INDEX

A

acceptable risk as strategy constraint, 30

acceptance of risk, 268, 301–302

access administrators, 46

access control lists (ACLs) for remote access, 174

access controls

business process owner responsibilities, 38

concepts, 167

minimizing access, 96

processing centers, 148

threats, 168

types, 166–167

vulnerabilities, 168–169

access history for Internet, 124–125

accountability in RACI charts, 33

accuracy

for continuous improvement, 258

data, 100–101

data classification, 281

ACLs (access control lists) for remote access, 174

acquisitions

considerations, 151–152

integrating into organization processes, 152, 199

activity reviews for remote access controls, 175

actors, threat, 283, 292

administrative audits, 230

administrative safeguards

guidelines, 196

security policies, 193–195

standards, 195–196

advanced persistent threats (APTs), 287–288

advertising, tracking, 117, 119

advisories

actions from, 223–224

communicating, 28

risk management process, 267

aggregation of data, 103

ALE (annualized loss expectancy) in quantitative risk analysis, 297–298

analysis of risk

considerations, 295

controls, 304

costs and benefits, 304–305

incident response, 253

information gathering, 295–296

miscellaneous, 299

OCTAVE, 298–299

qualitative, 296

quantitative, 296–298

risk evaluation and ranking, 299–300

risk identification, 267

risk ownership, 300

risk treatment, 300–303

annualized loss expectancy (ALE) in quantitative risk analysis, 297–298

annualized rate of occurrence (ARO) in quantitative risk analysis, 297

anomaly phase in detection, 180

anonymization of data

auditing, 237

overview, 100

application vulnerabilities, 157, 169

approvals in change management, 183

APTs (advanced persistent threats), 287–288

architectures in privacy programs, 17

archiving

e-mail, 125

overview, 206

ARO (annualized rate of occurrence) in quantitative risk analysis, 297

assessment practice, 137–138

baselines, 138–140

controls, 84

data governance models, 7

mergers, acquisitions, and divestitures, 151–152

physical assessments, 147–150

PIAs and DPIAs, 152–158

questions, 160–164

review, 159–160

risk identification, 266

third-party risk management, 140–147

assets and asset value (AV), 281

business alignment, 3

classifying, 280–281

identifying, 190–191, 278–280

managing, 190–193

privacy programs, 18

qualitative valuation, 282

quantitative valuation, 282–283, 297

risk identification process, 292

risk management process, 266

assurance process integration, 14

audiences

metrics for, 114, 116

security policies, 193–194

training, 50–52

audits

baselines, 140

controls, 84

CSA, 225, 228

data governance models, 10

description, 16

evidence, 232–234

integrating into organization processes, 201

objectives, 229

planning, 230–232

responsibilities, 224

risk identification, 267

Sarbanes–Oxley Act, 35

scope, 228

specific practices, 234–238

standards, 238

team positions, 46–47

third parties, 144

types, 229–230

authentication

multifactor, 173

remote access, 169–172

authorities, working with, 110–111, 249

authorization

input, 223

remote access, 171–172

automated profiling opt-out requests, 247

automation in data loss prevention, 88–92

AV. See assets and asset value (AV)

availability

managing, 189–190

minimizing, 97

avoidance of risk, 268, 302

awareness

baselines, 139

privacy programs, 28

programs for, 53

roadmap development, 27

B

baselines

process maturity, 138

program elements, 139–140

BCDR. See business continuity and disaster recovery (BCDR) planning

BEC (business e-mail compromise), 179

behavioral profiling. See tracking

benchmarking

costs, 209

responsibilities, 224

BIA (business impact analysis)

description, 19

overview, 294

big data architects, 43

binding corporate rules in GDPR, 69

biometrics, 123, 174

blended costs, 208

boards of directors

meetings, 28

overview, 35–36

book value in asset valuation, 282

Brazil, LGPD law in, 72

breach notifications

data governance model, 11

GDPR, 68

budgets as strategy constraint, 30

bulletins for communications, 53

business alignment, 3–4

business cases, 27–28

business continuity and disaster recovery (BCDR) planning

baselines, 140

incident response, 256

integrating into organization processes, 199

service continuity, 189

business development, integrating into organization processes, 202

business e-mail compromise (BEC), 179

business impact analysis (BIA)

description, 19

overview, 294

business processes

monitoring, 218

owners, 38–39

weaknesses, 289

business system owners, 38–39

C

CABs (change advisory boards), 184

California Consumer Privacy Act (CCPA)

consent, 110

event monitoring, 219

provisions, 70–71

removal requests, 248

right to be forgotten, 206

third parties, 142–143

California Privacy Rights Act (CPRA), 70–71

authorities, 110, 249

event monitoring, 219

cameras, 121

CAN-SPAM (Controlling the Assault of Non-Solicited Pornography and Marketing Act), 72

