A conceptual framework for integrated information privacy protection

Successful organizations strive to achieve a high degree of corporate governance, effective techniques for risk management, and assurance that compliance requirements are fulfilled. This effort bears the Governance, Risk and Compliance (GRC) label, which entails integrating these three disparate disciplines to achieve effectiveness and efficiency in meeting the organization's strategic objectives. An interesting development has been the integration of privacy within a GRC context. Privacy has a number of elements, including governance, management, legal and technical aspects, compliance, risk management, information security, business processes and organizational issues, all of which fall within the GRC processes. The large number of privacy breaches and the growing number of privacy regulations will steer organizations toward managing privacy protection within a GRC context. Privacy has many facets, but the focus of this paper is specifically on information privacy protection. This paper seeks to develop a formalized and repeatable conceptual framework for addressing information privacy protection within a GRC frame of reference.
