As these challenges pervaded not only ChoicePoint but every company in the industry, privacy advocates began to dissect the processes, systems and approaches that data providers were using to collect, analyze and sell information. What they found quickly became the foundation for congressional attention and for a push to impose heavy regulation on an industry that suffered from a lack of process integration and had no oversight or governance in place within any of its organizations. ChoicePoint had in effect become the poster child of the entire personal data industry because of the many lapses it had experienced in protecting consumers' data. The scenarios described in the case study, in which criminals posed as small businesses to gain access to ChoicePoint's databases, illustrate a problem that is pervasive across the industry and a further catalyst for legal and regulatory oversight.
Dissecting the processes, systems and techniques of the American personal data industry, privacy advocates argue that this country's providers are left unchecked and follow privacy policies of convenience rather than looking out for consumers' welfare (Iacovino, Todd, 2007), and that European Union standards should be applied to American providers. Those standards require strict compliance with British Standard 7799, ISO 17799 and ISO 27001, all internationally recognized standards for information security (Korba, Song, Yee, 2007); BS 7799 is the British predecessor of the two ISO standards, ISO/IEC 17799 (since renumbered ISO/IEC 27002) is the code of practice that catalogues security controls, and ISO/IEC 27001 is the certifiable specification for an Information Security Management System (ISMS) itself. Privacy advocates have gone so far as to hire IT experts to evaluate the security and stability of the databases and Web infrastructures of personal data providers, with the conclusion that the well-known Plan-Do-Check-Act (PDCA) model (Tang, 2008) popularized by W. Edwards Deming, so prevalent in other industries as a means of defining governance strategies to ensure system security and the cycle on which ISO/IEC 27001 explicitly bases the operation of an ISMS, was unknown in every personal data systems company. Further, there was a complete lack of consistency across middleware applications in their level of compliance with ISMS initiatives, including the BS and ISO standards named above (Lioudakis, et al., 2007). The privacy advocates' analysis of the IT infrastructures of personal data providers also found a complete lack of data security on their databases; comparable database implementations at consumer packaged goods companies had higher levels of data security and verification processes in place (Esponda, Ackley, Helman, Jia, Forrest, 2007). Privacy advocates had moved to a more rational approach of analyzing the industry rather than relying purely on emotional pleas to Congress for control, and the result was the most damaging finding of all: many of the personal data providers' data warehouses were open and easy to access even from outside the company (Radcliff, 1996).
ChoicePoint's Response to Congress
Derek Smith has no choice but to completely re-order his company as an example for the industry to follow. Mr. Smith will also need to document these changes and provide the industry with a roadmap for attaining higher levels of data privacy through more effective Business Process Management (BPM) and Business Process Re-engineering (BPR) (Merrifield, Calhoun, Stevens, 2008). He cannot simply redefine processes, however (Hammer, et al., 2007); he needs to completely re-order the systems that support them as well. This will require that he first define a corporate-level position for governance and risk management. It would be feasible to create a Chief Governance Officer (CGO) position with the authority to implement internal audit programs, schedules and standards. Further, a thorough ISMS initiative is required immediately. These first steps are in effect a "mea culpa", an admission to the U.S. Congress of guilt and of a lack of oversight, telling Congress that he plans to completely re-order the privacy aspects of his industry.
He must further define a strategic plan for governance, risk and compliance (GRC) for his organization going forward, complete with an assessment of how to successfully complete an ISMS implementation company-wide.
He needs to state specifically that the foundational elements of any ISMS implementation, Availability, Confidentiality and Integrity, must be aligned with each other and made part of the governance framework; these three properties form the foundation of the ISMS strategic plans and implementation strategies. All of these points need to be explained to both privacy advocates and Congress if Mr. Smith is to gain credibility over the long term.