Capability Maturity Model Integration (CMMI), 22–24

capability maturity models, 22–24

capacity management, 188–189

CASBs (cloud access security brokers), 91

cashiers, training, 50

CCBs (change control boards), 184

CCPA. See California Consumer Privacy Act (CCPA)

CCSL (Chinese Cybersecurity Law), 71

Center for Internet Security Critical Security Controls (CIS CSC), 82

centralized log management, 220

CEOs (chief executive officers)

accountability, 35

fraud, 179

certifications

GDPR, 68

remote access controls, 175

change

ITSM, 182–184

PIAs, 155

resistance to, 29

change advisory boards (CABs), 184

change control boards (CCBs), 184

characteristics, database matches for, 101

charters, 15, 62

chief executive officers (CEOs)

accountability, 35

fraud, 179

chief information officers (CIOs) in incident response plans, 256

chief information risk officers (CIROs), 41, 43

chief information security officers (CISOs)

overview, 41–42

risk appetite, 4

chief privacy officers (CPOs), 40–41, 43

chief risk officers (CROs), 43

responsibilities, 41

risk appetite, 4

chief security officers (CSOs), 41, 43

Children’s Online Privacy Protection Act (COPPA), 72

Chinese Cybersecurity Law (CCSL), 71

CIOs (chief information officers) in incident response plans, 256

CIROs (chief information risk officers), 41, 43

CIS CSC (Center for Internet Security Critical Security Controls), 82

CISOs (chief information security officers)

overview, 41–42

risk appetite, 4

classification

assets, 280–281

data, 86–87, 281

third parties, 145

Clayton Antitrust Act, 73

clean desks in processing centers, 148

clipboards, 122

closure phase in incident response, 253

cloud access security brokers (CASBs), 91

cloud-based information assets, 279

cloud server storage control, 91

cloud service providers, 141–142

CM (configuration management), 185

CMDBs (configuration management databases), 185

CMMI (Capability Maturity Model Integration), 22–24

Code of Ethics, 249

comingling of data, 98

Common Vulnerability Scoring System (CVSS), 157, 178

communications, 48

audits, 231

awareness, 53

establishing, 28–29

risk, 268

techniques, 53

training, 49–53

compensating controls for remote access, 169

competency, 48

complaints, 109, 248

compliance

audits, 230

baselines, 139

fines and penalties, 305

integrating into organization processes, 201

legal and contract issues, 204

computer crime investigations, auditing, 237

confidential classification level, 86–87

configuration faults, 289

configuration management (CM), 185

configuration management databases (CMDBs), 185

configurations

business process owner responsibilities, 38

standards, 66

conflicts of interest in RACI charts, 34

consent

collecting, 110

data governance models, 9

consequences of internal policies, 64

consequential financial cost in asset valuation, 282

consulting in RACI charts, 33

contact tracing, 123–124

containment phase in incident response, 253

content filters in DLP, 91

continuous improvement, 258

continuous log reviews, 220

contracts, integrating into organization processes, 203–204

control self-assessment (CSA), 225–226

advantages and disadvantages, 226

description, 84

internal audits, 228

life cycle, 226–227

objectives, 227–228

risk identification, 267

Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM), 72

controls, 75

administrative safeguards, 194

CIS CSC, 82

data governance models, 6–7, 10

frameworks, 66, 77–84

HIPAA, 80

input, 223

ISO/IEC, 78, 81

mapping, 82

NIST, 79–82

objectives, 75–76

overview, 17

PCI DSS, 82

processing centers, 148

remote access, 175–176

risk treatment, 304

roadmap development, 26

standards, 66

technical. See technical security controls

working with, 83–84

controls analysts, 45

convergence metrics, 115

cookies

preventing, 126–127

tracking, 119

copiers, 150

COPPA (Children’s Online Privacy Protection Act), 72

corporate rules in GDPR, 69

corporate workers, training, 50

corrections, requests for, 109, 247

costs

analysis, 304–305

events, 297

strategy constraint, 30

technical controls, 208–209

countermeasures in PIAs, 158

CPOs (chief privacy officers), 40–41, 43

CPRA (California Privacy Rights Act), 70–71

authorities, 110, 249

event monitoring, 219

creation cost in asset valuation, 282

critical data and systems, 18

Critical Security Controls framework, 193

criticality

asset classification, 280

data classification, 281

CROs (chief risk officers), 43

responsibilities, 41

risk appetite, 4

cross-border data transfers in GDPR, 69

CSA. See control self-assessment (CSA)

