Microsoft Making Their Internal Privacy Standards Public in August

Yesterday ZDNet published a story, "Microsoft to publish its privacy rules."

"Microsoft plans in August to publicly release the privacy rules its employees have to follow when developing products.  The move, which offers a look behind the scenes at Microsoft, is meant to give the industry an example of what the software giant sees as best practices in customer privacy, said Peter Cullen, the chief privacy strategist at Microsoft."

Indeed, most organizations need help creating privacy standards.  Privacy is a relatively new concept within organizations, and most still view it solely as a legal issue.  It is so much more.

Privacy, in addition to information security, must be built into all business processes, from the beginning of the planning stage all the way through to the retirement of a process.  Privacy policies, procedures and standards must be created to ensure consistent privacy implementation throughout all levels and areas of the enterprise.  Most organizations do not have privacy policies (beyond just their posted website privacy statement), let alone privacy procedures and standards.  If Microsoft has good standards to use as a model, then I applaud their efforts.

"This is designed for an IT pro or a developer, in terms of: 'If you're building an application that does X, this is what we think should be built,'" he said. "The public document will use a lot of 'shoulds.' Inside Microsoft, those are 'musts.'"

This could be a fantastic document to help CISOs and CPOs partner to provide guidance to IT areas in creating standards for programmers and developers.  It would also be a good start in leading the privacy standards development efforts for the rest of any enterprise.  So many areas have access to personally identifiable information (PII) and communicate directly with customers, consumers and employees that it is critical they know how the PII must be protected and how communications must occur, so that PII is released consistently and staff are not socially engineered into revealing it.  This requires more than high-level policy statements (which are certainly necessary): it also requires detailed procedures specific to business services and products, and standards to ensure consistent application across the enterprise.

This is also a good example to set for other vendors who need to be addressing privacy within their own products.  Perhaps Microsoft should challenge the other technology giants to also make their privacy standards public...I wonder how many of them actually even have such documents?

I'm not saying that Microsoft is perfect in their information security and privacy practices...no company is...they can definitely improve in places.  However, it is admirable that they are willing to open themselves up to such scrutiny; will others follow suit?

Rebecca Herold's Bio:

Rebecca Herold, CISSP, CIPP, CISM, CISA, FLMI, has been providing information security, privacy and regulatory assistance and services to organizations from a wide range of industries for over 18 years. Rebecca was instrumental in building the information security and privacy program while at Principal Financial Group, which was awarded the CSI Information Security Program of the Year Award in 1998. IT Security ranked Rebecca as one of the top 59 IT security influencers, and Computerworld put Rebecca on their list of the 25 top privacy experts and on their list of the 9 best privacy consulting firms. Rebecca has been CPO for two consulting organizations, and has had her own information privacy, security and compliance business since 2004. Rebecca has written chapters for several books and dozens of articles, has been writing a monthly privacy column for the CSI Alert newsletter since the beginning of 2001, and is working on her 11th book. Some of her other books include The Privacy Papers, Managing an Information Security and Privacy Awareness and Training Program, The Definitive Guide to Security Inside the Perimeter (Realtime Publishers), The Shortcut Guide to Improving IT Service Support through ITIL (Realtime Publishers), and The Practical Guide to HIPAA Privacy and Security Compliance. In addition, Rebecca is the leader of The Realtime IT Compliance Community, where she posts to her IT Compliance weblog. You can contact Rebecca at: rebecca_herold@realtimepublishers.net.