Privacy Council outlines ten guidelines for managing cyber risk

May 27, 2002—At a recent Federal Trade Commission workshop on consumer information security, Dr. Larry Ponemon, CEO of Privacy Council, outlined a series of cyber security challenges facing corporate America.

“Managers are finding that weaknesses in information security can threaten an organization’s very existence,” said Dr. Ponemon. “Hackers, software viruses and lawsuits from privacy lapses can as easily disrupt an organization as a fire or a burglary. Privacy and Security management have become the pillars of core business and consumer protection practices with sound privacy principles being the lynchpin to an airtight security plan.”

The guidelines, said Ponemon, are a ten-point action plan for information officers and security managers trying to understand and manage these complex and evolving issues.

The guidelines for managing cyber risk are:

  1. Recognize that security vigilance is the first step to managing cyber risk.
  2. Regularly review and manage your organization’s network security policies, Web site privacy policies, and internal data policies.
  3. Conduct regular e-risk assessments on computer security vulnerabilities, potential privacy exposures and Internet liability exposures.
  4. Deploy commercially reasonable safeguard standards to protect the confidentiality, integrity and availability of your network-based assets.
  5. Conduct employee background checks and change management processes when employees are terminated.
  6. Review or filter Web site content through your internal legal department to screen for copyright and trademark infringements.
  7. Have a plan in place to address the inevitable ‘bad’ event, such as a hacking event, network outage, etc.
  8. Have a secondary ‘hot site’ available to back up your primary site in case it is hacked or brought down.
  9. Recognize the fact that security and planning can never provide 100% protection.
  10. Investigate specialty ‘hacker policies’ or Internet liability insurance coverage to address any potential ‘gaps’ in your insurance portfolio.

For more information, contact the Privacy Council.
