New Privacy Guidance for Security TechFramework Offers Best Practices for Security Vendors, End Users
The Security Industry Association has released an updated version of its privacy framework, outlining best practices to use when deploying evolving electronic security technologies.
"We needed to update the framework to reflect the fact that a lot of security systems are IP-based now and connected online," says Jake Parker, director of government relations at the SIA, a trade association for electronic and physical security solution providers with more than 450 member companies. The original framework was released in 2010.
"There's now a link between physical and logical security, like online access to the security system," Parker says. "That's something that wasn't prevalent back in 2010."
The collection and use of information by security-related technologies can indeed have privacy implications, says security and privacy attorney Harriet Pearson, partner at Hogan Lovells and former chief privacy officer at IBM. "Having a thoughtful plan to address such implications, if you are a security solution vendor or a user, can mitigate legal and reputation risk," she says.
SIA's framework highlights several privacy principles. For example, it recommends electronic security systems companies should:
- Incorporate privacy solutions during the design phase of security products, services or systems;
- Conduct an impact assessment to help integrators, system owners and managers analyze how personally identifiable information is collected, stored, protected, shared and managed;
- Perform an assessment of all applicable legal or regulatory requirements, including Sarbanes-Oxley, Gramm-Leach-Bliley, HIPAA and HITECH;
- Ensure access to PII captured by a physical or online security system is limited to authorized individuals for authorized purposes;
- Make certain the database where any PII is collected and stored is protected;
- Ensure data transmitted between systems or components is protected from unauthorized disclosure;
- Notify individuals whose PII may be collected of the reason for collection and how the data may be used.
For users of electronic security systems, the framework recommends adopting a breach notification plan that includes guidelines for determining when notification is required, identifies responsive action if a breach occurs and outlines mitigation procedures. It also recommends establishing a policy on the retention and disposal of PII.
The framework also calls for collaboration among service providers and end users to help ensure compliance with best practices for privacy protections.
A Communication Tool
Dwayne Melancon, chief technology officer at information security company Tripwire, says the SIA privacy framework "serves as a good communication tool to help establish a common, high level of understanding of the importance and role of privacy. Using the framework to engage with non-technical business stakeholders helps to communicate the principles required in protecting PII, such as risk evaluation, data classification and developing an understanding of the threat environment."
Melancon describes the framework as a summary of control objectives, and not a step-by-step guide. "It doesn't go into enough implementation detail to serve as a 'punch list' for the organization," he says. "But each one of the points in the framework can be used to establish ownership and accountability in the organization, as well as providing a good litmus test to validate whether the appropriate results are being achieved."