Research Proposal on "Information Security Policy"

Research Proposal 10 pages (3320 words) Sources: 10 Style: APA

[EXCERPT] . . . .

systemic challenges that ChoicePoint is facing must be dealt with at a fundamental level, with major restructurings of processes, strategies, and systems to accomplish this change. Compounding these internal challenges is the need to stay aligned with, and influence as much as possible, the legislation regarding personal data privacy. The many data breaches the company has experienced, both internally and from fraudulent activity, make it a focal point of the U.S. Congress' efforts to reduce the risk of identity theft and violation of personal data access.

In analyzing this case, the legitimacy of the industry critics' concerns will be discussed, in addition to an assessment of existing processes and their impact on individuals' privacy. Recommendations are also made with regard to legislative changes needed to protect individual privacy yet still allow enough latitude for the personal data industry to respond to the needs of corporate and government customers.

ChoicePoint's Systemic Challenges

Having been formed as a spin-off from Equifax, ChoicePoint rapidly filled the unmet data needs of the insurance industry, concentrating on the data needs of the automobile and homeowner segments, two of the largest insurance segments in the U.S. Having initially developed credit reporting products for these segments at Equifax, ChoicePoint began as a company with a full suite of reports and data analysis services for the property and casualty (P&C) industry. Included in these services and data analysis products were risk assessment profiles, statistical analysis of claims reporting for financial forecasting and fraud prevention, and the continual refining of their Comprehensive Loss Underwriting Exchange (CLUE) report. This specific data service had been so successful that 95% of auto insurers used the CLUE report and its accompanying data services. One of the key competitive advantages of the CLUE Report was its ability to draw on a database of 175 million claims over the years of 1998 to 2005, creating the most thorough data mart in the P&C industry. From this, ChoicePoint was able to apply both descriptive and predictive analytics to align their data services to the risk assessments its customers required. It is common industry knowledge that the company has extensive software licenses with Fair-Isaac, a credit scoring and reporting technology that relies on a constraint-based technology for defining risk levels. The use of Fair-Isaac technology could in fact aid the company in assessing the risk of its own business strategies as well, a point that will be discussed later in this paper.

In addition to its successful spin-off from Equifax, ChoicePoint has also been successful with the many processes required to complete mergers & acquisitions (M&A). With 50 total acquisitions as of the timeframe of this case study, many of which include Web 2.0-based technologies, ChoicePoint is well positioned to gain significant market share in all segments of its business as companies rely more on the Internet for interactive services. Templar and iMap are two examples of this type of acquisition on the part of ChoicePoint. Following these, the company acquired VitalCheck, which was based on an Internet platform that allows birth, marriage, divorce and death certificates to be ordered online. Despite its ability to execute exceptionally well in M&A activities, the company still struggled with the integration of its expanding lines of business into a single platform of services that could be effectively governed. In this disconnect of services, databases, and methodologies of data collection and analysis, the catalyst of ChoicePoint's many problems began to surface. In fact, the entire personal data industry was suffering from a lack of integration across business units and across data collection, analysis and representation methodologies. This was exacerbated at ChoicePoint by the speed of acquisitions and the lack of governance at the corporate level. Further, there was no consistent data protection policy at ChoicePoint. Worse, ChoicePoint had not defined how it would internally manage, audit and report on its own Information Security Management Systems Initiative (ISMS). This was a strategic liability not only for ChoicePoint but for its competitors as well, leaving the entire industry prone to over-regulation by Congress.
The essence of a scalable and secure ISMS is illustrated in its ability to stay agile enough to respond to external factors influencing an organization yet strong enough to protect critical information assets (Bellone, Basquiat, Rodriguez, 2008). In effect, the entire industry had invited criticism by not managing to audit and enforce ethical standards on its own. As the case study shows, there is a very high certainty the U.S. Congress will enforce stricter and more difficult-to-implement standards of ethical and privacy performance on companies in this industry than a comparable set defined by the industry itself. That's because the industry has a much greater appreciation of its unique systems, standards, processes and requirements than the U.S. Congress. By ignoring the need for self-regulation and more active ISMS initiatives including audits, the entire industry risked regulatory burdens that might force it to consolidate due to increased costs. Clearly Derek Smith needs to take the lead for the industry and provide a model for corporate governance including the development of ISMS initiatives that encompass audits. Simply defining audits, however, is not enough; Derek Smith needs to become the evangelist of the ISO 17799 standard for security management. He must also stress that the successful implementation of an ISMS is validated through a series of audit processes based on British Standard 7799 (BS7799), which serves as the basis for the Information Security Management Standard (ISO17799), itself directly based on the British Standard, and ISO 27001, the International Standards Organization standard for ISMS installation and operations. Underscoring compliance with these standards (Brenner, 2007) is the need to define a strategic governance, risk and compliance (GRC) plan.
Of the many aspects of this plan, the critical component is the need for periodic internal audits to ensure an organization stays in compliance with the ISO standards (Da Veiga, Eloff, 2007). To avert the over-regulation of the industry, Derek Smith must become the catalyst of change not only in his company but across the entire industry. To date there is no compliance with either standard within ChoicePoint or the industry, and little if any self-regulation or auditing. Due to these factors, the privacy of individuals is seriously in jeopardy online and the industry critics are for the most part correct. There is a significant gap in the systems and processes needed for managing ISMS initiatives, which also need to tie into a broader and more strategic plan for governance, risk and compliance (GRC). What is in fact needed is a governance framework (Da Veiga, Eloff, 2007) in conjunction with ISMS initiatives so that lapses in security are far less likely to happen.

