Electronic privacy integral to identity management standards, says DHS

By Alexander B. Howard, Associate Editor
08 Oct 2009 | SearchCompliance.com

For those entrusted with setting standards for identity management, look to privacy first in architecting secure, scalable systems for authentication.

Electronic privacy was an overarching theme of the OASIS Identity Management 2009 conference, held at the National Institute of Standards and Technology (NIST) in Gaithersburg, Md.

Rapid growth in technologies deeply entwined with identity is driving this focus on privacy: social networking, handheld devices, health care IT, the smart grid, homeland security and cloud computing.

As federal regulatory guidance is updated to address security and privacy in this changed digital landscape, effective management of customer, user and citizen identity is critical to consumer privacy, business success and civic engagement.

"The important thing about identity management is that it can create more trust," said Mary Ellen Callahan, chief privacy officer of the Department of Homeland Security, during the conference keynote. "It can also create more accountability."

Also speaking was Ari Schwartz, vice president and chief operating officer for the Center for Democracy and Technology, who pointed out the continued importance of the Privacy Act of 1974 to government identity management systems and electronic privacy. The Privacy Act governs federal use of personally identifiable information (PII) maintained by agencies under a code of fair information practices.

Callahan said she's concerned about more than making government identity management systems understandable: she's also focused on the consequences of errors. "What happens if something goes wrong?" she asked. "We all know about data breaches. But that's state law, a compliance element. Privacy as a procedural element is given short shrift."

The need for care with agency data was made clear by a recent Wired story on the potential data breach of more than 70 million veterans' records. That's in addition to the breach that put the PII of 26.5 million veterans at risk in 2006 after the theft of a laptop from the U.S. Department of Veterans Affairs.

"Harm-based analysis is a way privacy professionals talk about redress," Callahan said. "Even without the harm, you should think about redress from a policy perspective. There's obviously reputational harm; there could be financial harm. There's still the additional way you can be exposed because the [identity thieves] have information on you." Callahan said she sees the issue as composed of both "public safety and public interest elements."

Schwartz outlined the importance of the Identity, Credential and Access Management Subcommittee (ICAM) to identity management in government. ICAM is a subcommittee of the Information Security & Identity Management Committee and is co-chaired by the General Services Administration and the Department of Defense. Six working groups are associated with ICAM, including the Federal Public Key Infrastructure Policy Authority.

Principles of privacy, opt-in and choice make sense from an identity management and technical perspective, Callahan said, but they're "really important for [the] relationship of the individual to government."

"Baking privacy protections into a government identity management system benefits the identity management providers and private-sector providers using that information," said Callahan.

Some security professionals are concerned about electronic privacy in this context. "As a CISSP who is concerned about the civil liberties that are being violated in lawful access legislation around the world, all we end up doing by implementing state-run IDM [identity management] infrastructure is providing an easier and unethical mechanism for tracking everyone," said Peter Hillier, an Ottawa-based information security practitioner. "It used to be the case that spying on your own was against the law, and we didn't do it."

Don Schmidt, principal program manager for the federated identity team at Microsoft, posed Schwartz and Callahan a tough question: "We see attributes falling into two buckets: information about a user, and data about access control, used for authentication. As a layman, I think of the term 'collection' as referring to the first function. Does the term apply to the latter?"

Schwartz said that whether attributes presented during authentication count as "collected," and thus trigger federal information-handling requirements, depends on whether they are retained. "If it's an attribute authentication, they can toss it," said Schwartz. "If it's Mary Ellen, that's different. If you're not storing it, it's not a collection."

Callahan added, "DHS was created post-9/11. There was an inability to connect the dots. There is now a statutory mandate on the information-sharing environment. Threat-related information must be shared. That said, data minimalization must be part of the dialogue." Ensuring data flows in compliance with the Fair Information Practice Principles is "one of [the] biggest challenges of my job," said Callahan.

Let us know what you think about the story; email: ahoward@techtarget.com or @reply to @digiphile on Twitter. Follow @ITCompliance for compliance news throughout the week.
