Privacy Advisor

Five Tips for Developing Practical and Effective Information Security Programs

March 1, 2008

By Jill Frisby

For many organizations, data privacy is a world of extremes. Consider these two common scenarios:

  • Company A has an information security program that is practical, but not effective. Although the program doesn't impede the organization's ability to do business and carries minimal costs, it has been proven to be ineffective by either a regulatory audit or a data security breach.
  • Company B has an information security program that is effective, but not practical. The program is stringent and, as such, meets regulatory guidelines and protects data. The business functions, however, feel that the program impedes their progress; some units even consciously perform activities that the program prohibits because they perceive it to be a roadblock to their goals.

Somewhere between these two extremes lies Company C, which has an information security program that is both practical and effective. The program operates in a sensible manner that protects sensitive business and customer records without imposing unreasonable or costly requirements on the business units that it serves.

Practical does not mean an unacceptable risk of data loss, and effective does not mean that the cost is unmanageable for the business. A practical and effective information security program seeks to safeguard data by first understanding its business use and then identifying effective controls to protect the data. It also attempts to empower employees across the organization to help identify data protection issues and develop appropriate solutions.

Five Tested Strategies
For companies struggling to cope with this type of information security tug-of-war, there are five proven strategies for obtaining a balance between the practical and the effective:

   1. Start with a top-down privacy risk assessment. The first step in developing any good risk management program is to assess what risks need to be managed and how they affect the business. The process of completing a risk assessment can be daunting, but if you start with the organizational units and work down to the data itself, you can gain a more complete understanding of the management of private data throughout the enterprise. Here are some guidelines for conducting a top-down risk assessment:

      - Identify all relevant business units and processes. For each process, develop a general understanding of what private data is used as part of this process, and how it is used. Processes that do not affect private data can be removed from the scope of further analysis.

      - Identify all information assets associated with each process. An information asset may be an application, hardware device, mobile media, paper documents or a set of files. Determine how significant a breach of the data in that information asset might be, based on the volume and type of information.

      - Confirm the controls in place, and their appropriateness, to protect each information asset. Identify assets for which the data is not properly controlled. Make recommendations for remediation of these data control issues.

      When organizations start their privacy risk assessment from the bottom up, they risk giving equal weight to all data and, therefore, creating a privacy framework that is costly and difficult to implement. For example, if an organization were to assess computer disks or database fields, the initial solution might be "encrypt" or "eliminate remote access to" the data. If the business process requires the transfer of this data into other applications, or access of the data by third-party vendors, the solution would be impractical.

      In other cases, the use of the data in the business process could make a particular control ineffective. For example, if the desired control was to require all paper forms with customer data to be in a locked file cabinet at all times, but the business process required transporting these forms from office to office, the control would be ineffective and impractical.

      By performing the risk assessment from the top down, organizations can avoid these problems while creating information security programs that are practical, yet effective.

   2. Obtain senior-level buy-in. This is a key requirement for the success of any data privacy program. Too often, organizations spend money on, and dedicate resources to, information security programs that middle management and employees ignore because of a lack of senior management support. In other cases, senior management fails to define what levels of risk it considers to be acceptable and, as such, companies spend too much or too little on information security.

      Establishing the appropriate "tone at the top," and developing a corporate culture that places high emphasis on protecting information assets, will help assure that employees follow the desired policies and procedures. Involving senior management will help the information security function make sound decisions that align with the company's risk posture.

      In addition, middle managers play an integral role in enforcing data security standards. Organizations may send them to specific training, or provide checklists for departmental self-assessment.

      This will help prepare these managers for appropriate policy enforcement, which may even include inspecting trash bins to confirm that employees are following the shredding policy and checking desktops to confirm that sensitive documents are appropriately secured, computers are locked, and passwords are not written down in plain sight.

   3. Appoint a data privacy "champion" who has sufficient technical knowledge. Every major organizational initiative needs a champion or chief coordinator who can act as a subject matter expert. Management should appoint an information security officer, manager or equivalent who receives appropriate resources to manage the program.

      The information security officer should develop a strong network of consultants, peers and professional organizations, such as the IAPP, on which to rely for support. Continuing education and participation in industry conferences about information security and privacy should be ongoing requirements so that this individual is able to keep pace with the latest threats, vulnerabilities and safeguards.

   4. Communicate with all employees. Even the most skilled security professionals cannot control every aspect of their data privacy programs. Employees need to be enabled to implement the security program and propose changes if it is not effective.

      For example, while the data security officer can contract for document shredding, place receptacles throughout the facility and establish a policy on document destruction, each employee must make a conscious choice to place documents in a shred bin. Managers must play a role, monitoring employees' disposal of documents. Furthermore, employees should feel enabled to escalate issues, such as how to dispose of disks with sensitive data.

      When employees feel empowered to implement and assess the program in this way, information security officers can help provide appropriate solutions.

   5. Validate program effectiveness through independent testing. Once a data privacy program has been developed in line with objectives, supported by senior management, disseminated in a top-down fashion, led by a skilled champion and communicated to employees, it must be tested. Management must seek an independent analysis to identify areas where the program should be expanded or where it has not been implemented effectively.

      This testing must occur periodically, with examination of high-risk program components scheduled at least annually. This is necessary to confirm the effectiveness of program implementation.

Striking a Balance
Striking an appropriate balance between practical and effective will, at some level, be a continuous process of information security risk management. By completing an effective risk assessment and developing a baseline program aligned with business objectives, management will be poised to make appropriate decisions as new information security challenges arise.

By becoming aware of the pitfalls of ineffective and impractical programs, organizations can avoid common mistakes and develop an information security program that is respected, is followed and helps prevent costly disclosure of information.

Jill Frisby is a manager concentrating on data privacy issues with Crowe Chizek and Company LLC, a major accounting and consulting firm. She can be reached at 630.575.4317 or jfrisby@crowechizek.com.