GCN, 09/23/02 issue
Security, privacy a delicate mix
By William Jackson, GCN Staff
John Sabo, Computer Associates International Inc.'s business manager for security, privacy and trust initiatives, came to the private sector from the Social Security Administration, where he was director of the electronic services staff.

At SSA, he helped develop the Social Security Online Web site and other e-government services. Sabo also was on the team that dealt with the 1997 controversy around Web-based Personal Earnings and Benefit Estimate Statements. Concern about authenticating requests forced SSA to withdraw PEBES.

Sabo was SSA's representative to the Federal Public-Key Infrastructure Steering Committee and on a number of advisory boards for IT standards and policies. Now, he is Computer Associates' representative to the International Security, Trust and Privacy Alliance and is on the Computer System Security and Privacy Advisory Board. He also has been on the membership committee of the industry's IT Information Sharing and Analysis Center.

Sabo holds degrees from King's College and the University of Notre Dame. He speaks frequently about security, privacy and trust in e-government and e-business.

GCN senior editor William Jackson interviewed Sabo by telephone.

GCN: Your job at Computer Associates International Inc. involves both security and privacy. What do you see as the difference?

SABO: There tends to be a lot of confusion and imprecision about these terms. Most people view privacy as security, when in fact information privacy encompasses a much broader set of requirements.

There are multiple parties involved in information privacy: a data subject such as a citizen, and a data processor such as an agency. Privacy practices deal with things such as notice, choice, constraints on collection and use, and access to data.

Privacy is applicable to both parties. Security is only one of a set of privacy principles.

Security covers such things as data confidentiality, identification, authentication, access authorization and data integrity. To protect integrity and allow for review and correction of information, which are privacy requirements, you must have a number of security services to ensure that only an authenticated person can have access.
