While we are so busy concentrating on our own security structures (You are, aren't you?) how do we make sure that our partners are protecting our data?
There are several places where this is important
- The obvious first one: you give your credit card information to someone. What they can and can't do with it is governed by a standard made by the credit card companies. It is called PCI compliance. It seems most companies don't abide by the rules but the fact is that the rules have been very well designed and slowly, hopefully, companies will abide by them. The nice thing is that PCI complience is worked out already. You don't have to worry. You should as a matter of principal make sure that a company is PCI compliant. I think it would be a good idea for the credit card guys (visa, mastercard, etc) to actually promote PCI compliance as a marketing tool for companies to diplay proudly on their websites and in their stores.
- You fill in a form, any form, anywhere, online or offline. This is your personal, private information and you should be aware exactly what happens with it. If you have to give the information across for some law such as the ones preventing money laundering, you don't want that form going to the company's marketing department. ("You are a treasured customer of ours, do you want to be the first to use our new services...?") You also don't want it put into a dustbin and used by anyone who finds it in the street. '
- You are trusted with someone's details and have to send them to a 3rd party. If something happens to the details - its you to blame.
The PCI standard came out of a need to protect data but there should be a broader standard for all types of data allowing us to make spot decisions on who to trust and who not to trust with our data.
And, taking an observation from Andy but broadening it: the specification of how data is looked after should be more specific than a framework. A framework is fine for protecting your own data, but other people should be able to judge exactly how you treat their data.
But, on the other hand, you don't exactly want to go around to every company that you deal with (perhaps all over the world) investigating in minute detail exactly what methods they use to protect their network and data. You can't be expected to watch that none of their staff take their laptops home etc.
You shouldn't even be expected to take a look at their policies.
You should just want to be able to see a logo that says "we are secure up to the level 3 of the "3rd party information control standard (3pics)". This should be good enough for a bank but a video shop may be able to get away with level 2 and a doctor should have level 4.
By the way, I made up 3pics because, as far as I can see, there is no widely accepted standard with clearly defined levels that the man in the street can trust and be used to (except PCI and that is for credit card information only). But shouldn't there be? Wouldn't it be nice to be able to trust that a company you are about to deal with is going to treat your information the same way you do?
Rebecca's PDF document (linked to above) goes into great detail about how one can manage personal information that is given to 3rd parties but it is a lot of work and is fine for companies who have few partners but when there are many partners it would be nice to be able to just check their "3pics" compliance level and start dealing with them.
In case you argue that it is possible already using ISO, SOX etc, then read what Andy said in his article about how they are just frameworks and not generally accepted standards.
What we need is someone (who me? I'm too busy ;) to create a(n auditable) standard with a few levels that are easy to understand and implement. And for companies to use the standard and brag about their level of security.
I think part of my thinking comes from discovering this week (but not being rich enough to follow through with actually buying and reading) a book by Stephen Covey (Jnr) about how once trust is established, business can proceed quickly. It is up to us as the public to demand that companies show how they can be trusted with our private information. It is up to us Information Security specialists to make it easy for them to do it.
1 comment:
Brother Allen, :)
Good post and I agree that something such as this would be a great idea. The only problem that I see with it is that of enforcement. Many of the regulations that we have in the US are not enforced (HIPAA) and those that are enforced are only done so in a very small number of cases. SOX scares the C level so they push it to stay out of jail. PCI scares the CFO because of the potential financial ramifications, but we still are waiting to see just how much bite it has.
A standard that has no real way to enforce it or any real way to punish non-enforcement will not be followed.
In my opinion this should be a non-issue. Companies should be protecting this data just as a normal part of business because it is the right thing to do. I know this isn't reality, but it's nice to dream. :)
Thanks for the great insight and keep up the good work.
Post a Comment