Big brother is watching
Recently, Larry Clinton of the Internet Security Alliance presented information to Congress regarding security and protecting privacy in cyberspace. First of all, it is encouraging to hear that these kinds of discussions are being presented. Thanks to Larry Clinton and his team for representing these very important issues.
I agree with Larry’s suggestions that compliance alone cannot resolve our concerns, and that more practical means must be established to achieve what is needed. If this is so, I would recommend ongoing monitoring as the key. And if monitoring is the key, how does this affect businesses, individuals, and personal privacy? And what role does government play, if any? Can we balance good monitoring and security with privacy?
My laptop is monitored constantly by security software. In return for the service, I voluntarily give up some information. However, this information is about my system and not about my credit card data. Do you think a similar solution could be implemented to keep businesses free from harmful attacks? Perhaps compliance, in such a case, would be gained by agreeing to opt in to the monitoring system.
Going along with one of Larry’s future objectives – information sharing – threats exposed in such a system could become immediately beneficial to other businesses that are hooked in. Some companies are already attempting this strategy. The general concept is to create a sort of “reputation” around the data elements of the transaction.
The more unique the data elements and the more clients use the reputation, the more valuable the reputation becomes. Reputation can be tied to elements such as an IP address, a client device ID, or a credit card number.
Ostensibly, the most unique and valuable data element would be the client device ID. It provides a much more concrete identification mechanism than the other, dynamic and changeable elements such as email address, shipping/billing address, name, phone number, etc. Thus, gathering these – and especially sharing them – would provide an excellent foundation for a monitoring system.
Ideally, both government and private sectors would contribute to the system, which would provide real-time updates and warnings concerning devices that were previously known to be used in fraudulent activities. But what of privacy concerns? An intrinsic benefit of the client device ID (CDI) is that it does not hold Personally Identifiable Information (PII) within it.
You’re just looking at the device – and ideally the reputation surrounding it – rather than the person or private information behind the device. Granted, any client looking at the transaction has private information on their end (a retailer looking at the invoice, for example), and they could easily connect the PII and CDI together for their own purposes, but the PII portion would not be shared within the overarching monitoring system.
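The split described above, as an added example that is not part of the original article: the retailer keeps the full record (PII next to the device ID) locally, but only the reputation-bearing elements (device ID and IP address) are reported to a shared service, and a second business can then score an incoming transaction against that shared reputation. The `Transaction`, `ReputationService`, `SHARED_FIELDS` and the sample values are all assumptions constructed for the illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

# Retailer-side transaction record (constructed example): PII lives here
# next to the client device ID and never leaves the retailer.
@dataclass
class Transaction:
    device_id: str      # client device ID (CDI)
    ip: str
    card_last4: str
    name: str           # PII: stays local
    email: str          # PII: stays local
    fraudulent: bool = False  # outcome known to the retailer after the fact

# Only these data elements may enter the shared monitoring system.
SHARED_FIELDS = ("device_id", "ip")

class ReputationService:
    """Shared, cross-business reputation keyed on a data element and its value."""
    def __init__(self):
        # (element, value) -> counts of transactions seen and confirmed fraudulent
        self.reports = defaultdict(lambda: {"seen": 0, "fraud": 0})

    def report(self, element: str, value: str, fraudulent: bool) -> None:
        entry = self.reports[(element, value)]
        entry["seen"] += 1
        if fraudulent:
            entry["fraud"] += 1

    def score(self, element: str, value: str) -> float:
        """Fraction of reported transactions on this element that were fraudulent."""
        entry = self.reports.get((element, value))
        if not entry or entry["seen"] == 0:
            return 0.0
        return entry["fraud"] / entry["seen"]

def share_transaction(service: ReputationService, tx: Transaction) -> dict:
    """Report only the permitted elements; return what was shared for audit."""
    shared = {field: getattr(tx, field) for field in SHARED_FIELDS}
    for element, value in shared.items():
        service.report(element, value, tx.fraudulent)
    return shared

def risk(service: ReputationService, tx: Transaction, threshold: float = 0.5) -> bool:
    """Flag a transaction when any shared element carries a fraud score at/above threshold."""
    return max(service.score(f, getattr(tx, f)) for f in SHARED_FIELDS) >= threshold
```

The audit value returned by `share_transaction` is what a reviewer would inspect to confirm that no PII field ever reaches the shared service.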
Moving full circle to the role of government, were they to adopt such a monitoring system and expect businesses to take part in it as a requirement for a new kind of security compliance, we might see a positive shift from the paper-based compliance of the past.
Michael O’Connor is President of IronClad Consulting. This article is published with prior permission from www.information-security-resources.com