Posts Tagged ‘information security’

ISO 17799: Infosec Risk Assessment Standard

Saturday, November 29th, 2008

ISO, the International Organization for Standardization, is the world’s leading developer of International Standards, ensuring product and information interoperability. One of their most widely adopted standards is ISO/IEC 17799:2005, which establishes guidelines and general principles for initiating, implementing, maintaining, and improving information security management in an organization. This is especially important in the increasingly interconnected business environment, where information is now exposed to a growing number and a wider variety of threats and vulnerabilities.

Information security is the protection of information from a wide range of threats in order to ensure business continuity, minimize business risk, and maximize return on investments and business opportunities. It is achieved by implementing a suitable set of controls, including policies, processes, procedures, organizational structures and software and hardware functions. These controls need to be established, implemented, monitored, reviewed and improved, where necessary, to ensure that the specific security and business objectives of the organization are met. This should be done in conjunction with other business management processes.

The objectives outlined in ISO/IEC 17799:2005 provide general guidance on the commonly accepted goals of information security management and contain best-practice controls in the following areas of information security management:

  • information security policy
  • asset management
  • human resources security
  • physical and environmental security
  • communications and operations management
  • access control
  • information systems acquisition, development and maintenance
  • information security incident management
  • business continuity management
  • compliance

The control objectives and controls in ISO/IEC 17799:2005 can be used by an organization to assess the risk of doing business with partners, customers and suppliers, and are a good indicator of another organization’s IT and business process maturity.


Privacy Policies: Actions Speak Louder than Words

Thursday, November 20th, 2008

A 1998 study by the Federal Trade Commission (FTC) showed that 85 percent of online retailers collected personal information from consumers, but fewer than 15 percent posted a privacy policy explaining their information practices. What a difference a decade makes. These days privacy policies are standard for any Internet marketer. But as recent FTC law enforcement actions make clear, having a privacy policy is just the first step. It’s critical that companies live up to the promises they make about how they use and secure the information they collect.

So what does this mean for savvy marketers? Here are some tips on making your privacy policy have some teeth.

  • Design your privacy policy with your customers in mind. Just like the rest of your website, your privacy policy should be clear, direct, and easy to understand. Keep technical jargon and legal terminology to a minimum.
  • Some online retailers lace their privacy policies with lofty language about how careful they are with customers’ personal information, but don’t back their words up with tough security measures. Statements in your privacy policy are no different from any other advertising claim you make. You’ve got to back them up with solid proof.
  • For security-minded consumers, your company’s information security practices are a key factor in their decision to do business with you. So if you decide to modify how you use personal information, it’s important to call customers’ attention to that change in policy. Just editing what you say on your website won’t alert them to your new procedures.
  • A company’s privacy policy is only as strong as the staff that implements it. That’s why it’s important to train all employees — including your IT professionals, sales representatives, human resources specialists, and support staff — on how to protect sensitive data.