I have long been promoting the concept…more accurately, the NEED…of having IT/Information Security and Privacy (often in the legal area) work closely together in order to not only result in each area being the most effective and efficient in their efforts, but also to ensure no conflicting messages are being sent and no gaps in addressing these issues exist. It is additionally good for and improves business to have these areas work closely together; there are at least 20 overlapping topics these areas work on. Unfortunately too often the Privacy and IT/Information Security areas do not even come closely to working together.
Archive for September, 2007
It is great to see a story published about a hospital, actually any type of organization that is a covered entity (CE), that is actively and seriously trying to be in compliance with HIPAA requirements.
Scanning the news this morning, this CNN headline caught my eye, “Mouse click could plunge city into darkness, experts say”
The first sentence is compelling:
In 1990 when I was an internal auditor I was tasked with determining the overall information security posture of my company. One of the things that I decided would be a good thing to do was to go to the offices Saturday and Sunday evening when there would be the fewest personnel around. I wanted to look at their work areas to see what type of information security risks I could find that were a result of the work habits of the personnel.
Yesterday the Office of the Privacy Commissioner of Canada and the Office of the Information and Prrivacy Commissioner of Alberta released their “Report of an Investigation into the Security, Collection and Retention of Personal Information” concerning the TJX breach. The investigation was performed to determine if, and if so to what extent, the incident was a violation of Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) and/or the Personal Information Protection Act (PIPA).
I’ve been doing some compliance gap analysis work comparing the policies of one of my clients with ISO/IEC 17799:2005. It was renamed in July of this year to ISO/IEC 27002:2005. So, along with the name change, did the content also change? Having the 2005 tacked on the end of the new name would seem to possibly indicate not. Hmm…