CSOs (chief security officers), 41, 43

culture

business alignment, 3

data handling, 88

importance, 19

mergers, acquisitions, and divestitures, 151

privacy operations, 105

strategy constraint, 30

custodial responsibilities, 39

CVSS (Common Vulnerability Scoring System), 157, 178

Cyber-Risk Oversight, 36

cybersecurity

CCSL, 71

GDPR, 68

cybersecurity officers, 256

D

data

aggregation of, 103

analytic techniques, 103

archiving, 206

classification, 86–87, 281

destruction, 207

flow diagrams, 101–102

handling standards, 87–88

inventory, 84–85

masking, 96

minimization. See minimization, data

movement monitoring, 107–108

operations monitoring, 106–108

protection operations, 106

quality and accuracy, 100–101

retention laws, 205–207

tagging, 90

data collection, auditing, 235–236

data controllers in GDPR, 68

data discovery scanning, 106–107

data entry errors, 101

data entry operators, 45

data governance model, 5–6

drivers, 12–13

influences, 11

metrics, 114

overview, 7–10

personal data and information, 11–12

data loss prevention (DLP) systems

automation, 88–92

dynamic, 90–92

static, 89–90

tools, 221–222

data management

auditing, 235

baselines, 139

privacy programs, 18

risk likelihood, 293

team structure, 43–44

data privacy officers (DPOs), 43

GDPR, 40–41, 68

risk appetite, 4

data processors in GDPR, 68

data protection impact assessments (DPIAs)

GDPR, 68

PIAs. See privacy impact assessments (PIAs)

risk identification, 266

data scientists, 44

data sharing

controls, 207–208

international agreements, 73

data sources for assets, 191–193

data sprawl, 103

data subject engagement

metrics, 113

PIAs, 154

data subject requests (DSRs)

auditing, 236

privacy rights, 246–248

data subjects

access control types, 166–167

rights, 11, 67–68

working with, 108–109

data usage inquiries, 108, 246

data use governance, 93

data aggregation, 103

data analytics, 103

data flow and usage diagrams, 101–102

data quality and accuracy, 100–101

limitations, 93–94

minimization, 94–100

database administrators (DBAs), 44

database referential integrity, 98

DBAs (database administrators), 44

de-identification, 99–100

decision-making processes, opting out of, 247

decryption in SSL, 125

default system settings, 168

Delphi method, 299

deprovisioning remote access controls, 175

design

controls, 83

faults in, 289

incident response, 257–258

privacy by, 39–40, 196–197

release management, 186

desktop computers, 150

destruction

assessment, 149

data, 207

detection phase in incident response, 251–252

development step in release management, 186

devices

identifiers, 118

security assessment, 150

tracking, 120

dial-up for remote access, 169–170

disaster recovery planning, 189

discarding data, 96

disclosures

controls, 207–208

third party, 144

divestitures

considerations, 152

integrating into organization processes, 199

Do-Not-Call Implementation Act, 72

Do Not Track web browser setting, 126

DPIAs (data protection impact assessments)

GDPR, 68

PIAs. See privacy impact assessments (PIAs)

risk identification, 266

DPOs (data privacy officers), 43

GDPR, 40–41, 68

risk appetite, 4

drivers in data governance model, 12–13

DSRs (data subject requests)

auditing, 236

privacy rights, 246–248

due diligence by third parties, 144

dynamic DLP, 90–92

E

e-mail

archiving, 125

communicating by, 53

DLP, 90, 221

movement monitoring, 107

retention practices, 98

eavesdropping, tracking, 120–121

education, baselining, 139

EF (exposure factor) in quantitative risk analysis, 297

efficiency in continuous improvement, 258

emergency changes, 184

emergency services, integrating into organization processes, 204

emerging threats, 225, 288–289

employment data, 200

encryption for remote access, 169–170

end user behavior analytics (EUBA), 223

endpoint storage in movement monitoring, 107

environmental controls, 148

eradication phase in incident response, 253

ETA (event tree analysis), 299

ethics, 201

EUBA (end user behavior analytics), 223

evaluation, risk, 299–300

event tree analysis (ETA), 299

events

costs, 297

monitoring, 180

probability, 296

security-related, 219–224

evidence

gap analysis, 21

privacy audits, 232–234

retention, 254

third parties, 145–146

executive management

overview, 36–37

sponsorship, 2–3

exposure factor (EF) in quantitative risk analysis, 297

external audits for controls, 84

external monitoring, 225

external policies, 64–65

external reviews in incident response plans, 257

external threats, identifying, 286–287

F

facial recognition, 123

facilitators, risk appetite of, 4

Factor Analysis of Information Risk (FAIR), 277–278

fail closed access controls, 167

fail open access controls, 167

Fair Credit Reporting Act (FCRA), 73

FAIR (Factor Analysis of Information Risk), 277–278

Faraday bags, 127

fault tree analysis (FTA), 299

FCRA (Fair Credit Reporting Act), 73

feasibility studies, 186

Federal Trade Commission Act, 72

Federal Trade Commission (FTC), 72–73

feedback, responsibilities for, 224

fiduciary duties of boards of directors, 35

file server storage control in DLP, 90

filters in DLP, 91

financial management

integrating into organization processes, 204–205

ITSM, 188

financial system asset inventories, 191

fines for compliance, 305

firewalls for DLP, 91

forensics

audits, 230, 238

device, 150

FTA (fault tree analysis), 299

FTC (Federal Trade Commission), 72–73

functions, business process owner responsibilities for, 38

G

gap analysis, 21–22

gate processes in release management, 187

General Data Protection Regulation (GDPR)

