When performing privacy impact assessments (PIAs), the major issue seems to be a lack of focus. Key stakeholders in companies pay very little attention to posted privacy notices. In fact, in Rebecca's experience with hundreds of clients, 95% of their IT stakeholders never read the security and privacy requirements in the contracts they have with their vendors, or, where they perform services for other organisations, the security and privacy requirements their clients impose in those contracts. This is an enormous problem.
Making the problem worse, these IT stakeholders often have no access to privacy-specific training.
To deal with this challenge, organisations need to ensure that information in eight key areas is made available to IT stakeholders.
Knowledge is power
The first of these areas is knowledge of exactly what data the organisation holds. The challenge is that privacy is a very subjective term. What counts as a privacy matter varies from state to state, country to country and even industry to industry, and also depends on the type of data being handled. IT stakeholders need to know what the organisation considers to be personal information. Too often that is lacking, or not well defined.
The key to success might well be simple communication. When doing PIAs, key stakeholders need face-to-face time to discuss the business and how it uses its information. Legal, IT, HR, marketing and information security need to know what data is in the business and how it is being treated in order to address specific challenges. Imagine for a moment a company hiring new staff. It collects applications and makes its choice. But where is the information on the applicants who were not hired: Social Security and worker ID numbers, dates of birth, names and addresses? If nobody knows that this data is sitting in an HR system, it typically has no real access control. It is information that needs to be purged: those people are not clients, employees or customers. It is a privacy disaster waiting to happen. Collecting, sharing and inventorying the data held by the various stakeholders in the company is absolutely essential. It is one of the ways that awareness of, and then access to, sensitive information can be controlled, and uncontrolled access is an enormous threat.
The need for due diligence
Doing the PIA also reveals both upstream and downstream threats to privacy. Engaging contractors, vendors, business associates and even volunteers, students and interns requires a great deal of due diligence, because these are people who often have broad access to data.
Interns in particular can present challenges: they have often not signed the same kind of confidentiality or non-disclosure agreements that employees and contractors have.
Without laser-like focus you can end up with a contractor handling the company's data who employs someone with a grievance against that company, another recipe for disaster. It is absolutely essential that the organisation knows who is getting access to personal information without being under any contractual obligation to it. The organisation needs to know which entities are involved in accessing data and be cognisant of the risk each poses to privacy. Ideally, no person or entity should get access to personal information unless they have, at a minimum, signed some type of agreement to follow the organisation's security and privacy policies and to safeguard the information appropriately while it is under their control.
Data lifecycle concerns
The entire team of stakeholders needs to be aware of the full data lifecycle. The organisation needs to know where data is collected or from what it is derived. As a matter of best practice, a data lifecycle diagram should be developed. Rebecca has used Mindjet MindManager to document personal information data flows through the entire lifecycle; it provides a valuable way to show the different attributes of information. Typically the diagram is populated from a high-level, comparatively simple questionnaire that can be administered automatically, such as the automated evaluations Rebecca created and uses within her SIMBUS services.
It is also extremely important to factor in how data is collected. The ubiquitous use of cloud applications such as Dropbox remains an area of concern, as do networked fax machines, which are still in widespread use in small and medium-sized businesses. Key internal and external stakeholders need to be made aware of the concerns and security risks surrounding these collection methods. Who exactly has access to the data, not only internally but also among external stakeholders, is of particular concern. Doing business with government can be especially challenging because of the rigid requirements government entities place on how data is provided; it is not unknown for agencies to require that personal information be sent to them in clear-text messages and unencrypted email attachments.
Storage remains at the core of any PIA. Basic questions, such as what encryption and other security controls are applied, need to be examined. Cloud storage in particular is challenging. It is neither good nor bad in itself; it is only as good as the controls and security built into a particular service.
Personal endpoint devices and their use need to be carefully controlled and vetted. It is not unusual for employees to store organisational data on their own devices. Often people do not even realise that they are using a personal device to access the company network, or that reading email on it leaves copies of messages stored on the device. If people do not understand how a technology works, they often accumulate far more data than they realise. This is becoming even more challenging with the rapidly expanding internet of things (IoT).
Backups: know where your backups are. In too many risk assessments and PIAs the results showed that people did not even know where their backups were kept. Copies of personal information turned up in many different locations, including people's homes, USB drives and other removable storage. The organisation needs to be aware of this. Do not forget printed information either; there have been many breaches because of the lack of controls around printouts.
The end of the data lifecycle is also often overlooked. Disposal of data should be an area of concern: how is the organisation getting rid of data, how long is it being retained, and how is it deleted once it is no longer needed?
Without answers to these questions there are weaknesses throughout the entire data lifecycle.
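The checks above (purge records whose purpose has ended, know every copy and who can reach it, require an agreement from every recipient, watch clear-text collection channels and unencrypted storage) can be run mechanically once the inventory exists. The following Python script is an added example and is not part of the original post, nor Rebecca's SIMBUS tooling or MindManager diagrams. It builds a constructed inventory modelled on the post's cases (rejected job applicants left in an HR system with a copy on a recruiter's laptop, forms arriving by fax, a contractor who signed nothing) and audits it against the lifecycle rules. The dataset names, field names, location and channel labels and the list of what counts as personal information are all assumptions; the post stresses that the last of these must be agreed inside each organisation.

```python
"""Data-inventory audit for a privacy impact assessment (added example).

Every name, label and record below is constructed for illustration and is
not drawn from any real organisation or from the original post.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta

# Fields the organisation has decided count as personal information (assumed list).
PII_FIELDS = {"name", "home_address", "date_of_birth", "ssn", "worker_id", "email"}

# Storage locations outside the managed, access-controlled estate (assumed labels).
UNMANAGED_LOCATIONS = {"usb_drive", "personal_laptop", "home_pc", "paper_printout"}

# Collection channels that carry personal information in clear text (assumed labels).
CLEAR_TEXT_CHANNELS = {"email_attachment", "fax", "sms"}


@dataclass
class DataStore:
    location: str            # e.g. "hr_system", "cloud_share", "usb_drive"
    encrypted_at_rest: bool
    access_controlled: bool  # restricted to named roles and logged


@dataclass
class Recipient:
    name: str
    kind: str                # "employee", "contractor", "intern", "vendor", ...
    agreement_signed: bool   # bound to the organisation's security/privacy policies


@dataclass
class DataSet:
    name: str
    fields: set
    collected_via: str
    purpose_fulfilled_on: date   # date the data stopped being needed; retention runs from here
    retention_days: int
    stores: list = field(default_factory=list)
    recipients: list = field(default_factory=list)


def audit(inventory, today):
    """Return (dataset, issue, detail) findings for every dataset that holds PII."""
    findings = []
    for ds in inventory:
        pii = sorted(ds.fields & PII_FIELDS)
        if not pii:
            continue  # no personal information: out of scope for the PIA
        if ds.collected_via in CLEAR_TEXT_CHANNELS:
            findings.append((ds.name, "clear_text_collection", ds.collected_via))
        if today - ds.purpose_fulfilled_on > timedelta(days=ds.retention_days):
            findings.append((ds.name, "retention_expired", "holds " + ", ".join(pii)))
        for store in ds.stores:
            if store.location in UNMANAGED_LOCATIONS:
                findings.append((ds.name, "unmanaged_copy", store.location))
            if not store.encrypted_at_rest:
                findings.append((ds.name, "unencrypted_at_rest", store.location))
            if not store.access_controlled:
                findings.append((ds.name, "no_access_control", store.location))
        for r in ds.recipients:
            if not r.agreement_signed:
                findings.append((ds.name, "recipient_without_agreement", f"{r.name} ({r.kind})"))
    return findings


def build_sample_inventory(today):
    """Constructed inventory mirroring the post's examples."""
    return [
        # Unsuccessful applicants: purpose ended over a year ago, still in the HR
        # system without access control, copied to a recruiter's laptop, and shared
        # with a recruiting contractor who has signed no agreement.
        DataSet(name="rejected_applicants_2015",
                fields={"name", "home_address", "date_of_birth", "ssn", "cover_letter"},
                collected_via="web_form",
                purpose_fulfilled_on=today - timedelta(days=400),
                retention_days=180,
                stores=[DataStore("hr_system", True, False),
                        DataStore("personal_laptop", False, False)],
                recipients=[Recipient("Acme Recruiting", "contractor", False)]),
        # Benefits forms still arriving on a networked fax machine; otherwise well kept.
        DataSet(name="benefits_enrolment_forms",
                fields={"name", "ssn", "date_of_birth"},
                collected_via="fax",
                purpose_fulfilled_on=today,        # still in active use
                retention_days=365 * 7,
                stores=[DataStore("hr_system", True, True)],
                recipients=[Recipient("benefits vendor", "vendor", True)]),
        # Current employees: in use, managed, encrypted, every recipient bound.
        DataSet(name="employee_master",
                fields={"name", "worker_id", "home_address", "email"},
                collected_via="hr_portal",
                purpose_fulfilled_on=today,
                retention_days=365 * 7,
                stores=[DataStore("hr_system", True, True)],
                recipients=[Recipient("payroll vendor", "vendor", True),
                            Recipient("summer intern", "intern", True)]),
        # Product catalogue: no personal information, so the audit ignores it.
        DataSet("product_catalogue", {"sku", "price"}, "erp", today, 3650),
    ]


def sample_findings(today=date(2016, 10, 1)):
    """Audit the constructed inventory as of a fixed date."""
    return audit(build_sample_inventory(today), today)


if __name__ == "__main__":
    for dataset, issue, detail in sample_findings():
        print(f"{dataset:26} {issue:28} {detail}")
```

Run as written, the script reports seven findings: six against the rejected-applicant data (expired retention, no access control in the HR system, an unmanaged and unencrypted copy on a laptop, and a contractor with no agreement) and one clear-text collection finding for the faxed forms; the employee master and the product catalogue produce none. In practice the inventory would be loaded from the questionnaire results rather than hard-coded, but the rules stay the same.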