The U.S. Department of Homeland Security’s (DHS) top privacy official said today that a “clear mandate” from top management is the foundation of an organization’s ability to establish and implement an effective data security and privacy plan.

“I report directly to the Secretary of Homeland Security,” said Karen Neuman, Chief Privacy Officer of the DHS.  “The same should be said of any organization.”

Neuman’s comments came during a symposium hosted by the International Association of Privacy Professionals/Federal Communications Bar Association at EverBank Center in Jacksonville, Florida.

In her brief remarks, Neuman offered “unsolicited advice” to organizations faced with developing data security plans, which she stressed must engender both transparency and trust.  She outlined seven key areas of overarching concern:

  • Leadership Commitment – Neuman said that the tone set at the top percolates throughout an organization and that buy-in from senior leaders is needed to create an effective organization-wide plan;
  • Data Framework – developing a framework for the collection and handling of data is critical; it must not only comply with legal requirements but also address the particular needs of an organization, including restricting access to the most sensitive information by using “data tags” or identifiers to ensure that only those with a need to know can access particular information;
  • Robust Compliance – an essential element of any data security plan is compliance and a process by which the plan can be monitored and evolved to keep pace with the “machine like” changes in technology;
  • “A seat at the table” – she advised privacy professionals to “grab” a seat at the risk management table so that privacy and data security concerns are treated as another risk factor facing an organization;
  • Privacy “foot soldiers” – in each part of an organization, Neuman said there should be “privacy foot soldiers” or “boots on the ground” so that someone within each business unit is the contact person for data security issues. There must also be a process for escalation of more serious data privacy issues;
  • Ongoing employee education and training – she likened regular employee education and training to the linchpin in protecting an organization’s sensitive information. “Training is a living function.” It isn’t static and changes as quickly as technology; and
  • Whistleblower process – Neuman also advised implementing an internal process so that privacy concerns can be reported to an organization’s management “without fear of reprisal.”

The symposium included four separate panels addressing different aspects of cybersecurity preparedness, risk mitigation and compliance/enforcement issues.