Microsoft Making Their Internal Privacy Standards Public in August

Yesterday ZDNet published a story, "Microsoft to publish its privacy rules."

"Microsoft plans in August to publicly release the privacy rules its employees have to follow when developing products.  The move, which offers a look behind the scenes at Microsoft, is meant to give the industry an example of what the software giant sees as best practices in customer privacy, said Peter Cullen, the chief privacy strategist at Microsoft."

Indeed, most organizations need help with creating privacy standards.  Privacy is a relatively new concept within organizations, and most still view it solely as a legal issue.  It is so much more.

Privacy, in addition to information security, must be built into all business processes, from the beginning of the planning stage all the way through to the retirement of a process.  Privacy policies, procedures and standards must be created to ensure consistent privacy implementation throughout all levels and areas of the enterprise.  Most organizations do not have privacy policies (beyond just their posted website privacy statement), let alone privacy procedures and standards.  If Microsoft has good standards to use as a model, then I applaud their efforts.

"This is designed for an IT pro or a developer, in terms of: ‘If you’re building an application that does X, this is what we think should be built,’" he said. "The public document will use a lot of ‘shoulds.’ Inside Microsoft, those are ‘musts.’"

This could be a fantastic document to help CISOs and CPOs partner to provide guidance to IT areas in creating standards for programmers and developers.  It would also be a good start in leading the privacy standards development efforts for the rest of any enterprise.  So many areas have access to personally identifiable information (PII) and communicate directly with customers, consumers and employees that it is critical they know how the PII must be protected and how communications must be conducted, so that they release PII only in consistent, approved ways and do not end up being social engineered into revealing it.  This requires more than high-level policy statements (which are certainly necessary): it also requires detailed procedures specific to business services and products, and standards to ensure consistent application across enterprises.

This is also a good example to set for other vendors who need to be addressing privacy within their own products.  Perhaps Microsoft should challenge the other technology giants to also make their privacy standards public.  I wonder how many of them actually even have such documents?

I’m not saying that Microsoft is perfect in their information security and privacy practices; no company is, and they can definitely improve in places.  However, it is admirable that they are willing to open themselves up to such scrutiny; will others follow suit?
