MANAGEMENT OF INFORMATION SECURITY
Abstract
All organizations need security policies because they must protect both tangible and intangible assets. The types of security policies an organization should develop include acceptable use, clean desk and internet usage policies. The privacy policy, however, ranks among the most important security policies an organization can have. Privacy policies matter because they govern customers’ private information, which an organization must protect from unauthorized use. The growing use of the internet has increased the risk of unwanted access to private information. Many organizations have therefore developed privacy policies that describe what information a user should provide and how the organization will use it. Privacy is a constitutional right, and organizations should institute privacy policies to protect users’ rights. It is also important that organizations develop privacy policies in accordance with the law and with the needs of users. The presence of a privacy policy builds trust between an organization and its users.
Introduction
All organizations need a set of security policies because they are integral to the protection of the organization’s tangible and intangible assets (Dhillon 2002). Without strong security policies, an organization risks financial losses through the loss of physical and intangible assets. A security policy is primarily a written document that stipulates the direction an organization takes to protect its assets. A security policy document is never final; it changes continuously with the organization’s business circumstances. A security policy describes, for example, how employees and other officials will oversee the implementation of security measures. It also outlines the steps the organization will take when the policy is breached (Dhillon 2002). The main purpose of a security policy is therefore to protect an organization from the loss of assets. There are different types of security policies, for example privacy, acceptable use, clean desk, internet usage, and bring your own device policies. This paper discusses the privacy policy, its importance within an organization, and how organizations can implement it. According to Dhillon (2002), a privacy policy is a declaratory statement that describes how an organization collects private information from customers. The policy defines the type of information the organization may collect. It also describes the steps the company will take to prevent third parties and malicious hackers from accessing private information (Dhillon 2002).
Literature review
According to Holt and Malcic (2015), the use of remote data storage has increased exponentially, heightening citizen and consumer awareness. The industrial, educational, cultural and government sectors continuously store data from citizens and consumers remotely through the internet. Digital content distribution relies on cloud storage infrastructure, access to big data and streaming platforms. Many of these sites store personal information, which raises privacy concerns among citizens and customers. Furthermore, access to digital data by government and private companies has increased, raising concern and anxiety among unsuspecting people (Cranor 2003). Protectionist movements have therefore grown to shield citizens and consumers from unwanted privacy intrusions by large companies and government organizations through their websites. Many citizens are also raising concerns about government intrusion into, and monitoring of, internet communications and phone calls. Holt and Malcic (2015) argue that managing and securing privacy protection rights is a complex process that is shaped by clear laws in global trade, health care, and intellectual property. They further argue that it is the responsibility of government organizations and companies to develop privacy policies that let users know what type of information the websites collect and how they will use it.
According to Paterson (2014), when an individual uses a smartphone or tablet, the main purpose is to look for information. Content companies and networks deliver the selected information to users by tracking their activities. Although Edward Snowden revealed how governments and companies obtain information from users when they access the internet, people still know little about how websites track individuals. Companies and governments do not inform users about the information they store, so privacy concerns arise because users are misinformed about what data is collected. Privacy and public interest groups likewise do not understand how network operators collect information and how they use it. Paterson (2014) confirms, however, that network operators have very detailed privacy policies. Most users fail to read the privacy policy during the initial stages of using an application. Paterson (2014) encourages end users to read the privacy policies of the websites they visit, since these policies stipulate what information the websites will take and how they will use it. Paterson (2014) maintains that end-user awareness is important because it enables the public to understand how their private information will be used.
When people use the internet, they entrust a great deal of sensitive information about their daily activities to internet carriers (Clement and Obar 2017). Internet service providers transmit a large amount of private information about people as they visit popular sites. For example, people spend a lot of time on social media sites, websites and email. The personal information that internet service providers carry is sensitive and can reveal a person’s nature and habits. A person’s privacy is therefore clearly affected by the personal information stored on websites. As the use of the internet to communicate and do business has grown over the last decade, privacy concerns have grown with it. Major companies that run private websites, social media sites and government sites have developed privacy policies that stipulate how they collect, use and disseminate the information gathered from users. According to Clement and Obar (2017), data privacy transparency is the practice of being open about data privacy protection. The privacy policies developed by companies and governments also indicate how they manage, store, retain, disclose and distribute sensitive information about users. Clement and Obar (2017) argue that it is important for people to choose reliable internet service providers on the basis of privacy, because they can then hold the providers responsible when third parties access users’ private information. Transparency is important; company, organization and government sites that do not safeguard transparency should re-evaluate their privacy policies to protect users’ right to privacy.
According to Han (2017), information technology has helped shape means of communication around the world. However, information technology has also raised growing concern over privacy because it threatens the social and political lives of individuals. Cranor (2003) argues that the growing privacy concern stems from the ability of technology-based systems to track people and analyze their information. Furthermore, technology-based systems can disseminate that information, thereby inhibiting people’s right to privacy. People should have a right to privacy, which should not be equated with a right to secrecy or control, but understood as a right to determine the flow of information about oneself. Privacy policies are therefore important because they protect an individual’s right to privacy (Cranor 2003). Through privacy policies, an individual is assured that a particular website will not transmit sensitive information to third parties.
