Tuesday, July 24, 2007

Information Security Policy 101 – Privacy Policy

Part 14 in the Information Security Policy 101 Series

Writing an organization's privacy policy is not as clear-cut as it may seem. An entire book could easily be written around privacy in the workplace. What an organization states, what it actually does, and what an employee reasonably expects are all critical to privacy/employment matters. To make things worse, privacy rights are not entirely clear under the law.

Two rules of privacy rights (although you could probably come up with more):

One, Write a policy that is focused. Do NOT write “you have no expectation of privacy” as a blanket statement. Privacy is not “all or nothing”.

Two, Do what you say you are going to do consistently. Do NOT follow your policy only when there is an enforcement action. As the US Supreme Court has noted, "[W]hile police, and even administrative enforcement personnel, conduct searches for the primary purpose of obtaining evidence for use in criminal or other enforcement proceedings, employers most frequently need to enter the offices and desks of their employees for legitimate work-related reasons wholly unrelated to illegal conduct."

TIP: Privacy policy should be reviewed by a legal counselor that is familiar with privacy rights and law. Many corporate counselors are not experts in this area.

General Policy Format
All information security policies should have the following sections at a minimum:

Purpose – This is the stated purpose of the policy and clearly communicates why it was written.

The purpose of the %ORGANIZATION% Privacy Policy is to clearly communicate
the %ORGANIZATION% privacy expectations to Information Resource users.

Audience – This section of the policy states who the policy statements apply to, or who is governed by them. A Privacy Policy should apply to all personnel, and in some cases (depending on your organization) contractors, vendors, and other third-parties.

The %ORGANIZATION% Privacy Policy applies equally to all individuals who use
any %ORGANIZATION% Information Resource.

Policy – The section that contains the actual policy statements.

Other sections that may be added to security policies could be definitions, scope, responsibilities, etc.

Privacy Policy
Privacy policy is a critical policy in most organizations and needs to clearly communicate what amount of privacy a user should expect when using the organization information assets.

NOTE: A very good article written by Mark Rasch; Employee Privacy, Employer Policy.


- Electronic files created, sent, received, or stored on Information Resources owned, leased, administered, or otherwise under the custody and control of %ORGANIZATION% are not private and may be accessed by %ORGANIZATION% Information Security employees at any time, under the direction of %ORGANIZATION% executive management and/or Human Resources, without knowledge of the Information Resource user or owner.
- To manage systems and enforce security, %ORGANIZATION% may log, review, and otherwise utilize any information stored on or passing through its Information Resource systems in accordance with the provisions and safeguards provided in %ORGANIZATION% Information Resource standards. For these same purposes, %ORGANIZATION% may also capture user activity such as telephone numbers dialed and web sites visited.

Be careful in using a sample Privacy Policy. Be sure that it fits your organization and internal processes. A poorly written or implemented Privacy Policy can leave your organization open to a legal quagmire. Most of the investigation and forensic work I have done in the past has been governed by what the organization’s Privacy Policy stated.


Next in the series: “Information Security Policy 101 – Security Training and Awareness Policy”

Previous: “Information Security Policy 101 – “Mobile Computing Policy”

No comments: