As a security professional, I have an ongoing love/hate relationship with privacy. I have always been the person supporting privacy policies at the University; I even have Privacy as one of my seven pillars of a security program. I have to say that sometimes I feel that I care more about my customers’ (what do you call the people you protect?) privacy than they do.
It is amazing to me how much data the average person will give away with very little thought as to who may be asking for or accessing the information. I have a situation (not at the University, but it’s funny that when you’re in IT, you become the go-to person for any group you belong to) where someone in a position of leadership has set up their Facebook account with no privacy settings. This has caused no end of problems for them and the organization.
We see this almost daily in the media – it is usually a Twitter post. Someone makes a comment on Twitter that SHOULD have been made in the Cone of Silence and the entire Twitterverse is in an uproar.
I am one of those people who believe that Privacy and Security are not mutually exclusive, but I think that it’s not unreasonable to ask people to meet us (the Security world) halfway.
I have a few suggestions for both sides of the table:
Security
- Just because you CAN look, doesn’t mean you have to
- Never collect information you don’t have a valid business reason to have
- Delete information you no longer need – a log retention policy is essential
- Just being in Security does not mean that you need access to everything
- Automation can be used to reduce privacy exposures – I really don’t want to read people’s emails
I know that some of these will make the job harder to do, but really, did you go into Security because you thought it would be easy?
People
- Use privacy settings!!!!! Please do not make everything you do public and then get violently annoyed when the wrong person looks
- Stop giving away your private information (passwords, credit card numbers, Social Security numbers, bank account numbers, etc.) to the bad guys. The good guys will not send you an email asking for this information, or call you on the phone and ask for this information. No legitimate organization will give you flak for asking for confirmation or an alternate contact point.
- Don’t put information into an email that you would not send on a post card (unless you know how to use encryption and actually use it)
- Think before you Tweet
I am sure that there are lots of other points that could be added, but consider this a starting point. The health of Privacy depends on all of us – if you believe in Privacy, clap your hands.