Mich Kabay takes a high-level view of security issues and provides resources to help safeguard your corporate and personal security.
Many organizations strive to protect the confidentiality of prospects and clients. In this column and the next three, I want to explore issues relating to privacy policies and the sometimes problematic relations between legitimate, well-meaning institutions and the commercial organizations with which they do business - and the criminal organizations which abuse their good names and reputations.
Norwich University’s Privacy Policy stands as an excellent example of a clear, well-written and comprehensive document - an example that could usefully be considered by readers of this column who may need a sample policy for their own organization’s use.
Links to the policy are available where visitors may enter personally identifiable information (PII); for example, the admissions-related pages have links at the bottom of every page with a data-entry form. Specifically, the policy makes the following essential points (quoting with added commentary in square brackets):
• “Norwich University requests a certain amount of information from our clients in order to provide the online experience.” [A privacy policy should begin with a statement of the purpose of data collection.]
• “Although we gather names, e-mail addresses, locations and other personal information (dependent on the platform being used), all information is kept confidential.” [The introduction makes the intent of the policy clear.]
• “Information is used for course registration, billing purposes, providing knowledge about our client base, managing our services and to assist us in making the online experience the best possible.” [These are useful clarifications of the intended applications for the collected data.]
• “Information about who may log in from time to time is analyzed in order to allow us to monitor and maintain our network. Information about our clients may also be used to provide feedback to our institutional clients; at no time do we share this information with an outside source. We may, from time to time, examine a platform for statistical purposes, but we will not identify any individual in doing so.” [These are specific constraints on how the data are to be used.]
• “Information placed on our systems may be available to others on our various platforms, depending on the platform chosen. This information is used strictly to allow a client to participate in their individual course(s) and is kept confidential. We will not divulge private information to any unauthorized person.” [These sentences add some more well-defined constraints.]
M. E. Kabay, PhD, CISSP-ISSMP, is Program Director of the Master of Science in Information Assurance program at Norwich University.
Comments (2)
Many security obligations
By Anonymous on August 28, 2008, 10:58 am
I disagree with the commenter who complains that Norwich's policy "does not give any information as to HOW the PII information is stored." The commenter implies...
Not a model policy at all
By Anonymous on August 26, 2008, 3:18 pm
FWIW, Norwich's policy is hardly a model policy. It does not give any information as to HOW the PII information is stored, and for how long. That alone demonstrates...