Balancing Issues in World of Telepresence
By Tom Cross
Bipolar Disorder – Privacy-Security Lifecycle Management
New Roles for Authors – Actualizers – Auditors – Analyzers
There is an increasing amount of information available on the “bipolar” disorder of security and privacy. It seems bipolar for a number of reasons: most people are fiercely protective of their privacy but don’t want to deal with security roadblocks; management wants and needs to protect customer privacy, but not at an exorbitant cost; and a line must be drawn between where security for company information ends and security for customer information begins. So this is one of those issues where there are no “right answers,” just practical choices based on organizational needs and management commitment. Many of the “people issues” are driven by policy and by the needs of management, and the results (good or bad) are blamed on them.
With that in mind, here is a policy presentation rather than a definitive security-privacy plan. We have found that, from an extensive review of the current writings on SOX, HIPAA and other regulatory/judicial findings as well as interviews with leading security experts, there should be four key players “holding the stool up,” in any good security arrangement: authors, actualizers, auditors, and analyzers.
The animated tutorial is available at: http://blog.tmcnet.com/cross-talk/
Before anyone does anything, the issues need to be laid out. In this animated tutorial, let’s start with the technical ingredients of any secure data repository. First, data needs to be captured or collected. Here are some basic sources of data: in person or via people; media types such as audio, paper and video; machines such as ATMs, POS (point of sale) and POP (point of purchase) terminals, game consoles, manufacturing equipment and remote diagnostics; outside sources such as databases, research and other studies; and online sources such as search engines, e-mail, IM and other retrieval or interactive services. Every one of these is an entry point where data first comes under your control, and therefore the first point at which privacy obligations attach to it.
Second, what type of container or storage medium will the data be placed in? Examples of storage are paper, online storage, SANs (storage area networks) and real-time archives. Each medium has its own access controls, or lack of them, so the protection you can promise for a record depends on where it ends up.
Third, how and by whom is the information going to be used? Examples are internal users, customers (including channel partners) and mashed-up applications. Mashed-up information is a new category not mentioned by most sources today, as it is a relatively new phenomenon. The concept of SaaS (software as a service), more commonly known as Web or hosted applications, is more than a single application used by itself. More and more applications offer the customer integration with other applications: CRM (customer relationship management) is merged with VoIP/SIP, video is merged with geographic mapping, and presence is included with meetings, to name a few simple ones. Mashed-up applications are more problematic in that every integration is a hand-off of your data to another provider, and that provider may well not agree to your security and privacy requirements, just as you may not accept their capabilities. Compliance and certification such as ISO and ITIL take on a whole new dimension, because the audit scope now extends across organizational boundaries you do not control.
Fourth, disposition has three major types: archived for compliance, uncertain, and pending destruction or destroyed. We have reviewed other approaches, and you should certainly have your own lifecycle specific to your enterprise, but this is included as a start. Next comes the people part of the equation. Concepts relating to the technology can be easily explained, but sometimes it is the human interface that is not so easily understood or resolved.
First, Authors are the senior and executive management leaders who provide strategic direction in the form of an all-encompassing ideology: the policy itself.
Second, Actualizers include everyone who touches data, applications or systems: operators, managers, archivists and anyone else who carries the policy out in practice.
Third, Auditors may have the simplest role, that of checking how well the actualizers follow the authors’ policies.
Fourth, the Analyzers review and check the auditors to determine whether the auditors are applying their processes and documentation uniformly and universally across the enterprise. In addition, given increasing levels of compliance and regulatory oversight, the Analyzers provide an additional independent layer of review and analysis. This additional layer of review is becoming more and more necessary because the process of balancing security and privacy is getting more, not less, complex.
As with any bipolar disorder, security experts and privacy advocates need to find a common ground for discussion, especially as voice (VoIP/SIP), video and presence (a/k/a telepresence) are becoming mainstream. However, as in the last scene of the great sci-fi movie “The Day the Earth Stood Still,” “the test of any such higher authority (security) is, of course, the police force that supports it.” It’s great to have policies, but if there is no police force to enforce them, and no one to evaluate that enforcement, there is no true security or privacy for anyone at all.
If you want to know more, this information is part of the OCS-101 and SIP Essentials 2.0c courses available onsite and online. The online version is $299 for SIP 2.0c and $499 for OCS-101 Office Communications Server per person (volume and site license discounts available). For more information go to http://www.techtionary.com or please call Tom Cross at 303-594-1694 or [email protected]. Discounts are also available to members of the SIP Forum and MS Partners for $99 per student during May.
Courses are free to channel partners – see terms and conditions at http://www.techtionary.com/techu/
Tom Cross is a technology columnist and a regular blogger for TMCnet. To read more of his articles, please visit his blog.