authorities, 110, 249

consent, 110

data flow and usage diagrams, 102

data use limitations, 93–94

DPOs, 40–41

event monitoring, 219

legal basis for processing, 74

privacy by design, 39–40

provisions, 67–69

removal requests, 248

right to be forgotten, 206

third parties, 142–143

general staff responsibilities, 48

geography and assets, 192

GLBA (Gramm–Leach–Bliley Act), 72

goals, 3–4

governance meetings, 28

Gramm–Leach–Bliley Act (GLBA), 72

guidelines, 16

H

hardware assets, 278–279

hazards in processing centers, 148

HCM (human capital management) systems, 199

Health Information Technology for Economic and Clinical Health Act (HITECH), 70, 72

Health Insurance Portability and Accountability Act (HIPAA)

requirements, 80

rules, 69–70

third parties, 143

HITECH (Health Information Technology for Economic and Clinical Health Act), 70, 72

HRISs (human resources information systems), 199

human capital management (HCM) systems, 199

human resources, integrating into organization processes, 199–201

human resources information systems (HRISs), 199

hygiene in risk likelihood, 293

I

identification in remote access, 171

identifying

assets, 190–191, 278–280

devices, 118

privacy requirements, 104–105

risk, 266–267, 292

threats, 283–289

vulnerabilities, 156, 179, 289–291

identity and access management, 166

access controls, 166–169

remote access, 169–177

Identity Theft and Assumption Deterrence Act, 72

IDS/IPS (intrusion detection/prevention system), 91, 253

impact

BIAs, 19, 294

PIAs. See privacy impact assessments (PIAs)

risk analysis, 267

risk assessment, 294–295

risk identification, 292

incident commanders in incident response plans, 255–256

incident management

auditing, 237–238

ITIL, 182, 185

incident response, 250

baselines, 139

description, 180

evidence, 254

legal and contract issues, 204

phases, 250–254

plan development, 254–257

playbooks, 257

regulations, 250

reporting, 254

third parties, 144

incidents

communicating, 28

logs, 19

reviews, 38

risk identification, 267

inertia, organizational, 31

information assets, 279–280

information gathering, 295–296

information security

human resources, 200

integrating into organization processes, 198

practices, 165

information security management system (ISMS), 165–177

information systems audits, 229

Information Technology Assurance Framework, 238

information workers, training, 51

informed people in RACI charts, 34

initiation phase in incident response, 252

input controls, 223

inquiries

business process owner responsibilities, 38

data usage, 108

insider threats, 283–286

insurance

legal and contracts, 204

privacy programs, 18

third parties, 144

integrated audits, 229

integrating privacy into organization processes

audits, 201

BCDR planning, 199

business development, 202

compliance and ethics, 201

finance, 204–205

human resources, 199–201

information security, 198

IT development and operations, 198–199

legal and contracts, 203–204

MAD, 199

procurement and sourcing, 203

public relations, 203

security and emergency services, 204

integration

mergers, acquisitions, and divestitures, 152

PIAs, 155

integrity data classification, 281

intellectual property, 280

internal audits

controls, 84

CSA, 228

internal policies, 63–64

internal threats, identifying, 283–286

international data-sharing agreements, 73

Internet

access history, 124–125

movement monitoring, 107

intrusion detection/prevention system (IDS/IPS), 91, 253

inventory, data, 84–85

IP address tracking, 117–118

ISMS (information security management system), 165–177

ISO/IEC standards

27005, 274–277

27701, 78, 81

IT development and operations, integrating into organization processes, 198–199

IT general controls (ITGC), 76

IT Infrastructure Library (ITIL), 180, 182

IT service management (ITSM), 180–181

asset management, 190–193

availability management, 189–190

baselines, 140

capacity management, 188–189

change management, 182–184

configuration management, 185

financial management, 188

incident management, 182

problem management, 182

release management, 185–186

service continuity management, 189

service desks, 181

service-level management, 187–188

ITAF: A Professional Practices Framework for IS Audit, 238

ITGC (IT general controls), 76

ITIL (IT Infrastructure Library), 180, 182

ITSM. See IT service management (ITSM)