Figure 1 illustrates the interrelationship of availability, confidentiality and integrity within an ISMS implementation, in which the ISMS is the mechanism for safeguarding critical customer data. Information architectures are typically defined in the second stage of the ISMS implementation methodology and are kept in that specific step because of the need to align them with GRC initiatives within organizations; this alignment is critical if the personal data industry is to retain its credibility in protecting data. The same alignment is increasingly taking place through the development of Governance, Risk & Compliance (GRC) frameworks. As a result, availability, confidentiality and integrity are far more pervasive design objectives of ISMS implementations than they were in the past, and they have proven effective in resolving the kinds of security lapses that were common during the period of the case study.
Figure 1: The Building Blocks of a Successful ISMS Implementation
Sources: Taken from an analysis of the following: (Tang, 2008)
The implementation of an ISMS requires intensive integration from the financial, customer, internal process, and learning and growth perspectives if it is to be successful. This need for integration is further accentuated by the eleven control domains that comprise Annex A of the ISO/IEC 27001 standard (Bodin, Gordon, Loeb, 2008). These eleven domains are: defining a security policy; organizing information security; defining asset management strategic plans and programs; human resources security for the staff who handle personal data and system components; planning enterprise-wide communications and operations management; defining more precise approaches to data and facility access control; developing more strategic and integrated approaches to information systems acquisition, development and maintenance, including the plans, systems and underlying processes that support them; defining an alert-based approach to information security incident management, electronically enabled across all of an organization's facilities globally; defining business continuity management strategic plans; defining governance frameworks that can ensure continued compliance with federal and global requirements; and the development and continual improvement of physical and environmental security at the strategic level. Across all eleven domains, a high degree of integration is critical for any ISMS implementation to succeed. One of the most critical success factors for all eleven is defining a stable and sustainable change management strategy that is consistent with the organization's culture, a point that Mr. Smith will have to contend with over the long term.
Only by completely re-ordering the company's approach to managing data privacy at the process and system level, and by making GRC a corporate strategic priority through the creation of a Chief Governance Officer, will ChoicePoint be able to overcome the risk of being heavily regulated by Congress. Derek Smith also needs to get out of the business of selling data to small and medium businesses; these transactions are not scalable within a GRC framework as proposed in this paper, and the incremental revenue is not worth the risk. Ultimately ChoicePoint will be able to work with Congress only by disclosing how errant its processes and systems have become and by welcoming periodic audits of its GRC strategic plans and ISMS initiatives. To be anything less than accountable and willing to disclose is to risk intensive regulation.
Baldwin, A., Beres, Y., & Shiu, S. (2007). Using assurance models to aid the risk and governance life cycle. BT Technology Journal, 25(1), 128-140. Retrieved August 5, 2008, from ABI/INFORM Global database. (Document ID: 1238704541).
Bellone, J., de Basquiat, S., & Rodriguez, J. (2008). Reaching escape velocity: A practiced approach to information security management system implementation. Information Management & Computer Security, 16(1), 49-57. Retrieved August 7, 2008, from www.proquest.com.
Bodin, L. D., Gordon, L. A., & Loeb, M. P. (2008). Information security and risk management. Communications of the ACM, 51(4), 64. Retrieved August 4, 2008, from www.proquest.com.
Brenner, J. (2007). ISO 27001: Risk management and compliance. Risk Management, 54(1), 24-26, 28-29. Retrieved August 7, 2008, from www.proquest.com.
Cocheo, S. (2004). FCRA package, a big win wrapped with new strings. ABA Banking Journal, 96(1), 7-10. Retrieved August 6, 2008, from ABI/INFORM Global database. (Document ID: 536921151).
Cole, C. (2004, May). Dealing with data. Independent Banker, 54(5), 86-87. Retrieved August 6, 2008, from ABI/INFORM Trade & Industry database. (Document ID: 784742331).
Cooper, D. P. (2005). Investigations: Understanding data privacy. Journal of Financial Crime, 12(4), 352-359. Retrieved August 5, 2008, from ABI/INFORM Global database. (Document ID: 891344491).
Da Veiga, JHP Eloff. (2007). An Information Security Governance Framework.…