As these challenges pervaded not only ChoicePoint but every company in the industry, privacy advocates began to dissect the processes, systems and approaches that data providers were using to collect, analyze and sell information. What they found quickly became the foundation for congressional attention and a focus on imposing heavy regulation on an industry that suffered from a lack of process integration and had no oversight or governance in place within any of its organizations. ChoicePoint had in effect become the poster child of the entire personal data industry because of the many lapses it had experienced in protecting consumers' data. The scenarios described in the case study, in which criminals posed as small businesses to gain access to its databases, reflect a pervasive problem across the entire industry and a further catalyst for legal and regulatory oversight.
Dissecting the processes, systems and techniques of the American personal data industry, privacy advocates argue that this country's providers are left unchecked and follow privacy policies of convenience rather than looking out for consumers' welfare (Iacovino, Todd, 2007), and that European Union standards need to be applied to American providers. These standards are rigorous, with strict compliance to British Standard 7799, ISO 17799 and ISO 27001, all world-known standards for data security (Korba, Song, Yee, 2007). Privacy advocates have gone so far as to hire IT experts to evaluate the security and stability of the databases and Web infrastructures of the personal data providers, concluding that the well-known PDCA model (Tang, 2008) defined by Charles Deming, so prevalent in other industries as a means of defining governance strategies to ensure system security, was unknown in every personal data systems company. Further, there was a complete lack of consistency across middleware applications and their level of compliance with ISMS initiatives, including the stated BS and ISO standards (Lioudakis, et al., 2007). The privacy advocates' analysis of the IT infrastructures of personal data providers also found a complete lack of data security on their databases; comparable database implementations at consumer packaged goods companies had higher levels of data security and verification processes in place (Esponda, Ackley, Helman, Jia, Forrest, 2007). Privacy advocates had moved to a more rational approach of analyzing the industry rather than relying purely on emotional pleas to Congress for control, and the result was the most damaging finding of all: many of the personal data providers' data warehouses were open and easy to access, even from outside the company (Radcliff, 1996).
ChoicePoint's Response to Congress
Derek Smith has no choice but to completely re-order his company as an example for the industry to follow. Mr. Smith will also need to document these changes and provide the industry with a roadmap for attaining higher levels of data privacy through more effective Business Process Management (BPM) and Business Process Re-engineering (BPR) (Merrifield, Calhoun, Stevens, 2008). He can't just redefine processes, however (Hammer, et al., 2007); he needs to completely re-order the systems that support them as well. This will require that he first define a corporate-level position for governance and risk management. It would be feasible to create a Chief Governance Officer (CGO) position with the authority to implement internal audit programs, schedules and standards. Further, a thorough ISMS initiative is required immediately. These first steps are in effect a "mea culpa," an admission of guilt and lack of oversight to the U.S. Congress, telling them he plans to completely re-order the privacy aspects of his industry.
He further must define a strategic plan for GRC going...
These elements of availability, confidentiality and integrity form the foundation of the ISMS strategic plans and implementation strategies. All of these points need to be explained both to privacy advocates and to Congress if Mr. Smith is to gain credibility over the long term.
Figure 1 illustrates the interrelationship of availability, confidentiality and integrity within the concept of an ISMS implementation, which uses the ISMS to safeguard critical customer data. Information architectures are typically defined in the second stage of the ISMS implementation methodology, kept in that specific step because they need to be aligned with GRC initiatives within organizations, and this alignment is critical for the personal data industry to retain its credibility in protecting data. This alignment is happening increasingly with the development of Governance, Risk & Compliance (GRC) frameworks. As a result, availability, confidentiality and integrity are far more pervasive as design objectives of ISMS implementations than they had been in the past, and they have proven effective in resolving the security lapses that had become common during the period of the case study.
Figure 1: The Building Blocks of a Successful ISMS Implementation
Sources: Taken from an analysis of the following: (Tang, 2008)
The implementation of an ISMS requires intensive integration from a financial, customer, internal process, and learning and growth perspective if it is to be successful. This point of integration is further accentuated by the eleven domains that comprise the ISO/IEC 27001 standard (Bodin, Gordon, Loeb, 2008). These eleven domains include defining a security policy, organizing information security, defining asset management strategic plans and programs, integrating personal data security and system components, planning for enterprise-wide communications and operations management, defining more precise approaches to data and facility access control, and developing more strategic and integrated approaches to information systems acquisition, development and maintenance, together with their strategic plans, systems, and underlying supporting processes. There is also the need to define an alert-based approach to information security incident management, which needs to be electronically enabled across all of an organization's facilities globally. The three remaining domains of the ISO/IEC 27001 standard are defining business continuity management strategic plans, defining governance frameworks that can ensure continued compliance with federal and global requirements, and the continual development of physical and environmental security at the strategic level. Across the eleven domains of the ISO/IEC 27001 standard, a high degree of integration is critical for any ISMS implementation to be successful. The most critical factor for all eleven domains to succeed is defining a stable and sustainable change management strategy that is consistent with the organization's culture, a point that Mr. Smith will have to contend with over the long term.
Only by completely re-ordering the company's approach to managing data privacy at the process and system level, and by making GRC a corporate strategic priority through the creation of a Chief Governance Officer, will ChoicePoint be able to overcome the risk of being heavily regulated by Congress. Derek Smith also needs to get out of the business of selling data to small and medium businesses; these transactions are not scalable in a GRC framework as proposed in this paper, and the incremental revenue is not worth the risk. Ultimately, ChoicePoint will be able to work with Congress only by disclosing how errant its processes and systems have become and by welcoming periodic audits of its GRC strategic plans and ISMS initiatives. To be anything less than accountable and willing to disclose is to risk intensive regulation.
Baldwin, A., Beres, Y., & Shiu, S. (2007). Using assurance models to aid the risk and governance life cycle. BT Technology Journal, 25(1), 128-140. Retrieved August 5, 2008, from ABI/INFORM Global database. (Document ID: 1238704541).
Bellone, J., de Basquiat, S., & Rodriguez, J. (2008). Reaching escape velocity: A practiced approach to information security management system implementation. Information Management & Computer Security, 16(1), 49-57. www.proquest.com (accessed August 7, 2008).
Brenner, J. (2007). ISO 27001: Risk management and compliance. Risk Management, 54(1), 24-26, 28-29. www.proquest.com (accessed August 7, 2008).
Bodin, L. D., Gordon, L. A., & Loeb, M. P. (2008). Information security and risk management. Communications of the ACM, 51(4), 64. www.proquest.com (accessed August 4, 2008).
Cocheo, S. (2004). FCRA package, a big win wrapped with new strings. ABA Banking Journal, 96(1), 7-10. Retrieved August 6, 2008, from ABI/INFORM Global database. (Document ID: 536921151).
Cole, C. (2004, May). Dealing with data. Independent Banker, 54(5), 86-87. Retrieved August 6, 2008, from ABI/INFORM Trade & Industry database. (Document ID: 784742331).
Cooper, D. P. (2005). Investigations: Understanding data privacy. Journal of Financial Crime, 12(4), 352-359. Retrieved August 5, 2008, from ABI/INFORM Global database. (Document ID: 891344491).
Da Veiga, A., & Eloff, J. H. P. (2007). An information security governance framework.…