Privacy and Information Security — Best Practices - Part 3 of 3 April 01, 2010


The following article is part three of a three-part series (Part 1, Part 2, Part 3) on privacy and information security written by members of the GMCC Small Business Advisory Council (SBAC).

This article series is also featured in the GMCC Business Beat (Part 1, Part 2, Part 3)


Most privacy and information security laws and regulations embody fundamental best practices. By focusing on implementing these practices, instead of following strict compliance with each separate law, small organizations can often meet a reasonable and appropriate standard of compliance that will satisfy the requirements of several different privacy and information security laws.

Any privacy and information security program must be approved by the highest executive levels in the organization including any board of directors. A top-level management member must be responsible for overseeing the program. In the smallest businesses, it is common for the owner/operator to take on these responsibilities.

There are three types of security that must be addressed. Administrative security, which is commonly lacking in small organizations, involves the four-step process discussed below. Physical security addresses the security of tangible information assets, for example, securing the building, computer hardware and paper records. Technical or cyber security is specific to computerized information systems and the Internet.

The four steps to achieve compliance through best practices include:

1. Risk Assessment. Determine the identity theft, fraud, privacy and information security risks for your organization. Document how each risk is addressed, or why it may not be appropriate or feasible to address a particular risk. For example, if a good faith assessment determines that the cost of addressing an improbable risk is high, that may be justification for not addressing the risk.

2. Documentation. Basic top-level documentation includes a privacy and information security policy and a breach response plan. Procedures should be developed for the specific handling, storage and retention of sensitive information. Records include employee privacy and security agreements and other training records. If your business shares sensitive employee or other consumer information with service providers, third-party privacy and information security agreements are also required.

Some laws may have specific policy requirements. For example, the Red Flags Rule requires an identity theft prevention program.

All laws require policies and procedures that are “reasonable and appropriate” for the size of the organization, the risks it faces and the quantity and types of sensitive information that it handles. In other words, a small business is not expected to implement the same type of program necessary to safeguard privacy and information in a multinational corporation or the Federal Government.

3. Education and Training. This step is perhaps the most important and valuable step because, if done conscientiously with management and employee support and participation, the employees will become active stakeholders and actively facilitate the other three steps. Aware and educated employees will work together to improve privacy and information security in the workplace and they will also become sensitive eyes and ears in detecting fraud and abuse.

4. Review. This step is the audit step of the program. Auditing the effectiveness of the program should be done on an ongoing basis. A thorough review of best practices covering the first three steps should be done at least annually.

When an organization fulfills these four steps to best practices, a legal defense known as safe harbor can reduce or eliminate liability in the event of a privacy or information breach, provided that reasonable and appropriate steps were taken in good faith to comply with prevailing regulations and guidelines before the breach or other violation occurred.

Conclusion & Resources

Various professionals including privacy and information security consultants, law firms, management consulting firms and insurance and risk management firms may specialize in services to help your organization comply with applicable privacy and information security laws. A do-it-yourself approach is also practical for smaller organizations. The first do-it-yourself guide to privacy best practices has been published by a GMCC Chamber Member to assist small organizations with privacy and information security compliance [1].

When evaluating compliance service providers it is important to ask questions. Is the service provider selling related or non-related compliance products and services? Is their main business focused on making your organization fully compliant, or is compliance just a front for selling ancillary or unrelated products or services? None of the laws require a business to purchase products or services for compliance.

What is being proposed? Which of the four steps to best practices are included in their services? Any one of the four steps alone, for example compliance documentation alone or employee education alone, does not achieve compliance. Is a reasonable and appropriate solution being proposed, or is the consultant proposing a complex solution oriented to large organizations that employ a team of compliance and legal professionals? Large company solutions are neither affordable nor manageable for small organizations.

Professional degrees and iconic corporate names do not automatically qualify individuals or firms to offer credible advice or services related to privacy and information security compliance. Similarly, privacy and information certifications do not make experts either; however, such designations can be credibility indicators.

The International Association of Privacy Professionals (IAPP) offers the Certified Information Privacy Professional (CIPP) credential and specialized certifications for privacy professionals who focus on administrative security, such as best practices. The International Information Systems Security Certification Consortium, (ISC)², offers the Certified Information Systems Security Professional (CISSP) as one of its highest credentials for those who specialize in cyber security.


Resources

1. Privacy MakeOver: The Essential Guide to Best Practices. How to Protect Assets and Foster Consumer Loyalty. Joseph Campana, Bell House Press, Madison, WI (2008). (http://www.PrivacyMakeOver.com)

2. “Protecting Personal Information. A Guide for Business” and “Fighting Fraud with the Red Flags Rule. A How to Guide for Business.” Federal Trade Commission, Washington, DC. (http://www.FTC.gov)

3. National Institute of Standards and Technology (NIST) Computer Security Resource Center (CSRC) has many publications and policies on information security. (http://csrc.nist.gov)

4. Electronic Privacy Information Center (EPIC), Washington, DC. (http://www.EPIC.org)

5. Organization for Economic Cooperation and Development (OECD), Paris, France. (http://www.oecd.org/sti/security-privacy)

6. Open Compliance and Ethics Group (OCEG), Phoenix, AZ. (http://www.oceg.org)




More Information on the Small Business Advisory Council (SBAC):
www.greatermadisonchamber.com/about/small-business-advisory-council