J

jurisdiction in data governance model, 11

K

key goal indicators (KGIs), 112

key performance indicators (KPIs), 112, 218

key risk indicators (KRIs), 112, 218

knowledge in privacy programs, 17

L

laptop computers, 150

law enforcement in privacy, 4

laws

CCPA, 70–71

CCSL, 71

external monitoring, 225

FTC, 72–73

GDPR, 67–69

HIPAA, 69–70

international data-sharing agreements, 73

LGPD, 72

PIPEDA, 70

privacy and security steering committees, 37

privacy program framework, 67–73

works councils, 73

leadership from executive management, 37

learn mode in DLP, 92

least privilege access controls, 167

legal agreements in third-party risk management, 143–144

legal basis

data governance models, 9

for processing, 74

legal counsels in incident response plans, 256

legal department, integrating into organization processes, 203–204

legal interpretation in privacy operations, 105

legal obligations

business alignment, 3

strategy constraint, 30

legitimate interest, establishing, 74–75

Lei Geral de Proteção de Dados (LGPD), 72

life cycle

CSA, 226–227

risk. See risk management life cycle

third parties, 143–145

likelihood, risk, 293

limitations, data use, 93–94

local file storage control in DLP, 90

location tracking, 120

logs

privacy programs, 19

security-related events, 220

M

MAD (mergers, acquisitions, and divestitures)

considerations, 151–152

integrating into organization processes, 199

management

commitment by, 29

data governance models, 10

mapping control frameworks, 82

market conditions, 4

marking data, 90, 221

masking data, 96

maturity

assessments, 16

privacy programs, 19

measurements

internal policies, 64

responsibilities, 224

media destruction, 149

media managers, 45

mergers, acquisitions, and divestitures (MAD)

considerations, 151–152

integrating into organization processes, 199

metadata tagging, 90

metrics

audiences, 116

baselines, 140

communicating, 28

convergence, 115

data governance, 10, 114

data subject engagement, 113

performance, 114–115

privacy programs, 111–112

program and process maturity, 114

resilience, 115

resource management, 115

responsibilities, 224

risk management, 113

SMART, 112

strategic, 17

third parties, 147

MFA (multifactor authentication), 173

microphones, 121

minimization, data, 94

access, 96

auditing, 236

availability, 97

de-identification, 99–100

discarding data, 96

required data items collection, 94–95

retention practices, 97–99

storage, 96–97

mission, 3

mitigation of risk, 147, 267–268, 302

mobile devices, 150

monetary value in data classification, 281

monitoring

business processes, 218

controls, 84

developing and running, 106–108

events, 180

external, 225

privacy programs, 217–224

remote access, 176–177

security-related events, 219–224

monitors for communications, 53

Monte Carlo analysis, 299

motivation in risk likelihood, 293

multifactor authentication (MFA), 173

N

names, database matches for, 101

National Association of Corporate Directors (NACD), 36

National Institute of Standards and Technology (NIST)

APTs, 288

Cybersecurity Framework, 80–81

metrics, 112

Privacy Framework, 79

RMF, 273–274

SP 800-30, 270–273

SP 800-39, 269–270

SP 800-53 and SP 800-53A, 81–82

SP 800-122, 79

negotiations in procurement and sourcing, 203

net present value (NPV) in asset valuation, 282

NetFlow, 91

network DLP, 91

network management, 44

new hires, training, 52

NIST. See National Institute of Standards and Technology (NIST)

notifications of breaches

data governance model, 11

GDPR, 68

NPV (net present value) in asset valuation, 282

O

objectives

auditing privacy programs, 229

business alignment, 4

controls, 75–76

CSA, 227–228

data governance models, 9

privacy program development, 2, 13–14

training, 49

OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation), 298–299

online content, 307–309

online tracking. See tracking

Open Web Application Security Project (OWASP), 51

operational audits, 229

Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE), 298–299

operations positions, 45

opportunities in SWOT analysis, 22

opt-out requests, 247

orchestration, 220–221

organizational inertia, 31

organizational structure as strategy constraint, 30

outsourced services, 19

OWASP (Open Web Application Security Project), 51

owners

responsibilities, 38–39

risk, 300

P

passwords

default, 168

remote access, 172–173

paste buffers, 122

patch management vulnerabilities, 179–180

PCI DSS framework, 82

penalties

compliance, 305

GDPR, 69

penetration tests, 179

performance metrics, 14, 114–115

permissions, incorrect, 169

personal data and information

business alignment, 3

classification, 281

data governance model, 11–12

Personal Information Protection and Electronic Documents Act (PIPEDA), 70

photos, 121

physical assessment, 147–150

PIAs. See privacy impact assessments (PIAs)

