
Privacy & Information Security - How Are These Different?

posted Oct 14, 2009 11:11 PM by Eddie Cox   [ updated Oct 31, 2010 12:25 PM by Michael Cox ]
Privacy is strategic - information security is tactical

Privacy is strategic in nature.  Its primary objective is to develop the organizational strategy for protecting sensitive personal information.  That includes ensuring the "appropriate use" of personal information, where appropriate use is defined by law, public sensitivity, customer preferences, and the circumstances or context in which the information was collected.  In an age of information marketing, this is a complex and rapidly evolving area.  It also means engaging executives in developing and supporting that strategy, and that executive support is critical to establishing information security solidly across the enterprise.

Laws, regulations and standards cannot keep pace with the information age, the Internet, new technologies, or the attackers.  Shifts in public sensitivity must be anticipated.  The organizational strategy for protecting this information, including its appropriate use, should therefore be forward-looking in order to mitigate organizational liability.  Following a particular standard, or a set of standards, does not by itself eliminate that liability: Hannaford Bros., a large regional supermarket chain in the northeastern U.S., had been certified PCI compliant and nonetheless suffered a major breach of payment card data.

As a complement to privacy, information security is tactical in nature and addresses three objectives: the confidentiality, integrity and availability of information.  Information security generally follows a single standard, such as ISO 17799 (since renumbered as ISO/IEC 27002), or a set of best practices drawn from several standards.

Privacy and information security professionals must therefore work together to protect sensitive customer information, both strategically and tactically.  An organization can have information security without privacy (appropriate use).  It cannot, however, have privacy without information security, because a privacy commitment is only as good as the tactical controls that implement it.

Lastly, each discipline has scope the other does not share.  Information security is not concerned with the appropriate use of sensitive personal information.  Privacy is not concerned with the availability of information, and is concerned with its integrity only where the information is used in decisions about the customer.

Michael Cox, CIPP
President, SoCal Privacy Consultants