Skip Navigation LinksASIS International / Membership / Member Center / Security Spotlight / Information Security and Privacy

Information Security and Privacy

In a security context, information and privacy could be considered the opposite sides of the same coin. On the one hand, security professionals are tasked with protecting an organization’s information, including its technical, organizational, financial, proprietary, and planning documents. When the collection of an organization’s information includes personal data on employees and customers, on the other hand, the organization has an additional responsibility for the privacy of that information.

A range of resources available through ASIS International can help pinpoint the concerns inherent in a security department’s ability to maintain the integrity of an organization’s information while adhering to privacy laws.

» View Past Security Spotlight Topics

 Free Resources

      Content requires free account.

 Members-Only Resources

      Content requires ASIS Membership.

Free Resources

Social Media & Cloud Computing Threats to Privacy, Security, and Liberty

A 2013 Webinar lead by Raj Goel, chief technology officer, Brainlink International, Inc., sponsored by ASIS International.

In today’s interconnected world, everyone—including corporate CEOs, trusted managers, and new hires—engages in and consumes social media on a daily basis. Both active users and those tagged by someone else find their profiles in Facebook, LinkedIn, Google Docs, and the cloud. By examining case studies from around the world, a clear picture develops on how users, companies, and governments collect, use, and misuse personal information that affects personal privacy. The following points are among those emphasized:

  • Information posted on social media is archived forever, and erroneous information cannot be corrected.
  • Geotags imbedded in photos cannot be removed, meaning photos posted while on vacation alert thieves that a CEO’s house is empty and where the family is staying.
  • Companies have rarely completed a risk analysis from a social, legal, and financial perspective on how posted information might be used years from now.
  • Governments and banks, for example, urge people to share private information through social media in ways that can be detrimental to employment, financial stability, and personal interactions.
  • On social media sites, whether paid or free, users are not the customer, they are the product.

Safeguarding Intangible Assets

by Michael D. Moberly (Waltham, MA: Elsevier/Butterworth-Heinemann, 2014) Contents, plus Chapter 10: “Insider Risks and Threats to Intangible Assets.”

A review of this book’s Contents gives an overview of the depth of information presented by the author. His premise is that a company’s intangible assets—such as reputation, trade secrets, patents, business decisions, intellectual property, new product launches, and competitive advantage—are undervalued but require regular management and monitoring by risk and security specialists. He outlines a strategy for training management teams to recognize the importance of these hidden assets and accept the responsibility for overseeing and funding their protection. Chapter 10 looks into the risks to intangible assets from insiders. The following points are among the findings:

  • Situational factors, rather than psychological factors, influence a perpetrator’s decision to engage in espionage, spying, and information theft.
  • The Internet creates an efficient global marketplace for bringing together sellers and buyers of information assets in relative anonymity.
  • Employees engaged in multinational transactions can view the unauthorized transfer of technology as a business matter not an act of betrayal or treason.
  • Facts about incidents themselves are considered to be proprietary as well as embarrassing by the victim company.

Tackling the Insider Threat

by Nick Catrantzos, CPP, a Research Council CRISP Report (Alexandria, VA: ASIS Foundation, Inc., 2010)

This report combines a review of insider threat literature with the findings of a Delphi study. The resulting analysis leads to a new approach to defeating a trusted betrayer intent on carrying out an attack that is fatal to an organization. The research reveals that a reasonably prepared infiltrator poses a greater threat than a disgruntled career employee, at least if the intent is to bring an institution to its knees rather than exact revenge. A new approach suggested by the research focuses on engaging co-workers on the team level to take a hand in their own protection. The proposal brings these individuals off the sidelines and into the front lines, making them the first line of defense. Conclusions reached by the Delphi experts include the following:

  • Infiltrators are the better choice for a terrorist seeking an insider for a devastating attack.
  • Standard defenses in specialized environments (such as nuclear security) pose few insurmountable obstacles to an infiltrator.
  • In a relatively short period of time, an infiltrator can accumulate enough details to enable an attack without spending years posing as an innocuous employee.
  • U.S. laws limit a company’s ability to expand the scope of a background investigation in any way that is not related to a job vacancy.