PIOs (public information officers) in incident response plans, 256

PIPEDA (Personal Information Protection and Electronic Documents Act), 70

planning phase in incident response, 251

plans and planning

BCDR. See business continuity and disaster recovery (BCDR) planning

incident response, 254–257

privacy program audits, 230–232

policies

administrative safeguards, 193–195

compliance baselines, 139

data governance models, 6, 9

developing, 63

executive management involvement, 37

external, 64–65

internal, 63–64

legal and contracts, 203

privacy operations, 105

privacy program audits, 234–235

roadmap development, 24–26

strategies, 16

politics in gap analysis, 21

post-incident phase in incident response, 253–254

posters for communications, 53

preventing tracking, 125–127

priorities

data governance models, 10

project, 37

privacy

audit responsibilities, 46

by design, 39–40

lexicon, 12

privacy impact assessments (PIAs), 152–153

case study, 158

conducting, 153–154

countermeasures, 158

data subject engagement, 154

integrating, 155

need for, 154

privacy threats, 157–158

PTAs, 153

recordkeeping and reporting, 155

risk identification, 266

vulnerabilities, 156–157

privacy mode browsing, 126

privacy operations

building, 104–105

team structure, 45–46

privacy program development, 1

approaches, 2

business alignment, 3–4

business cases, 27–28

capability maturity models, 22–24

communications, 28–29, 48–53

competency, 48

data governance model, 5–13

executive sponsorship, 2–3

gap analysis, 21–22

objectives, 2

questions, 56–60

reporting, 28–29

review, 53–56

risk objectives, 14

roadmap development, 24–27

strategy constraints, 29–30

strategy development, 20–29

strategy objectives, 13–14

strategy resources, 14–15

SWOT analysis, 22

team structure. See team structure

vision, 1–4

privacy program framework, 61

authorities, 110–111

charters, 62

consent, 110

controls, 75–84

data classification, 86–87

data handling, 87–88

data inventory, 84–85

data loss prevention, 88–92

data monitoring operations, 106–108

data protection operations, 106

data subjects, 108–109

data use governance, 93–103

laws, 67–73

legal basis for processing, 74

legitimate interest, 74–75

metrics, 111–116

online tracking and behavioral profiling, 116–127

policies, 63–65

privacy operations, 104–105

questions, 131–135

review, 128–131

standards, 65–66

privacy rule in HIPAA, 69

privacy steering committees, 37–38

privacy threshold analysis (PTA), 153

privileged account reviews, 176

probability of events, 296

problem management in ITSM, 182

processes

business alignment, 3

data governance models, 10

internal policies, 64

maturity, 114, 138

metrics, 114

monitoring, 218

owners, 38–39

privacy programs, 17

risk management life cycle, 266–268

roadmap development, 26

weaknesses, 289

processing centers, 148

procurement, integrating into organization processes, 203

profiling opt-out requests, 247

program charters, 15

program elements, baselines, 139–140

program managers, 48

programming language standards, 66

project managers, 48

proposals for change management, 183

protection practice, 165

access controls, 166–169

administrative safeguards, 193–196

costs, 208–209

data archiving, 206

data destruction, 207

data retention, 205–207

data sharing and disclosure, 207–208

design, 196–197

information security practices, 165

integrating privacy into organization processes, 198–209

questions, 211–215

remote access, 169–177

review, 210–211

technical security controls. See technical security controls

protocol standards, 66

provisioning

remote access, 175

user accounts, 172–173

pseudonymization

auditing, 237

overview, 99

PTA (privacy threshold analysis), 153

public classification level, 86–87

public information officers (PIOs) in incident response plans, 256

public relations, integrating into organization processes, 203

Q

qualitative asset valuation, 282

qualitative risk analysis, 296

quality, data, 100–101

quality assurance responsibilities, 47

quantitative asset valuation, 282–283

quantitative risk analysis, 296–298

questionnaires for third parties, 145–146

R

RACI (Responsible-Accountable-Consulted-Informed) charts, 33–34

ranks and ranking

privacy attitudes reflected by, 43

risk, 299–300

team roles, 32

reacquisition costs in asset valuation, 282

real-time event monitoring, 219

recommendations in risk analysis, 267

recordkeeping in PIAs, 155

recovery phase in incident response, 253

redeployment costs in asset valuation, 282

reduced sign-on, 174

referential integrity in databases, 98

registered classification level, 86–87

regulations

assets, 193

baselines, 139

external monitoring, 225

gap analysis, 22

incident response, 250

internal policies, 64

legal and contracts department, 204

mergers, acquisitions, and divestitures, 151

privacy and security steering committees, 37

privacy operations, 105

risk identification, 267

as strategy constraint, 30

third parties, 142–143

release management, 185–186

remediation of vulnerabilities, 178

remediation phase in incident response, 253

