many risk assessments and PIAs the results show that people did not even know where they kept their backups. Copies of personal information appeared in many different locations, including in people’s homes, on USB drives or on other types of storage. The organisation needs to be aware of this. Do not forget about printed information. There have been many breaches because of the lack of controls around printouts.
What is often also overlooked is the end of the data lifecycle. The disposal of data should also be an area of concern. How is the organisation getting rid of data? How long is the data being retained? How is it deleted when it is no longer needed?
Without answers to these questions there are weaknesses during the entire data lifecycle.
Law and regulation
It appears that an overwhelming number of IT stakeholders have not reviewed the organisation’s own posted privacy notice, even though the notice establishes a legally binding requirement. There seems to be a focus on the external regulatory and legal requirements – however, internal requirements often take a back seat. Senior management should not take it for granted that IT stakeholders understand all the controls that can be used to support privacy or security – often they lack such understanding because they have not received training in the field of access control and other important information security topics. Often the attitude is along the lines of ‘encryption is in place – problem solved.’ Encryption is a good thing – if you are using it appropriately and in the right circumstances, but you have to go far beyond that and use access controls, proper authentication, user activity logging and so on, and certainly training in identifying risk and the avenues open to mitigating that risk.
The risk of complacency
Too often the attitude is that ‘the network is secured, the application is secured, the data is identified and secured – so the organisation is done with security and privacy.’ The organisation has a certificate from an auditor who came in and reviewed the system, so the job is finished. However, the business environment is fluid. Mergers, acquisitions and divestitures all change that environment, as do system, application and network changes, and operational and business process changes, so constant evaluation and refinement needs to be part of the organisational mind-set.
Challenges – Statistics
As mentioned, personal devices continue to be a challenge and often a weak point in the data security and privacy cycle. UK research released in October 2016 indicated that 70% of the workers within the UK use their own personally owned devices, yet only 39% of the organisations had a policy about how those personally owned devices could be used. One finding was especially striking. Of the organisations where workers used personally owned devices and where requirements for securing such devices were implemented, only 14% of the workers were actually using the security tools and security apps that were provided to them for use on their personal devices. That is an enormous vulnerability.
The IoT is now providing even more challenges. A great example is wearables. These are becoming more and more popular. These devices are often gathering information without the user even being aware. Often such a device could be collecting data within your work environment. These devices could be connecting to your network and sharing data, or collecting data from your network, if you do not have appropriate security controls in place. A lot of that could be personal information, which is certainly a privacy issue.
A February 2016 study found that there were 123 million wearables sold in 2015, and it projects that there will be 411 million sold in 2020. Think of all those millions of wearables collecting data and attaching to networks in your organisation. All of that data, which may include personal information, could be pulled from your network.
Today there are 80 smart devices that are connecting for the first time to the internet every single second. By 2020 this number is projected to be 250 smart devices connecting to the internet for the first time every second. That should raise a red flag for all IT professionals involved in privacy and security.
As mentioned previously, the cloud remains a challenge. Microsoft has found that, of the employees that have access to the cloud services they use to support their work activities, 91% used their personal accounts on a cloud service for work-related activity – and they used those services from their own personally owned devices. Often these devices are used by multiple people, and these devices automatically authenticate the user. A clear risk.
98% of IT employees have never read their organisation’s official posted privacy notice, and often did not even know one existed. 85% of IT employees do not know what their contractual security and privacy requirements are in terms of their contracts with other businesses. 95% of IT employees have not received privacy training. If these issues were dealt with effectively, with management support, those percentages would each go down to less than 10%. Add in the very important question of accountability, where CEOs, presidents or executive VPs are required to actually sign a document indicating that they understand the implications of the need for security and privacy controls within their business, and their personal responsibility for ensuring such, and the journey towards a much more secure environment is much easier.