
A FRAMEWORK FOR THE IMPLEMENTATION OF ETHICAL CONTROLS IN INFORMATION SECURITY

6) Security policies and procedures: Company_X should include all of these aspects in its information security policy, from a high to a low level

4.5 IMPLEMENTING PRIVACY IN THE ORGANISATION

Implementing the ethical information security awareness control of privacy has become a pressing issue for organisations. Many of them have already begun to implement new reengineered information systems and data handling practices to deal with the issue effectively and efficiently [EPIC 02] [CRAN 00] [GOTT 00].

After an extensive literature review, five stages of privacy implementation for reengineering an organisation have been identified. These stages describe the “what” of implementing a reengineered system. They are described in the following table:

Stages and description – What must be done to automate a privacy policy?

Stage 1 – Privacy policy development: Active involvement from government institutions, virtual communities and individuals. Initiated through a response from external stimuli by these participants.

Stage 2 – Private information handling assessment: The IT department and the user departments must locate and identify all procedures for handling information, i.e. what information is collected, how it is secured and whether it is shared with third parties.

Stage 3 – Compliance and risk assessment: A comparison must be made of the actual information handling procedures and the organisation’s privacy policy. Is there a discrepancy?

Stage 4 – Enforcement: If there is a discrepancy, there should be an enforcement and upgrading of the organisation's policies, in line with the actual procedures.

Stage 5 – Monitoring and auditing: All future transactions should be monitored for compliance with the upgraded privacy policy.

Table 4.1 Implementation of privacy policies in an organisation

The correct reengineering and implementation of a privacy policy within an organisation is a crucial undertaking. Adopting the five stages to correctly assess, develop and monitor this implementation will guarantee its success.

However, for each stage there is an implication in automating a privacy policy.

How does an organisation implement a reengineered privacy policy? There are numerous methods, each of which uses tools such as XML (extensible mark-up language). This provides a universal and easily adaptable mark-up language so that each organisation can define terms that are specific to its privacy needs. Having considered what should be included in an organisation's privacy policy, it is important to note the way in which this is done. The “how” can be divided into the same five stages. These are summarised in the table below:

Stages and implication – How can this be achieved?

Stage 1 – Privacy policy development: It is necessary to design clear, effective and comprehensive privacy policies to gain support for policy development from employees within the organisation, its trading affiliates and its customers.

Stage 2 – Private information handling assessment: Information handling practices must also be digital. If privacy policies are in digital format, such as XML, it is easier to assess the information handling procedures based on written versus actual procedures.

Stage 3 – Compliance and risk assessment: These privacy policies must be digital, i.e. policies and practices must be modelled together in order to perform true gap analysis and conflict identification.

Stage 4 – Enforcement: Tools also need privacy intelligence for the effective enforcement of policies. It is necessary to include intelligence in the systems so that there will be some degree of automation and adaptation to this changing environment.

Stage 5 – Monitoring and auditing: Standards are also important to assist in the implementation of a privacy policy. Interoperability among standards for privacy will assist in the further monitoring and implementation of privacy policies within the organisation as well as among organisations.

Table 4.2 Implication for each stage of privacy policy development

An organisation must adopt an automated stance to privacy policy development. If intelligent and easily maintainable standards are adopted, such as XML, the assessment and adaptation to changes in a dynamic environment will be more rapid.
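The gap analysis of stages 2 and 3 in Tables 4.1 and 4.2 carried out in code, as an added example that is not part of the thesis: a constructed XML privacy policy (the written promises) and a constructed XML inventory of actual handling practices are modelled together, and every discrepancy (undeclared purpose, undeclared third-party sharing, over-long retention, undeclared data item) is reported as input for enforcement in stage 4. The element names, data items and schema are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample policy (the organisation's written promises per data item).
POLICY_XML = """<privacyPolicy>
  <dataItem name="email"><purpose>billing</purpose><purpose>support</purpose>
    <share>none</share><retentionDays>365</retentionDays></dataItem>
  <dataItem name="location"><purpose>delivery</purpose>
    <share>none</share><retentionDays>30</retentionDays></dataItem>
</privacyPolicy>"""

# Constructed inventory of actual handling practices (stage 2 of Table 4.1).
PRACTICE_XML = """<handlingInventory>
  <dataItem name="email"><purpose>billing</purpose><purpose>marketing</purpose>
    <share>ad-network</share><retentionDays>365</retentionDays></dataItem>
  <dataItem name="location"><purpose>delivery</purpose>
    <share>none</share><retentionDays>90</retentionDays></dataItem>
  <dataItem name="browserHistory"><purpose>analytics</purpose>
    <share>none</share><retentionDays>180</retentionDays></dataItem>
</handlingInventory>"""

def load_items(xml_text):
    """Parse a policy or inventory into {name: (purposes, third parties, retention days)}."""
    items = {}
    for el in ET.fromstring(xml_text).findall("dataItem"):
        purposes = {p.text for p in el.findall("purpose")}
        shares = {s.text for s in el.findall("share")} - {"none"}
        retention = int(el.findtext("retentionDays", "0"))
        items[el.get("name")] = (purposes, shares, retention)
    return items

def gap_analysis(policy_xml, practice_xml):
    """Stage 3: compare actual handling with the written policy; return discrepancies."""
    policy, practice = load_items(policy_xml), load_items(practice_xml)
    gaps = []
    for name, (purposes, shares, retention) in practice.items():
        if name not in policy:
            gaps.append(f"{name}: collected but not declared in policy")
            continue
        p_purposes, p_shares, p_retention = policy[name]
        for extra in sorted(purposes - p_purposes):
            gaps.append(f"{name}: used for undeclared purpose '{extra}'")
        for extra in sorted(shares - p_shares):
            gaps.append(f"{name}: shared with undeclared third party '{extra}'")
        if retention > p_retention:
            gaps.append(f"{name}: retained {retention} days, policy allows {p_retention}")
    return gaps

if __name__ == "__main__":
    for gap in gap_analysis(POLICY_XML, PRACTICE_XML):
        print("DISCREPANCY:", gap)  # stage 4 input: each line needs an enforcement action
```

Running the block prints four discrepancies for the constructed data; a policy compared with itself yields none, which is the condition stage 5 monitoring aims to keep true.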

4.6 CONCLUSION

In this chapter the sensitive nature of privacy of information was discussed.

Privacy is an issue that information systems managers, government agencies and individuals will be called upon to manage and be accountable for. Using the solutions detailed in this chapter, each of these role players should then be assured of their success in managing privacy. These tools can be incorporated in a step-by-step procedure for implementing an intelligent, self-automating privacy policy. Finally, the privacy of information can be closely associated with the property of that information. This is the focus of the next chapter. In chapter 5 the need to protect the ethical information security control of property will be discussed.

CHAPTER 5 PROPERTY

“Ultimately, property rights and personal rights are the same thing. The one cannot be preserved if the other be violated.” [COOL 99]

5.1 INTRODUCTION

The environment in which a cultural society has been established will determine the ethical philosophy to which its people aspire. It has been found that people who originate from an eastern culture have adopted the deontological ethical approach, i.e. an action is correct if it conforms to a certain moral rule. This eastern culture has adopted the viewpoint that if information is hidden from everyone's view, then some form of hidden sinister intent is involved. Conversely, western culture has predominantly adopted the instrumentalist approach: people tend to feel that it is their right to keep all information about themselves private and confidential, primarily because this information about themselves is their property [BENJ 98].

Chapter 4 took an in-depth look at the privacy of information. This chapter will expand on the approach to creating an ethical information security awareness within the organisation, by including the second control of property. This chapter will take a detailed look at this control with the intent to further the development of a secure pillar of strength for an organisation.

Figure 5.1 Ethical control of property (figure components: 1. E-business − external link; 2. Technical services − firewall, IDS; 3. Standards; 4. Adherence to the law − legislation; 5. Ethical awareness obligation; 6. Security policies and procedures; 7. ISM; Codes of conduct; privacy; property)

This chapter will be consistent with the structure that was followed in chapter 4. The first step will be to define property of information and suggest possible solutions to controlling an organisation's right to protect its property from being misused or stolen intentionally or unintentionally.

5.2 PROPERTY DEFINED IN TERMS OF ETHICAL INFORMATION