The Shortcut Guide to Understanding Data Protection from Four Critical Perspectives

by Rebecca Herold


Too often, publications about data protection are written in a way that only readers with a deep understanding of information technology (IT) can get value from them. The Shortcut Guide to Understanding Data Protection from Four Critical Perspectives is written to serve as a "Rosetta Stone" of data protection for all levels of corporate staff. Each chapter explains the importance of data protection in terms that four major roles throughout the enterprise, spanning from executive to IT, will understand. The target audiences include 1) corporate business leaders (CxOs, legal counsel, and other roles with holistic business responsibility), 2) compliance professionals (internal auditors, privacy officers, compliance officers, etc.), 3) IT operations (technology architects, engineers, programmers, and others involved with implementation issues), and 4) security personnel (staff responsible for all aspects of information security and safeguards, including technologies and related options).


Chapter 1: What Corporate Business Leaders Need to Know About Data Protection

Chapter 1 explains why executive leaders must be concerned and take an active role in supporting information protection efforts. It also provides the information that CEOs, CFOs, and all other types of CxOs, in addition to lawyers, must know to help make the best possible decisions for information protection activities.

Chapter 2: What Corporate Compliance Leaders Need to Know About Data Protection

In 2008, I presented a conference session about the need for information security and privacy convergence to a group of compliance officers, none of whom came from an IT or information security background. I described a scenario to show how, even though every requirement on a compliance checklist had been met, a breach could still occur in many different ways. The exercise went over well, with many telling me afterwards that they now saw that data protection went well beyond the scope of what they had always considered.

However, one of the chief compliance officers in attendance came to me and angrily said, "You wasted my time! It's not my role to know all this stuff; it's up to IT and information security to deal with this. As long as the specific compliance items are addressed, I'm doing my job. I'm not going to worry about doing other people's jobs as well!" Whew! I apparently touched a nerve with this individual!

What do you think? Do compliance officers, privacy officers, and internal auditors have responsibilities for data protection activities beyond the specific items on checklists?

Yes, they do. In this chapter, I will provide compelling reasons why such compliance professionals must know and understand data protection issues in order to more successfully perform their job responsibilities.

Chapter 3: How Information Security Leaders Need to Address Data Protection Within the Business Context

A few years ago, in a large financial services organization with around 15 different business units selling different products and services, the marketing folks got what seemed like a great idea to feed people's growing appetite for new technologies. They decided to give a free BlackBerry phone (not nearly as common then as they are now) to every broker who reached a specific sales goal for the upcoming month.

To the marketers' great joy, almost all of the approximately 800 brokers met their goal! Along with the BlackBerrys, the marketers sent instructions describing how the brokers could synchronize their email with this magical and delightful gadget. The instructions advised the brokers not to attempt the synchronization until 9:00am PST on a specified Monday, so that support staff from every time zone would be on hand in case the brokers had problems. Sound like good preplanning?

That Monday came, and mysteriously the response time of a section of the corporate network not only ground to a standstill, but the call center was also flooded with calls, primarily from brokers saying that the synchronization did not work. By all synchronizing at the same moment, the brokers had inadvertently performed a nicely coordinated Denial of Service (DoS) attack.

Chapter 3 offers insight on leading practices organizations need to follow to help ensure an effective privacy program as well as to help demonstrate due diligence.

Chapter 4: What IT Operations Need to Know About Data Protection Implementation

IT leaders, administrators, developers, architects, and others who are the digital information custodians of the enterprise and are responsible for implementing security controls must understand how critical their roles are in ensuring that data protection safeguards are effectively implemented and maintained.

A simple but effective roadmap for IT to follow in addressing important IT data protection requirements includes the following steps:

1. Identify IT security and privacy risks
2. Identify common data protection compliance requirements
3. Map the compliance requirements to the risks
4. Establish systems and applications controls
5. Monitor, manage, and update the IT data protection practices

The final chapter of this eBook discusses these five steps in depth, along with real case studies and key IT data protection deployment activities that will result in a much more secure digital enterprise.