 |
 |
|---|
 |
 |
 |
 |
 |
 |
 |
 |
 |
 |
 |
|
|
||
|
An Effective Compromise Between Security and Privacy
The Challenges of Today Demand That We as Individuals, Businesses and Governments Get It Right “We the people of the United States, in order to form a more perfect union, establish justice, insure domestic tranquility, provide for the common defense, promote the general welfare, and secure the blessings of liberty to ourselves and our posterity, do ordain and establish this Constitution for the United States of America." Though it was authored over two hundred years ago, possibly no other statement in our Nation’s history articulates the delicate balance between the citizens’ need for security and their right to privacy than the Preamble to the Constitution. This document establishes both the fundamental principle that only the people can provide our government with its inherent power and also the principle that only individuals can decide which of our freedoms to either maintain or to eliminate in order to realize the security promised by government. During America's long history, that balance between security and privacy has often been altered and reestablished, particularly in times of national emergency. Does this centuries old debate sound familiar? It should. As we as a nation of individuals pursue ever more vigilance in order to guarantee our rights to security against cyber terrorists and bioterrorists alike, we must also be conscious, at the same time, of maintaining our rights of privacy. It always seems necessary for Americans to give up a measure of privacy to combat threats to security and freedom. In exchange, citizens have the right to demand that governments follow three principles. First, specific liberties may be temporarily, but not permanently, surrendered. Second, increased surveillance must be monitored by the courts and documented. Finally, individuals must have access to all their personal data. Technology is the primary tool used by both the public and private sectors to combat threats to our freedom. Security providers at all levels utilize sophisticated databases - police networks, intelligence agency files, and, at times, those of private corporations, such as airlines or credit card companies. Security firms can also provide the most advanced intrusion detection and network testing devices, as well as forensic software. Both public and private security providers are currently pursuing biometrics and facial-recognition software, as well as other “cutting edge” video graphic technology and equipment to monitor movement. They require increased powers to use their software to monitor digital communications via e-mail, cell phones, and personal digital assistants. There is growing pressure for "smart" national ID cards. Individuals are, as a result of this increased vigilance to secure our way of life, being asked to give up freedoms in the name of security. Most Americans support these initiatives. A recent Harris Poll shows that 86% favor wider use of facial surveillance, 81% want closer monitoring of bank and credit-card transactions, and 68% support a national ID card. In the interest of a fair and balanced exchange of security and privacy rights, it is reasonable to assume that only a minimum of personal data will be monitored: perhaps name, address, fingerprint, blood type, U.S. citizenship, immigration status, country of origin, and visa status. For a nation of individuals incredibly protective of their rights and liberties, the polls reflect a dramatic showing of trust in the way we provide security. Just a year ago, polls showed Americans worried about commercial encroachments on their privacy, from data marketing companies to credit bureaus. They still are worried but appear to trust security providers at all levels to maintain the right balance in any time of emergency. Security providers must not abuse this trust. Rest assured, the people can and will reclaim their rights when their rights are unnecessarily violated, as they have time and time again. Concurrent with the advent of the information revolution and the rise of the Internet and computers over the past ten years, people have had a myriad of concerns about privacy and security, but mostly they’ve been focusing on keeping their personal information secure. They were worried about losing their privacy to the prying eyes of government, or to businesses, or to hackers looking to steal their information. As of September 11th, all of a sudden, we’ve all been reminded of our own mortality. And now, people’s security concerns are focused on how we keep ourselves safe, our homes safe and our loved ones safe. Now the whole issue of what trade-offs in our privacy we are willing to make in terms of keeping ourselves secure has taken on an entirely new kind of urgency. Given this historical backdrop, the resultant debate in corporate America concerning the relative value of security and privacy affects every business to some extent. While it seems very clear that security of computer systems, customer information, e-mail, communications, and physical facilities is a top priority for businesses, it also seems clear that the struggle to achieve and maintain a sense of security without sacrificing privacy rights is a dilemma with no clear resolution in sight. The issue is ultimately very complicated, particularly in a global environment where different levels of tolerance and morality regarding privacy, freedoms and job efficiency are the reality. There is a fine balance between monitoring employees and infringing on their legal rights, and employers should place a great deal of significance on how monitoring is implemented. The plain fact of the matter is that the situation gets less clear with every new piece of legislation. Regardless, there are controls and practices, which security consultants and providers should routinely emphasize. This is and always has been the key to providing adequate security without sacrificing individual rights. As an employer one thing is generally clear: it would be very unwise and risky to start monitoring without their employees' knowledge. Clearly documenting and articulating the security objective before any controls are implemented should be treated by organizations as a “best practice”. Employers must be as open as possible about communicating their security parameters. This will ultimately result in a positive development and a step in the right direction, particularly if employees understand the issues and are proactively engaged in the process of protecting their company. Security should be all about communication, and not about infringement of rights. Employers should communicate clearly to their employees what they plan to monitor, why they plan to monitor it, and how they plan to monitor it. Employers should be able to demonstrate that they are monitoring to protect the company from litigation and to protect their business systems. Employers should always publish a clearly