remote access

access control lists, 174

authentication, 171

authorization, 171–172

biometrics, 174

control processes, 175–176

identification, 171

monitoring, 176–177

multifactor authentication, 173

overview, 169–170

reduced sign-on, 174

single sign-on, 174

user IDs and passwords, 172–173

removal, requests for, 109, 248

replacement costs in asset valuation, 282

reporting

audits, 232, 234

baselines, 140

data governance models, 7, 10

incident response, 254

PIAs, 155

privacy programs, 28–29

responsibilities, 224

third parties, 147

requests

for corrections, 109

for removal, 109, 248

request for information (RFI), 143, 203

request for proposal (RFP), 143, 203

required data items, collecting, 94–95

required records, collecting, 95

requirements

identifying, 104–105

procurement and sourcing, 203

regulations, 142–143

release management, 186

residual risk, 303

resilience metrics, 115

resistance to change, 29

resource management metrics, 116

resources

incident response plans, 255

optimization, 14

respond practice, 245

continuous improvement, 258

data subject requests, 246–248

incident response, 250–258

overview, 245–246

questions, 260–264

review, 258–260

response and exception procedures in DLP, 92

responsibilities

access controls, 38

data governance models, 6

executive management, 37

incident response plans, 255–256

internal policies, 63–64

roadmap development, 26

security-related events, 224

team roles. See team structure

Responsible-Accountable-Consulted-Informed (RACI) charts, 33–34

restricted classification level, 86–87

retail workers, training, 50

retention practices

evidence, 254

minimization through, 97–99

reviews

change management, 183–184

data governance models, 10

incidents, 38

logs, 220

remote access, 175–176

RFI (request for information), 143, 203

RFP (request for proposal), 143, 203

right to be forgotten, 206, 248

rights in GDPR, 67–68

risk

analysis. See analysis of risk

continuous improvement, 258

control frameworks, 83

PIAs, 155–157

privacy and security steering committees, 37

strategy constraints, 30

risk appetite

business alignment, 4

privacy programs, 20

risk management process, 266

risk capacity, 4

risk identification

risk management life cycle, 292

risk management process, 266–267

risk ledgers, 18

risk management

metrics, 113

privacy programs, 13

Risk Management Framework (RMF), 273–274

risk management life cycle

analysis, 295–305

asset classification, 280–281

asset identification, 278–280

asset valuation, 281–283

data classification, 281

FAIR, 277–278

ISO/IEC standards, 274–277

methodologies, 269–278

NIST standards, 269–274

overview, 265–266

process, 266–268

risk identification, 292

risk impact, 294–295

risk likelihood, 293

threat identification, 283–289

vulnerability identification, 289–291

risk mitigation, 147, 267–268, 302

risk registers, 268

risk tolerance, 3

risk treatment

overview, 300–303

privacy programs, 18

risk analysis, 268

RMF (Risk Management Framework), 273–274

roadmap development, 24–27

roles

data governance models, 6

incident response plans, 255–256

internal policies, 63–64

roadmap development, 26

team structure, 31–33

S

sampling audit evidence, 233–234

SAQ (Self-Assessment Questionnaire), 226

Sarbanes–Oxley Act audit requirements, 35, 225

scanners, 150

scanning

data discovery, 106–107

data loss prevention, 221

vulnerabilities, 177–179

schedules, training, 52–53

scope

auditing, 228

gap analysis, 21

risk management process, 266

scribes in incident response plans, 256

Secure Sockets Layer (SSL), 125

security advisories

privacy programs, 28

security-related events, 223–224

security and privacy, 10

security information and event management (SIEM), 220–222

security-related events

data loss prevention, 221

input controls, 223

log reviews, 220

monitoring, 219–224

orchestration, 220–221

responsibilities, 224

security advisories, 223–224

SIEM, 220

threat hunting, 222–223

threat intelligence, 222

UBA, 223

security rule in HIPAA, 69

security steering committees, 37–38

segregation of duties (SOD)

access controls, 167

matrix reviews, 176

RACI charts, 34

Self-Assessment Questionnaire (SAQ), 226

semiqualitative risk analysis, 296

sensitive employment data, 200

sensitive information classification, 281

service access controls, 166–167

service account reviews, 176

service continuity management, 189

service desks

IT, 181

team positions, 47

service-level ITSM management, 187–188

service provider audits, 230

session integrity, tracking, 118

severity of vulnerabilities, 156–157

sharing data, 207–208

SIEM (security information and event management), 220–222

single loss expectancy (SLE) in quantitative risk analysis, 297

single sign-on (SSO), 174

skills

privacy programs, 17

RACI charts, 34

risk likelihood, 293

SLE (single loss expectancy) in quantitative risk analysis, 297

SMART metrics, 112

social engineering

assessing, 179

attack success through, 168

social media accounts, 121

societal norms, 225

SOD (segregation of duties)

