Giovanni Iachello
Georgia Institute of Technology
USA
Compelled to improve information security by the introduction of personal data protection legislation, organizations worldwide are adopting standardized security management guidelines to inform their internal processes. This paper analyzes whether existing security management standards support process requirements for personal data management, drawing from experience with security policies in private organizations and through an analysis of current European and US legislation. Various aspects of personal data management not commonly addressed by security standards are identified, and a number of generally applicable enhancements are proposed to one common standard, IS17799. The appropriateness of including data protection guidelines in security standards is discussed, showing how these enhancements could simplify the definition of personal data management procedures in organizations.
Keywords: personal data protection, privacy, security management, IS17799, multilateral security, HIPAA