Methodology
A privacy policy should provide a detailed overview of how private information is collected, used, shared, and protected. The privacy policy must follow the law to be deemed valid and ready for use by a company or organization. First, Barth (2008) recommends that the privacy policy indicate the scope of its use: whether it applies to online collection of data or offline collection. Secondly, the privacy policy should be available for users to read. For example, a website should contain a section on its homepage detailing the company’s privacy policy. Thirdly, it is important for the text to be readable. Companies should use plain English, short sentences, clear headings and a good format. A website can also offer readers language options (Barth 2008). The policy should indicate how the company will collect personally identifiable information, for example whether it collects the information directly from users or through the use of cookies and beacons. Furthermore, before collecting data, the company should state what types of data it will collect from the public. For example, the website should list the personal information it will collect, such as name, address, credit card number, email address, and telephone number.
Key Recommendations
Dreyer and Ziebarth (2017) assert that consumer and privacy laws contain guidelines on how social media providers can develop privacy policies and terms of service. The company should therefore assess consumer and privacy laws in order to develop a sound privacy policy. The purpose of a privacy policy is to inform the public about what information a company will collect from users. The privacy policy also indicates how the company will use the information collected and what safety measures it will apply to protect users’ private information. As a key recommendation, the policy should consider the legal implications of the collection and storage of personally identifiable information (Barth 2008). Many different laws regulate the privacy of data depending on the industry in question. For example, different laws safeguard the right to privacy in the health, financial, telecommunications and educational sectors. Furthermore, the policy should be easy for users to understand.
With regard to privacy policy comprehension, Sumeeth, Singh and Miller (2010) argue that many social media sites and popular websites draft the information contained in privacy policies and terms of service in legal terms that users cannot comprehend. It is therefore a key recommendation that the company draft the privacy policy text in simple words rather than complex legal jargon that customers cannot understand. Furthermore, an organization should use participatory transparency to improve transparency between itself and its customers. It is important for an organization to discuss its terms and policies with users; it should explain the meaning of the legal jargon found in the privacy policy so that customers can understand it. Sumeeth, Singh, and Miller (2010) assert that participatory transparency can increase users’ interest in reading the terms of service stipulated in privacy policies.
Users should know what information the website will collect and how it will be used. Different laws also specify how companies should collect data from users who are below 13 years of age. When developing the policy, key stakeholders should therefore take the legal implications of a privacy breach into consideration. It is ethical for a company to ensure that it meets the stipulated legal requirements when developing privacy policies. Companies and organizations should also refrain from using a lot of legal jargon when developing the policies, because it reduces users’ interest in reading the policy. Furthermore, it puts users at risk because they will not understand how the company or organization will use their data (Barth 2008).
Privacy policies stipulate the actions that the law will take against companies that disseminate private information to third parties. Websites hold a lot of personal information, such as full names, places of residence, credit card and social security numbers. If third parties can access such information, an individual is exposed to fraud by malicious hackers and criminals. An organization wishing to develop a privacy policy should therefore stipulate the type of information it will take. This guideline enables a user to refrain from submitting information that is not covered by the privacy policy. Furthermore, it is a key recommendation that organizations share information about the level of security of their websites, since this strengthens the trust between the organization and its users. In the event that the organization suffers a security breach, the privacy policy should indicate the steps it will take to mitigate the risks.
Conclusion
Technological advancements have changed how people communicate and do business. The use of the internet has become widespread in both developed and developing countries. As a result, many companies and organizations that run public websites hold a lot of sensitive information about their users. Furthermore, many citizens have accused the government of monitoring their calls and internet activity. The Constitution protects the right to privacy; therefore, many companies have developed privacy policies that indicate the type of information collected and how it will be used. Privacy policies are a necessity because they assure the public that third parties will not access their personally identifiable information.
References
Barth, A 2008, Design and analysis of privacy policies, Stanford University.
Clement, A and Obar, J 2016, ‘Keeping Internet Users in the Know or in the Dark’, Journal of Information Policy, vol. 6, p. 294.
Cranor, L 2003, ‘P3P: making privacy policies more useful’, IEEE Security & Privacy Magazine, vol. 1, no. 6, pp. 50-55.
Dhillon, G 2002, Social responsibility in the information age: issues and controversies, IRM Press, Hershey, PA.
Dreyer, S and Ziebarth, L 2014, ‘Participatory Transparency in Social Media Governance: Combining Two Good Practices’, Journal of Information Policy, vol. 4, pp. 529-546.
Goldberg, I and Atallah, MJ 2009, Privacy enhancing technologies: 9th international symposium, PETS 2009, Seattle, WA, USA, August 5-7, 2009: proceedings, Springer, Berlin.
Holt, J and Malcic, S 2015, ‘The Privacy Ecosystem: Regulating Digital Identity in the United States and European Union’, Journal of Information Policy, vol. 5, p. 155.
Paterson, N 2014, ‘End User Privacy and Policy-Based Networking’, Journal of Information Policy, vol. 4, pp. 28-43.
Sumeeth, M, Singh, R and Miller, J 2010, ‘Are Online Privacy Policies Readable?’, International Journal of Information Security and Privacy, vol. 4, no. 1, pp. 93-116.
Zhu, L 2011, ‘Privacy in Context: Technology, Policy, and the Integrity of Social Life’, Journal of Information Privacy and Security, vol. 7, no. 3, pp. 67-71.