CPO to CISO: Four Steps for Privacy Professionals to Get Security Savvy

Congratulations! You are part of one of the fastest growing professions and one at the forefront of where our information society is heading. Welcome to being a privacy professional.

Now what?

Well, having been selected to drive privacy and data protection throughout your organization, you clearly understand the ins and outs of things like the fair information practice principles and the requirements for notice, consent, and erasure. But what about security? What do you need to know about confidentiality, integrity, and availability? To succeed as a privacy professional, you also need to think like a security professional and, while you don’t have to become a technical expert, there are some core knowledge points you should add to your professional skills.

So, what should you know and how should you get there? Let’s break this down to four steps on the road to getting security savvy.

First step: CIA

To begin, you need to understand the underlying principles that drive management of security – confidentiality, integrity, and availability.  These three principles are the core attributes in defining security and the risks that impact it.

  • Confidentiality

For a privacy professional, confidentiality is a principle easily understood and at the core of ensuring privacy.  Confidentiality addresses who can access what from where and when it may be done.  Confidentiality looks to preserve restrictions on information access and disclosure, including the means to protect personal and proprietary information. Properly implemented, an information security management system ensures that sensitive information is not disclosed to unauthorized or improper individuals, entities, or processes.

  • Integrity

The integrity principle is better known to privacy professionals through the accuracy principle, but security focuses on systemic and data-centric integrity, not just on having the “correct” information. Integrity means safeguarding against improper or unauthorized modification or erasure. Two related properties usually travel with it: authenticity (the information is genuine and actually comes from the source it claims to come from) and nonrepudiation (an individual, organization, or process cannot later deny having originated or handled the information). By ensuring that information has not been changed, destroyed, or lost in an unauthorized, undetected, or accidental way, individuals, organizations, and processes can have confidence in the information in storage, during processing, and in transit.

  • Availability

The availability principle is somewhat alien to privacy professionals, as it seems that they are usually trying to ensure almost the opposite; however, the availability principle addresses the timely and reliable access to and use of information. By ensuring information is obtainable and ready for use on demand or when required, authorized and proper individuals, organizations, or processes can supply the flow of information to support necessary operations without interruption.  While availability is important to any function—think about when you can’t access your work files—it becomes highly critical for operations, such as healthcare, financial transactions, and the like, which need the underlying information to continue and work as expected.

Second step: Risk assessment

The next knowledge point is to understand risk management from a security standpoint. Using the three principles above, security professionals assess risk as objectively as they can. While privacy professionals typically use subjective criteria for evaluating risks to privacy, a security professional gravitates to objective criteria to analyze risks to confidentiality, integrity, and availability. Practitioners identify the threats and vulnerabilities and then evaluate the impact and likelihood of each.

  • Threats and Vulnerabilities

To safeguard information and concentrate on the principles, an organization needs to understand what threats and vulnerabilities face it and its processes. A threat is any circumstance, event, or actor with the potential to adversely impact operations; recognizing these identifies the threats facing the organization. A vulnerability is a weakness in a service, system, or application, in an operating procedure, or in an existing security control that a threat can exploit or trigger. Together, a security professional uses these to define the attack vectors that an organization must block, much as a general plans a defense against an enemy’s assault. A threat with no vulnerability to exploit, or a vulnerability that no threat is positioned to reach, presents little risk; it is the pairing of the two that matters.

  • Impact and Likelihood

Once a security professional knows the attack vectors, each needs to be assessed to determine what effort and tactic best addresses the underlying risk. To evaluate that risk, first, the impact if the risk materializes must be appreciated and, second, the likelihood that it will occur must be estimated. Typically, each is assigned a rating of high, moderate, or low. For example, a full data breach in which the organization is hacked and information stolen would be rated high impact. Conversely, if exploiting an attack vector is very difficult, the attack is much less likely and would be rated low likelihood. The combination of the two ratings gives the overall level of the underlying risk; a high-impact but low-likelihood vector, for instance, typically lands in the middle of the scale rather than at the top.

  • Inherent and Residual Risks

To properly design security controls, the security professional must not only determine the risk but also recognize the risk before and after controls are applied. The risk before any controls are applied is known as “inherent risk”; it is used to prioritize actions in managing security and to focus on the “riskiest” attack vectors. To analogize, this is like focusing on the castle door, rather than the arrow slits, as the most impactful and likely way the castle will be attacked. The risk that remains after the controls are applied is known as “residual risk.” This gives a measure of how effective the controls are in dealing with the attacks that come forward. Building the castle door with thick lumber and reinforcing it with iron plates could reduce the risk from high to low by lowering the impact, the likelihood, or both. Residual risk is rarely zero; what remains must either be reduced further or be consciously accepted by someone with the authority to accept it.

Third step: Controls

A security professional effectuates information security through a collection of controls, including policies and procedures, training and awareness, management, and software and hardware functionality. These controls define the methods used by the organization to take actions directly related to identified threats and vulnerabilities to the confidentiality, integrity, and availability of information. The difficulty with information technology is that it is typically not designed to address specific risks. A holistic approach to driving safeguards in the use of technology comes through controls implemented, monitored, and, from time to time, enhanced by the organization. Controls form the basis of the information security management function and allow for a comprehensive view of that function. To ensure effective operation and comprehensive application, most organizations rely on commonly available standards, such as the ISO 27000 series or NIST series.

  • ISO 27000 Series

The International Organization for Standardization, or ISO, releases a myriad of standards on topics ranging from quality systems to animal husbandry that aim to create common and uniform specifications for organizations to follow. The ISO 27000 series (formally ISO/IEC, as it is published jointly with the International Electrotechnical Commission), specifically ISO 27001 and ISO 27002, provides for security controls to be implemented as part of an information security management system governing information technology resources. ISO 27001 lays out the core components and activities that drive the management of security, with an annex (Annex A) of security controls, organized in domains, that relate to specific functions within organizations. ISO 27002 provides guidance to organizations on the selection of information security controls relevant to confidentiality, integrity, and availability and on implementing commonly accepted and effective controls based on a risk analysis. An organization can be certified against ISO 27001; ISO 27002 is implementation guidance and is not itself a certification standard.

  • NIST Series

The National Institute of Standards and Technology (NIST) is a U.S. government agency whose primary mission in security is to provide U.S. federal agencies with appropriate guidance to deploy effective security throughout the government’s IT infrastructure. These controls focus on specific requirements from the E-Government Act and FISMA (originally the Federal Information Security Management Act of 2002, updated by the Federal Information Security Modernization Act of 2014). NIST produces the Special Publication series, with the core control catalog found in Special Publication (SP) 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, which provides content similar to the ISO 27000 series. Additionally, the newer SP 1800 series of cybersecurity practice guides delivers worked guidance on putting those controls into practice, including SP 1800-1, Securing Electronic Health Records on Mobile Devices.

  • Specialized Standards

In addition to the main security control standards noted above, there are a number of specialized control frameworks that address specific needs, legal requirements, and industries. For example, the Health Information Trust Alliance (HITRUST) CSF defines controls relevant for compliance with HIPAA, the U.S. federal law that obligates healthcare payers and providers (and their business associates) to safeguard protected health information (PHI). Another useful framework is Shared Assessments, which focuses on evaluating the security controls environment at a third-party vendor or supplier. A third is the Cloud Security Alliance (CSA) STAR program, which permits organizations delivering services via a cloud environment to align relevant controls for cloud security. The good news is that each of these maps back to one or both of the foundational security standards, so that they can be integrated into more holistic programs and translated as requirements change.

Fourth step: Security management

As noted above when discussing security controls, an effective management process must exist to operationalize the controls specific to the risks identified as impacting the confidentiality, integrity, and availability of information. Any security management must be designed to achieve the objectives of the organization; that is, the safeguards for confidentiality, integrity, and availability must integrate with the business processes to be an inherent part of the operations and culture of the organization. This includes ensuring awareness throughout the organization of the needs of security, the risks identified, and the measures used to address those risks. Then, specific ongoing management of security ensures that new and changing risks are identified and aligned with the developed set of security controls. Additionally, encryption is specifically discussed because, while it provides great power in implementing security controls, it is not a single solution or silver bullet.

  • Administrative

Just as with privacy, security requires “rules of the road” to ensure that the organization “knows” what it must do to ensure efficiency and effectiveness in the implementation and operation of the controls for security. To that end, security policies and procedures define the security goals and the means to effectuate the controls within the organization. As noted above, most security professionals organize the necessary policy documentation around a standard such as the ISO 27000 series or NIST SP 800-53r4. In addition to having the “rules” spelled out, training is necessary to drive awareness throughout the organization, not only of the specifics of the controls but also of general security awareness and the development of a positive security culture throughout the organization.

  • Operations

Obviously, controls not in operation do not provide any support, so functions and activities must surround the controls to create an information security program. A program is the living, breathing part of managing security: it aligns security activities with properly equipped functions. This includes preparing and publishing policies and procedures, implementing controls, designing architecture, monitoring information environments, and responding to incidents affecting information and the controls. Crucially, operations must periodically re-perform the risk assessment process to develop updated views of existing risks and of the controls necessary to address them effectively. Essentially, all the steps above must be repeated over and over.

  • Encryption

Lastly, one final topic for discussion: encryption. Too often, people, not just privacy professionals but security professionals as well, see encryption as the savior of security: if the data were encrypted, all risks would be addressed. Unfortunately, there is no silver bullet for security, and encryption does not provide one, because information must be decrypted to have any value; that is, to be accessed and used. Wherever it is decrypted, and wherever the keys live, the other controls still matter. That said, encryption is a useful tool for addressing all three principles of security. Obviously, encryption drives confidentiality by preventing anyone without the key from reading or using the information. It does not, by itself, provide integrity: a ciphertext can often be altered without the key in ways that change the decrypted result, so integrity comes from pairing encryption with a message authentication code or a digital signature, both built from the same cryptographic toolkit. A digital signature can establish the validity of the information and authenticate an originator, user, or process. Encryption supports availability indirectly: because encrypted copies can be stored and replicated across numerous endpoints, backups, and providers without fear that the data in transit or at rest will be read if intercepted, the information can be kept reachable wherever it is needed. The flip side is that the keys themselves become the availability risk. Lose the key and the data is gone as surely as if it had been deleted, and ransomware is nothing more than encryption turned against availability.
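As an added example (not part of the original article), the toy Python below makes concrete two points from the integrity and encryption discussions above: a stream cipher hides the message, yet an attacker who knows the message layout can change the payment amount inside the ciphertext without the key, and a message authentication code over the ciphertext catches that change. The SHAKE256 keystream, the HMAC-SHA256 tag, the message format, the field offset and the keys are all constructed here for illustration; in practice use a vetted authenticated encryption mode such as AES-GCM or ChaCha20-Poly1305 rather than assembling your own.

```python
import hashlib
import hmac
import os

TAG_LEN = 32  # HMAC-SHA256 output length in bytes


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream: SHAKE256(key || nonce) stretched to `length` bytes.
    Illustrative only; real systems use a vetted cipher (AES-GCM, ChaCha20-Poly1305)."""
    return hashlib.shake_256(key + nonce).digest(length)


def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """XOR the plaintext with the keystream. Without the key the output is unreadable
    (confidentiality); nothing here detects modification (no integrity)."""
    ks = keystream(key, nonce, len(plaintext))
    return bytes(p ^ k for p, k in zip(plaintext, ks))


decrypt = encrypt  # XOR is its own inverse


def tag(mac_key: bytes, nonce: bytes, ciphertext: bytes) -> bytes:
    """HMAC-SHA256 over nonce and ciphertext (encrypt-then-MAC)."""
    return hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()


def seal(enc_key: bytes, mac_key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Encrypt, then append an integrity tag computed under a separate key."""
    ct = encrypt(enc_key, nonce, plaintext)
    return ct + tag(mac_key, nonce, ct)


def open_sealed(enc_key: bytes, mac_key: bytes, nonce: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time before decrypting; reject anything altered."""
    ct, received = blob[:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(received, tag(mac_key, nonce, ct)):
        raise ValueError("integrity check failed: message was altered")
    return decrypt(enc_key, nonce, ct)


def flip_field(ciphertext: bytes, offset: int, known: bytes, wanted: bytes) -> bytes:
    """What an attacker without the key can do to an unauthenticated stream cipher:
    XOR in (known plaintext ^ wanted plaintext) at a position whose content they can
    predict, e.g. from a fixed message layout. The decrypted result changes to `wanted`."""
    out = bytearray(ciphertext)
    for i, (k, w) in enumerate(zip(known, wanted)):
        out[offset + i] ^= k ^ w
    return bytes(out)


def demo():
    """Run both scenarios; returns (forged plaintext, whether the MAC caught the forgery)."""
    enc_key, mac_key, nonce = os.urandom(32), os.urandom(32), os.urandom(16)
    msg = b"PAY amount=0100 to=alice"  # constructed sample message with a fixed layout
    at = msg.index(b"0100")

    # 1. Encryption only: the attacker turns 0100 into 9900 and nobody notices.
    ct = encrypt(enc_key, nonce, msg)
    forged = decrypt(enc_key, nonce, flip_field(ct, at, b"0100", b"9900"))

    # 2. Encrypt-then-MAC: the identical edit fails verification.
    blob = flip_field(seal(enc_key, mac_key, nonce, msg), at, b"0100", b"9900")
    try:
        open_sealed(enc_key, mac_key, nonce, blob)
        caught = False
    except ValueError:
        caught = True
    return forged, caught


if __name__ == "__main__":
    forged, caught = demo()
    print(forged)                      # b'PAY amount=9900 to=alice'
    print("tamper detected:", caught)  # True
```

Note what the HMAC does and does not give. Because sender and verifier share the same key, it proves the message was produced by a key holder and not altered since, which is integrity and authenticity between those two parties; but either party could have produced it, so it does not give nonrepudiation. That requires a digital signature, where only the signer holds the private key. Losing `enc_key`, meanwhile, makes every sealed message permanently unreadable, which is the availability cost of encryption described above.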

You are now a security savvy privacy professional!

So, while this article hasn’t made you a certified security professional, you now know the key points that security professionals address. Understanding the principles of security, what security controls are, how to assess risk, and how to operationalize this whole kit and caboodle will allow you, as a privacy professional, to put in place privacy protections in the context of security safeguards. Not only that, but you will be able to interact better with the security team to get the necessary and appropriate safeguards in place. You are now better prepared to protect privacy; welcome again to the profession.