
8 Privacy Steps To Keep "Pirates" Away From Your Firm's "Crown Jewels"

IBM

By Cindy E. Compert, IBM

The best practices of data privacy are similar to playing the children’s game, “Treasure Hunt.”

Imagine yourself in an exotic tropical paradise. Your goal is to find and guard a cache of valuable buried treasure. Pirates from other lands far and wide are swarming the area, and they want that treasure as badly as you do. The rules require you to build your team carefully because you’ll need people to fill a variety of roles, such as navigator, interpreter and defender. The pirates are also collaborating, and they are increasingly crafty.

Here are eight data privacy practices to help you find and guard your company's “crown jewels:”

  1. Learn the Language: Learn privacy terms and use simple technology language. Your board of directors is not made up of cryptography experts. This handy glossary of privacy terms from the International Association of Privacy Professionals will help you in your quest.
  2. Know and Share the Rules: In these situations, the rules are privacy fundamentals. They include what qualifies as personally identifiable information (PII), how the organization defines PII, your group’s privacy policies and notices, and privacy program operations.
  3. Be Prepared: Buying what you need at the last minute will be more expensive and make your goals more difficult to accomplish. Legendary UCLA Basketball Coach John Wooden once said, “If you don't have time to do it right, when will you have the time to do it over?” Often, privacy and security controls are treated as an afterthought, resulting in higher costs and implementation complexity. Consider adopting Privacy by Design principles.
  4. Have a Treasure Map: As Yogi Berra said, “If you don’t know where you are going, you may end up someplace else.” Learn how to secure your company’s “crown jewels” and take advantage of a critical data protection program to help you get where you’re going faster.
  5. Don’t Be Invasive: During the game, you don’t want a friend eavesdropping on strategic conversations or standing too close while you count your gold. The same applies to privacy: Just because you can collect personal information doesn’t mean you should. There are plenty of recent news examples of privacy ethics and the implications of actions that, while legal, often overstep the bounds of what is considered ethical. Being invasive could cost you not just friends, but also customers.
  6. Protect Your Treasure: Take a risk management approach to identifying the security controls you need based on an asset’s risk level and value. Consider data activity monitoring. At the same time, data encryption can hide your treasure. Use identity governance, along with identity and access management controls, to ensure only those who are authorized have the credentials to access those applications and data.
  7. Ensure the Rulers are Informed: In privacy, it is critical to collaborate and seek advice from the privacy office, the legal and compliance teams, lines of business, IT and security groups. These decision makers need to guide you not only on privacy policies, but also to understand the implications of your recommendations and make sure the controls you suggest do not interfere with business goals.
  8. Keep Score: The most effective privacy-focused organizations assign accountability by subject area or business function, and design metrics to track a program's effectiveness. Some even require senior executive sign-off on privacy compliance.

Security intelligence can provide a powerful view of the big picture, tying together all aspects of your privacy infrastructure and identifying security risks in real time so you can detect and prevent breaches. You can also stay up-to-date via the X-Force Threat Intelligence Quarterly.

Cindy E. Compert is the CTO for Data Privacy for IBM Security.

A version of this blog appeared on IBM's Security Intelligence blog on May 7, 2015.
