In an interconnected world of instant information, information privacy and security are caught in a crossfire: there is an increasing demand for access to personal information in order to generate products better adjusted to people's tastes, while security requires knowledge of records and transaction movements as a prerequisite for monitoring and control by the state.
However, that crossfire does not stop the flow of information.
Both security and privacy set different and complementary domains of action, requiring a particular specialty level to develop a set of practices that conceptualize and materialize the exercise of access and control. Information security and privacy create a challenge for engineering and corporate practice that should attend the statements of a company’s corporate governance where the information is defined as a strategic asset and a source of value to capitalize new and renewed business strategies.
In establishing the limits of the performance of the privacy professional and the Information security manager, it’s necessary to understand in detail the basics of each of the roles and confront the current dynamics of the organization where these two job descriptions appear to comply with a legal requirement or conform with some good international practice required to compete in a particular market.
Understanding that privacy is not confidentiality and information security is not privacy is, therefore, a reflection to be undertaken.
Privacy is a connotation of larger organizations, which requires a detailed understanding of the law that assists citizens against the law of nations, while security is a practice of the protection of information that provides care for the declared strategic asset.
Accordingly, there will be information security practices that apply to the exercise of privacy, and privacy concepts similar to the principles of information security.
Information Security and Privacy: Two Different Domains
After reviewing the annotations of Prof. Konstantinos Lambrinoudakis in the Department of Digital Systems of the University of Piraeus in Greece, it is clear that information security and information privacy belong to different domains.
While the security of information refers to the protection of information stored, processed and transmitted to comply with the functions and purposes of the information systems in an organization, the privacy of information is related to the protection of the information related to a subject's identity. Similarly, the security of information is an important tool to protect information assets and business objectives, while privacy is focused on safeguarding individuals' rights when it comes to the same information.
Currently, information privacy has been addressed as a legal issue, which has not been handled properly by information security standards. While the principle of confidentiality seeks to prevent the disclosure of sensitive data to unauthorized entities, it doesn't focus on hiding the identity of the owner of the data or making it impossible to link the data and its owner. So the principles of information security, such as confidentiality, integrity and availability, are not equivalent to the features that should be secured in information privacy, such as anonymity, unlinkability, indistinguishability, untraceability and pseudonymity. Therefore, while the exercise of information protection strategies ensures correct access, privacy protection demands blurring data so that its subject cannot be identified, dismantling all kinds of links between data and its owner, facilitating the use of pseudonyms and alternate names, and allowing anonymous access.
Information systems that meet security and control requirements do not necessarily meet the demands of privacy compliance. In this sense, information privacy, understood as the establishment of rules governing the treatment of personal information, demands that companies design alternative mechanisms to safeguard the identity of persons and access to sensitive information in order to prevent discrimination or harm to privacy.
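The difference between confidentiality and unlinkability described above can be shown in a few lines. This is an added example, not part of the original article; the two datasets, the per-purpose keys and all function names are constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample data: the same two people appear in two systems.
BILLING = [
    {"email": "ana@example.org", "zip": "11527", "birth_year": 1984, "plan": "gold"},
    {"email": "leo@example.org", "zip": "18534", "birth_year": 1991, "plan": "basic"},
]
SUPPORT = [
    {"email": "ana@example.org", "zip": "11527", "birth_year": 1984, "ticket": "refund"},
    {"email": "leo@example.org", "zip": "18534", "birth_year": 1991, "ticket": "login"},
]
# Hypothetical per-purpose secrets; assumed to live in separate key stores.
KEYS = {"billing": b"constructed-key-billing", "support": b"constructed-key-support"}
DIRECT_AND_QUASI = ("email", "zip", "birth_year")

def pseudonym(identifier: str, purpose: str) -> str:
    """Keyed pseudonym: stable within one purpose, different across purposes."""
    mac = hmac.new(KEYS[purpose], identifier.lower().encode(), hashlib.sha256)
    return mac.hexdigest()[:16]

def generalize(record: dict) -> dict:
    """Blur quasi-identifiers: 3-digit zip prefix and a 10-year birth band."""
    decade = record["birth_year"] // 10 * 10
    return {"zip": record["zip"][:3] + "**", "birth_band": f"{decade}-{decade + 9}"}

def protect(record: dict, purpose: str) -> dict:
    """Drop identifying fields, then add a purpose-bound pseudonym and blurred fields."""
    out = {k: v for k, v in record.items() if k not in DIRECT_AND_QUASI}
    out["subject"] = pseudonym(record["email"], purpose)
    out.update(generalize(record))
    return out

def linkable(a: list, b: list, key: str) -> int:
    """Count records in a that can be joined to some record in b on key."""
    values = {r[key] for r in b}
    return sum(1 for r in a if r[key] in values)

def demo() -> dict:
    billing = [protect(r, "billing") for r in BILLING]
    support = [protect(r, "support") for r in SUPPORT]
    return {
        "raw_links": linkable(BILLING, SUPPORT, "email"),
        "pseudonymized_links": linkable(billing, support, "subject"),
        "blurred": billing[0]["zip"] + "/" + billing[0]["birth_band"],
    }

if __name__ == "__main__":
    print(demo())
```

Access control or encryption on the raw tables would leave `raw_links` unchanged for anyone authorized to read both, which is the gap the paragraph describes. The blurred fields can still single someone out in a small population, so the generalization bands have to be sized against the real data.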
So, designing an information system with privacy by default cannot be done exclusively with information-security mechanisms. You will need to integrate the conditions listed previously, among other actions, to:
• Inform users of the state of privacy in the information system.
• Provide simple operations and language so that users can learn about and understand the privacy options available to them.
• Ask users to confirm options before proceeding with actions that may be contrary to their privacy.
• Provide an effective way out of any selected option at any time during execution, to protect the user's privacy.
• Destroy any personal information that has been used during a working session.
In short, we could say:
VARIABLES | Information Security | Privacy |
Foundation | Is a process | Is a right |
Purpose | Protection of business information | Protection of personal information |
Features that should be ensured | Confidentiality, integrity, and availability | Unlinkability, untraceability, unobservability, anonymity and pseudonymity |
Responsible for | Chief Information Security Officer (CISO) | Personal data protection delegate (PDPD) / Chief Privacy Officer (CPO) |
Focus | Data centric | Person-centered |
Good practices | ISO 27000 series, NIST and ENISA documents | ISO/IEC 29100 Information technology – Security techniques – Privacy framework |
Report | Independent | Independent |
Figure No.1 Information Security V. Privacy
The Information Security Officer and Privacy Officer
Understanding that we have two different domains of knowledge that complement each other, it is important to detail the two roles or positions responsible for both information security and privacy. In this organizational exercise, it is important to understand the key objectives of each figure, their achievements and the challenges illustrating common and divergent areas.
VARIABLES | Chief Information Security Officer | Chief Privacy Officer |
Foundation | Ensure a process | Ensure a right |
Purpose | Protection of business information | Protection of personal information |
Key aspects to ensure | Protection of information assets; focus on the business value; trusted advisor | Guarantees for the exercise of the right of privacy; privacy program; verification of compliance of privacy practices |
Profile | Political intelligence; proven experience in security and control (minimum of 12 years); business and technical language | Tactical and legal intelligence; proven experience in privacy (minimum of 12 years); legal and technical language |
Focus | Data-centric | Person-centered |
Good practices | ISO 27000 series, NIST and ENISA documents | ISO/IEC 29100 Information technology – Security techniques – Privacy framework |
Education | Professional in any discipline; graduate in business | Lawyer or IT professional; graduate in law and/or business |
Report | Independent | Independent |
Figure No.2 CISO V. CPO
On the one hand, if we review the factors that influence privacy risk management, we find that ISO 29100 provides a framework for action covering topics such as legal and regulatory factors, contractual factors, business factors, and others related to internal control systems, technical standards and management of personal data.
The privacy manager will have extensive interaction with the legal department, a key ally in implementing and developing the distinction of privacy in an organization. In addition, in the exercise of their function, privacy managers must be in tune with and become part of the corporate internal control systems, as part of the legal compliance requirements that affect the company transversely.
On the other hand, when we talk about the information security executive, we usually, and wrongly, mean a person with an eminently technical profile. However, the head of information security works from the declaration that information is an asset, addresses the key risks associated with loss or leakage of information and, as a matter of record, must ensure the aspects of compliance, security and control against regulatory requirements and legislation, both internal and external.
In this sense, the CISO should establish the threshold of risk the organization accepts for the materialization of identified risks that threaten the protection of information. This statement must be mediated by a business impact analysis, as well as by the expectations of the first management level of the company, in order to establish the routes necessary to maintain a known level of exposure and to ensure that daily management includes the elements needed to manage identified risks.
These two organizational figures, according to SHEY and ROSE, are positions that should report to the first level of the company, since the responsibilities and impacts of their management directly affect corporate governance, potentially compromising the image of the corporation.
As a privacy officer seeks to identify the points of responsibility that the organization has for the treatment of personal data, the security officer identifies and secures the organization's relevant information. Both should develop the organizational culture of privacy and security; establish a reference framework to identify, monitor and analyze emerging threats; and verify the correct application of the key practices for each domain.
Info-Sec Officer and Privacy Officer, Together or Separate?
There is currently an international trend that seeks to establish a consolidated view of the areas of corporate compliance. This exercise calls for an executive at the first corporate level who brings together all the themes that must meet legislation and international practices, in order to deliver a unified view of the state of business compliance.
In this vein, the vice president of corporate compliance verifies corporate practices across issues as varied as security of information, privacy, ethics, fraud, money-laundering and compliance with the related international laws required to operate, indicating which points are effective and which need improvement, with greater clarity about where the company's exposure can generate nonconformity and compromise the goals of the organization.
A unified view allows you to combine efforts of culture intervention, streamline practices, adjust and tune controls and increase the effectiveness and reliability of operations without compromising efficiency. As each theme requires a particular specialty, the VP of corporate compliance will need to understand the variety of subjects under their responsibility, seeking to integrate a joint view that reveals what is key to the organization without losing the specialized knowledge of each subject reviewed. Therefore, a unified area of information security and information privacy offers advantages such as those mentioned previously but has limitations that must be analyzed and known. The aim is not to mitigate the risks inherent in this merger but to manage them with concrete actions that maintain a known level of exposure, with procedures in place for when they materialize.
The merged world of security and privacy faces risks and challenges in the legal system. While privacy is a fundamental right to information self-determination, security is good practice.
Therefore, the level of importance and the assessment of an incident, whether security or privacy, reaches the executive level based on its impact, which may lead one domain to take priority over the other in a specific situation and compromise the other's visibility in the organizational context. On the other hand, this union of knowledge domains requires specialized profiles or knowledge of each subject, and within a joint view corporate compliance must prioritize its demands according to the relevance and importance of each theme for the development of the company's business; i.e., we will have to build a distinction that adds the benefits of the practices of both subjects, and the efforts where one is dominant and the other is not will outweigh.
At the technological level, merging these two themes can generate burdens and excessive controls in the execution of business processes supported by information systems if synergies between the two domains are not established. The result can be a loss of business speed that blurs the efforts both areas make to protect the company against situations that compromise its image and good name. So, merging the two areas is a decision that should be informed; that is, the organization must be aware of the potential and the risk involved in harmonizing two compliance issues.
Final Reflections
We are at a moment in history where information privacy and security face a territorial challenge in which data has become the essence of the conquest. While the security plan focuses on authorizations and access control, privacy reflects and requires explicit and informed consent to the processing of information.
In this context, privacy without security becomes a sterile exercise of rights that lacks a practical implementation through which the person can demand adequate treatment of information. Security without privacy is a discipline of information protection that focuses on the protection of a key asset but not in a way that extends to the implications of this exercise for the person.
Both privacy and security require exercise of joint construction, which allows matching the relevancy of both domains to develop a joint vision, allowing data to prevail as a source of competitive advantage, i.e., articulate the inherent relationships between people, processes and technologies to incorporate practices that move the organizational culture toward the preservation of data as the basis for business strategy.