Privacy Versus Security: How Government Leadership can Strike the Right Balance
As a continuation of Makpar C4C series (Cybersecurity for C-Suite), this blog post is to provide federal government C-suite executives with the right insight to make the pressing business decisions they are faced with.
Balance is key.
This is not a technical article. Rather, in this blog, we are interested in exploring the criteria that makes good governance and policy on privacy protection*. Our goal here is to guiding decision-makers in the following three key areas:
IDENTIFY the key governance principles to consider in creating privacy laws
IDENTIFY the key policies needed to protect data privacy
Know how to BALANCE privacy and security
*Note: The advice in this article is focused on personal information (PI, PII), as opposed to contracts, Intellectual Property and other non-personal assets.
1). IDENTIFY the Key Governance Principles to Consider in Creating Privacy Laws
Governance for the purposes of this article is defined as how the agency is managed in the context of the business, particularly with the demands of meeting compliance obligations. At the same time, always keeping in mind the aim of creating long term mission success.
What to Consider:
Consider data privacy as job no. 1 in the organization. Data in the cloud is also your responsibility. A breach will result in financial loss and worse, loss of customer trust. Therefore, the first data governance principles should state how data is collected, used and stored.
Cloud first approach. Cloud security has come a long way and is cheaper and more effective than most onsite installations.
Know that insider threats are as lethal as outside attacks.
Protect data in transit and at rest and do so at all layers of the infrastructure.
Leadership should audit all data assets and mandate the classification of all data assets based on sensitivity, PI and PII including.
Identify key compliance requirements for your business, align with strategic business plans.
For medium and larger agencies, identify a Data Privacy Office/Officer.
Develop key decisions involving budget – for example, ensure that data is not only backed up and stored to ensure clean copies are available (worst case). Conversely, better data should be replicated and “stored” should one instance be found to be corrupted and/or tampered. This could be a significant cost that leadership needs to budget for based on the mission.
Budget for Data Privacy in relation to human capital and technology know-how as a service (Consultants on demand, and/or consumed as-a-service), rather than depending on internal IT (or a cloud vendor) alone.
Adopt the appropriate NIST 800-53 and 800-37 frameworks at a minimum.
Governance should consider the shared security model if assets are on cloud platforms. Porting in-house specific governance to the cloud is a start. However, the cloud requires nuances when it comes to authentication, monitoring, compliance and securing of data privacy for which an organization needs to understand its responsibilities versus the vendor/cloud provider responsibilities.
Have a long-term vision. Governance in terms of achieving short term objectives always typically fail. A data privacy and security vision is the most important aspect of Governance in this context.
2) IDENTIFY the Key Policies Needed to Protect Data Privacy
Policies in the context of this article are the high-level guidelines for the agency across the board. For example, all policies should be based on a comprehensive data-driven risk analysis.
What to Consider:
Anticipate a breach – it is only a matter of time before a data privacy breach occurs. Policy therefore should state how the organization will react.
Patching – the most important and biggest bang for the buck is patching known vulnerabilities – often and surprisingly neglected. Hence the 1st Policy is to dictate a very clear directive in regard to its priority. Open-source software/libraries make up to 70% of systems, and therefore patching a difficult yet critical activity.
Monitor and log privacy related activities efficiently – have the people, tools, and operational processes in place to do so.
Implement “least privilege” and separation of duties.
Have the capacity and processes (including change control) to make incremental changes to improve privacy while managing the delicate balance with security.
Require a Traceability Architecture (ala AWS), which includes monitoring, alerting, and logging at each layer and area of the network.
Ensure leadership buy-in and participation to support data privacy as a critical on-going effort. This means leadership engagement and delegation without abdication of responsibility to others including CSO, CISO.
As with Governance, policies should consider and adapt to a shared security model when it comes to cloud.
Policies should consider archived data, in most instances vast amounts often forgotten and prone to attack.
3) How to BALANCE Privacy and Security
In general, while there is a tradeoff, it is possible to have both privacy and security, without compromising either. Although there are genuine differences, security is related to physical and technical solutioning, and privacy is about good governance and custodianship of rights as individuals.
“The crux of data security is that even if one has the right access to data, there has to be controls driven by policies to ensure limits to what this person can do with the data.”
Data privacy related attacks are not so different from other types of cyber-attacks. They occur over time, where attackers typically start by doing port scans, RDP brute force attempts, and gradually they gain access to basic accounts. From there, they try to graduate to the admin accounts before they hit their targets – in this case PI data exfiltration. Therefore, executives need to plan for the long-haul monitoring and managing of privacy related threats.
As a C-Suite executive, you should focus on the following key areas in order to meet requirements while maintaining balance:
Awareness and training – senior executives need to rigorously champion awareness and training session related to data privacy and security on a continuous basis, and further emphasize training on efficiently (think automation, data driven) collecting, monitoring, responding and of managing compliance related systems.
Have clear visibility of your controls related to compliance – all controls related to privacy and security should be centralized into one central system.
Budget the necessary funds for people resources, and thereafter tools with a strategic objective. A strategic view beyond a typical senior executives’ tenure, in the writer’s opinion a 3 to 5 years view into the future.
Develop and monitor a weekly Privacy Scorecard. This can consist of a handful (2-5) privacy related indicators that you review weekly and take action based on the metric not meeting a desired threshold and/or range. Some suggested metrics to capture: Regulatory metric, a Compliance metric, a Privacy Event vs Privacy Incident proportion metric. This will be your Privacy Dashboard, real-time, and data driven indicators that serves as an early warning mechanism.
The above is a checklist to get you started in the right direction. Your success will ultimately depend on assembling the most experienced team, well versed on relevant FISMA, and NIST guidelines, those who will help you mitigate privacy related risks via a data driven approach.
Makpar offers a wide-range of educational content to provide federal agency leaders with all of the strategic tools and insights they need to develop the strongest possible cybersecurity postures today – and into the future. Click here to access our comprehensive library of cyber-related content.
The Makpar Innovation Lab also continually introduces new products and services for our government clients through testing and development of the latest emerging technologies – including new tools for better capturing and cataloging of data. Learn more here.
Finally, Makpar’s highly skilled and certified cybersecurity experts understand the technology and methodologies required to preserve the Confidentiality, Integrity, and Availability of information in all computing environments. Please click here to learn more.