
Tom Benton
Late last week the news broke that the NSA has been working with US information giants like Google, Verizon and others to monitor and analyze communications under the Protect America Act. The news set off a wave of responses, from privacy concerns to humorous posts on Twitter. The PRISM program can be viewed on the positive side as a big data solution for finding and tracking threats to US security; on the negative side, it could be seen as an invasion of privacy. Whatever one’s view on the issues involved, the news may have people in your organization asking questions about IT security.
CIOs should be prepared to respond to questions from the CEO, the Board, and business peers about how data security is handled in their companies. Now is a good time to have a discussion with whoever owns data security – whether that’s a Chief Information Security Officer on your team or someone else in the organization. If you don’t have a single owner for data security, then it’s you. When were your data security policies last reviewed? Does your website give customers information on how their data will be protected? Have you had third-party security experts review your data security in the last year? Know the answers, because this could be a time when someone asks them and expects you to know.
With help from my teammate and fellow former CIO Rob McIsaac, I have published a CIO Checklist for IT Security planning. This executive brief provides an overview of IT security areas that CIOs need to consider as part of an overall IT risk management framework in their organization. While not intended to be a comprehensive planning guide or to give specific IT security advice, this guide will help CIOs gain traction on developing and reviewing their organization’s IT security plan.
Data security, privacy and how we communicate them are important in establishing trust. For the insurance CIO, maybe PRISM should stand for “Priority: Review Information Security Measures”, so that you are better prepared to answer questions and build the trust of those who use our data systems.