By Rebecca Herold, CIPP, CISSP, CISM, CISA, FLMI

"Privacy requires the implementation of information security controls and appropriate safeguards."

The need for convergence is nothing new
With all the recent talk regarding a convergence of information security and privacy, it bears noting that this is not a new idea. Such convergence has existed for as long as privacy has been a concern. After all, privacy cannot be delivered without the implementation of information security controls and appropriate safeguards.

I experienced this relationship firsthand during the early 1990s, before the passage of the Gramm-Leach-Bliley Act (GLBA) or the Health Insurance Portability and Accountability Act (HIPAA). At the time, although bills addressing privacy had been considered in the U.S. and around the world, the Organisation for Economic Co-operation and Development (OECD) privacy principles were the basis for most privacy requirements. While establishing the security requirements for one of the very first online banks, I recognized the need for a privacy policy based not upon legislation but on the need to obtain and maintain customer trust. This policy, based predominantly upon the OECD privacy principles, brought the need for security controls clearly into focus.

Convergence issues

Over time, I've identified 20 business areas where information security and privacy responsibilities and activities converge, a number that grows as technology, laws and business practices evolve. Understanding and complying with the differing requirements of the 45 U.S. privacy breach notice laws is a recent example of how privacy and information security need to work together for effective management enterprise-wide.

Additionally, the growing number of incidents, accompanied by growing numbers of fines, penalties and civil actions, emphasizes the need for convergence. The basics of complying with the hundreds of applicable laws and regulations involve:

  • knowing what information is considered personally identifiable information (PII) within the organization;
  • knowing where this PII is collected, where it is stored, and where it leaves the organization; and
  • establishing effective safeguards to protect this PII throughout the entire information lifecycle.

Privacy is not strictly a legal issue, and information security is certainly not strictly a technical issue; privacy and security intersect in many ways.

Unequal authority in the organization
Unfortunately, responsibilities for privacy and information security often fall within different areas of an organization, and often at different levels within the organizational structure. I have seen firsthand how poor communication and unequal authority among these groups can lead to either gaps in privacy protections or conflicting directives on the same issue.

For example, a few years ago a large manufacturing organization created the privacy responsibility within its law office with a direct reporting responsibility to the CEO. The information security responsibility, on the other hand, was many levels down in the organization. The information security officer (ISO) was a manager, reporting to a director, reporting to a CIO, reporting to the operations VP, reporting to the CEO. The ISO was worried about the proliferation of laptops used for business processing, particularly for processing the orders of individuals as well as other companies. She did a risk assessment and submitted the resulting report with a recommendation to require full-disk encryption on the laptops.

The recommendation was denied because, according to the opinion rendered by the privacy officer in the law office, no law explicitly required encryption, and the expense of implementing it was not necessary to advance the business. There had been no discussion between the privacy officer and the ISO before the opinion was issued. In this example, the decision was made purely on the letter of the law. Information security risks were not considered, even though most data protection laws (the HIPAA Security Rule's required risk analysis and the GLBA Safeguards Rule's risk assessment, to name two) make the assessed risk the basis for deciding which safeguards are reasonable and appropriate.

A thorough understanding of information security risks is required before adequate and proper safeguards can be selected to meet risk-based compliance requirements. Close collaboration and mutual respect between the functional areas make both the information security and the privacy programs more effective.

Integrating enterprise privacy and information security

Organizations will benefit from taking a practical, structured approach for integrating privacy and information security responsibilities and activities enterprise-wide. Not only will the security program be stronger, but there will also be more comprehensive and risk-based compliance for data protection and privacy laws.

Step 1: Identify business overlaps
Identify the business issues where information security and privacy activities and responsibilities overlap. Wherever PII is collected, handled, transmitted or stored, there will be overlapping issues. You should find at least 20 overlaps (and maybe more).

