In yesterday's PM edition of the National Journal's Technology Daily, writer Sarah Lai Stirland reported on Tuesday's panel discussion held by the National Institute of Standards and Technology advisory board on information security and privacy.
Since most of you probably don't subscribe to Technology Daily, and probably aren't willing to pay the few thousand bucks a year for a subscription, I'll do my best to paraphrase the article. The article can be read for free at GovExec.com. Thanks Stephen!

The panel is preparing a report for the Bush administration summarizing "best practices" for federal chief privacy officers (CPOs). But according to the article, the committee is considering rejecting a proposal for mandatory outside audits of federal CPO activities. A recent appropriations bill required the establishment of CPOs in each federal agency, and requires the department's inspectors general to engage outside auditors. But due to the odd wording of the law, the auditors would be auditing the work of the CPO, not the practices of the department.

According to the article:
Rebecca Leng, deputy assistant inspector general for information technology and computer security at the Transportation Department, said the appropriations language does not outline the criteria for such audits. The law simply says inspectors general must hire auditors to check the CPOs' activities. "At this point in time, nobody knows what good practices are in the field [of privacy,]" she said.
Maybe nobody in the security field knows what good privacy practices are, but thankfully, they did have privacy professionals from IBM, AOL, and even the Department of Health & Human Services, to tell them all about these newfangled privacy practices. L-)

As I've promoted the role of the CPO over the years, I've occasionally been met with skepticism from security professionals. But once educated about the complementary, but fundamentally distinct, roles of privacy officers and security officers, most security professionals are able to understand what, for them, are the most important elements of the debate: a) privacy officers pose no threat to the territory of the security officers, and b) privacy officers are usually tasked with managing issues that are much more subjective and politically sensitive than many security officers would ever even want to deal with.

It sounds to me like this panel needs some more information about privacy practices generally and the role of privacy officers.

But let's not miss the bigger point here. Assuming Congress could fix the law so that it would require the auditing of privacy practices, instead of the day-to-day work of the Privacy Officer, this is something that should be encouraged. A critical element of the Federal Trade Commission's enforcement actions in the realm of privacy has been the requirement for companies to bring in outside auditors to oversee their privacy fixes and ongoing practices. If this panel believes that you should only audit after a problem is discovered, then they don't appear to have a good grasp on the reality of the prevailing privacy methodology that is at work in most enlightened organizations.

That methodology is pretty simple: I ought to know, I helped develop it. The four elements of a coherent privacy program are:
- Know your current privacy-related practices
- Articulate those practices in a Privacy Policy
- Implement those practices through training and oversight
- Audit those practices, from within and without, to ensure compliance
It ain't always easy to do, but it ain't rocket science either. Hopefully the security-minded folks that appear to dominate the advisory committee will get some additional folks in there who can help them wrap their minds around the distinct issues arising from privacy matters.

Finally, I was particularly amused by the comments of Franklin Reeder, as they were reported in the Tech Daily article. Mr. Reeder is apparently a long-time government employee who, it appears, is selling his consulting services back to the government through his business, The Reeder Group. He was quoted in the article as bemoaning the evils of "Beltway bandits"... those businesses, chock full of former government employees, who sell services back to the government. Nice work if you can get it... and don't let the revolving door hit you in the ass. :-D