Federal Trade Commission – Staff Workshop Report: Technologies for Protecting Personal Information, 2003

Benchmarks and Standards

Panelists discussed the extent to which benchmarks and standards can help provide guidance to industry on the effective management of privacy issues. In particular, such standards have been valuable in providing guidance on how to develop effective security programs.

Several industry groups outlined policy initiatives or programs to promote better information security. For example, the Visa Cardholder Information Security Program (CISP) requires Internet merchants and processors that are authorized to handle Visa payments to meet 12 different security criteria. The criteria include the installation and maintenance of firewalls, security patching, and encryption. Visa audits companies to ensure compliance and has fined one major processor $500,000 for non-compliance. One of the CISP criteria is based on the benchmarks produced by the Center for Internet Security (CIS), which publishes security benchmarks for a variety of technologies, including operating systems, routers, and databases.

The benchmarks, which are freely available on the CIS Web site, provide technically detailed guidance on how to configure these technologies for increased security. Standardized professional training programs in information protection are also gaining acceptance. The Certified Information Systems Security Professional (CISSP) and the Global Information Assurance Certification (GIAC) from the SANS Institute are two examples of formalized training programs for aspiring information protection professionals. Internet service providers are also coordinating their responses to network security threats, such as worms and denial-of-service attacks. Additional security guidance may come from the courts, as recent negligence actions include claims that hasty software development has led to flawed software design.

In addition, recently enacted laws – the Gramm-Leach-Bliley Act (GLBA) and the Health Insurance Portability and Accountability Act of 1996 (HIPAA) – apply security requirements to entities that maintain financial and health information, respectively. Federal agencies are implementing these laws through rules and guidelines that allow flexibility, depending on the needs of particular businesses. Although flexible, these rules and guidelines contain requirements that depend on the effective deployment of technology – for example, requiring appropriate security for a network and proper encryption – and are likely to influence the market for technological products and services.

Source: Federal Trade Commission – Staff Workshop Report: Technologies for Protecting Personal Information, 2003
