In A CISOs Guide to Principles of Data Privacy and Security, David Sheidlower, CISO of an international media and advertising firm, examines the key issues surrounding data privacy and security. The eBook is publicly available on Security Current.
The Guide addresses privacy policies, Big Data, consent, governance, and security. In the introduction, Sheidlower quotes Ed Mierzwinski, consumer program director at the U.S. Public Interest Research Group (USPIRG): “There should be no secret databases. That’s a basic rule of privacy practices. Consumers should know that information is being collected about them.”
Sheidlower said he was struck by Mierzwinski’s assumption that people are even aware there are “basic rules” or privacy practices. The eBook examines five privacy principles in depth.
“The fundamental principles of privacy and security continue to evolve. I’ve tried to look into each of them from the consent process, which most people find problematic, to the need for a framework for data protection, which is where an organization’s security program comes in,” Sheidlower told Security Current. Sheidlower’s A CISOs Guide… is the first book in the Security Current eBook series.
Let’s take a look at the Table of Contents and a sentence or two from each chapter:
- Privacy Policies: Would You Give Customer Data to the Government?
  “Notice,” which is the first of the principles of data privacy and security, is to make sure there are no misunderstandings.
- I Am Not a Number; I Am a Bunch of Numbers
  To fully understand what a given notice is telling you, you need to identify who is performing each of these roles. For the information security professional to ensure data confidentiality and integrity, understanding these roles is crucial.
- Consent: The Part of ‘Yes’ that We Don’t Necessarily Understand
  Consent forms tell you that you control the use, disclosure, and collection of data about you except in certain circumstances.
- Being Data: The Principle of Participation
  Who “owns” the data? It doesn’t matter. What matters is the rights and responsibilities of each entity in the collection, disclosure, and use of the data.
- Not Like the Others
  Security is not a single transaction. In fact, when it is done successfully, the subjects and users of the data should not even be aware of most security controls.
- Security, Where Myths Should Go to Die
  The security function in an organization debunks myths regularly, or it risks colossal failure.
- Coming Clean: Data Privacy and Security
  Fostering a corporate culture where data protection is seen as a core competency will do more to ensure that employees “play by the rules” than fear of getting caught and fined.
The examples presented in each chapter are straightforward and familiar. CISOs concerned about how their organizations handle data collection and use should take a look at A CISOs Guide to Principles of Data Privacy and Security—it’s a quick read.