E-Privacy:
A Policy Approach to Building Trust and Confidence
In E-Business
Stage 4: The Pursuit of Excellence in E-Privacy
10.1
The final stage in the E-Privacy Policy framework addresses
three issues: the management of E-Privacy risks, the
enhancement of compliance procedures, and the provider's
commitment to continuous improvement. E-Privacy Policy
is not only about engaging a systematic approach to
online personal data privacy but is also concerned with
the evolution of that approach to protect against new
vulnerabilities. A long-term commitment to continuous
improvement of systems security and the competencies
of operational personnel is essential if new challenges
are to be effectively countered.
10.2
Many providers have developed measures that have the
power to raise the bar in respect of E-Privacy standards.
Among these measures three in particular are worthy
of note.
- Risk Assessment and Review Procedures
These procedures are designed to map security threats
to the system. The better these threats are understood,
the more informed providers will be about the controls
that need to be applied to counter those risks. Risk
assessment and review should become the raw input for
better decision-making in respect of the integrity of
the system and the confidentiality of customer information
stored in databases.
- Vulnerability Assessment and Review Procedures
These procedures may be engaged during prototype systems
testing, when piloting the website, or when the systems
architecture is upgraded. Essentially the procedures
use software to review systems capabilities with a
view to discovering vulnerabilities or potential weaknesses
so that preventative measures can be taken.
- Incident Reporting Procedures
The nature of system breaches (e.g. hacking into databases)
is such that it is not possible to predict with complete
confidence where and when an attack will come from.
It is therefore necessary to develop a means of policing
network traffic to report on intrusions, or the suspicion
of intrusion, and establish rapid-response protocols
to deal with these situations. Damage control procedures
have a direct value, in that they seek to minimise
adverse effects, and an indirect value, in that they
provide valuable lessons that can be built into training
and future systems design.
10.3
The rate of change in IT means that new developments
in software pose a continuous, if not growing, threat
to system integrity and, by extension, to E-Privacy.
Inevitably there will always be a small minority in
the IT community that feel the need to demonstrate their
'skill' by penetrating 'secure' systems. And some will
succeed. If providers wish to reassure their customers
that their policy towards E-Privacy is uncompromised
by such activities then it is incumbent upon them to
install, maintain and enhance compliance procedures
that will enable them to deliver on that assurance.
This has been understood by marketers of goods and services
in the physical marketplace where manufacturers and
retailers have endorsed their brands with extraordinary
guarantees. These amount to a supreme level of confidence
in the ability of the brand to satisfy consumer needs.
In the cyber marketplace, for brand, read website. The
challenge is for providers to be able to offer extraordinary
guarantees that personal data privacy will not be infringed.
To do that with any plausibility means that providers
will need to uphold the letter of those guarantees and
offer restitution if, and when, the conditions are violated.
That is something that some may be reluctant to do because
of the responsibility it places on the provider. However,
a willingness to accept that responsibility is what will
typify excellence in E-Privacy.
10.4
All systems thinking is premised on the understanding
that a change in one part of the system will influence
related part(s) of the system. It is conceivable, therefore,
that in spite of the sophistication of IT systems and
protocols, E-Privacy may be breached intentionally, or
unintentionally, by the staff operating those systems.
It is important therefore to sustain systems integrity
by supplementing the processes outlined with a commitment
to human resource training and development. The important
point here is to recognise that, no matter how well a
training programme is designed and executed, the real
test of its effectiveness lies in the transfer of that
training to the workplace. This means that good supervision,
and perhaps appropriate rewards, need to be part of
the formula.