UNCW MSA 516 - Achieving Privacy through IS Security

This preview shows page 1-2 out of 5 pages.


INFORMATION SYSTEMS CONTROL JOURNAL, VOLUME 2, 2007
Copyright © 2007 ISACA. All rights reserved. www.isaca.org.

Achieving Privacy Through Security Measures
By C. Warren Axelrod, Ph.D., CISM, CISSP

The main difference between security and privacy is that, for privacy, the individual about whom the personal information is collected and handled effectively “owns” that information and, as such, should be able to control what happens to it. That is to say, the person should be able to control what personal information about him/her can be and is collected; ensure that it is correct and current; and decide who can look at it, share it and/or change it. However, there is considerable controversy over a recent change in AT&T’s privacy policy, whereby AT&T asserts that it collects information regarding customer access habits as they relate to AT&T Yahoo-branded web pages.¹

The areas relating specifically to security or privacy and the intersection between information security and data privacy are shown in figure 1.

Functions that fall into the specific “information security only” space include physical security and human safety, business continuity planning, and disaster recovery planning. Factors falling into the “data privacy only” space include customer awareness via privacy notices, customer opt-in and opt-out options, and controls specific to customers who need to access, verify and modify personal information. Figure 2 indicates whether the various security categories, as listed in ISO 17799, relate to security, privacy or both.

The focus of this article is on examining security measures that impact privacy, namely the “common security/privacy factors” in figure 1. Areas and technologies that affect and are affected by privacy and security include access control, data protection and operational risk management, including incident response management.

Safeguarding Customer Information

In attachment A to the US Office of the Comptroller of the Currency (OCC) document OCC 2001-35 (available at www.ffiec.gov/exam/conference/Presentations/2001-35a.pdf), the OCC provides examination procedures for evaluating compliance with guidelines to safeguard customer information. The guidelines published by the OCC “…address standards for developing and implementing administrative, technical and physical safeguards to protect the security, confidentiality and integrity of customer information.” In the section of the OCC guidelines on evaluating the adequacy of risk management and control, the controls to be considered are shown in the left column of figure 3. Also shown are the specific security measures that can be used to establish and maintain the controls.

Controlling Application Access

The ability to monitor and control who can access what is paramount in the effort to protect personal information from unauthorized access and misuse. Applications are by far the preferred avenue of attack, as opposed to databases, since it is relatively easy for an outsider, and also insiders, to penetrate applications, since specialized knowledge of the infrastructure is not generally required. Consequently, it is of utmost importance to control access into applications and through them to functions, such as the ability to change or destroy the data. The exercise of protecting personal information from access via applications involves the management and control of access to the applications and ensuring that secure coding practices are enforced and tested.

Figure 2—Attribution of Various Security Categories to Security, Privacy or Both

ISO 17799 Category  Security  Privacy
Security policy  X
Organization of information security  X
Asset management  X X
Human resources security  X
Physical and environmental security  X
Communications and operations management  X X
Access control  X X
Information systems acquisition, development and maintenance  X
Information security incident management  X X
Business continuity management  X X
Compliance  X

Figure 1—The Intersection of Information Security and Data Privacy (diagram regions: Data Privacy Only; Information Security Only; Common Security/Privacy Factors)

Identity and Access Management (IAM)

IAM is unquestionably the most critical control for privacy and, in some ways, the most difficult and costly to implement. Users (sometimes included under the more general term “subjects”)—whether employees, customers, contractors or computer applications—are gaining authorized access to a rapidly increasing number of personal and corporate applications. The applications themselves are becoming more and more complex in terms of the permutations and combinations of potential services offered within each application and the interconnectivity among the applications. The growth in access rights is increasing exponentially as more capabilities are being introduced with the proliferation of applications, particularly those that are web-enabled. The advent of web services and service-oriented architecture (SOA) is calling into question the very definition of an application. The direction is toward the use of functions or services rather than traditional applications, and this will make the control of access that much more difficult.

In addition to the burden of managing access, the privacy laws and regulations suggest, in effect, that details of use of personal information should be monitored and known at all times for every access or attempted access.²

Monitoring and controlling such a huge amount of activity creates enormously burdensome administrative overhead that can only be handled effectively, even in medium-sized organizations, through sophisticated automation. Unfortunately, such products have been slow in evolving and continue to lag behind the need for a universal product that is easy to implement and run in today’s complex computer and network worlds. Nevertheless, automation is generally the only feasible means of addressing the requirements for control, monitoring and response in the distributed systems and dispersed user environments.

Ensuring that the dictates of privacy laws and regulations are adhered to raises the bar on managing access to personal data. Legacy systems were never designed to provide the granularity needed to ensure compliance with today’s legal and regulatory requirements. To attain the necessary level of control and reporting for such systems, major changes need to be made to current legacy applications, or they need to be replaced. The costs of achieving this for the larger established organizations with
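
An added illustration, not part of the original article: a minimal Python gate that controls access at the function level (view, change, destroy) and records every access or attempted access to personal information, as the IAM section describes. The policy table, class and function names, and the sample record are all constructed for this example.

```python
from datetime import datetime, timezone

# Constructed policy (an assumption, not from the article): the functions each
# subject type may perform on personal data. Anything not listed is denied.
POLICY = {
    "customer": {"view", "change"},   # limited to the customer's own record below
    "employee": {"view"},
    "application": {"view"},
    "contractor": set(),
}

class PersonalDataGate:
    # Single choke point for personal data: decide, record, then act.
    def __init__(self, records):
        self.records = records   # owner_id -> personal data
        self.audit = []          # one entry per access or attempted access

    def access(self, subject_id, subject_type, function, owner_id, value=None):
        allowed = (owner_id in self.records
                   and function in POLICY.get(subject_type, set()))
        if subject_type == "customer" and subject_id != owner_id:
            allowed = False      # customers control only their own information
        # Record before acting, so denied attempts are captured too.
        self.audit.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "subject": subject_id, "type": subject_type,
            "function": function, "owner": owner_id, "allowed": allowed,
        })
        if not allowed:
            raise PermissionError(f"{subject_id} may not {function} {owner_id}")
        if function == "change":
            self.records[owner_id] = value
        elif function == "destroy":
            del self.records[owner_id]
        return self.records.get(owner_id)

    def usage_report(self, owner_id):
        # Every access and attempted access to one person's information.
        return [e for e in self.audit if e["owner"] == owner_id]

def demo():
    gate = PersonalDataGate({"cust-1": "addr: 1 Main St"})   # constructed sample
    gate.access("cust-1", "customer", "change", "cust-1", "addr: 2 Oak Ave")
    gate.access("emp-7", "employee", "view", "cust-1")
    for attempt in [("emp-7", "employee", "destroy"), ("ctr-3", "contractor", "view")]:
        try:
            gate.access(*attempt, "cust-1")
        except PermissionError:
            pass                 # denied, but already present in the audit trail
    return gate
```

Writing the audit entry before the permission check raises is what makes the report cover attempted as well as successful access.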

