Congratulations! You are part of one of the fastest growing professions and one at the forefront of where our information society is heading. Welcome to being a privacy professional.
Well, having been selected to drive privacy and data protection throughout your organization, you clearly understand the ins and out of things like the fair information principles and requirements for notice, consent, and erasure – but, what about security? What do you need to know about things like confidentiality, integrity, and availability? To succeed as a privacy professional, you need also to think like a security professional and, while you don’t have to become a technical expert, there are some core knowledge points you should add to your professional skills.
So, what should you know and how should you get there? Let’s break this down to four steps on the road to getting security savvy.
First step: CIA
To begin, you need to understand the underlying principles that drive management of security – confidentiality, integrity, and availability. These three principles are the core attributes in defining security and the risks that impact it.
For a privacy professional, confidentiality is a principle easily understood and at the core of ensuring privacy. Confidentiality addresses who can access what from where and when it may be done. Confidentiality looks to preserve restrictions on information access and disclosure, including the means to protect personal and proprietary information. Properly implemented, an information security management system ensures that sensitive information is not disclosed to unauthorized or improper individuals, entities, or processes.
The integrity principle is better known to privacy professionals through the applicable of the accuracy rule, but focuses more on systemic and data-centric integrity and not just having the “correct” information. Integrity means safeguarding against improper or unauthorized modification or erasure, including conditions of nonrepudiation (preventing the disassociation of ownership or handling from an individual, organization, or process) and authenticity (attesting the accuracy and truth of the underlying information). By addressing that information has not been changed, destroyed, or lost in an unauthorized, undetected, or accidental way, individuals, organizations, and processes may have confidence regarding the information in storage, during processing, and while in transit.
The availability principle is somewhat alien to privacy professionals, as it seems that they are usually trying to ensure almost the opposite; however, the availability principle addresses the timely and reliable access to and use of information. By ensuring information is obtainable and ready for use on demand or when required, authorized and proper individuals, organizations, or processes can supply the flow of information to support necessary operations without interruption. While availability is important to any function—think about when you can’t access your work files—it becomes highly critical for operations, such as healthcare, financial transactions, and the like, which need the underlying information to continue and work as expected.
Second step: Risk assessment
The next knowledge point is to understand risk management from a security standpoint. Using the above three principles, security professionals assess risk by examining it objectively. While privacy professionals typically use subjective criteria for evaluating risks to privacy, a security professional gravitates to objective criteria to analyze risks to confidentiality, integrity, and availability. Practitioners determine the potential threats or vulnerabilities and then evaluate the impact and likelihood of each.
- Threats and Vulnerabilities
To safeguard information and concentrate on the principles, an organization needs to understand what threats and vulnerabilities face the organization and its processes. Recognizing what circumstances have the potential to adversely impact operations identifies the threats before any organization. Similarly, comprehending a weakness in a service, system, or application, an operating procedure, or an existing security control, permits perceiving ways a threat can exploit or trigger insecurity. Together, a security professional uses these to define the attack vectors that an organization must block, much in the same way that a general creates a defense against an enemy’s assault.
- Impact and Likelihood
Once a security professional knows the attack vectors, each needs to be assessed to determine what effort and tactic best meets the underlying risk. To evaluate that risk, first, the impact of the risk must be appreciated and, second, the likelihood that the risk will occur must be reckoned. Typically, these will each be assigned a rating as high, moderate, or low. For example, a high impact could equate to something like a full data breach in which the organization could be hacked and information stolen. Another case could be when the attack vector is very difficult, which makes the attack much less likely, then this would be a low likelihood. The determination of the rating drives an overall understanding of the underlying risk, which is a combination of the impact and likelihood.