Do you know the cookie monster? If not, read yesterday's article first.

The European Commission's new cookie directive, as it applies to geo-location, is about defining a security posture around the classification of information and the data collection practices that can identify a person's present location, and, equally important, their past and future locations. Organisations must clearly state how this information is collected, how long it is retained, and when and how it will be destroyed.
Failure to comply is not an option

A failure to comply with the new EU cookie directive will have ramifications for a business in terms of cost, as well as the obvious legal and reputational consequences. And, whilst the financial implications can be significant, the cost of reputational damage is likely to be far greater. ISACA believes that the concept of privacy, when dealing with personal information, centres on the individual's trust in an organisation and its information systems. It is this trust that allows us, as individuals, to make a judgement call on whether we are happy to release the kind of information that we do to that organisation. Unfortunately, we have seen several recent examples of recognised brands suffering data breaches. Based on the fallout from these breaches, it should be clear to any manager that companies must communicate the technical and organisational mechanisms they have in place to protect user information, such as encryption, processes and procedures.
How to comply with the directive

It should now be clear that businesses using geo-location applications and methods of data collection have a responsibility to behave ethically and to protect consumers' information and rights. And, whilst there are clear differences in how the US, Europe and other regions of the world treat the explicit consent of their Internet users, businesses around the world should provide opportunities to opt in: not by default, but with explicit consent from the user.

Businesses also need to include geo-location data as one of the priorities within their audit and governance strategy. Governance, by the way, can be defined as "setting strategic direction, achieving corporate goals, working out that risks are managed and that resources are used responsibly." ISACA, which believes that the governance of geo-location data should be addressed using these facets of the definition, can offer a great deal of assistance in developing the planning processes that form a central plank of a company's governance strategy. Now available as a free download, COBIT 5 is created for business and IT professionals alike. Its guidance helps enterprises bridge the gap between IT control requirements, technical issues and business risks. Recently, ISACA published COBIT 5 for Information Security, which provides additional guidance on the enablers within the COBIT framework and equips security professionals with the knowledge they need to use COBIT for more effective delivery of business value.

The bottom line is that, when it is properly governed, geo-location technology is a tool that can be very effective for both consumers and businesses, and the EU cookie directive will, in the end, protect both of these parties.

Ramsés Gallego is international vice president of ISACA and also a member of ISACA's Guidance and Practices Committee, the CISM Certification Committee and the CGEIT Certification Committee.