
A Lesson in IT Security, Information Privacy, and Pandemic Preparedness

Posted by Buck Kulkarni on 18 Aug 2014

IT Security

Coders didn’t think consciously about IT security when writing for mainframe computers or even early PCs. The common thinking was that such systems were secure by default, largely because they were isolated: reaching them meant getting into the building or the machine room first.

Two developments turned this on its head over the last 15 years. The web became the principal conduit for applications, and software that once ran behind closed doors was suddenly reachable by almost anyone anywhere in the world. This was great for businesses and for the customers and partners they wanted to reach, and even better for attackers, who recognized the potential to profit with almost no risk or barriers. In response to these threats, governments and industry bodies stepped in. With good intent, they wrote many regulations and best practices to improve security and make the world a safer place.

While no one denies the good intentions behind these regulations, they can be difficult for businesses to navigate. Regulations come from different departments of the federal government as well as from state and local governments. Add the requirements of foreign governments and self-regulation by industry bodies to this mosaic, and the landscape becomes quite complicated.

Here’s a shortlist of major regulations to consider. There are many more, but this list provides a snapshot of the complexity and effort required to comply:

Alacriti’s customers hail from some of the most heavily regulated industries including financial services, insurance, healthcare, and utilities. As their partner in information capture, processing, storage, and transmission, our clients expect us to build systems and services that are in full compliance with these regulations. We are often a party to their internal/external audits and examinations, and we are committed to staying at the forefront as the regulatory landscape continues to evolve.

Information Security and Information Privacy

As organizations develop responses to risk and security challenges, as well as regulatory compliance, they and their clients/partners sometimes face ambiguity over information security and information privacy. After all, if you have secured information it should automatically be private too, right?

Well, yes and no. Let’s look at common scenarios that unfold in every organization.

Say you have the credit card details or social security numbers of your employees or customers lying on a table or open on a computer screen, but no one looks at it. Is this a security problem or a privacy problem?

Then say that someone looks at it but doesn’t misuse it. Is this a security problem or a privacy problem?

Now say that an employee copies this information and walks away without detection but doesn’t misuse it. Is this a security breach or a privacy breach?

And then say an employee finds a buyer for this information but we don’t know what the buyer does with that data. Is this a security breach or a privacy breach?

And finally, say that professional hackers break into your system and steal data. This is what we most easily understand as both a security breach and a privacy breach.

A security breach may or may not result in a privacy breach. Say someone steals data from your system, but you had taken precautions such as encrypting the crucial fields (credit card numbers, social security numbers, etc.) with keys held outside the database, or splitting records into pieces stored in separate places so that a thief who gets one store cannot reassemble them. Thanks to these measures, the hacker has your data but cannot read or use it. This scenario is a security breach but not a privacy breach. The distinction holds only as long as the keys (or the other pieces) were not taken too: if the key sat next to the data, the thief has both, and the privacy breach follows.
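As an added illustration of the encrypted-field case above (example code written for this page, not Alacriti’s own), the Go program below stores a social security number as AES-256-GCM ciphertext and then models two thefts: one where only the database rows are taken, and one where the key was kept beside the data and taken with it. It assumes the key lives in a separate key service (represented here by a variable the attacker does not get), and the customer ID and SSN are constructed sample values, not real data.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// StoredRecord is the row as it sits in the application database. The SSN is
// held only as ciphertext; the key that unlocks it is deliberately not a field.
type StoredRecord struct {
	CustomerID string
	Name       string
	SSNCipher  []byte // nonce || AES-256-GCM ciphertext+tag
}

// NewDataKey returns a fresh 256-bit key. Assumption for this example: in
// production it is generated and held by a separate key service, never in the DB.
func NewDataKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptField seals one sensitive value. The customer ID is bound as
// associated data, so a ciphertext copied onto another customer's row
// will not decrypt in that context.
func EncryptField(key []byte, plaintext, customerID string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, []byte(plaintext), []byte(customerID)), nil
}

// DecryptField is the only path back to plaintext; it fails closed on a wrong
// key, a tampered blob or a mismatched customer ID.
func DecryptField(key, blob []byte, customerID string) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	if len(blob) < gcm.NonceSize() {
		return "", errors.New("ciphertext too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	pt, err := gcm.Open(nil, nonce, ct, []byte(customerID))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// ExposesPlaintext models what a thief learns from the stolen rows alone:
// true if any row still carries the secret in the clear.
func ExposesPlaintext(rows []StoredRecord, secret string) bool {
	for _, r := range rows {
		if bytes.Contains(r.SSNCipher, []byte(secret)) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample data, not real customer information.
	key, err := NewDataKey()
	if err != nil {
		panic(err)
	}
	ssn := "123-45-6789"
	blob, err := EncryptField(key, ssn, "cust-1001")
	if err != nil {
		panic(err)
	}
	rows := []StoredRecord{{CustomerID: "cust-1001", Name: "A. Example", SSNCipher: blob}}

	// Theft 1: the table is dumped, the key service is not. Security breach only.
	fmt.Println("dump exposes SSN:", ExposesPlaintext(rows, ssn))
	guess, _ := NewDataKey() // any key other than the real one
	_, err = DecryptField(guess, rows[0].SSNCipher, "cust-1001")
	fmt.Println("decrypt without the real key:", err)

	// Theft 2: the key was stored beside the data and taken with it. Privacy breach.
	pt, _ := DecryptField(key, rows[0].SSNCipher, "cust-1001")
	fmt.Println("decrypt with the real key:", pt)
}
```

The associated-data binding is the detail most field-encryption schemes skip: without it, an insider can swap one customer’s encrypted SSN onto a record they are allowed to view and have the application decrypt it for them.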

A privacy breach can be more difficult to grasp. If an employee with no business need to see it casually looks at a piece of paper lying on a desk or an open document on a computer screen and sees sensitive information, then you have a privacy breach, even though no technical control was defeated.

It’s imperative to make employees aware of what constitutes private, personally identifiable, or protected information. It’s also imperative to create a culture where employees are continuously aware of the data an organization stores, what is expected of them, and what constitutes a breach.

Security can be centralized in the hands of a few, but privacy is everyone’s concern.

Pandemic Preparedness for Business Organizations

Every few years, a global health-related event brings pandemic preparedness to the forefront. And after some time, it recedes from peoples’ memories only to be revived by a future episode. In response, Alacriti developed a robust preparedness capability in the event of a pandemic. Here are four parameters of our framework to help other organizations build their approach.

  1. Pandemic Event Definition

Which events do you declare a pandemic? For example, you may determine that if 40% of your employees are not available to work (whether physically on-site or remote) for more than nine consecutive workdays, it is a pandemic event. Of course, you can tweak the parameters to specific situations, but all stakeholders must have a common understanding of what constitutes a pandemic.

  2. Incorporation with Incident Management Policy

A pandemic event could logically be considered an extension of incident management. Your typical incident management policy identifies people on various teams that respond to an incident. A pandemic event may mean that the people you identified are not available, so a wider circle may need to be identified for effective incident management.

  3. Multi-Location Approach

A pandemic typically means that many people lose access to their workplace simultaneously. Establishing multiple work locations that are geographically dispersed, so that a single outbreak does not idle all of them at once, is a critical component of pandemic preparedness.

  4. Integration with BCP and DR

Pandemic preparedness should integrate with business continuity plans (BCP) and disaster recovery (DR) and should not be a stand-alone effort. It can be beneficial to fold pandemic scenarios into DR exercises such as switching over from production facilities to DR facilities and then switching back. This establishes that a single location can run the entire operation, which is automatic protection against a pandemic event that disables one physical site.

Each organization’s unique situation will require its own considerations, but an integrated approach can be an efficient and cost-effective way of achieving pandemic preparedness.

*This blog was compiled and edited for clarity in 2019.

Buck Kulkarni, SVP of Governance, Risk & Compliance. Buck leads our Governance, Risk & Regulatory Compliance function to ensure we remain compliant with PCI DSS, HIPAA, HiTrust, SSAE 16, Data Privacy, and other regulations our clients care about. He and his team continuously invest in improving our risk and security posture to provide peace of mind to our clients and use best practices to keep Alacriti on the cutting edge of risk and security management.