
Juggling privacy and security

By Kirsten Doyle, ITWeb contributor.
Johannesburg, 23 Mar 2015
SITA's Mai Moodley will unpack the privacy paradox at ITWeb Security Summit 2015.

For security practitioners tasked with protecting corporate resources from occupational abuse and misuse, challenges arise as to how much monitoring is justifiable.

This is according to Mai Moodley, divisional head for financial systems and processes at the State Information Technology Agency (SITA). Moodley will speak at ITWeb Security Summit 2015, which takes place from 26 to 28 May at Vodacom World, in Midrand. His topic is: "The privacy paradox: implications for security practitioners."

Moodley says privacy relates to the individual and involves protecting the individual from any unwarranted intrusion, whereas confidentiality is an extension of privacy, and relates to the safeguarding of information relating to the individual.

"At what point does monitoring become intrusive and violate the individual's expectations of privacy? While it may be useful to submit that monitoring corporate resources for preventing abuse is easily understood, how does this work in practice, when an individual receives his work e-mail on his private mobile device? Does the corporate organisation have the right to monitor the individual's private mobile device?"

In Moodley's opinion, the challenge which security practitioners have to deal with is the blurring of the boundary that separates people's corporate and personal lives. "With this blurring, security practitioners have to identify what is the accepted practice, which varies across organisations and jurisdictions."

He says, as a starting point, companies should undertake a risk assessment, which qualifies their specific privacy exposure. "Based on understanding what the level of exposure is, a suitable blend of processes and technology, combined with training, can be implemented."

Where this relates to legal obligations, the requisite legal agreements can then be reviewed with a view to limiting exposure, he adds. "Ultimately, the most effective way to deal with privacy and security is to clarify expectations with both internal and external stakeholders. From employees to suppliers, communicating clearly what information will be kept confidential and the privacy expectations the various parties have, will ensure a transparent dialogue.

"The danger arises when there is the assumption that the recipient of any communication or engagement shares the same view of privacy/confidentiality that the sending/initiating party has," he explains.

ITWeb Security Summit 2015

The 10th annual infosec event from ITWeb is a 'must-attend' for every IT and security professional and senior manager with business and information management responsibilities.

As to whether companies should build in privacy and security at the foundational level, Moodley says the challenge may lie with how to integrate these responsibilities, as opposed to creating separate functions.

"This can best be illustrated by considering quality. If quality was perceived as being the sole ambit of a particular function, how would the organisation ensure that quality underpinned all of its deliverables? There is often a knee-jerk response to create a capacity or function for each new dimension of security, as opposed to looking at how to implement an integrated response."

To gain access to Moodley's presentation, along with over 30 other talks from subject matter experts at ITWeb Security Summit 2015, click here to find out more and to register.
