Security and Legislative Implications for ITSM

All Data Is Not Equal In The Eyes of the Powers That Be!

Ever notice how some days seem to have themes? For me, today's theme is data management, or more precisely the legislated security, privacy, clearance and compliance requirements that apply to data management. I believe the readers of this article would agree that while the business unit is responsible for data accuracy, the IT group and its integrated partners and suppliers are the caretakers and guardians of the digital life blood of any business, government or non-profit organization. What made this a theme for me today was that three separate conversations caused me to think about the importance of business data and its relevance to IT Management responsibilities.

Conversation #1: The spark for this article came from a conversation I had with my fellow Pinker George Spalding. George and I were talking this morning about a webinar he is co-presenting with Axios. The subject of this particular webinar is the implications of IT Management for the Health Care industry. George and I discussed his research into the security and privacy implications of online medical records and client data as it is shared across state and federal boundaries. Legislation such as the Health Insurance Portability and Accountability Act (HIPAA) and the HITECH Act imposes serious privacy requirements on system design and data management.

Conversation #2: Pink Elephant, like many other companies today, is exploring the benefits of a Bring Your Own Device (BYOD) strategy when equipping our staff with automation. In the face of the growing consumerization of IT and the rampant growth of personal mobile computing platforms, an "if you can't beat them, join and influence them" strategy makes a lot of sense. So with this practice in place, several of us were tackling some of the finer points of the policy needed to make it work.

Of course the challenge now becomes the reality of corporate data being spread across devices that do not belong to the company. This was reinforced for me when I read the following Baseline article later in the day, "Undead Data Haunt the Enterprise", which talks about on-boarding and off-boarding employees and being accountable for "burning or scrubbing" their personal devices when they leave. The reality is that the network perimeter now extends well beyond the corporate firewall. Whether we like it or not, corporate and legislatively protected data is on mobile devices, loaded into personal cloud storage services, and so on. The worst part is that even though the business does not own the device, it still has a legal obligation to keep the data safe and secure.

Conversation #3: The final conversation that prompted this article was a discussion I recently had with David Ratcliffe, the President of Pink Elephant. We were discussing the dramatic evolution of personal storage. David remarked that it is amazing that we can walk around with devices in our pockets with enough storage capacity to hold every byte of digital content we create during our working lifetime. That statement gave me serious pause.

With these three conversations in mind, I invite you to consider the following observations:

1) Ignorance Is Not A Defensible Excuse

I often speak on IT Governance, and as part of this subject matter I try to keep on top of a high-level list of legislation that pertains to information systems which house sensitive business data. I refer to this list as the Hair Ball of legislation, in that there is no integration and sometimes outright contradiction among the compliance requirements. As a sample, but by no means a comprehensive list, consider the following:

  • Personal Information Protection and Electronic Documents Act (PIPEDA) (Canada)
  • US Patriot Act / Homeland Security (Critical Infrastructure)
  • Personal Health Information Protection Act (PHIPA)
  • Health Insurance Portability and Accountability Act (HIPAA)
  • SEC Rules 17a-3 & 17a-4 re: Securities Transaction Retention
  • Gramm-Leach-Bliley Act (GLBA) privacy of financial information
  • Children's Online Privacy Protection Act (COPPA)
  • Clinger-Cohen Act (US Gov.)
  • Federal Information Security Management Act (FISMA)
  • Freedom of Information & Protection of Privacy (FOIPOP) (Canadian BC Gov.)
  • FDA Regulated IT Systems
  • Freedom Of Information Act
  • Family Educational Rights and Privacy Act (FERPA) (Higher Education)
  • Medical Information System Development (Medis-DC) (Japan)
  • Authority for IT in the Public Administration (AIPA) (Italy)
  • European Privacy Directive (Safe Harbor Framework)
  • Sarbanes-Oxley Act (SOX)

The challenge we face is that legislators assume that the people who manage private and confidential information are aware of and compliant with the laws. In my experience this is not a safe assumption; in fact several of the laws work against each other. For example, the protections of the Canadian PIPEDA privacy act are countermanded by the US Patriot Act when Canadian data finds itself on servers within the US. Our challenge is that ignorance is not a satisfactory defense in a court of law.

2) Service Management Processes Must Be Designed & Managed To Account For Security & Privacy Requirements

When the Security Management book first came out under ITIL® version 2, one of the things I remember as striking was how intertwined the security requirements were with all the other processes. In fact I like to think of the Security Process as more of a DNA graft or gene splice into ITIL rather than a separate process.

Service Strategy: is responsible for ensuring that business requirements are received via Demand Management and Business Relationship Management. These inputs have a bearing on Service Portfolio Management in that it is necessary to understand both the Utility and Warranty requirements. In this perspective Warranty will also include understanding the security requirements and, in some cases, the clearance level required for the proposed services and their supporting systems and data architectures. Of course the question here is who holds the accountability to determine which legislation applies to the proposed service. While the customer will perhaps have a high-level understanding of the compliance requirements, it falls to the Service Designer to ferret out the details and how they apply to the Service blueprint, or in ITIL terms the Service Package, and this brings us to Service Design.

Service Design: is now responsible for ensuring that the service design has considered and covered the controls that pertain to the four Ps (people, process, product and partner). Legal will need to be consulted for input on the legislative requirements relating to access rights, storage policies, IT Service Continuity requirements, financial reporting and data segregation. Service Design is also responsible for developing the transition and operations procedures required to comply with legislative requirements.

Service Transition: All services, systems and technologies are vulnerable when they are undergoing change. Several pieces of legislation, such as HIPAA and the FDA regulations, specifically require special consideration, approval and due diligence when changing systems and data under their purview. Transition processes such as Release & Deployment, Service Validation & Testing, and Change Evaluation will need specific security-related criteria developed, tested and validated before changes are approved for promotion into production.

Service Operation: Once live, special process considerations need to be applied to highly secured or legislatively applicable services. For example, if an incident occurs on a critical business service with a secret clearance level, it will take on a very high priority and be handled only by governmentally cleared staff. Or, if it is determined that an Incident is related to a security violation, a special Security Incident Process and team takes over. I have worked in environments where, due to data segregation requirements, an agency must maintain separate CMDBs.

In summary, while very few people enjoy this subject, it remains that we are accountable to the business and to the powers that be to design, build and deliver IT Services which protect sensitive data and are compliant with the powers that be!

Troy's Thoughts. What Are Yours?

"But then, so far as I know, I am the only performer who ever pledged his assistants to secrecy, honor and allegiance under a notarial oath." ~Harry Houdini


ITIL® is a registered trademark of Axelos Limited. All rights reserved.


Comments

Troy,

More research led me to discover that “ignorance is not an excuse” is now codified in the Health Care legislation.  You are right on the money, my friend.

GS

George Spalding | October 24, 2011 at 8:44am
