The Data

Computer data: who owns it, the organization or the customer? Executive management is responsible for the oversight of information systems and data. The data held in those computers can be a mix of organization-owned information and information obtained from external sources such as its customers. When a security breach occurs, who owns the data and whose information has been compromised? Is it the organization's or the customer's information? When an organization's proprietary information (e.g. financials, intellectual property, etc.) has been compromised, it is the organization's data. When a customer's personally identifiable information (PII) has been disclosed to unauthorized parties, it is the customer's data.
The Bank Vault

Executive management should view their information systems as a bank vault in which the organization is the custodian of customer data. The organization does not own customer data: the customers own their data, and the organization is only its custodian.

As a custodian, it is the organization's role to hold the customer data in safekeeping. Safekeeping and privacy compliance obligations include minimizing the risk of theft or loss, whether the information is in physical or electronic form.

As a result of the increase in the number of data breaches, various laws and regulations have been enacted to protect the privacy of individuals and their information. Prior to these privacy compliance requirements, many organizations were not allocating sufficient resources to protect customer data. Information collected was shared with outside parties, and the customer was never informed.
Security Controls

Since information systems face a variety of risks (e.g. compliance risks, unauthorized access, etc.), executive management should perform a risk assessment to identify their assets and the threats to those assets. Once the assets and threats have been identified, preventive, detective, and corrective controls are implemented to mitigate and reduce the risks.

Once your organization's controls are in place, contact a Certified Auditor to review your controls for sufficiency and effectiveness.