Protecting Customer Privacy Information
The public media regularly reveals exposure and misuse of customer or employee privacy information. Unreported occurrences are likely to be at least as common, and as disturbing, as those reported. The reported occurrences commonly include lost media, unauthorized access by outsiders, or inappropriate access by insiders. When such exposures are made public the affected organization is often penalized through economic disincentives such as loss of customer confidence affecting sales, government fines, and costly credit monitoring. However, an organization can reduce or mitigate the likelihood of abusive access to privacy information by implementing appropriate security controls that are directive, preventative, and detective.
Organizations have sufficient incentive to implement the necessary controls to reduce the likelihood of abusive access to privacy information. Governments around the world have instituted laws and regulations that require organizations to protect privacy information from exposure. Organizations that fail to protect privacy information are frequently reported in the media and may suffer a loss of public image due to the exposure. Similarly, an acknowledged breach may give affected parties the right to litigate against the organization. The costs of implementing security controls that can mitigate attempts to breach privacy are most likely less than the government, image, or litigation penalties that would otherwise be realized.
The first line of defense against a privacy breach is the use of directive controls. These controls seek to provide a disincentive for insiders who might abuse their rights or access to privacy information by informing them of what is and is not appropriate activity. Through the appropriate use of policy, training, performance evaluations, and data access acknowledgements, insiders gain sufficient awareness that casual inappropriate access is deterred.
- Policy—Organizational policy should explicitly identify information types which need to be protected from unauthorized disclosure. It should further specify appropriate and inappropriate types of access to privacy information.
- Procedures—Detailed processes and procedures should be documented which provide sufficient guidance for insider access to privacy information. Procedures should contain explicit detail which leaves no doubt as to the processes which must be followed when processing, storing, or transmitting privacy information.
- Training—Those afforded access to privacy information should have regular training and awareness regarding the policies and procedures for proper handling. Records should be kept of those trained. Ideally, employees will acknowledge receipt of the training and that they understand and agree to abide by the policies and procedures promulgated to protect privacy information.
- Performance Evaluation—Employee and subcontractor performance evaluations should consider violations of policies and procedures associated with the handling of privacy information. This provides an opportunity for managers to remove those subordinates who fail to comply with established rules for handling privacy information. Evaluations can also be used as a means to reward those employees who have taken additional steps, made corrections, or noted weaknesses in controls that affect the protection of privacy information.
- Data Access Acknowledgement—Insiders who periodically access privacy information should be required to acknowledge the legitimacy of their access. This is less practical for those whose duties are primarily involved with handling privacy information. For instance, insiders should be required to provide reasons for accessing a particular record that might be outside the scope of their work. This could be instituted with a dropdown box on an electronic form which allows the employee to select the reason for the access. This extra step provides a form of auditing as well as a deterrent for an insider who might be browsing out of curiosity.
In the ideal scenario both unauthorized and inappropriate access are prevented. This is difficult given the weaknesses inherent in discretionary access control (DAC), which is the predominant access mechanism. However, with proper planning and implementation, DAC can be leveraged to mitigate potential abuses. The following techniques will greatly enhance efforts to protect privacy information.
- Separation of duties—Ensure that those users who require access to privacy information are identified. Create specialized groups to assign access privileges. Knowing who should be authorized access to what is a critical element in establishing appropriate access to privacy information.
- Least privilege—Individuals with access to privacy information should have limited functionality to prevent unauthorized or unintended flows of privacy information. For instance, limit what processes may execute while the user is accessing privacy data. Limiting the functionality available on the workstation used for access can counter malicious code attempting to reach privacy data with the user's credentials, as well as prevent users from moving information through other applications. Restricting access to removable media and printing should also be considered.
- Ad hoc access prevention—Restrict the ability to conduct ad hoc queries of records containing privacy information. Prevent browsing of directories with files containing privacy information. Limiting ad hoc access follows the concept of least privilege and can reduce excessive exposure when a compromise materializes.
- Restricted applications—Where possible restrict what applications execute on workstations and servers used to access privacy information. Institute controls which regularly look for unauthorized software on the system.
- Firewall techniques—Limit which types of ports can be opened to access records or files on servers containing privacy information. Similarly, restrict protocol types which can be used to access the information as well. Consider placing firewalls between servers containing privacy information and the rest of the network.
- Encryption—Privacy information in transit and in storage should be protected from compromise through the use of encryption. User access to privacy information over the network should be protected from interception through cryptographic protocols such as Secure Sockets Layer (SSL) or Internet Protocol Security (IPsec). Privacy information stored in files should be encrypted where possible. This will protect the information in the event the media containing it becomes lost or is inappropriately accessed outside of the application managing the cryptographic activities of the files. Properly manage cryptographic keys against loss or exposure, which may allow an outsider the ability to decrypt the protected information.
- Strong authentication—Implement strong authentication techniques such as tokens or smart cards, which provide an extra layer of protection for those accessing privacy information. Rather than simply using this control for system logon, it should be used in conjunction with access to privacy information. Integrating strong authentication with the application used to access the information can prevent direct access to privacy information by malicious content executing unknowingly in the context of the user.
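The Data Access Acknowledgement, Separation of duties, Least privilege, and Ad hoc access prevention items above can be combined in a single record-access gateway. The following is an added example written for this article, not code from the author or from any product: it is a hypothetical gateway in which groups determine which fields a caller may see, only exact record identifiers are accepted (no wildcard or ad hoc lookups), and access to a record outside the caller's assigned regions requires a reason chosen from a fixed list, with every attempt written to an audit trail. The record store, group names, regions, and reason codes are all constructed sample values.

```python
"""Hypothetical record-access gateway (constructed example, not production code).

Enforces: group-based field visibility (least privilege), exact-id lookups only
(ad hoc access prevention), and an acknowledged reason for out-of-scope access
(data access acknowledgement). Every attempt is appended to an audit log.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

# Constructed sample store: customer id -> privacy record (values are fictional).
RECORDS = {
    "C1001": {"name": "A. Example", "region": "east", "ssn": "123-45-6789", "dob": "1980-01-02"},
    "C1002": {"name": "B. Sample", "region": "west", "ssn": "987-65-4321", "dob": "1975-03-04"},
}

# Separation of duties: each group sees only the fields its work requires.
GROUP_FIELDS = {
    "billing": {"name", "region", "dob"},
    "fraud": {"name", "region", "ssn", "dob"},
}

# Reasons an insider may select when touching a record outside assigned scope.
ACCESS_REASONS = {"customer_request", "fraud_investigation", "supervisor_directed"}


@dataclass
class User:
    name: str
    group: str
    scope_regions: set  # regions this user is assigned to work


@dataclass
class Gateway:
    audit_log: list = field(default_factory=list)

    def _audit(self, user: User, record_id: str, outcome: str, reason: Optional[str]) -> None:
        self.audit_log.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "user": user.name,
            "record": record_id,
            "outcome": outcome,
            "reason": reason,
        })

    def lookup(self, user: User, record_id: str, reason: Optional[str] = None) -> dict:
        # Ad hoc access prevention: accept only a plain identifier, never a pattern.
        if not record_id.isalnum():
            self._audit(user, record_id, "DENIED_ADHOC", reason)
            raise PermissionError("ad hoc queries are not permitted")

        allowed_fields = GROUP_FIELDS.get(user.group)
        if allowed_fields is None:
            self._audit(user, record_id, "DENIED_GROUP", reason)
            raise PermissionError(f"group {user.group!r} has no access to privacy records")

        record = RECORDS.get(record_id)
        if record is None:
            # A failed access is itself an auditable event (see detection controls).
            self._audit(user, record_id, "FAILED_NOT_FOUND", reason)
            raise KeyError(record_id)

        # Data access acknowledgement: out-of-scope access needs a selected reason.
        if record["region"] not in user.scope_regions:
            if reason not in ACCESS_REASONS:
                self._audit(user, record_id, "DENIED_NO_REASON", reason)
                raise PermissionError("out-of-scope access requires an acknowledged reason")
            self._audit(user, record_id, "SUCCESS_OUT_OF_SCOPE", reason)
        else:
            self._audit(user, record_id, "SUCCESS", reason)

        # Least privilege: return only the fields the caller's group may see.
        return {k: v for k, v in record.items() if k in allowed_fields}


if __name__ == "__main__":
    gw = Gateway()
    alice = User("alice", "billing", {"east"})
    print(gw.lookup(alice, "C1001"))                              # in scope, no ssn
    print(gw.lookup(alice, "C1002", reason="customer_request"))   # out of scope, acknowledged
    for entry in gw.audit_log:
        print(entry)
```

In a real deployment the audit log would be written to a protected store rather than kept in memory, and the reason list would mirror the dropdown on the access form so that the selected value is what reaches the audit record.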
The last lines of defense against inappropriate access to privacy information are detection controls. These types of controls reveal access actions to privacy information and can be used to evaluate the appropriateness of the activity.
- Auditing—Files and records containing privacy information should have some level of auditing enabled. Auditing is the primary control used to hold individuals accountable for their actions. When auditing is enabled the two possible events which will generate an audit action are failed and successful accesses. A failed access occurs when a subject attempts to access a file or record for which they are not authorized. This may provide insight into insider abuse of access or even the existence of malicious software attempting to compromise a system. Audits which indicate successful access provide a record of authorized access to the protected information. This provides the essential proof that an individual accessed the privacy information. The downside of auditing successful access to privacy information is that it can generate an enormous volume of audit information. The good news is that today storage is less expensive and a plethora of audit reduction tools exist which can be used to extract useful information from a copious amount of audit information.
- Conspicuous privacy information—Managers should take note of privacy information on individuals of special interest. Insiders might be tempted to learn juicy information on corporate executives, politicians, or others with celebrity status. Managers should regularly correlate access to records of these individuals with successful audits to identify any inappropriate access.
- Information flow monitoring—Sometimes privacy information will be transferred intentionally or accidentally into data repositories which are not authorized for its storage. Where possible, controls and processes should be instituted to detect inappropriate flows of privacy information. Audit activity plays an important role in monitoring information flows. Tools should be implemented which can evaluate write actions that might contain privacy information. For example, dirty word searches of email content could be used to discover privacy information inappropriately transmitted via email. Likewise, files on shared drives should be evaluated periodically. This can be done through the scripting of operating system commands such as grep on Unix and Search on Windows to look for keywords in shared files.
- Supervisor involvement—Managers need to be cognizant of subordinate activities. They should take an interest in training and monitoring to help protect privacy information. The actions of managers provide a cue to subordinates of what they might be able to get away with. Managers who regularly emphasize the need to protect privacy data represent an excellent deterrent. Indeed, managers who are involved with the process of reviewing questionable subordinate access to privacy information can expedite internal and external investigations when armed with the knowledge of what types of access a subordinate is authorized.
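The Auditing and Conspicuous privacy information items describe two reductions a reviewer wants from a large volume of audit records: subjects with repeated failed accesses, and successful accesses to watch-listed records by people not authorized for them. The script below is an added example for this article, not a tool from the author or any vendor. The audit line format, the user and record identifiers, and the watch list are constructed; a real audit source would need its own parser in place of `LINE_RE`.

```python
"""Audit reduction over constructed audit lines (hypothetical example).

Two reductions: (1) subjects whose failed accesses reach a threshold, which may
indicate probing or malicious software; (2) successful accesses to watch-listed
("conspicuous") records by subjects not on that record's authorized list.
"""
import re
from collections import Counter

# Constructed sample audit lines; format and all values are fictional.
SAMPLE_AUDIT = """\
2024-01-10T09:00:01Z user=alice record=C1001 outcome=SUCCESS
2024-01-10T09:00:05Z user=alice record=C1002 outcome=SUCCESS
2024-01-10T09:01:10Z user=bob record=C7777 outcome=FAILED
2024-01-10T09:01:12Z user=bob record=C7778 outcome=FAILED
2024-01-10T09:01:14Z user=bob record=C7779 outcome=FAILED
2024-01-10T09:02:00Z user=carol record=C9001 outcome=SUCCESS
2024-01-10T09:03:00Z user=dave record=C9001 outcome=SUCCESS
2024-01-10T09:04:00Z user=alice record=C1003 outcome=FAILED
"""

# Parser for the constructed line format above (replace for a real audit source).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) record=(?P<record>\S+) outcome=(?P<outcome>\S+)$"
)

# Records of individuals of special interest -> subjects authorized to view them.
# Constructed values: C9001 stands in for an executive's record, carol for the
# one assigned handler.
WATCHLIST = {"C9001": {"carol"}}


def parse_audit(text: str) -> list:
    """Turn raw audit text into a list of event dicts, skipping unparseable lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def repeated_failures(events: list, threshold: int = 3) -> dict:
    """Subjects whose failed accesses reach the threshold, with their counts."""
    counts = Counter(e["user"] for e in events if e["outcome"] == "FAILED")
    return {user: n for user, n in counts.items() if n >= threshold}


def watchlist_hits(events: list, watchlist: dict = WATCHLIST) -> list:
    """Successful accesses to watch-listed records by unauthorized subjects."""
    hits = []
    for e in events:
        if e["outcome"] != "SUCCESS":
            continue
        authorized = watchlist.get(e["record"])
        if authorized is not None and e["user"] not in authorized:
            hits.append((e["ts"], e["user"], e["record"]))
    return hits


def reduce_audit(text: str) -> dict:
    """Run both reductions and return a compact summary for review."""
    events = parse_audit(text)
    return {
        "events": len(events),
        "repeated_failures": repeated_failures(events),
        "watchlist_hits": watchlist_hits(events),
    }


if __name__ == "__main__":
    summary = reduce_audit(SAMPLE_AUDIT)
    print("events parsed:", summary["events"])
    print("repeated failures:", summary["repeated_failures"])
    for ts, user, record in summary["watchlist_hits"]:
        print(f"review: {user} accessed watch-listed record {record} at {ts}")
```

The watch-list hit is exactly the correlation the Conspicuous privacy information item asks managers to perform: a successful access that is authorized by the access control mechanism but not by the subject's role, which only a human reviewer can judge.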
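The Information flow monitoring item suggests scripting grep or Search to look for privacy keywords in shared files. The following is an added example for this article, not the author's script: it walks a directory tree, checks text-like files line by line against a small set of privacy indicators (a keyword list and a constructed SSN-shaped pattern), and reports only the file, line number and indicator name rather than the matched content, so the report itself does not become another copy of the privacy information. The sample share it builds in a temporary directory, the file names and the file contents are all constructed.

```python
"""Dirty word / pattern scan of a constructed file share (hypothetical example).

Reports which files and lines appear to contain privacy information without
echoing the matched text, so the findings list is safe to circulate to reviewers.
"""
import os
import re
import tempfile

# Indicators of privacy information: constructed keyword list and SSN-shaped pattern.
INDICATORS = {
    "ssn_pattern": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "keyword": re.compile(r"\b(social security|date of birth|account number)\b", re.IGNORECASE),
}


def scan_file(path: str) -> list:
    """Return (path, line number, indicator name) for each line with a match."""
    findings = []
    try:
        with open(path, "r", encoding="utf-8", errors="replace") as fh:
            for lineno, line in enumerate(fh, 1):
                for name, pattern in INDICATORS.items():
                    if pattern.search(line):
                        findings.append((path, lineno, name))
                        break  # one finding per line is enough for triage
    except OSError:
        pass  # unreadable file: skip, a fuller tool would log this
    return findings


def scan_tree(root: str, extensions: tuple = (".txt", ".csv", ".log")) -> list:
    """Walk a share and scan every file with a text-like extension."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if fn.lower().endswith(extensions):
                findings.extend(scan_file(os.path.join(dirpath, fn)))
    return findings


def demo_scan() -> list:
    """Build a constructed share in a temporary directory, scan it, return findings."""
    with tempfile.TemporaryDirectory() as root:
        samples = {  # constructed file contents, fictional values
            "team/notes.txt": "Meeting moved to Thursday.\nCustomer 123-45-6789 called about billing.\n",
            "team/export.csv": "name,region\nA. Example,east\n",
            "hr/onboarding.txt": "Collect Date of Birth and emergency contact.\n",
            "misc/image.bin": "not scanned: extension is not text-like\n",
        }
        for rel, content in samples.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w", encoding="utf-8") as fh:
                fh.write(content)
        findings = scan_tree(root)
        # Report relative paths so the temp directory name does not leak into output.
        return sorted((os.path.relpath(p, root), ln, name) for p, ln, name in findings)


if __name__ == "__main__":
    for rel, lineno, name in demo_scan():
        print(f"{rel}:{lineno} matched {name}")
```

Run against a real share, `scan_tree` would be pointed at the mount point and the indicator set widened to the organization's own data types; the structure (indicators, per-file scan, tree walk, content-free report) stays the same.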
Protecting privacy information is best accomplished when it is pursued with the appropriate security controls. This requires some planning to assure that the most appropriate controls are implemented. When directive, preventative, and detective controls are properly implemented the anticipated result is a reduction in the likelihood that inappropriate and unauthorized access to privacy information will occur.
Sean M. Price, CISA, CISSP, is an independent security researcher and consultant living in northern Virginia. He specializes in designing and evaluating organizational information assurance programs and system security architectures. Research interests include insider threat, information flows, and applications of artificial intelligence to information assurance problems. Prior publications include the Information Security Management Handbook, Official (ISC)2 Guide to the CISSP CBK, Second Edition, IEEE Computer, as well as other journals and conferences. You can reach him at firstname.lastname@example.org.