NextGov
Tech Insider
What's happening in the federal IT community

Security vs. Privacy is Nonsensical
By Andy Boots  |  Wednesday, April 23, 2008 |  10:40 AM

Bruce Schneier recently wrote a wonderful explanation of why the dichotomy between security and privacy is artificial. I recommend it to the privacy officials who must confront security as the rationale for poor privacy practices and to security officials who must find ways to integrate privacy into their thinking and program planning.

So how does FedWorld see this topic? With no subtlety at all, of course.

Privacy equals privacy plans, privacy officials, privacy impact statements, and mandatory disclosure of certain security events that might or might not involve personal information – in other words, as a matter of compliance. Because information security is also mostly treated as a compliance matter, few inside FedWorld bother to worry about the distinctions between security and privacy. Privacy officials worry about their compliance requirements; security officials worry about theirs and seldom do the twain meet … except in various Office of Management and Budget compliance reports, where the fundamental flaw in government security thinking (all Gaul is divided into Major Applications and General Support Systems) means that privacy (along with strategic planning, enterprise architecture, and all other compliance-without-substance matters) is shoehorned into the one-size-fits-all world of OMB compliance orthography.

As I have opined elsewhere, information about people is just one type of information that deserves protection (and not necessarily the most important for most agencies). Personal information deserves protection against unauthorized or inadvertent disclosure (the concern of most privacy advocates), protection against inaccuracy (data integrity is a security concern but seldom a privacy issue), and protection against unauthorized destruction (conceivably applauded by some with privacy concerns).

The central problem I see with “security vs. privacy” in FedWorld is the focus on computerized official (mission-related) records. Do the guards in your building need to have access to personal information about you and your visitors? How long do the security camera tapes or files that record your coming and going need to be maintained? How do you know the memo you received about your performance was the same as the one in your official personnel file?

If one were to develop a privacy program unfettered by OMB and congressional reporting strictures and FISMA (Federal Information Security Management Act) categories, the result would probably be very like the Internal Revenue Service privacy office, as originally created. I suspect the IRS office has become bogged down with compliance paperwork, but its original focus on protection of taxpayer and employee information from unnecessary or unauthorized disclosure has served us taxpayers well.

Comments

Actually, the issue between Privacy and Information Security is the lack of true boundaries. For too long InfoSec has been tasked with protection of paper, discussion in the hallway, disposal of various forms of stored material, and inferred meaning. InfoSec should really be focused on the FISMA controls for electronic information systems, while Privacy should focus on the people element. Is a printed document that is inadvertently released a privacy or information security issue? I vote privacy...once in the physical realm the information is no longer the direct concern of the information security community, instead moving into the privacy sphere of control. This does not mean the two areas do not have overlap...in this instance the information security staff should be interested in determining how the information was released from the system, and if that process was correct with functioning controls. The privacy officer then deals with the human element...why did you print it, why or how was it released from your control.

Mike  | Monday, April 28, 2008 |  10:13 AM



I have performed several privacy audits for government agencies and I see the same problems everywhere I go. Management focuses on electronic data in their OMB defined major applications and ignores all the other areas where PII exists (minor systems and hard copy information).

Focus should be on what data is important, where is that information collected, processed, stored, and disseminated to, and how are we protecting it.

I agree focus on FISMA categories and major systems as defined by OMB has limited the scope of what most agencies are focusing on when trying to protect privacy data.

George  | Friday, April 25, 2008 |  8:07 AM