31 August 2014

HSI Governance: Equilibrium of Privacy and Security...

When people are faced with increasing Operational Risk Management (ORM) uncertainty in their organization, our inherent DNA makes us gravitate towards avoiding new risk at all costs. What any new bold policy shift requires to succeed for the masses is to face risk squarely in the eye and to manage it effectively. This is exactly how many private sector intelligence organizations have evolved and continue to thrive in a vast universe of "Open Source" and Electronically Stored Information (ESI).

The U.S. government "Homeland Security Intelligence" (HSI) enterprise has the same opportunity to embrace risk and simultaneously manage it more efficiently and effectively. Over the course of the past decade the U.S. Patriot Act has several controversial provisions that have been implemented, tested and refined. Several of these include Sec. 203(b) and (d) that allow information from criminal probes to be shared with intelligence agencies and other parts of the U.S. government. Another is Sec. 206 that allows one wiretap authorization to cover multiple devices, eliminating the need for separate court authorizations for a suspect's cell phone, PC and Blackberry, for example. The civil liberties debate on Sec. 215 known as the "libraries provision" allows access to records such as what books were checked out at the library or purchased from a bookstore, as long as the records are sought "in connection with" a terror investigation.

The governance of information by the private sector may have either accelerated or detained HSI enterprises in terrorism investigations. One example are the policies private sector Internet Service Providers utilize for records management and "Electronically Stored Information" (ESI) readiness. Electronic discovery amendments to the Federal Rules of Civil Procedure (FRCP) have created the requirement for private sector companies to be more prudent in "Achieving a Defensible Standard of Care."

The risk associated with non-compliance of the Federal Rules of Civil Procedure (FRCP) is a major facet of Operational Risk Management. The fusion of the Corporate Governance Strategy Execution comes together with a dedicated internal "Task Force" inside the enterprise. Comprised of the General Counsel, CIO, CISO and VP of Human Resources, this team provides the mechanism for effective policy implementation and operations accountability. The mission is to carry out the fiduciary duty to create a culture of legal compliance within the organization.

The evidence obtained for Homeland Security Intelligence (HSI) investigations may only be as accessible and obtainable as the effectiveness of a private sector companies ESI policies. How often do they purge their e-mail from databases? How much data storage does the enterprise allow for each person's mailbox? Are there people circumventing the information governance policies in the private or public workplace in order to get their daily business accomplished?

The collection of information for HSI has a parallel path with the collection of evidence and it must be done according to the civil liberties and privacy laws of the United States. It is this balance and equilibrium between the governance of information and the legality of obtaining it for the purpose of a terrorism related investigation that brings us to a potential digital paradox.

Where action against a person or organization involves the law, either civil or criminal, the evidence presented shall conform to the rules for evidence laid down in the relevant law or in the rules of the specific court in which the case will be heard. This shall include compliance with any published standard or code of practice for the production of admissible evidence.
In Joshua Cooper Ramo's book "The Age of the Unthinkable","Why the New World Disorder Constantly Surprises Us and What We Can Do About It" the author discusses the concept of Deep Security. His analogy of how to think about "Deep Security" is the biological immune system. "A reactive instinct for identifying dangers, adapting to deal with them, and then moving to control and contain the risk they present."
The key word in Ramo's writing is "Adapt". Being Adaptive. However, prior to this there are two other very vital words that we feel are even more imperative. Instinct. Identifying. In other words, Proactive Intuition.

Ask any savvy law enforcement investigator or intelligence analyst on how she solved the case and you may hear just that, "I had a hunch." Talk with a Chief Privacy Officer in any Global 500 company and you might get them to admit they have a sense that their organization will be the target of a data breach incident in the coming year or two. The complexity of IT systems, data networks and the hundreds of laptops circling the globe with company executives is enough to predict that a major breach will occur.

Being adaptive and having proactive intuition in the modern Homeland Security Intelligence enterprise or private sector company does not come natural. You have to work at it and it requires a substantial investment in time and resources to make it work effectively. Once you realize that all of the legal controls, technology and physical security are not going to keep you out of harms way, you are well on your way to reaching the clairvoyance of "The Age of the Unthinkable."

No comments:

Post a Comment