UNCW MSA 516 - Evaluating Privacy Controls
Evaluating Privacy Controls
By Sean M. Price, CISA, CISSP

ISACA Journal Online, © 2008 ISACA. All rights reserved. www.isaca.org

Privacy breaches are a regular occurrence, as is evident in popular media.[1] A more disturbing thought arises when considering the number of privacy breaches that are unknown or are not reported.[2] Reported breaches typically involve lost media, unauthorized access by outsiders or inappropriate access by insiders. These types of exposures subject an organization to disincentives such as loss of customer confidence, governmental fines and perhaps cost associated with credit monitoring services for affected individuals. A system that is regularly audited by a nonbiased party may reveal weaknesses prior to an actual breach. System auditors have within their power and ability opportunities to discover security control weaknesses that affect privacy information. This article proposes a methodology by which an auditor can evaluate privacy controls to determine any relevant shortcomings that might impact the confidentiality of privacy information.

Organizations have sufficient incentive to implement the necessary controls to reduce the likelihood of abusive access to privacy information. Governments from around the world are instituting laws and regulations that require organizations to protect privacy information from exposure.[3] Those organizations that fail to protect privacy information are reported frequently in the media and may face a loss of public image due to the exposure. Similarly, the result of an acknowledged breach may allow affected parties the right to conduct litigation against the organization. The costs of implementing security controls that can mitigate attempts to breach privacy are more than likely less than government, image or litigation penalties realized from a breach. A system auditor can leverage these disincentives when reporting weaknesses in controls used to protect privacy information.

An important aspect in evaluating privacy controls is to determine what requirements are specified. These can be gathered from applicable laws, regulations and organizational policies supported by documented procedures. These types of requirements form the basis of the security controls that must be implemented. Unfortunately, these sources of requirement may be ambiguous or outdated, given current threats. In such cases, the auditor should consider the ramifications of weak requirements—those insufficient in specifying the necessary privacy controls. Although this may be against the grain of routine checklist auditing, the willingness to step up and identify policy weaknesses supports privacy and security issues in the long run.[4]

Methodology

It is recommended that a system auditor follow a regimented methodology when reviewing privacy controls. Following a methodology that documents the test conducted, expected result and actual result provides repeatability for those that rely upon the results. This significantly adds to confidence and reliability of the testing conducted and the evaluation of the results. Auditors are advised to consider the management, operational and technical controls of a system when evaluating privacy controls. This article recommends following an evaluation methodology that uses interviews, document reviews, process examination and technical testing of privacy controls. The chosen methodology should focus on the evaluation of the directive, preventive and detective controls used to protect privacy information. A comprehensive presentation of these control types is available in the Official (ISC)² Guide to the CISSP CBK.[5]

Directive Controls

The promulgation of policies and procedures that specify handling caveats for privacy information is the first line of defense against a privacy breach. Researchers have identified the importance of policy development, comprehension and automation.[6] In this regard, directive controls are used to guide insiders on the appropriate handling methods required to protect the information from unauthorized exposure. Through the use of policy, training and performance evaluations, insiders have sufficient awareness that casual, yet inappropriate, access is not permitted.

• Policy—This establishes the baseline for appropriate handling and protection measures for privacy information. Organizational policy should explicitly identify information types that need to be protected from unauthorized disclosure. It should further specify appropriate and inappropriate types of access to privacy information. The following steps should be taken:
  – What constitutes privacy information is defined explicitly.
  – Authorized methods of handling privacy information are addressed.
  – The various roles of those with authorized access to the information are identified.
  – Actions required in the event of a privacy breach are identified.

• Procedures—Insiders should have explicit written guidance detailing the processes and procedures used to appropriately handle privacy information and reporting of suspected compromises. The guidance should have qualities which can be implemented and easily understood. Procedures should specify these aspects:
  – Applications authorized to process privacy information
  – Acceptable storage locations and media
  – Proper transmission methods
  – Additional protection measures, as applicable
  – A protocol for validating requestor access to privacy information
  – Detailed processes used to investigate and report a suspected or actual privacy breach
  – Procedures that address all areas specified in the policy

• Configuration guides—Operating systems and applications used to process privacy information provide an opportunity to enforce organizational policy electronically. Security configurations supporting the policy should be explicitly documented, including:
  – Operating system configurations
  – Application configuration guidance

• Training—Individuals with authorized access to privacy information should be trained regularly regarding the applicable policies and procedures. The training should supply the necessary skill set an individual needs to make appropriate judgments regarding the processing, storage and transmission of privacy information. The documented training material:
  – Covers policies and procedures
  – Focuses on the roles appropriate for the trainee
  – Is conducted periodically
  – Provides trainer and trainee with acknowledgment that the training