access controls, 167

matrix reviews, 176

RACI charts, 34

software assets, 279

software developers

team structure, 42

training, 51

sourcing, integrating into organization processes, 203

split custody access controls, 167

SSE-CMM (Systems Security Engineering Capability Maturity Model), 23

SSL (Secure Sockets Layer), 125

SSO (single sign-on), 174

staff

compensation costs, 209

competency baselines, 140

strategy constraints, 30

standards

administrative safeguards, 195–196

audit, 238

data governance models, 6, 10

data handling, 87–88

NIST, 269–274

policies, 65–66

privacy program development, 16

roadmap development, 26

statements of work for audits, 231

static DLP, 89–90

statistics, tracking, 118

status updates phase in incident response, 252–253

steering committees

meetings, 28

responsibilities, 37–38

storage

assessing, 149

DLP, 90–91, 221

minimizing, 96–97

PIAs, 157

storage engineers, 45

strategies

business alignment, 3

capacity management, 189

constraints, 29–30

data governance models, 9

development, 20–29

objectives, 13–14

resources, 14–15

strengths, weaknesses, opportunities, and threats (SWOT) analysis, 22

subjects. See data subjects

subsystem assets, 279

supervisory authority in GDPR, 69

surveillance in processing centers, 148

sustain practice, 217

auditing, 228–238

CSA, 225–228

external monitoring, 225

privacy program monitoring, 217–224

questions, 240–243

review, 238–239

SWOT (strengths, weaknesses, opportunities, and threats) analysis, 22

systems analysts, 42

systems architects, 42

systems management, 44–45

systems operators, 45

Systems Security Engineering Capability Maturity Model (SSE-CMM), 23

T

tabletop tests in incident response plans, 257

tagging data, 90, 221

TCO (total cost of ownership), 304–305

team structure, 31

boards of directors, 35–36

business process owners, 38–39

CISOs, 41–42

CPOs, 40–41

custodial responsibilities, 39

data management, 43–44

executive management, 36–37

general staff, 48

network management, 44

operations, 45

privacy and security steering committees, 37–38

privacy audits, 46

privacy operations, 45–46

quality assurance, 47

RACI charts, 33–34

roles, 31–33

security audits, 47

security operations, 46

service desks, 47

software development, 42

systems management, 44–45

technical security controls, 177

costs, 208–209

event monitoring and anomaly detection, 180

incident response, 180

IT service management. See IT service management (ITSM)

vulnerabilities, 177–180

technical support analysts, 47

technical workers, training, 51

telecom engineers, 44

temporary workers

records, 201

reviews, 176

testing

incident response plans, 257

release management, 186

third parties

consent through, 110

privacy program audits, 234

retention practices, 98

training, 52

vulnerability identification, 290–291

third-party risk management (TPRM), 140–141

assessment factors, 146–147

classifying, 145

cloud service providers, 141–142

life cycle, 143–145

managers, 47

metrics and reporting, 147

questionnaires, 145–146

regulation requirements, 142–143

risk mitigation, 147

threat identification

APTs, 287–288

emerging threats, 288–289

external threats, 286–287

internal threats, 283–286

overview, 283

threat intelligence in SIEM, 222

threats

access controls, 168

assessments, 15

hunting, 222–223

PIAs, 157–158

risk identification, 267

SWOT analysis, 22

timelines as strategy constraint, 30

timeliness in continuous improvement, 258

titles for team roles, 32

Tor browsers, 126

total cost of ownership (TCO), 304–305

TPRM. See third-party risk management (TPRM)

tracking, 116–117

advertising, 117, 119

cookies, 119

IP addresses, 117–118

preventing, 126–127

techniques and technologies, 117–124

workplace, 124–125

training

audiences, 50–52

content, 49–50

objectives, 49

roadmap development, 27

schedules, 52–53

transfer of risk, 268, 303

transfer requests, 247–248

treatment, risk

overview, 300–303

privacy programs, 18

risk analysis, 268

U

UAT (user acceptance testing), 186

UBA (user behavior analytics), 223

unit testing, 186

unpatched systems, 168, 290

unstructured data, retention practices for, 98

update requests, 247

usage diagrams, 101–102

usage statistics, tracking, 118

USB storage

DLP, 90

movement monitoring, 107

user acceptance testing (UAT), 186

user accounts, provisioning, 172–173

user behavior analytics (UBA), 223

user IDs in remote access, 172–173

V

valuation of assets, 281–283

value delivery, 13

vCISOs (virtual CISOs), 42–43

velocity in risk likelihood, 293

vendors

managers, 48

standards, 66

verification in change management, 183–184

vice presidents, 43

video monitors for communications, 53

virtual assets, 279

virtual CISOs (vCISOs), 42–43

virtual private networks (VPNs)

overview, 127

remote access, 169–170

visibility in risk likelihood, 293

vision in privacy, 1–4

visitors, tracking, 118

voice assistants, 121

VPNs (virtual private networks)

overview, 127

remote access, 169–170

vulnerabilities

access controls, 168–169

assessing, 15

defined, 283

identifying, 156, 179, 289–291

managing, 177–178

patch management, 179–180

PIAs, 156–157

risk identification, 267, 292

severity, 156–157

third parties, 290–291

W

watermarking, 90

weaknesses

known and undiscovered, 290

SWOT analysis, 22

web, tracking, 118–119

web beacons, tracking, 120

web content filters for DLP, 91

web sites for communications, 53

wire transfer fraud, 179

work centers assessment, 148

workplace, tracking in, 124–125

works councils, 73

wrap-up for audits, 232