The Personal Data Industry Needs to Change

The Fair Credit Reporting Act (FCRA) revolutionized the credit and personal data industry, opening up credit for middle- and lower-income consumers, who became the greatest beneficiaries of this act (Streeter, 2003). While the FCRA acted as a catalyst of growth in the industry, there was also a need for better and more accurate monitoring of activity, as fraud escalated with the greater availability of credit data (Moye, 2006). Despite the growth of the personal data industry there was a complete lack of oversight in place, no industry-wide ISMS best practices or standards, and worst of all, no strategic planning for GRC at the chief executive or board of directors level in any company in the industry. Not a single company had gone through an ISMS Implementation Cycle, a result of the lack of strategic governance in every company in the industry. As a result of these factors, sales of illegally obtained personal information flourished (Warren, 2007), leaving victims to fend for themselves in many cases. Further, there had been discussions across the industry of using Generally Accepted Accounting Principles (GAAP) to counter the lack of process efficiency and lack of control monitoring (Prosch, 2008). The credit reporting laws' shift toward allowing credit to be granted to lower- and middle-income families had been embraced as a catalyst for industry growth, yet had not served as an equally critical motivation for changing the governance, auditing and ISMS initiatives in the industry (Moye, 2006).

ChoicePoint's challenges also showed how the entire personal data industry value chain was in need of a complete revamping of processes and systems to ensure a higher level of data privacy was achieved. When considering the value chain, from the data providers through the many agents and bankers who often re-sold bundles of ChoicePoint data through their own channels, it's clear that the entire industry had a complete lack of understanding regarding individual data privacy (Cole, 2004). The value chain for personal data also has conflicting methodologies and analysis, which further added to the potential for personal data being compromised as it was collected, analyzed, sold and re-sold (Cocheo, 2004).…

Quoted Instructions for "Information Security Policy" Assignment:

Kindly provide a review of the assigned case study. Also, address the following questions: 1. How legitimate are the concerns voiced by the industry's critics? 2. To what extent is the industry a threat to individuals' privacy? 3. As a privacy advocate, what legislative changes would you favor? 4. In Derek Smith's position, what would you recommend to the US Congress regarding regulation of the personal data industry?

How to Reference "Information Security Policy" Research Proposal in a Bibliography

“Information Security Policy.” A1-TermPaper.com, 2008, https://www.a1-termpaper.com/topics/essay/systemic-challenges-choicepoint/2494. Accessed 28 Sep 2024.

