
18 November 2006

E&Y on Foreign Outsourcing Risks

CSO Magazine has a recent post regarding "... third-party relationships, particularly with the use of customer data by customer service outsourcing companies in rapidly developing economies." This comes from a recently completed information security survey performed by Ernst & Young.

Foreign Outsourcing Risks Only Now Being Recognized
Security Feed - Blog - CSO Magazine

Nov 17, 2006

...
Respondents indicated that many companies are beginning to recognize the potential risks "of third-party relationships, particularly with the use of customer data by customer service outsourcing companies in rapidly developing economies," Ernst & Young said in a statement.
...
The survey also reported that CSOs will continue to face the challenges of regulatory compliance and privacy issues.
Privacy issues are a key priority for future success, said Ernst & Young. Privacy "has become a high-stakes business issue, catapulted up the board agenda by consumer concerns caused by well-publicized lapses of security and the growing response of government and legislative activism," said Paul van Kessel, global leader of Ernst & Young’s Technology and Security Risk Services. "Understandably it is the area where companies are being most active, with privacy and data protection practices becoming increasingly more formalized."
"Companies know all too well that the problem of privacy and personal data protection is broader and deeper than what is in the headlines," he added. "Our survey reports that this will continue to be a top business issue, requiring vigilant oversight on the part of organizations and even more formalization of measures to mitigate the risks."


Flipside: A few minutes with Jeff Jonas

More from Jeff Jonas about analytic processing of anonymized data.

Flipside: A few minutes with Jeff Jonas

...

The technique we are using allows us to anonymize identity information, like names and addresses, and after the data is anonymized to compare and determine when two people are the same person despite all the variability in identity data. Usually one encrypts data to send to somebody else who has to decrypt it to use it.

Ours is a technique that allows you to encrypt the data and do the analysis while it is encrypted. That's what is unique about it. Many people in the privacy community feel that this is better than some other ways of sharing sensitive data.

...
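The matching Jonas describes, as an added example that is not his or IBM's code: each party normalizes its identity attributes and replaces them with keyed hashes (HMAC-SHA256 under a shared secret, an assumed design), so the party doing the comparison sees only tokens yet can still tell when two records describe the same person. The shared key, the record fields and the abbreviation table are all constructed for the demo.

```python
import hashlib
import hmac
import re

# Constructed shared secret for the demo; real parties would agree one out of band
# and rotate it. Without a key, tokens over names could be reversed by hashing a
# directory of candidate names, so the key is what makes the tokens safe to share.
SHARED_KEY = b"constructed-demo-key"

# Common address abbreviations, so "Street" and "St" hash to the same token.
_ABBREV = {"street": "st", "avenue": "ave", "road": "rd", "apartment": "apt"}


def normalize(value: str) -> str:
    """Lower-case, drop punctuation, collapse whitespace, abbreviate street words."""
    words = re.sub(r"[^a-z0-9 ]", " ", value.lower()).split()
    return " ".join(_ABBREV.get(w, w) for w in words)


def anonymize(record: dict) -> dict:
    """Replace each identity attribute with an HMAC-SHA256 token of its normalized form."""
    return {
        field: hmac.new(SHARED_KEY, normalize(value).encode(), hashlib.sha256).hexdigest()
        for field, value in record.items()
    }


def same_person(tokens_a: dict, tokens_b: dict, required=("name", "address")) -> bool:
    """Compare two anonymized records: a match needs every required token to agree."""
    return all(tokens_a.get(f) == tokens_b.get(f) for f in required)


# Constructed records held by two parties; only the tokens leave each party.
PARTY_A = {"name": "Jonathan Q. Public", "address": "123 Main Street, Apt 4"}
PARTY_B = {"name": "jonathan q public", "address": "123 main st apt 4"}
PARTY_C = {"name": "Jonathan Q. Public", "address": "125 Main Street"}


def demo() -> tuple:
    """Returns (A matches B, A matches C): same person despite formatting, different address."""
    a, b, c = anonymize(PARTY_A), anonymize(PARTY_B), anonymize(PARTY_C)
    return same_person(a, b), same_person(a, c)


if __name__ == "__main__":
    print(demo())  # (True, False)
```

Normalization does the work of absorbing variability; the hash itself is unforgiving, so any formatting difference not handled before hashing becomes a missed match.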

The subtle and not-so-obvious nature of PII

The threat of personally identifiable information (PII) getting out into "the wild" is always a concern. A more subtle and less obvious problem, as this article implies, is the use of information which, while not containing the obvious PII -- Social Security numbers, driver's license numbers, credit card numbers, ... -- can, in combination with other available data, lead to the re-identification of individuals.

Stolen laptop leaves Nationwide red-faced
Security Strategy - Breaking Business and Technology News at silicon.com

... The building society is willing to say what has not been stolen. No PINs, passwords or information about financial transactions were contained on the computer, and no account details such as customer names, account numbers or sort codes were compromised, according to Oliver.
However, there is a chance the limited customer data stolen could be linked to other information about individuals and used for identity fraud.

The building society would not say how many customers' details were contained on the stolen laptop. It is in the process of writing to all of its 11 million UK customers to outline the security measures they need to take as a result of the theft.
...
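The linkage risk described above, as an added example that is not from the article or the building society: a dataset with no names, account numbers or PINs can still single people out once its quasi-identifiers are combined, and a k-anonymity count makes that measurable. The rows, postcodes and product names are constructed; the check assumes an outside source holds the same three quasi-identifiers.

```python
from collections import Counter

# Constructed records: no names, account numbers or PINs, only fields that look
# harmless on their own. Postcodes and years are made up for the demo.
ROWS = [
    {"postcode": "ZZ1 1", "birth_year": 1971, "gender": "F", "product": "savings"},
    {"postcode": "ZZ1 1", "birth_year": 1971, "gender": "F", "product": "current"},
    {"postcode": "ZZ1 2", "birth_year": 1984, "gender": "M", "product": "savings"},
    {"postcode": "ZZ1 2", "birth_year": 1984, "gender": "M", "product": "mortgage"},
    {"postcode": "ZZ1 9", "birth_year": 1982, "gender": "M", "product": "current"},
]
# Quasi-identifiers: attributes an outside source (electoral roll, marketing
# list) is likely to hold for the same people.
QUASI_IDS = ("postcode", "birth_year", "gender")


def equivalence_classes(rows, fields):
    """Count how many rows share each combination of quasi-identifier values."""
    return Counter(tuple(row[f] for f in fields) for row in rows)


def k_anonymity(rows, fields):
    """k for the dataset: the size of its smallest equivalence class (0 if empty)."""
    classes = equivalence_classes(rows, fields)
    return min(classes.values()) if classes else 0


def unique_rows(rows, fields):
    """Rows whose combination appears exactly once; these are the linkable ones."""
    classes = equivalence_classes(rows, fields)
    return [r for r in rows if classes[tuple(r[f] for f in fields)] == 1]


def generalize(row):
    """Coarsen quasi-identifiers: keep only the postcode area, bucket years by decade."""
    coarse = dict(row)
    coarse["postcode"] = row["postcode"].split()[0]
    coarse["birth_year"] = row["birth_year"] // 10 * 10
    return coarse


if __name__ == "__main__":
    print(k_anonymity(ROWS, QUASI_IDS), len(unique_rows(ROWS, QUASI_IDS)))  # 1 1
    coarse = [generalize(r) for r in ROWS]
    print(k_anonymity(coarse, QUASI_IDS), len(unique_rows(coarse, QUASI_IDS)))  # 2 0
```

Generalizing the quasi-identifiers raises k at the cost of precision; the row that was unique at full resolution disappears into a class of three once postcode and birth year are coarsened.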


SOA after the hype

A nicely done compilation of well-crafted quotables from analysts and vendors on SOA's entry into what Gartner sometimes refers to as the "trough of disillusionment".

SOA after the hype

By now most software vendors who could possibly justify fitting their products into the service-oriented architecture space have become at least buzzword-compliant with SOA. The initial hype phase, characterized by a certain "irrational exuberance", has passed, and developers and architects are actually implementing SOA. To get an idea of where SOA is after the hype phase, we asked a group of analysts and thought leaders where they see it now.
...

The Limited Liability Persona

Again at the Burton Group's Identity Blog, an introduction to a concept that, while not entirely new, is nicely set out here: the Limited Liability Persona, a construct which carries exactly the properties necessary and sufficient for a transaction, and no more.

Burton Group Identity Blog: The Limited Liability Persona

...The basic idea is that an LLP would be a legally sanctioned and recognized virtual person in which you could "invest" some of your financial or identity resources, while holding the rest of your resources back so that they're not exposed to online risk. Once you created an LLP, you'd have the legal right to use it as an online "alter ego", even in commercial transactions. You can't really do this today; if you use an identity other than your own in a transaction, it's usually called "fraud" (but not always; people in the witness protection program, for example, are given government-sanctioned alter egos which they can use to avoid various privacy and safety risks).

What are the details? Well, since LLPs don't really exist yet, it's hard to be too specific. But in principle an LLP is a legal entity with a name:

1. Created by an action of a court
2. Owned by one or more individuals
3. With its own resources distinct from those of its owners
4. In which owners can invest new resources
5. With its own "identity attributes" distinct from those of its owners
6. Whose actions are legally distinct from those of the owners (though the owners may be held accountable for those actions)
7. Whose resources may be transferred to its owners
8. Which can be sold by the owners to new owners
9. Whose existence can be terminated by its owners

...

As you might expect, this notion of revealing or making use of only those properties necessary for the job, while retaining (protecting) that property which is privileged and unnecessary, has a warm spot in my heart. It tracks completely with the notion on which Safe Data Sharing (SDSi), my new preoccupation, is built.


Value in the relationships of identities

In an "op-ed" post regarding the initiation of the Identity Theft Prevention and Identity Management Standards Panel (IDSP), a joint ANSI and Better Business Bureau effort to establish guidelines and standards to prevent identity theft, Kevin Kampman of the Burton Group has done a very nice job of setting out an aspect of the problem.

Burton Group Identity Blog: In America, who’s watching the watchers?

...
Today, the strength of control over information is not in the hands of the individual, it is in the hands of the aggregator. What constitutes value in the relationships of identities with business and government is in their interaction. A secondary, fairly invisible market exists in the management, analysis, exchange and sale of identity information. Privacy policies have been highlighted to protect consumers in web-based transactions, but this is the tip of the iceberg in terms of the overall identity information market, which falls under the auspices of a patchwork of regulations, if at all.

The issue to individuals is the unintended and unapproved use of PII. The pendulum of control needs to swing in their direction. The challenge is organization. There are few (if any) advocates for individuals with the power or funds to effect change. Even with the Health Insurance Portability and Accountability Act (HIPAA), the real benefits are to the health care and insurance providers, not necessarily the patients it nominally protects. Individuals also don’t see the lack of control as something to lose sleep over, until something annoying or catastrophic occurs, at which point the burden of recovery lands squarely in their lap. It is then that they realize that the treatment and handling of identity information, like weapons, needs to be controlled, and that they need to be an active participant, if not the key controller in the process.
...


Point of View and Point of Illumination

As a break from the predictable madhouse that comes along with a startup, I've been taking part of this morning to catch up on 'blog surfing.

What I've noticed (besides the impossibility of keeping current) is that my mental filters have definitely established a point of view by which to interpret and consider the posts that deal with personally identifiable information (PII). In addition to the point of view, I've also acquired a "point of illumination", by which I mean that the "stage lighting" is adding or removing emphasis, illuminating in order to distinguish something from the background, or (at times) lighting the object so as to emphasize or de-emphasize dimensionality... depth.

I've always felt that a simile like "point of view" is impoverished, limited. I'm enjoying the notion of viewing, observing and editorializing based not only on point of view, but also as a function of point of illumination. I'm not altogether certain where I can take this concept, but it seems to me that as a factor in the visualization of information search, it could be VERY useful.
