In business transactions, information is routinely exchanged among partners, customers, employees, and other stakeholders. The technological capabilities of the internet allow a wealth of information to be gathered, disseminated, and combined with relative ease. Consumers remain concerned about the security of the personal information that companies hold, despite government oversight. These concerns create a need for corporations to manage information security. Businesses have a duty to guard proprietary organizational information and consumer information while ensuring compliance with laws and regulations. In most organizations, the Chief Information Officer (CIO) takes on the role of ensuring customer privacy. This paper analyzes the active role of the CIO in carrying out this function.
Generally, customers do not feel secure about how organizations protect their private and sensitive information. Consumers are anxious that they do not know what corporations know about them. Organizations continue to share information about their customers across numerous industries. This sharing raises an organization's risk of legal action and reduces customer trust in areas such as shopping on the Internet (Pacocha, 2002). The Chief Information Officer is charged with deploying business systems that comply with privacy guidelines. CIOs are the most vocal about needing technology to help implement privacy regulations. They are the most aware of the complexity of their computing infrastructure and the least likely to believe that current privacy-enabling technology can solve problems of that scale (Nickel, 2008).
Ideally, the first step in protecting anything is striving to understand it. This involves understanding what information is available, where it is located, and, in the case of aggregated data, in what form. Establishing a substantial level of protection also entails identifying the owners and custodians of this information, the probable risks and impacts, and the security requirements (US-CERT, 2005). The CIO must first understand what privacy policies entail before communicating the company's privacy policies and practices to consumers. In line with this, businesses should undertake an internal audit to establish what data they are collecting, how that data is used, with whom it is shared, how it is protected, and related issues (Klosek, 2009).
Auditing is the main control CIOs should use to hold individuals accountable for their actions. When auditing is in place, two kinds of events are recorded: successful and failed accesses. A failed access arises when a subject tries to access a file or information for which they are not authorized. This information is very significant for the CIO, because it may provide evidence of insider misuse of access or of malicious software attempting to compromise a system. Other audit records signify successful access to a file or record. These provide a record of approved access to the confidential data and the evidence that a particular person accessed the private information. The disadvantage of auditing successful access to private data, however, is that it can produce a huge volume of audit information (Price, 2008). After the audit is done, the next step is to break the large volume of audit information into smaller units and profile it. Profiling is the procedure of describing, sorting, and bounding information, which makes it easier to understand the unique features and protection needs of the information. In this case, a smaller and more manageable set of aggregated data is used for profiling (US-CERT, 2005).
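The split between failed and successful accesses, and the profiling of the bulky successful-access records, can be illustrated with a small log analysis script. This is an added example, not code from the paper or from Price (2008); the audit lines and their key=value format are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample audit lines; the key=value layout is an assumption, not a real product format.
SAMPLE_AUDIT = """\
2024-03-01T09:00:01 user=alice action=read resource=/hr/payroll.csv result=SUCCESS
2024-03-01T09:00:05 user=alice action=read resource=/hr/payroll.csv result=SUCCESS
2024-03-01T09:02:17 user=bob action=read resource=/hr/payroll.csv result=FAILED
2024-03-01T09:02:19 user=bob action=read resource=/hr/payroll.csv result=FAILED
2024-03-01T09:02:21 user=bob action=read resource=/hr/salaries.xlsx result=FAILED
2024-03-01T09:10:44 user=carol action=write resource=/crm/customers.db result=SUCCESS
2024-03-01T09:11:02 user=alice action=read resource=/crm/customers.db result=SUCCESS
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"resource=(?P<resource>\S+) result=(?P<result>SUCCESS|FAILED)$"
)


def parse_audit(text):
    """Turn raw audit lines into event dicts; lines that do not parse are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def failed_accesses(events):
    """Failed accesses are kept one by one: each may be evidence of misuse or malware."""
    return [e for e in events if e["result"] == "FAILED"]


def profile_successes(events):
    """Successful accesses are collapsed into (user, action, resource) -> count.
    This is the smaller, aggregated set the text calls profiling."""
    return Counter((e["user"], e["action"], e["resource"])
                   for e in events if e["result"] == "SUCCESS")


def repeated_failures(events, threshold=2):
    """(user, resource) pairs whose failed attempts reach the threshold; worth a closer look."""
    c = Counter((e["user"], e["resource"]) for e in failed_accesses(events))
    return {k: n for k, n in c.items() if n >= threshold}
```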
The CIO can endorse new tools on the market to protect customer privacy, for instance the Platform for Privacy Preferences (P3P) framework. This tool is fairly new and is a first step toward increased communication between customers and web site operators. Under this framework, customers are given the chance to state how they want their information handled. When the customer visits a web site, the site reads and conforms to the preferences the customer has outlined. However, the company's web site has to be equipped to operate P3P, and the customer's preferences must be defined. The objective of this approach is to give customers the chance to select their own level of privacy (Pacocha, 2002).
Moreover, the CIO should work closely with company management to remove employees who do not follow the standard rules for handling private information. This should be done after employee and subcontractor performance assessments have been carried out. The assessments should incorporate violations of the policies and processes connected with the handling of private information. Assessments can also be used to reward workers who have taken extra steps, made improvements, or noted gaps in controls that affect the protection of private information (Price, 2008).
Other tools the CIO can use are those that permit privacy preferences and policies to be expressed and transferred between companies. They allow information to be exchanged between institutions so that the receiving institution can more easily establish the appropriate privacy policies for handling the information (Nickel et al., 2008).
According to Price (2008), private information may sometimes be conveyed, deliberately or unintentionally, into information repositories that are not approved for its storage. In response, the CIO should set up strategies and processes to detect unsuitable flows of private data. Moreover, tools that can inspect write actions that may involve private information ought to be deployed. For instance, dirty-word searches of email contents can be used to identify private information improperly sent through email. Likewise, periodic assessment of files on shared drives should be carried out. This can be done by scripting operating system commands, for example grep on UNIX and Search on Windows, to look for keywords in shared files.
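A scripted shared-drive sweep of the kind described above can go a little beyond plain keyword matching: pattern checks with a checksum cut the false positives that raw digit runs produce. This is an added example, not code from the paper or from Price (2008); the word list, patterns, file extensions and sample file contents are constructed assumptions.

```python
import os
import re

# Assumed illustrative dirty-word list and patterns; a real deployment would tune these to its own data.
DIRTY_WORDS = ("social security", "date of birth", "credit card", "patient")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")


def luhn_ok(digits):
    """Luhn checksum over a digit string; rejects most random digit runs (build ids, order numbers)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def scan_text(text):
    """Return (kind, value) findings for one file's contents."""
    findings = []
    low = text.lower()
    findings += [("keyword", w) for w in DIRTY_WORDS if w in low]
    findings += [("ssn-pattern", m.group()) for m in SSN_RE.finditer(text)]
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            findings.append(("card-number", digits))
    return findings


def scan_files(files):
    """files: mapping path -> text. Only paths with at least one finding are reported."""
    report = {}
    for path, text in files.items():
        hits = scan_text(text)
        if hits:
            report[path] = hits
    return report


def scan_directory(root, exts=(".txt", ".csv", ".log")):
    """Walk a shared drive and scan plain-text files (the scripted sweep from the text)."""
    files = {}
    for d, _, names in os.walk(root):
        for n in names:
            if n.endswith(exts):
                p = os.path.join(d, n)
                with open(p, encoding="utf-8", errors="replace") as fh:
                    files[p] = fh.read()
    return scan_files(files)


# Constructed sample share contents (not real data).
SAMPLE_FILES = {
    "share/hr/notes.txt": "Call applicant; Social Security number is 123-45-6789.",
    "share/sales/q1.csv": "order,amount\n1001,49.99\n",
    "share/support/ticket.log": "Customer paid with card 4111 1111 1111 1111 last month.",
    "share/eng/build.log": "Build id 1234567890123 succeeded.",
}
```

The 13-digit build id in the last sample file matches the card pattern but fails the Luhn check, so it is not reported.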
It is a significant practice for the CIO to run a web monitoring program that automatically performs privacy scans to make certain that the site has not been tampered with and that privacy policies remain intact (Klosek, 2009). The CIO can also implement firewalls as a privacy protection technology. This technique controls which ports can be used to access files or records on servers holding private information. Likewise, the protocols that can be used to access the information should be restricted (Price, 2008).
Another tool the CIO can use for information protection is an encryption tool for data storage, in conjunction with basic encryption key management. This encryption works well when the program is a dependent tool and makes use of Trusted Computing Platform components. Filters for outgoing email ought to be applied to prevent privacy-sensitive information from leaving the company. There should also be scanning techniques that permit the discovery of privacy-sensitive information on systems or PCs. This helps a company establish whether privacy-sensitive data is present in violation of policy and allows suitable action to be taken (Nickel et al., 2008). Moreover, cryptographic protocols such as Secure Sockets Layer (SSL) or Internet Protocol Security (IPsec) should be used to guard user access to private data over the network from interception. Private data stored in files ought to be encrypted to protect it in the event that the media holding the data is lost. The cryptographic keys should be managed well against loss or exposure, which might give an outsider the ability to decrypt the protected data (Price, 2008).
Another core function of the CIO is to analyze and scrutinize insiders who occasionally access private information. They should be required to justify the legitimacy of their access to such information. For example, insiders must be required to give reasons for accessing a record that may be outside the scope of their work. A dropdown box on an electronic form that lets the worker select the basis for the access can be used to implement this. This additional step provides a deterrent and a form of auditing for an insider who may be browsing out of curiosity (Price, 2008).
Another core function of the CIO is to get prior permission from clients for possible transfers of private data that could be subpoenaed by the authorities. This also covers other kinds of transfers, including transfers to service providers and business partners (Klosek, 2009). Nickel et al. (2008) add that under numerous regulations, every citizen ought to be offered the chance to access and revise or amend their stored private information. This can be challenging when customer information is spread across many data stores, databases, and spreadsheets.
The CIO should also enforce strong authentication systems such as smartcards or tokens, which offer an additional layer of protection for persons accessing private information. This control should be applied to access to private information as well as to system logon. It can also stop direct access to private information by malicious software running inadvertently in the context of the user (Price, 2008).
Generally, organizational leaders are responsible for providing effective oversight of information privacy and security, including ensuring effective implementation of the protection policies developed and accountability for them. Management accountability and responsibility for aggregate data security are evident to all stakeholders. However, the chief information officer is the main actor in ensuring leadership and accountability in protecting customer privacy (US-CERT, 2005).