
1980 OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data

The 1980 Organization for Economic Cooperation and Development (OECD) Guidelines focus on these areas:
1. Data collection limitations
2. The quality of data
3. Specifications of the purpose for data collection
4. Limitations of data use
5. Participation by the individual on whom the data is being collected
6. Accountability of the data controller

The OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, adopted on 23 September 1980, continue to represent international consensus on general guidance concerning the collection and management of personal information. By setting out core principles, the guidelines play a major role in assisting governments, business and consumer representatives in their efforts to protect privacy and personal data, and in obviating unnecessary restrictions to transborder data flows, both on and off line. The reflection of twenty-one years of expertise and experience shared among representatives of OECD governments, business and industry, and civil society, this publication contains the instruments that serve as the foundation for privacy protection at the global level: the 1980 OECD Privacy Guidelines, the 1985 Declaration on Transborder Data Flows and the 1998 Ministerial Declaration on the Protection of Privacy on Global Networks.


Enterprise Risk Management Summary

1. Aligning risk appetite and strategy. Management considers the entity's risk appetite in evaluating strategic alternatives, setting related objectives, and developing mechanisms to manage related risks.

2. Enhancing risk response decisions. Enterprise risk management provides the rigor to identify and select among alternative risk responses: risk avoidance, reduction, sharing, and acceptance.

3. Reducing operational surprises and losses. Entities gain enhanced capability to identify potential events and establish responses, reducing surprises and associated costs or losses.

The Family Educational Right to Privacy Act and TEACH Act

The Family Educational Right to Privacy Act (FERPA) prohibits educational agencies and programs, at risk of losing federal funds, from having a policy or practice of “permitting the release of” specified educational records. FERPA does not state whether the prohibition places affirmative requirements on educational institutions to protect against unauthorized access to these records through the use of information security measures. It is certainly possible that a court could conclude in the future that an educational institution which fails to take reasonable information security measures to prevent unauthorized access to protected information is liable under FERPA for “permitting the release” of such information.

The recent case of a Vermont college system employee having such data on a laptop that was later stolen (see Chapter 1 sidebar “The Real Cost of Remediation”) might test this very statute. The 2002 Technology, Education, and Copyright Harmonization Act (the “TEACH Act”) explicitly requires educational institutions to take “technologically feasible” measures to prevent unauthorized sharing of copyrighted information beyond the students specifically requiring the information for their studies, and, thus, may create newly

Federal Information Security and Management Act from Security perspective

The Federal Information Security and Management Act of 2002, as amended, (FISMA) does not directly create liability for private sector IT security professionals or their companies. However, IT security professionals should be aware of this law, because it:
- Legally mandates the process by which information security requirements for federal government departments and agencies must be developed and implemented
- Directs the federal government to look to the private sector for applicable “best practices” and to provide assistance to the private sector (if requested) with regard to information security
- Contributes to the developing “standard of care” for information security by mandating a number of specific procedures and policies

What Is Identrus

Identrus was formed in 1999 through a partnership of leading financial institutions, including ABN AMRO, Bank of America, Bankers Trust (since acquired by Deutsche Bank), Barclays, Chase Manhattan, Citigroup, Deutsche Bank, and Hypo Vereinsbank. The main purpose was to enable a trusted business-to-business (B2B) ecommerce marketplace with financial institutions as the key trust providers. The organization leverages financial institutions with a global reach that can still provide local presences. The organization provides identity validation and warranty protection for global B2B ecommerce. Identrus provides a vendor-neutral environment that has the legal backing of all that PKI brings.

Need for Identrus

The two biggest beneficiaries of Identrus are the trading partners that require nonrepudiable identities of their counterparts and financial institutions that want to extend their banking online. These beneficiaries, among others, can also leverage a global standard, which would be difficult to do on their own. In addition, through a common standard, more banks are willing to use PKI-based technology because the cost of deployment is decreased with an increasing number of applications and trading partners.

Applications of Identrus

Some recent examples (in the last few years) of usage of Identrus-enabled applications have included the following:

Cisco Systems Capital group used Bank of America as its provider for Identrus-enabled applications so that Cisco could process leasing transactions online. Cost savings were seen in the reduction of paperwork and the increased speed with which leasing arrangements could be accomplished.

Allianz AG, one of the largest insurance companies in Europe, created an application to offer life insurance contracts for the employees of its corporate customers.

Other applications could include these:
• Corporate purchasing
• Letters of credit
• Financial statement delivery
• Online auction markets
• Electronic content delivery
