The board and CEO should integrate policies, processes and countermeasures
into a unified approach covering physical security, information
security, information privacy, fraud detection, a means for employees to
report issues, and ethics training.
Keeping the Kimono Closed: Data Privacy
If there was a hit parade of IT GRC issues, data privacy would top the charts.
It has become a hot area for government regulation and has received an
immense amount of media attention, which means it is being considered
beyond business circles and is generally out in the public consciousness. In
fact, public awareness of the risk of identity theft has sparked increased use
of shredders at home, firewalls on personal computers, and a whole
host of other countermeasures to protect private information.
Public policy setters, being the keen observers that they are, have been busy
looking for ways to enforce the public’s wish that government agencies,
nonprofits, and the business community take steps to protect all forms of
information.
HIPAA (the Health Insurance Portability and Accountability Act) is but one
example of efforts to hold organizations accountable for protecting private
information. Not only does the law protect health information, but billing
information as well. Further, national standards have been set for maintaining
the security of this information, which specify a series of administrative,
technical, and physical security procedures to assure the confidentiality of
health information stored electronically.
HIPAA is but one example of laws requiring organizations to take steps to
assure the integrity of their information systems in order to protect
consumers’ e-mail addresses, Social Security numbers, contact information,
credit card numbers, bank account numbers, and on and on.
With the attention this one issue has received by the media, there is also
a certain amount of corporate peer pressure being applied. Consider for a
moment the hit your brand and reputation would take if it were to become
public knowledge that someone lost a laptop with thousands of credit card
numbers.
Generally speaking, protecting this information has landed on the CIO’s desk
because this role is responsible for and has direct jurisdiction over digital
assets. However, accountability, unlike water, generally flows up, so it is
important for business-side executives and board members to take an active
interest in the measures being taken to secure data.
Chapter 14: IT GRC 275