The field of Information Security is a broad one encompassing twelve domains
according to the ISO 27002 standard. But
the focus of Information Security has become cyber security these days, and
understandably so given the number and frequency of cyber-attacks being
experienced. However, we shouldn’t
forget that information is created from the aggregation and analysis of items
of data. So, ultimately the core
objective of the ISO standards is to secure data.
There are basically two types of data within scope of the
standards: business data and system
data. Business data includes customers
and their data, product data, product and marketing strategies, and
intellectual property. But it also
includes data regarding employees and legal matters (e.g., contracts or lawsuits),
as well as data related to compliance with any applicable regulations. The loss of confidentiality of this data
would seriously impact the ability of a business to operate and jeopardize its
competitive standing.
In contrast, system data identifies the computer technology, both applications
and infrastructure, that enable a business.
These technology components collect, process and store business
data. But they also provide operating
capabilities that deliver products to customers and enable collaboration with
business partners. The loss of
confidentiality of system data would enable malicious parties to shut down business
operations, and/or locate and steal critical business data. Such events would be disastrous and threaten
the ability of a business to continue operation. So, we can see that securing both types of
data is essential.
In the midst of ever-increasing cyber-attacks, there is a growing concern
for data privacy. I attended the Strata
Hadoop Conference (http://strataconf.com/stratany2014) in New
York City earlier this month and much of the Security Track was devoted to
discussion of data privacy. Government
regulations, e.g. the Gramm-Leach-Bliley Act (1999) (GLBA) and the Health
Information Portability and Accountability Act (1996) (HIPAA), have mandated
that those entities holding personally identifiable information in the case of
GLBA, or personal health information in the case of HIPAA, must ensure protection
of the data.
But most people today view the list of regulated data items as being a
slim representation of the data they consider to be personal. We live in a world where large amounts of
data are collected about us daily, including the products we buy
and from whom, the foods we like, the restaurants we patronize, the political
party we support, the list of our friends and family and their contact
information, and on and on. The exact
location of where an individual is now, and where he or she has
been all day, is information that many people consider to be private and not to
be available to anyone with whom they have not explicitly shared it. And when we place our photos in “The Cloud” our
expectation is that no one will see them other than those specifically given
permission to do so. And, by the way,
software that can recognize my face in other people’s photos and create a link
between us is not a particularly desirable thing.
As you can see, individuals’ expectations of privacy greatly complicate
the data privacy challenge. Over the
next several months I will explore the data privacy challenge and discuss approaches
to risk mitigation and control.