Step 2: Determine risks
Determine the privacy and information security risks for the overlapping issues. Spyware, for example, is a shared concern. Information security should identify the ways spyware can make its way into your organization (e.g., Web sites, e-mail attachments, and personnel using instant messaging, file-sharing and other peer-to-peer tools). Privacy should identify the types of PII vulnerable to spyware and address the regulatory requirements that require PII to be protected from this type of risk.

Step 3: Establish policies and procedures

The areas must work together to establish feasible, effective policies to address the identified risks. If this doesn't happen, there will be coverage gaps and multiple conflicting policies on the same topic.

Recently I conducted a policy analysis covering 12 departments of a large multinational organization. I uncovered 38 information security and privacy topics that were covered by more than one policy, as well as numerous gaps. Many policies were worded in ways that created conflict and confusion, and different departments issued conflicting directives. For example, the HR policy for remote workers did not require business information to be encrypted, while the information security policy required encryption for remote workers.

When more than one department maintains a policy on the same topic, personnel will tend to follow whichever policy is most convenient for their needs, and then claim compliance with corporate policy if found to be in non-compliance with another department's policy. There should be only one policy per topic, to keep policies effective and to eliminate staff choice and confusion.

The privacy and information security areas must also collaborate and work with all business units to ensure that documented procedures are created to support policies.

Step 4: Integrate information security and privacy into the business culture
Unless information security and privacy are part of every work day, privacy requirements and expectations will not be met and information security will be ineffective. A pervasive information security and privacy culture can be created and integrated into everyday job roles in three effective ways:

  • Document information security and privacy responsibilities into job descriptions. This reinforces the reality that privacy and information safeguarding are not standalone operations that belong to someone else, but a responsibility that is expected of "me."
  • Include information security and privacy within job appraisals. When it becomes personal—when everyone knows that their annual appraisals will include how well they protect PII—it's natural that diligence and compliance will increase. Confidential papers will be locked away. Computers will be locked when people are away from their desks. And it is likely they will think twice before sending PII in e-mail messages, or before loading PII onto laptops or flash drives.
  • Include privacy and information security considerations into daily procedures. Incorporate privacy and information security checks into all procedures that involve handling or accessing PII.

Step 5: Implement cooperative awareness and training
Organizations experience fewer incidents when the privacy and information security areas work together to implement cooperative awareness and training throughout the enterprise. Well-informed personnel have the knowledge to protect PII, and training also makes them more accountable for their actions.

A thoughtful, integrated education program should include:

   1. Establishing benchmarks. Before launching training and awareness activities, measure information security and privacy awareness within your organization.
   2. Developing targeted training applicable to job roles. Increase awareness across the organization to all staff and then provide customized, targeted training to those with significant responsibilities involving PII. These areas include, but are not limited to, call centers, marketing, IT, HR, and executive management.
   3. Providing ongoing awareness communications and activities. Training must be complemented with ongoing awareness communications to reinforce information security and privacy requirements, and to keep these issues top-of-mind in day-to-day work.
   4. Evaluating how well awareness has been raised. Training events and awareness activities must be evaluated to determine how knowledge has increased and identify where improvements and effort are needed.

Information security and privacy convergence improves business

It is critical for those responsible for information security, privacy, and the associated legal and compliance requirements to work closely together in partnership. Without this collaboration, organizations will operate inefficiently, with conflicting policies and directives. More importantly, there will be privacy and information security gaps ready for exploitation.

Successful programs require information security and privacy to have complementary strategies that are integrated enterprise-wide—within every business process and at every level within the organization. When information security and privacy work together and collaborate, there are fewer incidents, less negative business impact, and business is improved.

Rebecca Herold, CIPP, CISSP, CISM, CISA, FLMI, has provided information security, privacy and compliance training, services, tools and products to organizations in a wide range of industries throughout the world for more than 17 years. Rebecca was named one of the "Best Privacy Advisers" in two of three categories by Computerworld magazine and one of the "Top 59 Influencers in IT Security" for 2007 by IT Security magazine. She is an author and adjunct professor for the Norwich University Master of Science in Information Assurance (MSIA) program. rebeccaherold@rebeccaherold.com; www.privacyguidance.com.
