If you don’t live in the world of security and privacy all the time, and most people don’t, then it is natural not to have a good understanding of the difference between security and privacy. There are some clear differences and there is a little bit of overlap between the two.
What is Security?
In the NIST framework, information security is about:
- Identifying – What assets you are trying to protect, what threatens those assets, what vulnerabilities exist, what safeguards help to protect the assets.
- Protecting – What policies, standards and procedures have been put in place to ensure that bad things don’t happen to the assets you are trying to protect. Protections are often technical solutions like anti-malware, anti-phishing, firewalls, and network or micro-segmentation solutions. But policies like prohibiting the connection of unmanaged smartphones or laptops to a network are also about protecting. Doing regular backups to storage that is not directly connected to the information you are trying to protect is also included in this category. Employee training also fits into the category of protecting.
- Detecting – Technology and procedures that alert you or help you know that something bad has happened fall into the detection phase of security. Endpoint Detection and Response (EDR) and Data Loss Prevention tools in conjunction with a Security Information and Event Management (SIEM) solution monitored by a security operations center are common approaches to detection.
- Responding – People taking action and following an Incident Response Plan, and sometimes automated responses using technology like a Security Orchestration, Automation and Response (SOAR) solution, are standard approaches to responding.
- Recovering – Restoring data from backup and communicating internally and externally fall into the category of recovering.
What is Privacy?
Privacy is a statutory (legal) requirement to implement security practices and procedures in a “reasonable” way to protect personal information. Personal information is becoming more broadly defined over time. It includes data like social security numbers, driver’s license numbers, telephone numbers, and credit card numbers that can be used to identify an individual. It is now more broadly defined to include groups of information that by themselves couldn’t identify an individual but together do. And more recently, biometric data like pictures, iris scans and fingerprints are being defined as personal information. Privacy laws are giving individuals rights to their own personal information. These rights often include:
- The right to know what personal information businesses have collected about an individual
- The right to tell a business not to sell that personal information
- The right to tell a business to correct personal information
- The right to tell a business to delete an individual’s personal information
In summary, privacy always depends on security, but it is defined by law and gives rights to individuals and, by doing so, requires businesses to implement some specific procedures and notices. In a separate document, I will talk about the 10 actions that businesses need to take. But some of the most obvious include:
- Identifying what personal information has been collected and where it is stored
- Creating a process, sometimes called a Data Subject Request or DSR process, to accept, manage and respond to people who exercise their legal rights.