stated policy on business activities, set out incident handling procedures with employee representatives, and even consider assigning additional security duties and responsibilities to employees if the size of their company permits it and if it is deemed necessary. Frankly, the risk of not effectively establishing and communicating security parameters is greater in legal costs alone than most businesses would want to incur. But there remain many risks and associated costs that may not be as obvious. What is the risk, let’s say, of not monitoring employee emails, as perceived by most corporations? For one thing, unless it is filtered out, incoming email will waste bandwidth, storage, and user time, and in the case of virus infection, cost companies significantly in lost production or disruption of service. In the case of inappropriate content -- bad jokes, profane remarks and links to unsuitable sites -- the mindset and morale of your employees could very possibly be at risk. The storage or distribution of illicit or pornographic content, depending on its nature, may even be illegal. In the case of outgoing email, most companies would not consider allowing rude jokes, gossip and personal insults to be sent out on correspondence bearing the corporate letterhead. At the same time, ignoring outgoing email using a company's domain name quite likely might be based on the assumption that an email doesn’t qualify as a legal document. This could be a very risky approach indeed. Security should always represent a pact between an organization and its members when implemented correctly. For all new employees, corporations should consider including their documented agreement to specifically stated company monitoring as part of the standard contract of employment. This would also apply to Web browsing. Companies should always be extremely explicit in defining the procedures to be used in the processing of personal or private data. Procedures in this area should be clearly defined and documented by management and “signed off” by employees. Corporations should strike a balance between monitoring and privacy. If an organization does not do an adequate job of assessing this balance, the costs to their overall enterprise could be quite significant. Though employees do tend to routinely accept new security related restrictions and the associated loss of privacy that comes with being monitored, companies still should be quite careful concerning the implementation of these “services”. Security firms that market monitoring and filtering systems should encourage clients to be open with their employees when deploying technological devices of this type. They should also consider installing a screen link, which “spells out” their Internet-use policy whenever employees try to connect to a blocked site, for example. Of course, as with all monitoring and filtering products, it is entirely up to the company concerning their implementation. Companies should also decide whether to allow full access and only look for abusive behavior, or whether they should monitor everyone closely and block access to most sites. One thing, however, that is not debated nearly as much in this security vs. privacy discussion is who would manage these security systems. The clear choice, in most cases, is the company's IT department or network managers, as the case may be. They are generally the organizational resources that have the necessary technical expertise, though larger corporations do have the luxury of hiring specialized security managers and staffs, which almost inevitably triggers a delicate “tight rope” act between the IT and security departments. Clear delineation of duties is essential in increasing the likelihood of a successful and cost effective “mesh” of these two disciplines in businesses today, though frequent and timely input and guidance from a proactive and focused HR staff is also beneficial in this area. The current debate surrounding encryption is probably as good an analogy as any to conclude this discussion about security vs. privacy and how it continues to affect everyone on a daily basis. Encryption is, quite simply, a way to code information so that someone else can’t read it. One of the big controversies that have been prevalent for a number of years now is whether businesses should be able to encrypt their information in ways that the government would not be able to decode it in order to monitor for illicit activity. There has always been a reluctance to allow an extremely resistant form of encryption to be maintained in the mainstream of society. But with our heightened national sense of awareness of terrorist threats, people are beginning to rationalize that if security providers have this sort of ability to get into encrypted messages, it might assist in preventing future security threats. This is precisely the type of issue that we’re faced with in the financial, health care and legal arenas throughout the business world daily. But remember that this article represents an awareness of more than just business concerns. Even individuals suddenly have to worry about the myriad of ways people can penetrate through the network of wires into their homes, “hack” on to their computers, and gain access to information which we’d all like to keep private. Scary? You bet it is. And the problem is not going to go away anytime soon, whether we’re referring to the boardroom or the bedroom. In the meantime, our best course of action seems to be, first and foremost, maintaining an intelligent and reasoned compromise between our security and privacy rights. That translates for most security providers to a clear mandate: be vigilant, but remember to always conform to best practices and common sense. SSC, as a recognized leader in the security industry and an integrated information systems security provider, advocates strongly that businesses, first and foremost, begin to implement security “best practices” with a complete and thorough understanding of their information network and, most importantly, its vulnerabilities. The best way for organizations to gain this knowledge is through a detailed, cost effective and all - inclusive security analysis and risk assessment provided by a qualified, objective and experienced party, complete with recommendations addressing specific security weaknesses. An analysis and assessment of this type should always include implementation of an effective monitoring and audit capability. Secondly, incident response procedures and responsible parties should be clearly defined, reviewed and rehearsed. Lastly, and maybe most importantly, businesses and organizations must clearly document and communicate their security plans and procedures to employees at all levels. Adherenceto these three, straightforward security practices and controls will go a long way toward insuring that a reasonable and effective balance exists between security and privacy, along, of course, with vigilance and common sense. 
|
||
