The privacy debate: The darker side of customer intimacy

Under lock and key


Rather than undertaking major infrastructure projects so late in the game, it may be better for technical staff to spend their efforts ensuring that customer data is properly secured; and that doesn't just mean using a firewall to restrict access from the Web.

"Amongst other things, the Act is requiring people to ensure that any customer data they store is stored in an encrypted and secure fashion," says Florian. "That's difficult to achieve if the environment the data sits in is not secure yet. Our surveys of customers show that a lot of effort and money has been spent on [security] equipment, but perhaps the degree of comfort people are taking is not justified. The whole discussion is a lot more complex than simply throwing in a firewall and saying 'we're done'."

Although it grants wide latitude regarding just how data is secured, National Privacy Principle 4 requires you to protect data against "misuse and loss from unauthorised access, modification or disclosure."

That's a tall order given that few companies have yet bothered to address ways to monitor how employees use information. Given that your company could potentially be held liable for the compromising of customer data stored on a network, you'll want to establish a way to ensure that all access to that data is logged. Paired with this is the need to effectively authorise employee access so you know who's doing what at any given time.

Given its susceptibility to compromise, a simple user ID and password system may be inadequate for providing this kind of access.

Consider installing a token-based authentication system that requires both a password and a physical device issued to every employee. This allows for much stronger authentication, which can then be used to track employees' access to customer information.

The issue of secure data access becomes somewhat more complex when you're considering how to provide customers with access to their own information, something that's also mandated by the new legislation.

You'll need an authentication system linked to a self-service interface, either via encrypted virtual private networks or more conventional means like SSL (secure sockets layer).

Such an approach might help ensure outsiders don't access customer information, but your responsibility extends inside your company as well. So how can you make sure data integrity hasn't been compromised?

"If you've got information sitting on a server inside your organisation, not only do you need to control access to that, but you probably need to be able to show who did access it and what did they do," says Pete Sandilands, regional director of security vendor Check Point Software Technologies.

"User names and passwords won't be enough unless you can say for certain who's sitting at the keyboard. This is really going to highlight the need for strong encryption: all staff will have to be properly identified, and access control will need to come down to a very fine level of control. Security technology is one of the few things that's going to help companies do this."

This may mean it's time to consider an outsourced digital certificate service from the likes of KeyTrust or beTRUSTed, which offer digital certificate-based remote authentication services. You'll probably want to combine these with a strong directory service such as Novell eDirectory or Microsoft Active Directory, which may already be built into your environment depending on the servers you're using.

Of course, there's a cost for all this technology; ultimately you'll have to weigh up the cost effectiveness of using digital certificates compared with keeping customer access to their information offline and delivering it over more conventional means like phone or fax.

The law doesn't mandate how customers can access their information, so it's up to you to identify the most cost-effective strategy. Time and experience will ultimately provide the best indication as to just how much of an investment is necessary, says RSA Security regional manager Scott McKinnel.

"We've got the legislation, and now we need the education before we can do the implementation," he explains. "[Authorities] will have to be reasonable before they can expect people to make a full 180-degree turn in the way they do their information systems. The order of magnitude for the resources to make them 100 percent compliant could be astronomical, but the risk might not warrant the reward. Until a few legal test cases get sorted out, we won't know the magnitude. You want to find what's pragmatic and sensible and in line with the intention of the legislation."

When thinking technology, don't forget to address the many complexities that so often trip up otherwise well-intentioned companies. For example, make sure you've got policies about the removal of employees from all systems when they leave the company. Such ancillary policies aren't directly mandated by the new privacy legislation, but they're critical to making sure your business processes address its other requirements.

"A lot of effort can be spent focusing on a piece of data while still leaving open a number of potential areas of breach because of the way the network is designed," says Dimension Data's Florian. "At the end of the day, we're trying to provide network and data and security, and the Privacy Act is helping raise awareness of that need."