Like What You See?​

Join ASIS International and gain access to members-only resources including timely, relevant information specific to your industry sector and free downloads of industry-leading standards and guidelines.

Members-Only Content

The Case for a Comprehensive Privacy Program

An (ISC)2 session featuring speaker Jeff Northorp, CISSP, IAPP Information Technology (Held in conjunction with the ASIS International 59th Annual Seminar and Exhibits, Chicago, 2013).

Organizations that handle personal data must design and implement a separate comprehensive privacy program, and this session offers insights on how such a program can be developed. Topics covered include the public’s perception and expectations of corporate privacy protections, the future of privacy regulations and legislation, and how forward-thinking businesses are responding. The number of regulations affecting how companies worldwide must deal with private information is exploding, with no evidence that that trend will slow down. At the same time, corporate compliance, privacy, and information security officers can be seen as road blocks to productivity. The following points are included in the presentation:

  • The general public fears a loss of control of their private information. Conversely, because the public over-shares their information intentionally and freely, they lose privacy.
  • Data is the new oil. It provides companies with predictive analytics that improve customer service, innovation, and quality of life.
  • The European Union privacy regulations include the “right to be forgotten,” meaning that if individuals no longer do business with a company, their data will go away.
  • An information security program needs a single point of accountability, a champion, and the C-suite needs to buy into the program.

POA: Information Security

Michael E. Knoke, Editor (ASIS International, 2011)

Long considered an essential component of any security professional’s library, the POA provides the strategic solutions needed to meet the security demands of the 21st century. The Contents to the Information Security volume show the range of subjects in its first chapter, including definitions of asset protection, risk mitigation approaches, legal protections, and response and recovery after an information loss. Subsequent chapters focus on the importance of information systems security, a review of the information systems security body of knowledge, and the security challenges posed by risks to the convergence of physical and IT security. An overview of the following three Appendices adds substantive guidance on implementing an effective information security program.

Appendix A: Sample Policy on Information Asset Protection (IAP)

  • Protecting information assets consists of identifying, valuing, classifying, and labeling them in an effort to guard against unauthorized access, use, disclosure, modification, destruction, or denial.
  • Controls should represent cost effective, risk-based measures consistent with other policies and the strategic goals of the organization.
  • IAP integrates traditional security, information technology security, and legal and administrative functions.
  • Travel security training should focus on the vulnerability of information assets while away on business, to include materials packaging or forwarding and the preparation of storage media.
  • The privacy of personnel records must be assured, and employees have the right to know what information is being collected and how it may be used.

Appendix B: Quick Reference Guide for Information Asset Protection

  • Information assets should be classified into four categories: highly restricted, restricted, internal use, and unrestricted.
  • Five charts define the four classifications, explain how they should be used to classify whether a competitor could have access to specific information and what would happen if the information is compromised, show types of information assets that fall under each category, and give guidance on the sharing of paper and electronic documents.

Appendix C: Sample Nondisclosure Agreements

  • Sample 1 is a Nondisclosure Agreement Governing One Party’s Information. Its four points include obligations of the recipient to keep confidential all proprietary information that is shared in any manner for five years from the date of the agreement.
  • Sample 2 is a Nondisclosure Agreement Governing Both Parties’ Information. Its eleven points include the provision that the confidential information will be used only to evaluate potential business, employment, or investment relationships.
  • Online links to both forms are included in the Appendix.

Sources of Information on Information Security and Privacy

ASIS IRC Reference Guide

A comprehensive review of the many resources, research findings, council papers and presentations, seminar session recordings, and books available through ASIS International—as well as in Security Management—that touch on information security and privacy.