CHAPTER 1

Developing a Privacy Program

In this chapter, you will learn about

•   Developing a privacy vision

•   Ensuring business alignment

•   Developing a privacy and security strategy

•   Resources needed to develop and execute a privacy and security strategy

•   Obstacles to strategy development and execution

•   Privacy program communications

This chapter covers Certified Information Privacy Manager job practice I, “Developing a Privacy Program.” The domain represents approximately 22 percent of the CIPM examination.

The genesis of a privacy program is a vision in the mind of a privacy leader. The privacy leader imagines the existence of a privacy program complete with policy, governance, and operations that together ensure the proper collection, use, handling, protection, and disposal of personal information.

The Privacy Vision

Organizations, including private companies, nonprofits, nongovernment organizations (NGOs), and governments, collect and store personal information about customers, citizens, employees, volunteers, and others. Privacy in the context of personal information includes two main components: the proper collection, handling, management, and use of personal information, and the protection of personal information.

The first component, proper collection, handling, management, and use of personal information, is often implemented in the form of data governance. This is a field in itself that includes policies and processes to ensure that all important data, including personal information, is used in accordance with policy and with management oversight and approval. The next component, proper protection of personal information, is generally implemented in the form of cybersecurity. As a practice, cybersecurity has existed for decades and continues to evolve as an art.

Program Approaches

There is more than one way to crack an egg. Similarly, there are several ways to approach the vision and mission of privacy. There is no single, correct approach; in fact, several approaches can be used to attack the matter of privacy. Numerous factors influence the approach, ranging from executive culture to regulatory obligations as well as risk tolerance and risk appetite. Perhaps a good starting point is to consider the typical stakeholders, which include

•   Legal

•   Human resources (HR)

•   Information technology (IT)

•   Cybersecurity

•   Marketing and sales

•   Business units or departments

Some organizations may include additional stakeholders.

Privacy Objectives

Organizations have various reasons for putting resources into a privacy function. Not all organizations and their circumstances are alike, although they share some common threads. Two primary objectives are most often used:

•   Avoidance of regulatory problems

•   Enhancement of customer experience

You may note the stark contrast between these objectives. In the first, the organization is moving away from something (regulatory trouble), while in the second, the organization is moving toward something (improved customer experience and market competitiveness). It is said that all human action is driven by two basic emotions: fear and love. The primary objective of a privacy program appears to be so aligned.

Executive Sponsorship

Executive sponsorship is the formal or informal approval to commit resources to a business problem or challenge. Privacy is no exception: without executive sponsorship, privacy will be little more than an unrealized idea.

In its simplest form, the business case for implementing a privacy program comes down to one or two points: the consequences for failing to implement a privacy program and the benefits enjoyed from implementing a program. These can be expressed in financial terms or in terms of image, brand, reputation, and/or market share.

The other dimension related to sponsorship is this: How much privacy is enough? Cybersecurity executives and their corporate counterparts have been arguing a similar point for decades: How much security is enough? Both questions can be answered by understanding the organization’s current state, its desired future state, and the costs and consequences involved.

Business Alignment

As vision gives way to strategy, the organization’s privacy leader must ensure that the information privacy program fits in with the rest of the organization. This means that the program needs to align with the organization’s highest level of guiding principles, including the following:

•   Mission Why does the organization exist? Who does it serve and what products and services are provided?

•   Goals and objectives What achievements are projected to be accomplished, and when does the organization want to achieve these objectives?

•   Strategy What activities need to take place to fulfill the organization’s goals and objectives?

To be business aligned, privacy and security professionals should be aware of several characteristics of the organization, including these:

•   Business model and processes These include the organization’s data flows (particularly flows of personal information), its use of information systems, and its sources of revenue.

•   Sources and uses of personal information At the core of a privacy program, it’s vital that all sanctioned and unsanctioned uses of personal information are understood, documented, rationalized, and managed.

•   Culture This includes how personnel in the organization work, think, and relate to one another. Of utmost importance is the cultural attitude toward the treatment of personal information.

•   Asset value This includes information the organization uses to operate, which often consists of intellectual property such as designs, source code, production costs, and pricing, as well as sensitive information related not only to the organization’s personnel but to its customers, its information processing infrastructure, and its service functions as well.

•   Risk tolerance Risk tolerance for the organization’s privacy and information security programs needs to align with the organization’s overall tolerance for risk.

•   Legal obligations What external laws and regulations govern what the organization does and how it operates? These laws and regulations include the Gramm–Leach–Bliley Act (GLBA), the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and the Health Insurance Portability and Accountability Act (HIPAA). Contractual obligations with other parties also often shape the organization’s legal behaviors and practices.

•   Market conditions How competitive is the marketplace in which the organization operates? What are the organization’s strengths and weaknesses when compared to its competitors? How does the organization want its privacy and security differentiated from its competitors?

•   Privacy law enforcement Are regulators and other authorities actively enforcing privacy laws and regulations, or are those laws “paper tigers” that stand unenforced? Organizations are generally reluctant to devote resources to changing business models, business processes, and information systems to comply with laws that may not be enforced.

Goals and Objectives

An organization’s goals and objectives specify the activities that are to take place in support of the organization’s overall strategy. Goal and objective statements are typically imperatives that describe the development or improvement of business capabilities. For instance, goals and objectives may be related to increases in capacity, improvements of quality, or the development of entirely new capabilities. Goals and objectives further the organization’s mission, helping it to continue to attract new customers or constituents, increase market share, and increase revenue and/or profitability.

Risk Appetite

Each organization has a particular “appetite” for risk, although few have documented that appetite. ISACA (www.isaca.org) defines risk appetite as “the level of risk that an organization is willing to accept while in pursuit of its mission, strategy, and objectives, and before action is needed to treat the risk.”

Risk capacity is related to risk appetite. ISACA defines risk capacity as “the objective amount of loss that an organization can tolerate without its continued existence being called into question.”

Generally, only highly risk-averse and regulated organizations such as banks, insurance companies, and public utilities will tangibly document and define their risk appetite. Other organizations are more tolerant of risk and make individual risk decisions based on gut feelings or qualitative risk analyses. However, because of increased regulation, as well as influence and mandates by customers, many organizations are finding it necessary to document and articulate their risk postures and appetites. This is an emerging trend in the marketplace but is still relatively new to many organizations.

In a properly functioning corporate risk management program, the chief information security officer (CISO) or chief risk officer (CRO) is rarely the person who makes a risk-treatment decision and is rarely accountable for that decision. Instead, the CISO or CRO is a facilitator for risk discussions that eventually lead to risk treatment decisions. The only time the CISO or CRO would be the accountable party would be when risk treatment decisions directly affect the risk management program itself, such as in the selection of a governance, risk, and compliance (GRC) tool for managing and reporting on risk.

The data privacy officer (DPO) plays a similar role in privacy-related risk decisions. Like the CISO and CRO, the DPO is a domain expert and guides the business toward decisions that align with applicable laws, internal policies, and the expectations of its affected constituents. Generally, business leaders will make those decisions.

Establish a Data Governance Model

When properly implemented, governance is a process whereby senior management exerts strategic control over business functions through policies, objectives, delegation of authority, and monitoring. Governance is management’s continuous oversight of an organization’s business processes to ensure that they effectively meet the organization’s business vision and objectives.

Organizations often establish governance through a committee or designated position that is responsible for setting long-term business strategy and making changes to ensure that business processes continue to support the business strategy and the organization’s overall needs. Effective governance is enabled through the development and enforcement of documented policies, standards, requirements, and various reporting metrics.

Data Governance

Data governance is management’s visibility and control over the use of information in an organization. By defining strict and tangible consequences for the failure to protect and use personal information transparently, privacy laws have ushered in the emergence of policies and practices that shine a light on data collection, usage, and protection. Organizations are now accountable for confronting data sprawl and indiscriminate use of personal information.

A typical data governance structure contains the following:

•   High-level policy and related standards defining data management practices

•   Defined roles and responsibilities for data management

•   Key controls

•   Assessments of key controls to ensure that they are effective

•   Methods of reporting to management the descriptions of incidents, activities, and assessments

A key prerequisite to effective data governance is organizational change management—that is, management must have visibility into and control over changes made to business processes. Organizations lacking organizational change management will find that processes will change—including new and changed uses of personal information that may be contrary to policy—without management’s awareness.

Governance Models

As organization leaders develop a vision for data governance, they need to be aware of the structure and scope of the organization. It is the author’s belief that existing structures should be leveraged as much as possible when designing new corporate management or governance structures. For example, if information security in a global organization is highly distributed, then data governance and privacy perhaps should also be highly distributed. On the other hand, if information security and privacy are highly centralized, then data governance probably should be as well.

Other factors come into play for data governance, such as local laws for privacy, information security, cross-border data flow, and data sovereignty. Further, local laws may have differing norms for both minimum and maximum data retention. The geographic reach of an organization’s operations adds complexity and calls for at least local involvement, if not local control.

There are no easy answers with regard to governance models: privacy, security, and data management leaders need to understand the organization and internal and external influencers and capabilities, and then proceed with a model that is best supported and most likely to succeed. Management will need to continue to monitor the program and should be willing to make adjustments as needed.

Policies and Standards

In the context of data governance, data policies and standards define the required behavior of personnel associated with data architecture, data management, and data usage. Data governance policies and standards will address topics including

•   Approvals required for the acquisition of new data sources

•   Approvals required for new or changed uses of existing data sources

•   Safeguards to protect data from unauthorized access and use

Policies and standards will also define roles and responsibilities and imply the development of controls.

Roles and Responsibilities

A data governance charter or policies and standards should define roles and responsibilities concerning the management of data, including

•   Decisions for access to data and databases

•   Reviews of access rights to data and databases

•   Decisions and reviews for uses of data and databases

•   Ownership of individual controls

•   Investigations into misuse and unauthorized access to data and databases

Readers versed in information security will recognize these roles and responsibilities as essential parts of a comprehensive information security program.

Control Objectives and Controls

Following the development of policies, standards, roles, and responsibilities, control objectives and controls can be developed. Control objectives and individual controls specify key desired outcomes to ensure that data governance policies will be carried out.

The functional areas where controls will be developed include

•   Approvals for the acquisition of new data sources

•   Approvals for new uses of data

•   Monitoring of data usage

•   Approvals for requests to access data

•   Reviews of access to data

Organizations will develop processes and procedures that include these controls.

Assessments

The effectiveness of policies and controls cannot be fully known unless they are assessed or audited. The criticality of controls and the applicability of specific regulations will determine the approach and rigor needed to assess controls, whether they are reviewed, assessed, or audited.

Prior to recently enacted privacy laws, many organizations paid little attention to risks associated with the protection and use of personal information. Overall and focused risk assessments concerning the use of personal information are warranted, however.

Assessing controls alone addresses their effectiveness but may overlook aspects of privacy and security where no controls exist. Control assessments and risk assessments should be included in the organization’s overall risk management life cycle, as discussed in Appendix A and in more detail in CISM Certified Information Security Manager All-In-One Exam Guide.

Reporting

Governance is incomplete if management is uninformed of routine business activities and incidents that occur in a program. Management needs to be periodically informed of how many incidents occur, how effective those incidents were at circumventing controls, and the effectiveness of incident response, corrective actions, and improvements.

Privacy Governance

Privacy governance is a set of established activities that typically focuses on several fundamental principles and outcomes. These focused activities are designed to enable management to have a clear understanding of the state of the organization’s privacy program, its current risks, its direct activities, and its alignment to the organization’s business objectives and practices. A goal of the privacy program is enabling the fulfillment of the privacy strategy, which itself will continue to align with the business, business objectives, and developing regulations. The processes supporting these principles and outcomes include privacy policy, data governance, compliance, risk management, and cybersecurity. Whether the organization has a board of directors, council members, commissioners, or some other top-level governing body, governance begins with establishing top-level strategic objectives that are translated into actions and roles and responsibilities through policies, processes, procedures, and other activities downward through each level in the organization.

Privacy is a business issue, and organizations that are not yet properly managing or adequately protecting personal information have a business problem. The reason for this is almost always a lack of understanding and commitment by boards of directors and senior executives. For many, privacy is viewed as a security issue that focuses on data protection problems at the tactical level, and it’s not about data usage at all. The challenge is that, because of a lack of awareness or experience in privacy, organizations still struggle with how to organize, manage, and communicate about privacy successfully at the executive leadership and boardroom levels.

To manage privacy successfully, organizations need to understand that privacy is also a people issue. When people at each level in the organization—from board members to individual contributors—understand the importance of privacy and security within their own roles and responsibilities, an organization will be in a position of reduced risk. This reduction in risk or identification of potential privacy or security events results in fewer incidents with less impact on the organization’s ongoing reputation and operations.


NOTE    Because modern privacy practices are heavily influenced by privacy laws such as the EU GDPR, the CCPA, and the California Privacy Rights Act (CPRA), organizations should rely upon qualified legal counsel as a part of the overall governance process. Including legal counsel helps to ensure that the organization’s privacy policies and practices comply with these and other laws.

Think of privacy as having two main components: proper data management and usage, and data protection—commonly referred to as cybersecurity, data security, or information security. A privacy program cannot succeed without effective cybersecurity. Further, cybersecurity cannot succeed without a solid foundation in IT and IT operations. IT is the enabler and force multiplier that facilitates business processes that fulfill organization objectives. Without effective IT governance, privacy and information security governance practices will not reach their full potential. Figure 1-1 shows how the business vision, strategy, and objectives of privacy and information security governance flow downward in an organization through its privacy and IT security strategies, policies, standards, and processes.


Figure 1-1 Business vision flows downward in an organization.


NOTE    Although CIPM certification is not directly tied to IT governance, this implicit dependence of privacy and security governance on IT governance cannot be overstated. IT and security professionals specializing in IT governance itself may be interested in ISACA’s Certified Information Security Manager (CISM) and Certified in the Governance of Enterprise IT (CGEIT) certifications, which specialize in these domains.

Although IT governance, information security governance, and privacy governance may be separate activities, in many organizations, these activities will closely resemble or rely upon one another. Many issues will span IT, security, and privacy governance bodies, and many individuals will participate actively in all three areas. Some organizations may integrate IT, information security, and privacy governance into a single set of participants, activities, and business records. The most important thing is that organizations figure out how to establish governance programs that are effective for achieving formally established business outcomes.

Privacy governance will enable alignment of the organization’s privacy program with customer or constituent expectations, applicable regulations, identified risks, and business needs. An objective of privacy governance is to provide assurance of the proper protection and use of personal information from a strategic perspective to ensure that required privacy practices align with the business practices.

Here are some of the artifacts and activities that flow out of sound privacy governance:

•   Program objectives The desired capabilities or end states, ideally expressed in achievable, measurable terms.

•   Established legal basis The manner in which the organization may lawfully collect and process personal information about data subjects.

•   Consent The mechanisms through which the organization directly or indirectly obtains permission from data subjects to collect and process their personal information.

•   Strategy The plan to achieve one or more objectives.

•   Policy The mission, objectives, and goals of the overall organization that align with constituent expectations and applicable laws.

•   Priorities The main concerns of the privacy program, which should flow directly from the organization’s mission, objectives, and goals. Whatever is most important to the organization as a whole should be relevant to privacy and information security.

•   Standards The technologies, protocols, and practices used by IT that should reflect the organization’s needs. On their own, standards help to drive a consistent approach to solving business challenges; the choice of standards should facilitate solutions that meet the organization’s needs in a cost-effective and secure manner.

•   Processes The formalized descriptions of repeated business activities that include instructions to applicable personnel. Processes include one or more procedures, as well as definitions of business records and other facts that help workers understand how things are supposed to be done.

•   Controls The formal descriptions of critical activities performed to ensure desired outcomes.

•   Program and project management The ways in which the organization’s privacy, security, and IT programs and projects are organized and performed, which should be in a consistent manner that reflects business priorities and supports the business.

•   Metrics/reporting The formal measurement of processes and controls that management can understand and measure.

•   Review/audit The formal evaluation of processes and controls to determine their effectiveness.

To the greatest possible extent, privacy governance in an organization should be practiced in the same way that the organization performs cybersecurity, IT, and overall corporate governance. Privacy governance should mimic organizational and/or security and IT governance processes, or it may be integrated into corporate, cybersecurity, or IT governance processes.

Though privacy governance contains the elements just described, strategic planning is also a key component of governance. Strategy development is discussed in the next section.

Privacy and Security: Together or Separate?

Should privacy and security be managed separately or together? Although there’s no right or wrong answer, know this: privacy cannot succeed without information security. The objectives of a privacy program are the protection and proper handling of personal information. The protection part is done by information security, and the proper handling part is solely the domain of privacy.

Privacy needs information security to be successful. Security is a prerequisite to privacy, but privacy adds more: the proper handling of information and its protection.

This is why privacy and security are discussed hand-in-hand throughout this chapter and this book. To discuss privacy alone, without security, tells only half of the entire story that needs to be told.

Factors Influencing Privacy Governance

An organization’s privacy program must focus on several internal and external events and activities. Privacy managers realize that some of these factors can be influenced to some degree, while others are entirely out of the managers’ sphere of influence. We must be informed and able to react to these influencers.

The Nature of Personal Data and Information

Much of the information contained in information systems is about people. In both government and business organizations, information systems keep track of property owners, taxpayers, voters, citizens, patients, clients, customers, and potential customers. Often, the information retained about people is sensitive in nature, sometimes even secret, and all parties have a vested interest in the adequate protection and proper handling of that information.

In most situations, transactions between individuals and businesses, governments, and healthcare organizations are considered confidential, not to be disclosed, and to be used for official business purposes only. As this information migrated from paper to information systems, and as information technology advanced, organizations developed numerous techniques by which additional value could be extracted from the information about their citizens, patients, customers, and constituents. Abuses of these practices have given rise to privacy laws intended to curb such activities.

Privacy laws are discussed in detail in this section. Note that there are many variances among these laws in the following areas:

•   Definitions of personal information Privacy laws provide sometimes specific, sometimes vague definitions of which types of data are considered sensitive and which are not. Most laws consider the aggregation of someone’s name together with other items, such as financial account numbers, medical records, political affiliation, and more, as personal information that is to be safeguarded and used within stated guidelines.

•   Data subject rights Privacy laws define a number of rights that vary somewhat from one regulation to another. These rights cover transparency and limitations of use, adequate protection, personal data correction, and data removal.

•   Protection of personal information Laws require organizations to take measures to ensure the adequate protection of personal information so that it cannot be accessed, altered, stolen, or destroyed by unauthorized parties.

•   Use of personal information Laws require transparency regarding the uses of personal information so that persons can be aware of these uses.

•   Notification of breach Laws require organizations to disclose to affected individuals any instances in which their personal information was improperly accessed, used, or compromised.

•   Jurisdiction Many privacy laws today are extraterritorial, meaning that they intend to regulate the activities of organizations located outside of political boundaries.

Data privacy and data protection laws are being enacted at a relatively fast pace, as a reflection of vast expansions of the collection and use of personal information, abuses and breaches by the organizations collecting and using personal data, and still-developing social norms regarding the definitions and expectations of privacy.

The Imperfect Lexicon of Privacy

As in every profession, privacy and information security have their own special vocabulary. In the privacy profession, there are the terms personal information and data subject request. Are there really distinctions and valid reasons why “personal information” uses the term “information” while “data subject request” uses the term “data”?

Looking at dictionary definitions, data and information have similar definitions. However, if we go deeper and more specific, we find definitions (in this case, from www.diffen.com) along these lines: “Data are simply facts or figures—bits of information, but not information itself. When data are processed, interpreted, organized, structured, or presented so as to make them meaningful or useful, they are called information. Information provides context for data.”

Perhaps this is a clue. The remainder of this exercise is left to the reader.

Privacy Governance Drivers

Whether you attribute the emergence of sweeping data privacy laws to citizen backlash, politicians knee-jerk reacting to that backlash, or merely a coming of age, organizations everywhere are becoming aware of the fact that people’s privacy rights matter, and that ignoring these rights can land an organization in hot water. For the most part, organizations are being forced to change their practices, their information systems, and sometimes even their business models to align with the new reality: organizations must be transparent about how they obtain, collect, process, and pass on personal information.

Governance is management’s sharpest tool for getting things done. With regard to privacy laws such as the GDPR, CCPA, and CPRA, organizations have put governance structures in place to oversee the transformation in their business processes and information systems from practices of opaqueness to practices of transparency. In many cases, this transformation has meant an about-face on internal practices. Indeed, this has prompted numerous (dare I say the majority of) organizations to “discover” how they are using personal information internally, as though the proverbial foxes have been in charge of the henhouse.

Simply put, privacy governance is all about keeping organizations out of trouble with regulators, outraged citizens, and the courts. Many organizations have had no desire to change their business models, and many complain that it will hurt them financially. Just as the do-not-call lists and laws have curbed the use of unsolicited robo-calls in the United States, privacy laws will forever alter business models that include mining and monetizing personal data behind the dark curtains of organizations’ marketing machinery.

While the foregoing portrays the darker side of some organizations, many others were already “doing the right thing” with regard to transparency in managing personal data. For them, the new journey to privacy compliance has been less impactful. All are moving toward new expected norms, which are expected to change still further.

Because privacy governance is generally driven by emerging privacy laws, many organizations have legal counsel in their governance structure as experts on the law and its interpretation. As even more privacy laws are enacted, and as case law begins to emerge, organizations will be watching privacy laws develop and will adjust their systems, processes, and business models accordingly.

The flexibility and capabilities of information systems make it all too easy for organizations to exceed implicitly or explicitly stated purposes for the collection and use of personal information, leading to potential abuses and overreach. As a privacy manager, you must understand the workings of the business with regard to the data it collects about natural persons—how that data is collected, how it is used, and how it is protected. These things should be considered when you’re building out a privacy governance structure, but the type of information used by the organization will drive the priority that is given to managing data usage and protection. Privacy governance, then, is needed to ensure that the organization’s data management and data protection activities do not lead to incidents that can bring harm to affected persons or the organization itself.

Establish a Privacy Program

Establishing a privacy program requires the development of a strategy. Business, technology, privacy, and security professionals have many different ideas about the meaning of a strategy and the techniques used to develop a strategy, and this can result in general confusion. Although a specific strategy itself may be complex, the concept of a strategy is quite simple. A strategy can be defined as “the plan to achieve an objective.” The effort to build a strategy requires more than saying those six words. Again, however, the idea is not complicated. The concept is this: Understand where you are now and where you want to be. The strategy is the path you must follow to get from where you are (current state) to where you want to be (strategic objective).

The remainder of this section explores strategy development in more detail.

Strategy Objectives

As stated, a strategy is a plan to achieve an objective. The objective (or objectives) is the desired future state for the organization’s privacy and security posture and level of risk.

There are, in addition, objectives of a strategy:

•   Strategic alignment The desired future state, and the strategy to get there, must be in alignment with the organization and its strategy and objectives.

•   Effective risk management Privacy and security programs must include a risk management policy, processes, and procedures. Without risk management, decisions are made blindly and often without regard to their consequences or level of risk.

•   Value delivery The desired future state of a privacy or security program should include a focus on continual improvement and increased efficiency. No organization has unlimited funds for privacy and security; instead, organizations need to reduce the right risks for the lowest reasonable cost.

•   Resource optimization Similar to value delivery, strategic goals should efficiently utilize available resources. Among other things, this means having only the necessary staff and tools required to meet strategic objectives.

•   Performance measurement While strategic objectives need to be SMART (specific, measurable, attainable, relevant, and timely), the ongoing operations of the privacy program, and the business operations that handle personal information, should themselves be measurable, enabling management to drive continual improvement.

•   Assurance process integration Organizations typically operate one or more separate assurance processes in silos that are not integrated. An effective strategy would work to break down these silos and consolidate assurance processes to reduce hidden risks.

All of these should be developed in a way that makes them measurable. The metrics for a privacy program should include these objectives.

Risk Objectives

A vital part of strategy development is the determination of desired risk levels. One of the inputs to strategy development is the understanding of the current level of risk, and the desired future state may also have a level of risk associated with it.

It is quite difficult to quantify risk, even for the most mature organizations. Rating risk on a coarse “high-medium-low” scale is simpler, though less precise, and is still difficult to do consistently across an organization. In specific instances, the costs of individual controls can be known and the costs of theoretical losses can be estimated, but doing this across an entire risk-control framework is tedious and uncertain, because the probabilities of occurrence for threat events amount to little more than guesswork.

NOTE    A key part of a security or privacy strategy may well be the reduction of risk (it could also be cost reduction or compliance improvement). When this is the case, the strategist will need to employ a method for determining before-and-after risk levels that are reasonable and credible. For the sake of consistency, a better approach would be the use of a methodology—however specific or general—that fits with other strategies and discussions involving risk.

Strategy Resources

A strategy describes the process by which goals and objectives are to be met. Before an organization can develop a privacy and security strategy, it must first understand what privacy and security measures are currently in place. Existing resources paint a picture of an organization’s current capabilities, including policies, procedures, behaviors, skills, practices, and posture. The gap between the current state and future state can then be filled via tasks and projects involving technologies, skills, policies, and practices.

Two types of inputs must be considered: those that will influence the development of strategic objectives and those that define the current state of privacy and security programs and their protective controls. The following inputs must be considered before objectives are developed:

•   Risk assessments

•   Threat assessments

When suitable risk and threat assessments have been completed, a privacy or security strategist can then develop strategic objectives; or, if objectives have already been created, the strategist can determine whether these strategic objectives will satisfactorily address risks and threats identified in those assessments.

Privacy and security strategists can examine several other inputs to help them understand the workings of the current privacy and security program. Many of these activities are more security-centric than privacy-centric, because a successful privacy program requires an effective security program as a foundation. These activities include the following:

•   Program charter The organization may have a privacy program charter that defines strategy, roles and responsibilities, objectives, and other matters.

•   Risk assessment A risk assessment can reveal privacy and security risks present in the organization, and it helps the strategist understand threat scenarios and their estimated impacts and frequency of occurrence. Risk assessment results provide the strategist with valuable information about the types of resources required to bring risks down to acceptable levels. This is vital for developing and validating strategic objectives.

•   Threat assessment A threat assessment offers information about the types of threats most likely to have an impact on the organization. It provides an additional perspective on risk, because the assessment focuses on external threats and threat scenarios, regardless of the presence or effectiveness of preventive or detective controls.

NOTE     A threat assessment is an essential element of strategy development. Without a threat assessment, strategic objectives may fail to address important threats, which would result in a privacy or security strategy that would not adequately protect the organization.

•   Vulnerability assessment A vulnerability assessment helps the strategist better understand the current privacy and security postures of the organization’s processes and infrastructure. The vulnerability assessment may target personnel, business processes, network devices, appliances, operating systems, subsystems such as web servers and database management systems, and applications—or any suitable combination thereof.

•   Maturity assessment A maturity assessment provides valuable information about the maturity of business processes so that the strategist will better understand whether processes are orderly, organized, consistent, measured, examined, and periodically improved.

•   Audits Internal and external audits can tell the strategist quite a bit about the state of the organization’s privacy and security programs. A careful examination of audit findings can potentially provide significant details on regulatory compliance, control effectiveness, vulnerabilities, disaster preparedness, or other aspects of the program—depending on the objectives of those audits.

NOTE    The topic of audits is discussed in considerable detail in CISA Certified Information Systems Auditor All-In-One Exam Guide.

•   Policies An organization’s privacy and security policies, as well as its practices with regard to these policies, may say a great deal about the state it intends to be in and how far actual practice departs from it. Privacy and security policies can be thought of as an organization’s internal laws and regulations with regard to the protection and proper use of personal information and other assets. Examining current privacy and security policies can reveal a lot about what behaviors are required in the organization. Assessments, discussed earlier in this list, help a strategist understand the organization’s compliance with its policies.

NOTE    Many organizations align the structure of their privacy and security policies with the privacy and security control frameworks they have adopted.

•   Standards Privacy and security standards describe, in detail, the methods, techniques, technologies, specifications, brands, and configurations to be used throughout the organization. As with privacy and security policies, privacy and security managers must understand the breadth of coverage, strictness, compliance, and last review and update of the organization’s standards. These all indicate the extent to which an organization’s privacy and security standards are used—if at all.

•   Guidelines The very presence of current and actionable guidelines may signal a higher than average maturity level. Most organizations don’t get any further than creating policies and standards, so the presence of proper guidelines means that the organization may have (or had, in the past) sufficient resources or prioritization to make documenting guidance on policies important enough to undertake. By their very nature, guidelines are typically written for personnel who need assistance on compliance with policies and standards.

•   Processes and procedures An organization’s processes and procedures may speak volumes about its level of discipline, consistency, risk tolerance, and the maturity of not only its privacy and security programs but also of IT and the business in general. Like other types of documents discussed in this section, the relevance, accuracy, and thoroughness of process and procedure documents are indicators of maturity and commitment to robust privacy and security programs. Strategists need to confirm whether processes and procedures are actually followed, or if they are merely written artifacts.

•   Architecture An organization’s documentation of systems, networks, data flows, and other aspects of its environment gives privacy and security strategists much useful information about how the organization has implemented its information systems and the business processes supported by the organization. Documentation in the form of architecture diagrams is as important as written policies, standards, guidelines, and other artifacts. The strategist needs to determine whether the organization’s architecture supports the organization’s goals, objectives, and operations.

•   Controls The strategist should look for artifacts and interview personnel to determine whether specific controls are in place. The presence of documentation alone may not indicate whether controls are being utilized or whether documentation is just more shelfware. Interviewing personnel and observing controls in action are better ways to determine whether controls are in use. Internal and external audits also help the strategist understand the controls’ effectiveness. A strategist will also need to understand whether the controls in place are drawn from a control framework such as ISO/IEC 27701, ISO/IEC 27001, NIST SP 800-53, or CIS CSC (Center for Internet Security Critical Security Controls), or are mandated by a law or industry standard such as GLBA, HIPAA, or PCI DSS (Payment Card Industry Data Security Standard).

•   Skills and knowledge An inventory of skills gives the strategist an idea of what staff members are able to accomplish. Understanding skills at all levels helps the strategist understand the types of work that the current staff is able to perform, where minor skills gaps exist, and where the strategist may recommend additional staff through hiring, contracting, or professional services. A key consideration to keep in mind is the potential for a major shift in practices and technologies. A good example is if the organization has been “playing it loose” with personal information and has not yet adopted data governance and data management practices that are required in modern privacy programs. If the staff lacks knowledge about these practices, the organization will struggle to put them in place to comply with applicable privacy regulations.

•   Metrics Properly established metrics will serve as a guide for the long-term effectiveness of privacy and security controls and processes. Evaluating metrics helps the strategist understand what works well and where improvement opportunities reside. The strategist can then design end states with more certainty and confidence.

•   Assets The strategist needs to determine whether the organization has sufficient formal asset management practices and records to keep track of its hardware (including virtual machines and other virtual assets), software, and data. Asset management is a key activity for both privacy and security programs—there’s a saying often used among information security professionals: “You cannot protect what you do not know about.”

•   Risk ledger The presence of a risk ledger can give the strategist a great deal of insight into risk management and risk analysis activities in the organization. Depending on the detail available in the risk ledger, a strategist may be able to discern the scope, frequency, quality, and maturity of risk assessments; the presence of a risk management and risk treatment process; and whether records of incidents exist.

•   Risk treatment decision records When available, risk treatment records reveal what issues warranted attention, discussion, and decisions. Coupled with the risk ledger, this information can provide a record of issues tackled by the organization’s risk management process.

•   Insurance The privacy or security strategist may want to know whether the organization has cybersecurity insurance or any general insurance policy that covers some types of cyber events and incidents. As important as having cyber insurance is, equally important is the reason the organization purchased it, such as compliance requirements, customer requirements, prior incidents, or a risk treatment decision. It is vitally important to understand the terms of any cyber-insurance policy. Though the amounts of benefits are important, the most important aspects of a cyber-insurance policy are its terms, conditions, and exclusions.

•   Data management practices The strategist needs to understand whether the organization implements formal data management practices, including but not limited to a data classification policy, an internal privacy policy, and any tooling that exists (such as data loss prevention [DLP] in its many forms) to provide visibility and control over the movement and use of personal information and other sensitive data.

•   Critical data Privacy and security strategists need to understand the nature and use of an organization’s critical data. It’s important to understand the term “critical.” There are at least three common uses of the term when associated with data: critical operational data, highly sensitive (including personal information) data, and critical market data (including intellectual property and other competitive data).

•   Critical systems Aside from critical data, organizations have systems that are critical to the operation of business processes and of other systems. They may not store critical data, but their cessation can still bring the organization to a halt.

•   Business impact analysis A business impact analysis (BIA) identifies an organization’s business processes, the interdependencies between processes, the resources required for process operation, and the impact on the organization if any business process is incapacitated for a time for any reason. Although a BIA is usually performed for business continuity purposes, it is also useful to privacy and security professionals, because it gives the strategist a better idea of which business processes and systems warrant the greatest protection.

NOTE    The presence of a recent BIA provides a strong indication of the organization’s maturity through its intention to protect its most critical processes from disaster scenarios. Correspondingly, the absence of a BIA suggests that the organization does not consider business continuity and disaster recovery (BCDR) strategically important.

•   Privacy and security incident logs Privacy and security incident logs provide the strategist with a history of privacy and security incidents that have occurred in the organization. Depending on the information captured in the incident logs, the strategist may be able to discern the maturity of the organization’s privacy and security programs, especially its incident response program. The lack of incident logs is a good indicator of the lack of an incident response process.

•   Outsourced services The degree to which an organization has outsourced its business applications to the cloud is not the concerning matter. Instead, what’s important is the amount of due care exercised in the process of outsourcing—namely, whether a formal third-party risk management (TPRM) program is in place.

•   Culture The culture of an organization can tell the strategist a lot about the state of privacy and security. Many people mistakenly believe that privacy and information security are all about the technology. Although technology is part of privacy and security, people are the most important aspect of a privacy and security program. No amount of technology can adequately compensate for an employee’s incorrect attitude and understanding about protecting an organization’s information assets or about mishandling of personal information. People are absolutely key.

CAUTION    When considering an organization’s culture, the strategist needs to rely more upon the organization’s actual operations rather than its statements of culture and values. The actual organizational culture may not align with the organization’s claims.

•   Maturity The characteristics of privacy and security management programs discussed in this list all contribute to the overall maturity of the organization’s program. By itself, the maturity level of the program doesn’t tell the strategist anything about the program’s details. The strategist’s observations of the overall program will provide a visceral feeling for its overall maturity.

•   Risk appetite Undocumented in most organizations, risk appetite can be discerned through the record of risk treatment decisions and observation of an organization’s executive culture. Even then, however, the attitude and culture of risk appetite may differ from an organization’s actual practices.

Privacy Program Strategy Development

After performing risk and threat assessments and carefully reviewing the state of privacy and security programs through the examination of artifacts, the strategist can develop strategic objectives. Generally speaking, strategic objectives will fall into one or more of these categories:

•   Improvements in data management processes

•   Improvements in protective controls

•   Improvements in incident visibility and response

•   Reductions in risk, including compliance risk

•   Reductions in cost

•   Increased resiliency of key business systems

These categories all contribute to strategic improvements in an organization’s privacy and security programs. Depending on the current and desired future state of privacy and security, objectives may represent large projects or groups of projects implemented over several years to develop broad new capabilities, or they may be smaller projects focused on improving existing capabilities.

Here are some examples of broad, sweeping objectives for developing new privacy and security capabilities:

•   Define and implement a data loss prevention (DLP) system to provide visibility and control over the movement of personal information.

•   Define and implement a security information and event management (SIEM) system to provide visibility into privacy, security, and operational events.

•   Define and implement a privacy incident response program.

•   Define and implement a security awareness learning program.

Here are examples of objectives for improving existing capabilities:

•   Integrate vulnerability management and GRC systems.

•   Link privacy awareness and access management programs so that staff members must successfully complete privacy awareness training to retain access to systems containing personal information.
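The second objective above, tying retention of access to current privacy training, is easy to state and easy to get wrong in enforcement: users with no training record at all, new hires who have not yet had a chance to complete it, and users whose training is about to lapse all need different handling. The following Python is an added example written for this edition, not code from the original text or from any identity or learning product. It is the decision logic a scheduled job could run against the identity system, given each user's entitlements, most recent training completion and hire date. The system names, the one-year validity period, the 30-day warning window, the 30-day new-hire grace period and the sample records are all assumptions constructed for the example.

```python
from datetime import date, timedelta

# Policy parameters (assumptions for this example, not from the text):
TRAINING_VALID_DAYS = 365   # privacy awareness training must be refreshed annually
WARN_DAYS = 30              # warn this many days before training expires
NEW_HIRE_GRACE_DAYS = 30    # new hires may hold access this long before completing training

# Hypothetical names of systems that hold personal information.
PI_SYSTEMS = {"crm", "hr-payroll", "marketing-dw"}


def evaluate_access(entitlements, training, hire_dates, today,
                    valid_days=TRAINING_VALID_DAYS, warn_days=WARN_DAYS,
                    grace_days=NEW_HIRE_GRACE_DAYS):
    """Decide, per user holding PI-system access, whether that access is kept.

    entitlements: {user: set of systems the user can access}
    training:     {user: date of most recent completed privacy training}
    hire_dates:   {user: hire date}, used only for the new-hire grace period
    Returns {user: (action, detail)} with action in {"keep", "warn", "revoke"}.
    Users with no access to any PI system are not evaluated at all.
    """
    decisions = {}
    for user, systems in entitlements.items():
        pi_access = sorted(s for s in systems if s in PI_SYSTEMS)
        if not pi_access:
            continue
        completed = training.get(user)
        if completed is None:
            # No record at all: allow a grace period for recent hires, otherwise revoke.
            hired = hire_dates.get(user)
            if hired is not None and (today - hired).days <= grace_days:
                grace_end = hired + timedelta(days=grace_days)
                decisions[user] = ("warn", f"new hire without training; grace ends {grace_end}")
            else:
                decisions[user] = ("revoke", f"no training record; remove {pi_access}")
            continue
        expires = completed + timedelta(days=valid_days)
        if today > expires:
            decisions[user] = ("revoke", f"training expired {expires}; remove {pi_access}")
        elif (expires - today).days <= warn_days:
            decisions[user] = ("warn", f"training expires {expires}")
        else:
            decisions[user] = ("keep", f"training valid until {expires}")
    return decisions


# Constructed sample data for the example (not real records).
SAMPLE_ENTITLEMENTS = {
    "alice": {"crm", "wiki"},
    "bob":   {"hr-payroll"},
    "carol": {"marketing-dw", "crm"},
    "dave":  {"crm"},
    "erin":  {"crm"},
    "frank": {"wiki"},          # no PI-system access, so not evaluated
}
SAMPLE_TRAINING = {
    "alice": date(2023, 9, 15),
    "bob":   date(2023, 5, 20),
    "carol": date(2023, 6, 20),
}
SAMPLE_HIRES = {
    "dave": date(2024, 5, 15),  # recent hire, inside the grace period
    "erin": date(2024, 1, 10),  # well past the grace period, never trained
}
AS_OF = date(2024, 6, 1)


def sample_decisions():
    return evaluate_access(SAMPLE_ENTITLEMENTS, SAMPLE_TRAINING, SAMPLE_HIRES, AS_OF)


if __name__ == "__main__":
    for user, (action, detail) in sorted(sample_decisions().items()):
        print(f"{user:6} {action:6} {detail}")
```

The check deliberately scopes itself to systems that hold personal information; tying all access to privacy training would be out of proportion to the risk, which is the resource-optimization point made earlier in the chapter. The "warn" state is what makes the linkage workable in practice: revocation without advance notice generates helpdesk load and exceptions, and exceptions are how such controls quietly stop being enforced.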

Once one or more objectives have been identified, the strategist will undertake several activities that are required to meet the objectives. These activities are explained in the remainder of this section.

NOTE    The strategist must consider many inputs before developing objectives and strategies to achieve them. These inputs serve a critical purpose: to help the strategist understand the organization’s current state. The journey to developing and achieving a strategy is not possible without understanding the journey’s starting point. These are discussed in the previous section, “Strategy Resources.”

Gap Analysis

In developing privacy and security strategies and objectives, privacy and security professionals may often spend too much time focusing on the end goals and not enough time on the current state of the organization’s privacy and security program. Without having sufficient knowledge of the current state, the strategist will find that accomplishing objectives will be more difficult and achieving success will be less certain.

A gap analysis helps the strategist understand missing capabilities and augment existing capabilities to achieve the desired end state. When performing a gap analysis, the strategist examines the present condition of processes, technologies, and people. The analysis focuses on several aspects of a privacy or security program, including one or more of the items discussed earlier in the “Strategy Resources” section.

When examining all of this and other information about an organization’s privacy and security programs, the strategist should bring the appropriate measure of skepticism. There is much to know about what information is found, but the absence of information may speak volumes as well. Here are some considerations:

•   Absence of evidence is not evidence of absence This time-honored adage applies to artifacts in any program. For instance, a sparse or nonexistent incident log may be an indication of several things: the organization may not have the required visibility to know when an incident has taken place, the organization’s staff may not be trained in the recognition of incidents, or the organization may be watching only for “black swan” events and may be missing commonplace incidents.

•   Freshness, usefulness, and window dressing When it comes to policy, process, and procedure documentation, it is important to find out whether documents are created for appearances only (in which case they may be well-kept secrets except by their owners) or whether they are widely known and utilized. A look at these documents’ revision histories tells part of the story, while interviewing the right personnel completes the picture by revealing how well the documents’ existence is made known and whether they are really used.

•   Scope, turf, and politics In larger organizations, privacy and security managers need to understand current and historical practices with regard to roles and responsibilities for privacy, security, and related activities. For example, records for a global security program may reflect only what is occurring in the Americas, even though there may be nothing found in writing to the contrary.

•   Reading between the lines Depending upon the organization’s culture and the ethics of current or prior privacy and security personnel, records may not accurately reflect goings-on in the program. In other words, there may be overemphasis, underemphasis, distortions, or simply “look-the-other-way” situations that may result in records being incomplete.

•   Off the books For various reasons, certain activities and proceedings in a privacy or security program may not be documented. For example, certain incidents may conveniently not be present in the incident log—otherwise, external auditors might catch the scent and go on a foxhunt, causing all manner of unpleasantries.

•   Regulatory requirements When examining each aspect of a privacy or security program, the program manager needs to ask one important question: Is that activity included because it is required by regulations (with hell and fury from regulators if absent) or because the organization is managing risk and attempting to reduce the probability and/or impact of potential threats?

A common approach to determining the future state in a gap analysis is to determine the current maturity of a process or technology and compare that to the desired maturity level. Maturity levels are discussed in the “Capability Maturity Models” section later in this chapter.

Strengths, Weaknesses, Opportunities, and Threats Analysis

Strengths, weaknesses, opportunities, and threats (SWOT) analysis is a tool used in support of strategic planning. SWOT involves introspective analysis, where the strategist asks questions about the four components of the object of study:

•   Strengths What characteristics of the business give it an advantage over other businesses?

•   Weaknesses What characteristics of the business put it at a disadvantage?

•   Opportunities What elements in the environment could the business use to its advantage?

•   Threats What elements in the environment threaten to harm the business?

SWOT analysis involves the use of a matrix of the four elements, shown in Figure 1-2.

Figure 1-2 A SWOT matrix with its four components (Courtesy of Xhienne)

Capability Maturity Models

The capability maturity model concept has been around for many years. One of the most significant developments for privacy and security practitioners was made by the Software Engineering Institute (SEI) at Carnegie Mellon University with its development of the Capability Maturity Model Integration (CMMI). The CMMI was developed in 2002 as an enhancement to a previous Capability Maturity Model framework and is now maintained by the CMMI Institute, a subsidiary of ISACA. The CMMI continues to be expanded and has multiple areas of focus such as product and service development, service delivery, and data management. Although the CMMI is perhaps the most broadly referenced maturity model, maturity models in other technology disciplines have also been developed, such as the Systems Security Engineering Capability Maturity Model (SSE-CMM) developed by the International Systems Security Engineering Association (ISSEA) and the ITIL Maturity Model, now maintained by AXELOS.

Maturity models provide a standardized method for defining practices and improving capabilities of a process. The CMMI describes the formality and performance of a process using five levels of maturity, preceded by a level 0 for processes that are not yet in place:

•   Level 0: Incomplete This represents a process that is not performed, or is only partially performed. Some CMMI illustrations do not show Level 0.

•   Level 1: Initial This represents a process that is ad hoc, inconsistent, unmeasured, and unrepeatable.

•   Level 2: Managed This represents a process that is performed consistently and with the same outcome. It may or may not be well-documented.

•   Level 3: Defined This represents a process that is well-defined and well-documented and the capability is more proactive rather than reactive.

•   Level 4: Quantitatively Managed This represents a quantitatively measured process with one or more metrics.

•   Level 5: Optimizing This represents a measured process that is under continuous improvement.

Not all strategists are familiar with maturity models. Strategists unaccustomed to capability maturity models need to understand two important characteristics of the models and how they are used:

•   Level 5 is not the ultimate objective. Most organizations’ average maturity level targets range from 2.5 to 3.5. There are few organizations whose mission justifies level 5 maturity. The cost of developing a level 5 process or control is often prohibitive and out of alignment with risks.

•   Each control or process may have its own maturity level. It is neither common nor prudent to assign a single maturity level target for all controls and processes. Instead, organizations with skilled strategists can determine the appropriate level of maturity for each control and process. They need not all be the same. Instead, it is more appropriate to use a threat-based or risk-based model to determine an appropriate level of maturity for each control and process. Some will be 2, some will be 3, some will be 4, and a few may even be 5.

TIP    The common use of capability maturity models is the determination of the current maturity of a process, together with analysis, to determine the desired maturity level process by process and technology by technology.
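The per-control targets described above feed the gap analysis, and the gap analysis feeds the roadmap discussed in the next section. The following Python is an added example, not part of the original text, showing one way to carry a maturity assessment through to a prioritized, phased plan: each control gets its own target level, the gap is weighted by the risk the control treats and discounted by the effort to raise it, and the resulting list is cut into phases by effort capacity. The risk and effort scales, the priority formula, the phase capacity and every assessment value are assumptions chosen for illustration; none of it is real assessment data.

```python
from dataclasses import dataclass

# CMMI-style maturity levels as listed in the text.
LEVELS = {0: "Incomplete", 1: "Initial", 2: "Managed", 3: "Defined",
          4: "Quantitatively Managed", 5: "Optimizing"}


@dataclass(frozen=True)
class ControlAssessment:
    control: str   # control or process being assessed
    current: int   # assessed maturity level, 0-5
    target: int    # risk-based target maturity, set per control (need not be uniform)
    risk: int      # assumption: 1 (low) to 5 (high), the risk this control treats
    effort: int    # assumption: relative cost of raising maturity by one level


def validate(a: ControlAssessment) -> None:
    """Reject assessments with levels outside the model or non-positive weights."""
    if a.current not in LEVELS or a.target not in LEVELS:
        raise ValueError(f"{a.control}: maturity levels must be 0-5")
    if not (1 <= a.risk <= 5) or a.effort < 1:
        raise ValueError(f"{a.control}: risk must be 1-5 and effort >= 1")


def gap_analysis(assessments):
    """Return one row per control, sorted by priority (highest first).

    gap   = levels still to be gained (never negative)
    work  = gap * effort, the total relative cost to close the gap
    score = gap * risk / effort, so high-risk, cheap improvements rank first
    above_target flags controls that are more mature than they need to be,
    which is a cost signal, not an achievement, as the text points out.
    """
    rows = []
    for a in assessments:
        validate(a)
        gap = max(a.target - a.current, 0)
        rows.append({
            "control": a.control,
            "current": f"{a.current} ({LEVELS[a.current]})",
            "target": f"{a.target} ({LEVELS[a.target]})",
            "gap": gap,
            "work": gap * a.effort,
            "score": gap * a.risk / a.effort,
            "above_target": a.current > a.target,
        })
    rows.sort(key=lambda r: (-r["score"], r["control"]))
    return rows


def roadmap_phases(rows, capacity):
    """Group prioritized gaps into sequential phases.

    Rows are taken in priority order; a new phase starts whenever adding the
    next item would exceed the phase's effort capacity. Items with no gap are
    not scheduled. A single item larger than the capacity gets its own phase.
    """
    phases, current, used = [], [], 0
    for r in rows:
        if r["gap"] == 0:
            continue
        if current and used + r["work"] > capacity:
            phases.append(current)
            current, used = [], 0
        current.append(r["control"])
        used += r["work"]
    if current:
        phases.append(current)
    return phases


def average_target(assessments):
    """Mean target maturity, a sanity check against the 2.5 to 3.5 range the text cites."""
    return sum(a.target for a in assessments) / len(assessments)


# Constructed sample assessment (illustrative values, not real data).
SAMPLE = [
    ControlAssessment("Privacy incident response", 1, 3, 5, 1),
    ControlAssessment("Data classification", 1, 3, 5, 2),
    ControlAssessment("DLP monitoring", 0, 2, 4, 3),
    ControlAssessment("Vulnerability management", 2, 4, 3, 2),
    ControlAssessment("Access reviews", 3, 3, 3, 2),
    ControlAssessment("Physical security", 4, 3, 2, 2),
]


def sample_rows():
    return gap_analysis(SAMPLE)


def sample_phases(capacity=6):
    return roadmap_phases(sample_rows(), capacity)


if __name__ == "__main__":
    for r in sample_rows():
        flag = "  (above target)" if r["above_target"] else ""
        print(f'{r["control"]:26} {r["current"]:26} -> {r["target"]:26} '
              f'gap={r["gap"]} work={r["work"]} score={r["score"]:.2f}{flag}')
    print("phases:", sample_phases())
    print(f"average target maturity: {average_target(SAMPLE):.2f}")
```

The ranking formula is the simplest thing that encodes the chapter's advice: close the gaps that treat the most risk for the least cost first, and do not spend on controls that already exceed their target. In practice the risk weight would come from the risk assessment described under “Strategy Resources,” and the phase capacity from the budget and staffing discussion that follows in the business case.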

Roadmap Development

Once strategic objectives, risk and threat assessments, and gap analyses have been completed, the strategist can begin to develop roadmaps to accomplish each objective. A roadmap is a list of steps required to achieve a strategic objective. The term roadmap is an appropriate metaphor because it represents a journey that, in the details, may not always appear to be contributing to the objective. But in a well-designed roadmap, each task and each project gets the organization closer to the objective.

A roadmap is just a plan, but the term is often used to describe the steps required by an organization to undertake and accomplish a long-term, complex, and strategic objective. Often a roadmap is thought of as a series of projects—some running sequentially, others concurrently—that an organization uses to transform its processes and technology to achieve the objective.

Figure 1-3 depicts a roadmap for an 18-month identity and access management project.

Figure 1-3 Sample roadmap for identity and access management initiative (Courtesy Hi-Tech Security Solutions magazine)

A roadmap should be a top-down endeavor, following the usual hierarchy of control of an organization’s operations. The roadmap may contain one or more of the following elements:

•   Policy development Sweeping changes in organization practices around data protection and data management will probably require policy changes to codify expected behaviors and system characteristics. While not generally required in most industries, structuring the organization’s security policy around one or more relevant standards or frameworks is nonetheless a common practice. Privacy controls may be adopted from ISO/IEC 27701 or the NIST Privacy Framework.

NOTE    ISO/IEC 27701 is an excellent guide for implementation of a Privacy Information Management System (PIMS) that includes not only controls but also governance and high-level processes.

Common standards and frameworks used as a structure for security policy include NIST CSF (Cybersecurity Framework), NIST SP 800-53, ISO/IEC 27001, HIPAA/HITECH (Health Information Technology for Economic and Clinical Health Act), PCI DSS, and CIS CSC.

•   Controls development The strategist may need to enact one or more controls in specific business processes to ensure desired outcomes related to data management and data protection. Generally, controls are developed (and retired) as a result of a risk assessment, and this may be the case when developing a privacy program strategy.

EXAM TIP    CIPM candidates are not expected to memorize the contents of control frameworks for the exam but are expected to understand their purposes and uses.

•   Standards development Changes in policies, controls, or underlying technologies may necessitate that one or more standards be developed or updated. Though standards are often developed with regard to topics such as passwords and encryption, privacy-related standards can be developed on topics such as aggregation and de-identification.

•   Processes and procedures Often, the purpose of a new privacy or security strategy is an increase in the maturity of privacy- or security-related technologies and activities in an organization. And because many organizations’ privacy and security maturity levels are low, often this means that many important tasks are poorly documented or not documented at all. The desired increase in maturity may compel an organization to identify undocumented processes and procedures and assign staff to document them.


EXAM TIP    The CIPM exam requires that candidates understand the structure and uses of policies, standards, guidelines, and procedures.

•   Roles and responsibilities When the strategy involves changes in technologies or processes (as it usually does), this may, in turn, affect the roles and responsibilities of privacy and security personnel, IT workers, and perhaps other staff. When business processes are added or changed, the roles and responsibilities of personnel often need to change as well. There may also be new positions, requiring the development of charter documents and job descriptions.

•   Training and awareness Execution of a new privacy or security strategy often has a broad reach, impacting technology as well as policies, standards, processes, and procedures. This results in new information, in many forms and for several audiences, including general privacy and security awareness, updated policies and procedures, and new information systems.

Developing a Business Case

Many organizations require the development of a business case prior to approving significant expenditures on privacy or security initiatives. A business case is a written statement that describes the initiative and describes its business benefits. Following are the typical elements included in a business case:

•   Problem statement This is a description of the business condition or situation that the initiative is designed to solve. The condition may be a matter of compliance, a finding in a risk assessment, or a capability required by a customer, partner, supplier, or regulator.

•   Current state This is a description of the existing conditions related to the initiative.

•   Desired state This is a description of the future state of the relevant systems, processes, or staff.

•   Success criteria These are the defined items that the program will be measured against.

•   Requirements These are required characteristics and components of the solution that will remedy the current state and bring about the desired future state.

•   Approach This is a description of the proposed steps that will result in the desired future state. This may include alternative approaches that were considered, with reasons why they were not selected. If the initiative requires the purchase of products or professional services, business cases may include proposals from vendors. Alternatively, the business case may include a request for proposal (RFP) or request for information (RFI) that will be sent to selected vendors for additional information.

•   Plan This will include costs, timelines, milestones, vendors, and staff associated with the initiative.

Mature organizations utilize an executive steering committee that evaluates business cases for proposed initiatives and makes go/no-go decisions for initiatives. Business cases are often presented to a steering committee in the form of an interactive discussion, providing business leaders with the opportunity to ask questions and propose alternative approaches.

Business cases should include the following characteristics:

•   Alignment with the organization The business case should align with the organization’s goals and objectives, risk appetite, and culture.

•   Alignment with regulations A business case should cite and align with applicable privacy and data protection regulations.

•   Statements in business terms Problem statements, current state, and future state descriptions should all be expressed in business terms.

Establishing Communications and Reporting

Effective communications and reporting are critical elements of successful privacy and security programs. Because success depends mainly on people, in the absence of effective communications they won’t have the information required to make good privacy- and security-related decisions. Decisions made without regard for privacy or information security may result in the emergence of unacceptable risks and even harmful incidents.

These are common forms of communications and reporting that are related to privacy and information security:

•   Board of director meetings Discussions of strategies, objectives, risks, incidents, and industry developments keep board members informed about privacy and security in the organization and elsewhere.

•   Governance and steering committee meetings Discussions of privacy and security strategies, objectives, assessments, risks, incidents, and developments guide decision-makers as they discuss strategies, objectives, projects, and operations.

•   Privacy and security awareness Periodic communications to all personnel help keep them informed on changes in privacy and security policies and standards, good privacy and security practices, and risks they may encounter such as phishing and social-engineering attacks.

•   Privacy and security advisories Communications on potential threats help keep affected personnel aware of developments that may require them to take steps to protect the organization from harm.

•   Privacy and security incidents Communications internally as well as with external parties during an incident keep incident responders and other parties informed. Organizations typically develop privacy and security incident plans and playbooks in advance, which include business rules on internal communications as well as with outside parties, including customers, regulators, and law enforcement.

•   Metrics Key metrics are reported upward in an organization, keeping management, executives, and board members informed as to the effectiveness and progress in the organization’s privacy and security programs.

As the organization builds or expands a privacy or security program, it’s best to utilize existing communications channels and add relevant privacy and security content to those channels, as opposed to building new, parallel channels. Effective privacy and security programs make the best use of existing processes, channels, and methods in an organization.

Obtaining Management Commitment

The execution of a privacy or security strategy requires management commitment. Without that commitment, the strategist will be unable to obtain funding and other resources to implement the strategy.

Getting management commitment is not always a straightforward endeavor. Often, executives and board members are unaware of their fiduciary responsibilities as well as the potency of modern threats and related incidents. Management in many organizations mistakenly believes that they are unlikely targets of hackers and cybercriminal organizations because their companies are small or uninteresting. Further, the common perception of executives and senior managers is that privacy and security tactical problems are solved with “firewalls and antivirus software” and that privacy and information security are in no way related to business issues and business strategy.

If top management lacks a strategic understanding about privacy and security, a privacy or security strategist will need to embark on efforts to inform executives on one or more aspects of modern privacy or information security management. When success is elusive, it may be necessary to bring in outside experts to convince executives that the privacy or security manager is not attempting to build a kingdom, but is instead trying to build a basic program to keep the organization out of trouble. As part of developing an effective communication approach, the strategist should not use fear, uncertainty, or doubt in an attempt to move the leadership team toward adopting the strategy. The better approach, as noted in this section, is to relate it to the leadership team in business terms and opportunities to improve business functions.

Strategy Constraints

Although the development of a new strategy may bring hope and optimism to the privacy or security team, there is no guarantee that changes in an organization can be implemented without friction and even opposition. Instead, the privacy and security manager should anticipate and be prepared to maneuver around, over, or through many constraints and obstacles.

No privacy or security manager plans to fail. However, the failure to anticipate obstacles and constraints may result in the failure to execute even the best strategy. The presence of an excellent strategy, even with executive support, does not mean that obstacles and constraints will simply step out of the way. Instead, these issues represent the realities of human behavior, as well as structural and operational realities that may present challenges to the privacy and security manager and the organization as a whole. There is apt meaning to the phrase “the devil is in the details.”

Typical constraints, obstacles, and other issues include the following:

•   Basic resistance to change It is basic human nature to be suspicious of change, particularly when we as individuals have no control over it and have no say about it. Change is bad, or so we tend to think. “We’ve always done it this way” is a common refrain. Strategists need to consider methods of involving management and staff members in anticipated changes, such as town hall meetings, surveys, and cross-functional committees.

•   Culture Organizational culture can be thought of as the collective consciousness of all workers, regardless of rank. Privacy and security strategists should not expect to change the culture significantly but instead should work with the culture when developing and executing the privacy or security strategy.

•   Organizational structure The strategist must understand the organization’s command-and-control structure, which is often reflected by the organizational chart. However, there may be an undocumented aspect of the org chart, which is actually more important: this indicates who is responsible for what activities, functions, and assets.

•   Staff capabilities A strategy cannot be expected to succeed if the new or changed capabilities do not align with what staff members are able to do. A gap analysis to understand the present state of the organization’s privacy or security program (discussed earlier in this chapter) needs to consider staff knowledge, skills, and capabilities. Where gaps are found, the strategy needs to include training or other activities to impart the necessary skills and language to staff.


NOTE    When an organization lacks staff with specific knowledge about privacy or security techniques or tools, it may look to external resources to augment internal staff. The strategist needs to consider the costs and availability of these resources. Consultants and contractors in many skill areas are difficult to find; even larger firms may have backlogs of several months as a result.

•   Budget and cost The strategist must determine, with a high degree of precision, all of the hard and soft costs associated with each element of a strategy. Often, executive management will want to see alternative approaches; for example, if additional labor is required, the strategist may decide to determine the costs of hiring additional personnel versus the cost of retaining consultants or contractors.

•   Time Realistic project planning is needed so that everyone will know when project and strategy milestones will be completed. Project and strategy timelines must take into account all business circumstances, including peak period and holiday production freezes (where IT systems are maintained in a more stable state), and external events such as regulatory deadlines, audits, and other significant events that may impact schedules.

•   Legal and regulatory obligations An organization may include items in its strategy that represent business capabilities that are required for legal or regulatory reasons. The enactment of new privacy laws is specifically the subject of this book and represents considerable changes in practices in many organizations. The extraterritorial nature of some new privacy laws complicates this further.

•   Acceptable risk Initiatives in the privacy or security strategy need to align with executive management’s risk appetite. However, increased pressure from privacy regulations may also be impacting risk appetite and forcing organizations to build more structures and defenses than they would otherwise choose to do.

The Obstacle of Organizational Inertia

Every organization has a finite capacity to undergo change. This is a fact that is often overlooked by overly ambitious strategists who want to accomplish a great deal in too short a time. I have coined the term “organizational inertia” to represent an analogy to Newton’s laws of motion: an object either remains at rest or continues to move at a constant velocity, unless acted upon by a force. In an organization, this means that things will be done in the same way until some force requires the organization to change what is done or how things are done. The greater the amount of change that is needed, the greater the outside force required to implement the change.

The nature of organizational inertia, or its resistance to change, is threefold:

•   Operational people changing their processes and procedures

•   Learning curve

•   Human resistance to change

Structure the Privacy Team

As a privacy leader develops the organization’s privacy program strategy, the program will include various routine privacy operations that must be performed. The privacy leader will need to determine what positions will be required and what activities they will perform.

The privacy leader should consider whether any existing staff across the organization can take on some privacy responsibilities. For instance, the security operations team that monitors systems and networks for security events can be leveraged to also monitor data loss prevention (DLP) systems for possible file-handling violations—even though it may be privacy team members who investigate these matters. In another example, in-house legal counsel may be able to take on the responsibility for interpreting privacy regulations and advising personnel regarding compliance obligations. Finally, existing crisis communications capabilities can be used in the event of a privacy incident or breach.

This section discusses not only the roles solely dedicated to privacy, but also the privacy responsibilities of other positions in the organization. Privacy is not a wholly separate function in an organization; instead, many existing personnel, as well as executives, play key roles in an organization’s overall privacy program.

Roles

Privacy and information security governance are most effective when every person in the organization knows what is expected of them. More mature organizations develop formal roles and responsibilities that establish clear expectations for personnel with regard to their part in all matters related to the protection and proper use of systems and personal information.

In the context of organizational structure and behavior, a role is a description of normal activities that employees are obliged to perform as part of their employment. Roles are typically associated with a job title or position title, a label assigned to each person that designates his or her place in the organization. Organizations strive to adhere to more or less standard position titles so that other people in the organization, upon knowing someone’s position title, will have at least a general idea of a person’s role in the organization.

Typical roles include the following:

•   IT auditor

•   Systems engineer

•   Privacy analyst

•   Accounts receivable manager

•   Service desk technician

A position title also often consists of a person’s rank, which denotes a person’s seniority, placement within a command-and-control hierarchy, span of control, or any combination of these. Typical ranks include the following, in order of increasing seniority:

•   Supervisor

•   Manager

•   Senior manager

•   Director

•   Senior director

•   Executive director

•   Vice president

•   Senior vice president

•   Executive vice president

•   President

•   Chief executive officer

•   Member, board of directors

•   Chairman, board of directors

This should not be considered a complete listing of ranks. Larger organizations also include the modifiers “assistant” (as in assistant director), “general” (general manager), “associate” (a junior position), and “first” (first vice president).

A responsibility is a statement of outcomes that a person is expected to support. Like roles, responsibilities are typically documented in position descriptions and job descriptions. Typical responsibilities include the following:

•   Perform monthly corporate expense reconciliation.

•   Troubleshoot network faults and develop solutions.

•   Audit internal privacy controls and prepare exception reports.

In addition to specific responsibilities associated with individual position titles, organizations typically include general responsibilities in all position titles. Examples include the following:

•   Understand and conform to information security policy, data protection policy, harassment policy, and other policies.

•   Understand and conform to a code of ethics and behavior.

In the context of privacy and information security, an organization assigns roles and responsibilities to individuals and groups to meet the organization’s privacy and security strategies and objectives.

RACI Charts

Many organizations utilize Responsible-Accountable-Consulted-Informed (RACI) charts to denote key responsibilities in business processes, projects, tasks, and other activities. A RACI chart assigns levels of responsibility to individuals and groups. The development of a RACI chart helps personnel determine roles for various business activities. A typical RACI chart is shown in Table 1-1.


Table 1-1 Typical RACI Chart Defining Responsible Parties and Their Roles

The same RACI chart can also be depicted as a second example in Table 1-2. This RACI chart specifies the roles carried out by several parties in the user account access request process:


Table 1-2 Example RACI Chart for an Access Request Process

The meanings of the four roles in a RACI chart are as follows:

•   Responsible (R) The person or group that performs the actual work or task.

•   Accountable (A) The person who is ultimately answerable for complete, accurate, and timely execution of the work. This person often manages those in the Responsible role.

•   Consulted (C) One or more people or groups who are consulted for their opinions, experience, or insight. People in the Consulted role may be subject-matter experts for the work or task, or they may be owners, stewards, or custodians of an asset associated with the work or task. Communication with the Consulted role is two-way.

•   Informed (I) One or more people or groups who are informed by those in other roles. Depending on the process or task, the Informed role may be told of an activity before, during, or after completion. Communication with Informed is one-way.

Several considerations must be taken into account when assigning roles to individuals and groups in a RACI chart, including the following:

•   Skills Some or all individuals in a team assignment, as well as specifically named individuals, need to have the skills, training, and competence to carry out tasks as required.

•   Segregation of duties Critical tasks, such as the user account provisioning in the RACI chart, must be free of segregation-of-duties conflicts. This means that two or more individuals or groups are required to carry out a critical task, so that no single party can complete it alone. In this example, the requestor, approver, and provisioner roles cannot be assigned to the same person or group.

•   Conflict of interest Critical tasks must not be assigned to individuals or groups when such assignments will create conflicts of interest. For example, a user who is an approver cannot approve a request for his or her own access. In this case, a different person must approve the request—while also avoiding a segregation-of-duties conflict.

There are some variations of the RACI model, including PARIS (Participant, Accountable, Review Required, Input Required, Sign-off Required) and PACSI (Perform, Accountable, Control, Suggest, Informed).
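An added example (not from the book) that encodes the RACI rules and the segregation-of-duties and conflict-of-interest checks described above for the user account access request process; the chart, party names, and sample requests are constructed for illustration:

```python
"""Checks for a RACI chart and for individual access requests.

Added example; not from the book. It encodes the rules the text
gives for the user-account access request process: each task needs
at least one Responsible and exactly one Accountable party, the
requestor/approver/provisioner duties must not rest with one party
(segregation of duties), and an approver may not approve a request
for their own access (conflict of interest). All names and sample
data below are constructed.
"""
from dataclasses import dataclass
from itertools import combinations

VALID_ROLES = set("RACI")

# Constructed RACI chart: task -> {party: role letters from R, A, C, I}.
# "AR" means the party is both Accountable and Responsible.
ACCESS_REQUEST_RACI = {
    "Submit access request":   {"Requesting manager": "AR", "HR": "C", "User": "I"},
    "Approve access request":  {"Data owner": "AR", "Privacy office": "C"},
    "Provision access":        {"IT service desk": "R", "IT manager": "A", "User": "I"},
    "Review access quarterly": {"Data owner": "AR", "Internal audit": "I"},
}

# Tasks whose Responsible parties must be distinct from one another
# (the requestor, approver, and provisioner duties of the text).
SOD_CRITICAL_TASKS = ("Submit access request", "Approve access request", "Provision access")


def parties_with_role(chart, task, role):
    """Return the set of parties holding `role` (one letter) for `task`."""
    return {party for party, roles in chart[task].items() if role in roles}


def validate_chart(chart, critical_tasks=SOD_CRITICAL_TASKS):
    """Return a list of findings; an empty list means the chart passes."""
    findings = []
    for task, assignments in chart.items():
        for party, roles in assignments.items():
            unknown = set(roles) - VALID_ROLES
            if unknown:
                findings.append(f"{task}: {party} has unknown role letters {sorted(unknown)}")
        if not parties_with_role(chart, task, "R"):
            findings.append(f"{task}: no Responsible party")
        if len(parties_with_role(chart, task, "A")) != 1:
            findings.append(f"{task}: must have exactly one Accountable party")
    # Segregation of duties: no party may be Responsible for two critical tasks.
    for t1, t2 in combinations(critical_tasks, 2):
        shared = parties_with_role(chart, t1, "R") & parties_with_role(chart, t2, "R")
        for party in sorted(shared):
            findings.append(
                f"segregation of duties: {party} is Responsible for both '{t1}' and '{t2}'")
    return findings


@dataclass(frozen=True)
class AccessRequest:
    """One executed access request (constructed record shape)."""
    subject: str      # person who will receive the access
    requester: str    # person who submitted the request
    approver: str     # person who approved it
    provisioner: str  # person who performed the provisioning


def check_request(req: AccessRequest) -> list:
    """Instance-level checks: self-approval and one person in two duties."""
    findings = []
    if req.approver == req.subject:
        findings.append("conflict of interest: approver approved their own access")
    duties = {"requester": req.requester, "approver": req.approver,
              "provisioner": req.provisioner}
    for (d1, p1), (d2, p2) in combinations(duties.items(), 2):
        if p1 == p2:
            findings.append(f"segregation of duties: {p1} acted as both {d1} and {d2}")
    return findings


if __name__ == "__main__":
    print("chart findings:", validate_chart(ACCESS_REQUEST_RACI))
    # Constructed request in which the approver is also the beneficiary.
    bad = AccessRequest(subject="carol", requester="bob", approver="carol", provisioner="dave")
    print("request findings:", check_request(bad))
```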

Board of Directors

The board of directors is a body that oversees organizational activities. Depending on the type of organization, board members may be elected by shareholders or constituents, or they may be appointed. This role can be either paid or voluntary in nature.

Activities performed by the board of directors, as well as directors’ authority, are usually defined by a constitution, bylaws, or external regulation. The board of directors is typically accountable to the owners of the organization or, in the case of a government body, to the electorate or to another agency.

In many cases, board members have a fiduciary duty. This means they are accountable to shareholders or constituents to act in the best interests of the organization with no appearance of impropriety, conflict of interest, or ill-gotten profit.

In private industry, the board of directors is responsible for appointing a chief executive officer (CEO) and possibly other executives. The CEO, then, is accountable to the board of directors and carries out the board’s directives. Board members may also be selected for any of the following reasons:

•   Investor representation One or more board members may be appointed by significant investors to give them control over the organization’s strategy and direction.

•   Business experience Board members bring outside business management experience, which helps them develop successful business strategies for the organization.

•   Access to resources Board members bring business connections, including additional investors, business partners, suppliers, or customers.

Often, one or more board members will have business finance experience to bring financial management oversight to the organization. In the case of US public companies, the Sarbanes–Oxley Act requires board members to form an audit committee; one or more audit committee members are required to have financial management experience. External financial audits and internal audit activities are often accountable directly to the audit committee to perform direct oversight of the organization’s financial management activities. As the issues of privacy and information security become more prevalent in discussions at the executive level, some organizations have added a board member who is technically savvy or have formed an additional committee often referred to as the technology risk committee.

The board of directors is generally expected to require that the CEO and other executives implement a corporate governance function to ensure that executive management has an appropriate level of visibility and control over the operations of the organization. Executives are accountable to the board of directors to demonstrate that they are effectively carrying out the board’s strategies.

Many, if not most, organizations are highly dependent upon information technology for their daily operations. Many also process personal information for their workforce and often for their customers or constituents. As a result, privacy and information security are important topics to boards of directors. Today’s standard of due care for corporate boards requires that they include privacy and information security considerations in the strategies they develop and the oversight they exert on their organizations. In its publication, Cyber-Risk Oversight, the National Association of Corporate Directors (NACD) has developed five principles about the importance of information security:

•   Principle 1: Directors need to understand and approach cybersecurity as an enterprise-wide risk management issue, not just an IT issue.

•   Principle 2: Directors should understand the legal implications of cyber risks as they relate to their specific circumstances.

•   Principle 3: Boards should have adequate access to cybersecurity expertise, and discussions about cyber-risk management should be given regular and adequate time on board meeting agendas.

•   Principle 4: Boards should set the expectation that management will establish an enterprise-wide cyber-risk management framework with adequate staffing and budget.

•   Principle 5: Board management discussions about cyber risk should include identifying which risks to avoid, which to accept, and which to mitigate or transfer through insurance, as well as specific plans associated with each approach.

The wording of these information security principles makes them entirely relevant to the mission of protecting personal information and to its proper usage.

Executive Management

Executive management is responsible for carrying out directives issued by the board of directors. In the context of privacy and information security management, this includes ensuring that the organization has sufficient resources available to implement privacy and security programs and to develop and maintain controls to protect critical assets and personal information.

Executive management must ensure that priorities are balanced. In the case of IT, privacy, and security, these functions are usually tightly coupled but are sometimes in conflict. IT’s primary mission is the development and operation of business-enabling capabilities through the use of information systems. In contrast, the missions of privacy and information security include protection, compliance, and proper usage. Executive management must ensure that these sometimes-conflicting missions successfully coexist.

Following are some typical IT-, privacy-, and security-related executive position titles:

•   Chief information officer (CIO)

•   Chief technology officer (CTO)

•   Chief privacy officer (CPO) or data protection officer (DPO)

•   Chief information security officer (CISO)

To ensure the success of the organization’s privacy and information security programs, executive management should be involved in three key areas:

•   Ratification and enforcement of corporate privacy and security policies This may take different forms, such as formal minuted ratification in a governance meeting, a statement of the need for compliance along with a signature within the body of the privacy or security policy document, a separate memorandum to all personnel, or other visible communication to the organization’s rank and file that stresses the importance of and need for compliance with the organization’s privacy and information security policies.

•   Leadership by example Executive management should lead by example and not exhibit behavior suggesting they are “above” policy; that is, executives should not have the appearance of enjoying special privileges of a nature that suggests that one or more policies do not apply to them. Instead, their behavior should visibly support privacy and security policies that all personnel are expected to comply with.

•   Ultimate responsibility Executives are ultimately responsible for all actions carried out by the personnel who report to them. Executives are also ultimately responsible for all outcomes related to organizations to which operations have been outsourced.

Privacy and Security Steering Committees

Many organizations form a privacy and security steering committee consisting of stakeholders from many (if not all) of the organization’s business units, departments, functions, and key locations. Some organizations split privacy and security into separate committees, especially if there are differences in membership or focus.

A privacy or security steering committee may have a variety of responsibilities, including the following:

•   Risk treatment deliberation and recommendation The steering committee may discuss relevant risks and potential avenues of risk treatment, and may develop recommendations for said risk treatment for ratification by executive management.

•   Prioritization, discussion, and coordination of IT, privacy, and security projects The steering committee members may discuss various IT, privacy, and security projects to resolve any resource or scheduling conflicts. They may also address potential conflicts between multiple projects and initiatives and work out solutions.

•   Review of recent risk assessments The steering committee may discuss recent risk assessments to develop a shared understanding of their results, as well as discuss remediation of findings.

•   Discussion of new laws, regulations, and requirements The committee may discuss new laws, regulations, and requirements that may impose changes in the organization’s operations. Committee members can develop high-level strategies that their respective business units or departments can further build out.

•   Review of recent privacy and security incidents Steering committee members can discuss recent privacy and security incidents and their root causes. This often can result in changes in processes, procedures, or technologies to reduce the risk and impact of future incidents.

Reading between the lines, the primary mission of a steering committee is to identify and resolve conflicts and to maximize the effectiveness of privacy and security programs, as balanced among other business initiatives and priorities.

Business Process and Business System Owners

Business process and system owners are typically nontechnical personnel in management positions in an organization. While they may not be technology or compliance experts, in many organizations, their business processes are enhanced by IT in business applications and other capabilities. In the context of information privacy, the term “business system” includes databases containing personal information.

Remembering that IT, privacy, and information security functions serve the organization, and not the other way around, business process and business system owners are accountable for making business decisions that sometimes impact the use of IT, the use of personal information, the organization’s security posture, or any combination of these. A simple example is a decision on whether an individual employee should have access to specific personal information. While IT or security may have direct control over which personnel have access to what information, the best decision is a policy-backed business decision by the manager responsible for the information.

The responsibilities of business process and business system owners include the following:

•   Access grants Process owners decide whether individuals or groups should be given access to the system, as well as the level and type of access.

•   Access revocation Process owners should decide when individuals or groups no longer require access to a system, signaling the need to revoke that access.

•   Access reviews Process owners should periodically review access lists to determine whether each person and group should continue to have their access.

•   Subject inquiries and requests Process owners receive privacy-related inquiries from data subjects in the form of queries about personal data usage, corrections to personal data, opt-in and opt-out requests, requests to be removed, and complaints.

•   Configuration Process owners determine the configuration needed for systems and applications, ensuring their proper function and support of applications and business processes.

•   Function definition In the case of business applications and services, process owners determine which functions will be available, how they will work, and how they will support business processes. Typically, this definition is constrained by functional limitations within an application, a service, or a product.

•   Process definition Process owners determine the sequence, steps, roles, and actions carried out in their business processes.

•   Physical location Process owners determine the physical location of their systems. Factors influencing location choices include physical security, proximity to other systems, proximity to relevant personnel, and data protection and privacy laws.

Often, business and system owners are nontechnical personnel, so it may be necessary to translate business needs and applicable laws and regulations into technical specifications.

EXAM TIP    For the exam, do not confuse the terms business owner and system owner with persons who possess a majority of shares of the organization. Instead, these terms connote responsibility for business operations.

Custodial Responsibilities

In many organizations, system owners are not involved in the day-to-day activities related to the management of their systems, especially when those systems are applications and the data used by them. Instead, somebody (or several people) in the IT organization acts as a proxy for system owners and makes access grants and other decisions on their behalf. Although this is a common practice, it is often carried too far, resulting in the system owner being virtually unaware, uninvolved, and uninformed. Instead, system owners should be aware of, and periodically review, activities carried out by people, groups, and departments making decisions on their behalf.

The most typical arrangement is that people in IT make access decisions on behalf of system owners based on established policies and practices. Except in cases where there is a close partnership between these IT personnel and system owners, these IT personnel often do not adequately understand the business nature of systems or the implications when certain people are given access to them. Most often, far too many staff members have access to systems, usually with higher privileges than necessary.
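The reconciliation a system owner should perform when IT custodians make access decisions on their behalf can be put into a small script. The following is an added example, not code from the book: it compares the grants that actually exist on a system with the owner's recorded approvals and flags access that should be revoked, was never approved, exceeds the approved privilege, or is overdue for recertification. The privilege ordering, the 90-day recertification window, and all sample users and systems are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date

# Assumed privilege ordering, used to detect grants that exceed what the owner approved.
PRIVILEGE_RANK = {"read": 1, "write": 2, "admin": 3}


@dataclass(frozen=True)
class Grant:
    """An access grant as it exists on the system (what the custodian actually did)."""
    user: str
    system: str
    privilege: str
    granted_by: str  # the IT custodian who made the change on the owner's behalf


@dataclass(frozen=True)
class Approval:
    """The business owner's recorded decision: the maximum privilege approved for a user."""
    user: str
    system: str
    privilege: str
    approved_on: date


def review_access(grants, approvals, active_users, today, recert_days=90):
    """Reconcile live grants against owner approvals.

    Returns a list of (finding, grant, reason) tuples the system owner must act on:
      revoke     - user has left; access should have been removed
      unapproved - custodian granted access with no owner decision on record
      excessive  - granted privilege exceeds what the owner approved
      stale      - approval older than recert_days; owner should recertify
    """
    approved = {(a.user, a.system): a for a in approvals}
    findings = []
    for g in grants:
        if g.user not in active_users:
            findings.append(("revoke", g, "user is no longer active"))
            continue
        a = approved.get((g.user, g.system))
        if a is None:
            findings.append(("unapproved", g, f"no owner approval on record; granted by {g.granted_by}"))
        elif PRIVILEGE_RANK[g.privilege] > PRIVILEGE_RANK[a.privilege]:
            findings.append(("excessive", g, f"owner approved {a.privilege}, custodian granted {g.privilege}"))
        else:
            age = (today - a.approved_on).days
            if age > recert_days:
                findings.append(("stale", g, f"approval is {age} days old; owner should recertify"))
    return findings


# Constructed sample data (not real systems or people).
ACTIVE_USERS = {"alice", "bob", "carol"}  # "dave" has left the organization
GRANTS = [
    Grant("alice", "HRIS", "read", "it-ops"),
    Grant("bob", "HRIS", "admin", "it-ops"),
    Grant("dave", "HRIS", "read", "it-ops"),
    Grant("carol", "CRM", "write", "it-ops"),
    Grant("alice", "CRM", "read", "it-ops"),
]
APPROVALS = [
    Approval("alice", "HRIS", "read", date(2024, 5, 1)),
    Approval("bob", "HRIS", "write", date(2024, 5, 1)),
    Approval("carol", "CRM", "write", date(2024, 1, 15)),
]


def run_sample(today=date(2024, 6, 1)):
    """Run the review over the constructed data; alice's HRIS access is the only clean grant."""
    return review_access(GRANTS, APPROVALS, ACTIVE_USERS, today)


if __name__ == "__main__":
    for kind, grant, reason in run_sample():
        print(f"{kind:10} {grant.user}@{grant.system} ({grant.privilege}): {reason}")
```

The output is a list for the owner, not for IT: each finding is a business decision (revoke, approve after the fact, reduce privilege, or recertify) that the custodian should carry out only once the owner has made it.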

Privacy by Design

Privacy by design involves proactively embedding privacy as a default capability into the design and operation of IT systems, networked infrastructure, and business practices. The principle of privacy by design is explicitly stated in GDPR Article 25, “Data protection by design and by default.” This principle should be included in every organization’s privacy policy, whether the organization is subject to GDPR or other privacy regulations.

This is easier done for new information systems that benefit from a “clean-sheet” design. It is more difficult and costly to retrofit existing information systems developed before modern privacy laws were enacted.

EXAM TIP    You should remember that privacy by design and by default are key tenets of the GDPR and are only implied by other privacy regulations.

Chief Privacy Officer

Some organizations, typically those that manage large amounts of personal information related to employees, customers, or constituents, will employ a CPO. Some organizations have a CPO because applicable regulations such as GLBA require it. Other regulations, such as HIPAA, the Fair Credit Reporting Act (FCRA), and GLBA, place a slate of responsibilities upon an organization that compel it to hire an executive responsible for overseeing compliance. Others have a CPO because they store massive amounts of personal information and have chosen to appoint an executive-level individual to be responsible for managing the privacy program.

The roles of a CPO typically include safeguarding personal information and ensuring that the organization does not misuse the personal information at its disposal. Because many organizations with a CPO also have a CISO, the CPO’s duties mainly involve oversight into the organization’s proper handling and use of personal information.

The CPO is sometimes seen as a customer advocate, and often this is the actual role of the CPO, particularly when regulations require a privacy officer.

Another title with similar responsibilities is the data protection officer or data privacy officer (DPO). While the responsibilities may be similar to those of the CPO, it is important to highlight that DPOs are expected to operate in a strictly oversight or governance role. In some cases, a CPO may not be able to fulfill the role of a DPO, particularly in organizations where the CPO has responsibility for implementing data processing activities or systems that will enable data processing activities.

NOTE    Many smaller organizations appoint an existing staff member as the acting privacy officer.

Does GDPR Require a DPO?

Much discussion and debate has ensued over GDPR’s requirements for organizations to hire or retain a DPO. The GDPR is somewhat vague on the matter. Section 4, Article 37 reads:

The controller and the processor shall designate a data protection officer in any case where:

(a) the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;

(b) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or

(c) the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 or personal data relating to criminal convictions and offences referred to in Article 10.

The key language is included in subsections (a) and (b), which have some subjectivity. When it comes to GDPR, most companies are obliged to assign a DPO.

NOTE    Smaller organizations can consider retaining a consulting CPO, sometimes known as a virtual CPO or fractional CPO. This individual can also act as a strategic advisor to help the organization build its privacy program.

Chief Information Security Officer

The CISO is the highest-ranking information security title in an organization. A CISO will develop business-aligned security strategies that support present and future business initiatives and will be responsible for the development and operation of the organization’s information risk program, the development and implementation of security policies, security incident response, and perhaps some operational security functions.

In some organizations, the CISO reports to the chief operating officer (COO) or the CEO. In other organizations, the CISO may report to the CIO, chief legal counsel, or another executive in the organization.

Other titles with similar responsibilities include the following:

•   Chief security officer (CSO) A CSO often is responsible for physical security and workplace safety in addition to cybersecurity.

•   Chief information risk officer (CIRO) Generally, this position represents a change of approach to the CISO position, from being protection-based to being risk-based.

•   Chief risk officer (CRO) This position is responsible for all aspects of risk, including information risk, business risk, compliance risk, and market risk. This role is separate from IT.

Many organizations do not have a CISO but instead have a director or manager of information security who reports farther down in the organization chart. There are several possible reasons for organizations not having a CISO, but generally, it can be said that the organization does not consider information security as a strategic function. This will hamper the visibility and importance of information security and often results in information security being a tactical function concerned with basic defenses such as firewalls, antivirus software, and other tools. In such situations, responsibility for strategy-level information security implicitly lies with some other executive, such as the CIO. This situation often results in the absence of a security program and the organization’s general lack of awareness of relevant risks, threats, and vulnerabilities.

For small to medium-sized organizations, a full-time strategic security leader may not be cost-effective. In these situations, it is advisable to contract with a virtual CISO (vCISO) to assist with strategy and planning. The benefit of this type of approach for organizations that may not require or cannot afford a full-time person is that it enables the organization to benefit from the knowledge of a seasoned security professional to assist in managing the information security program.

Software Development

Positions in software development are involved in the design, development, and testing of software applications and often include the following:

•   Systems architect This position is usually responsible for the overall information systems architecture in the organization. This may or may not include overall data architecture as well as interfaces to external organizations.

•   Systems analyst A systems analyst is involved with the design of applications, including changes in any application’s original design. This position may develop technical requirements, program design, and software test plans. If an organization licenses applications developed by other companies, the systems analyst designs interfaces to other applications.

•   Software engineer/developer This position develops application software. Depending upon their level of experience, people in this position may also design programs or applications. In organizations that utilize purchased application software, developers often create custom interfaces, application customizations, and custom reports.

•   Software tester This position tests changes in programs made by software engineers/developers.

While the trend toward outsourcing applications has resulted in organizations infrequently developing their own applications from scratch, software development roles persist in organizations. Developers are needed to create customized modules within software platforms, as well as integration tools to connect applications. Still, most organizations have a smaller number of developers than they did decades ago.

EXAM TIP    You should remember that the regulatory requirements of privacy by design usually rest with the systems architect and others who drive design decisions for organizations that develop software that processes personal information.

Rank Sets Tone and Gives Power

A glance at the highest-ranking privacy and information security positions in an organization reveals much about executive management’s opinion of privacy and information security in larger organizations. Executive attitudes about privacy and security are reflected in the privacy and security leaders’ titles, which may resemble the following:

•   Privacy manager or security manager Privacy and information security are tactical only and often viewed as consisting only of basic tactical controls. The privacy and security managers have no visibility into the development of business objectives. Executives consider privacy and security as unimportant and based on simple practices only.

•   Privacy director or security director Privacy and information security are essential, and the director has moderate decision-making capability but little influence on the business. A director in a larger organization may have little involvement in overall business strategies and little or no access to executive management or the board of directors.

•   Vice president Privacy and information security are strategic objectives but do not influence business strategy and objectives. The vice president will have some access to executive management and possibly the board of directors.

•   CISO/CIRO/CSO/vCISO/CPO/DPO Privacy and information security are strategic objectives, and business objectives are developed with full consideration for risk. The C-level security and privacy personnel have free access to executive management and the board of directors.

Data Management

Positions related to data management are responsible for developing and implementing database designs and for maintaining databases. These personnel will be carrying out some of privacy’s design principles. These positions are concerned with data within applications, as well as data flows between applications:

•   Data manager This position is responsible for data architecture and data management in larger organizations.

•   Database architect This position develops logical and physical designs of data models for applications. With sufficient experience, this person may also design an organization’s overall data architecture.

•   Big data architect This position develops data models and data analytics for large, complex data sets.

•   Database administrator (DBA) This position builds and maintains databases designed by the database architect and those databases that are included as part of purchased applications. The DBA monitors databases, tunes them for performance and efficiency, and troubleshoots problems.

•   Database analyst This position performs tasks that are junior to the DBA, carrying out routine data maintenance and monitoring tasks.

•   Data scientist This position applies scientific methods, builds processes, and implements systems to extract knowledge or insights from data.

EXAM TIP    CIPM candidates need to understand that the roles of data manager, big data architect, database architect, database administrator, database analyst, and data scientist are distinct from data owners. The data owner role governs the business use of, and access to, data in information systems, while the others are IT department roles for managing data models and data technology.

Network Management

Positions in network management are responsible for designing, building, monitoring, and maintaining voice and data communications networks, including connections to outside entities and the Internet:

•   Network architect This position designs data and voice networks and designs changes and upgrades to networks as needed to meet new organization objectives.

•   Network engineer This position implements, configures, and maintains network devices such as routers, switches, firewalls, and gateways.

•   Network administrator This position performs routine tasks in the network, such as making configuration changes and monitoring event logs.

•   Telecom engineer Positions in this role work with telecommunications technologies such as telecom services, data circuits, phone systems, and conferencing systems.

Systems Management

Positions in systems management are responsible for architecture, design, building, and maintenance of servers and operating systems. This may include desktop operating systems as well. Personnel in these positions also design and manage virtualized environments as well as microsegmentation:

•   Systems architect This position is responsible for the overall architecture of systems (usually servers), in terms of both the internal architectures and the relationships between systems.

•   Systems engineer This position designs, builds, and maintains servers and server operating systems.

•   Storage engineer This position designs, builds, and maintains storage subsystems.

•   Systems administrator This position performs maintenance and configuration operations on systems.

Operations

In larger organizations, positions in operations are responsible for day-to-day operational tasks that may include networks, servers, databases, and applications:

•   Operations manager This position is responsible for overall operations that are carried out by others. Responsibilities include establishing operations shift schedules and assisting staff members.

•   Operations analyst This position may be responsible for developing operational procedures; examining the health of networks, systems, and databases; setting and monitoring the operations schedule; and maintaining operations records.

•   Controls analyst This position monitors batch jobs and performs data entry work and other tasks to make sure they are operating correctly.

•   Systems operator This position monitors systems and networks, performs backup tasks, runs batch jobs, prints reports, and performs other operational tasks.

•   Data entry This position is responsible for keying batches of data from hard copy or other sources.

•   Media manager This position maintains and tracks the use and whereabouts of backup tapes and other media.

Privacy Operations

Though few organizations have personnel in a privacy operations function, the staff in many business departments have access to personal information of the organization’s workforce or to its customers or constituents. These business functions include

•   Human resources

•   Sales and marketing

•   Customer support

•   Warranty or assurance services

•   Business operations

Workers in these and other business functions need to be aware of the implications of having access to personal information and the organization’s privacy policy, so that their day-to-day work does not run afoul of privacy policy or applicable laws.

NOTE    For the most part, it’s more important that you know that an organization has assigned various privacy responsibilities to designated personnel than to know the structure of the organization (or org chart).

Security Operations

Positions in security operations are responsible for designing, building, and monitoring security systems and security controls to ensure the confidentiality, integrity, and availability of information systems:

•   Security architect This position designs security controls and systems such as authentication, audit logging, intrusion detection systems (IDSs), intrusion prevention systems (IPSs), and firewalls.

•   Security engineer This position designs, builds, and maintains security services and systems that are designed by the security architect. Such systems include firewalls, IDSs and IPSs, web application firewalls (WAFs), web content filters, cloud access security brokers (CASBs), and others.

•   Security analyst This position examines logs from firewalls, IDSs, and audit logs from systems and applications. A security analyst could also have other responsibilities, such as performing security reviews, performing risk analyses, and maintaining security-related business records. This position may also be responsible for issuing security advisories to others in IT.

•   Access administrator This position is responsible for accepting approved requests for user access management changes and performing the necessary changes at the network, system, database, or application level. Often, this position is carried out by personnel in network and systems management functions; in larger organizations, user account management is performed by information security or in a separate user access department.

Privacy Audit

Positions in privacy audit are responsible for examining process design and for verifying the effectiveness of privacy policies and controls:

•   Privacy audit manager This position is responsible for audit operations and scheduling and managing audits.

•   Privacy auditor This position performs internal audits of privacy controls to ensure that they are being operated properly.

The topic of auditing privacy programs and operations is discussed in Chapter 5.

Security Audit

Positions in security audit are responsible for examining process design and for verifying the effectiveness of security controls:

•   Security audit manager This position is responsible for audit operations and scheduling and managing audits.

•   Security auditor This position performs internal audits of IT controls to ensure that they are being operated properly.

NOTE    Although a privacy and security audit may not be a formal internal audit function, those performing security audits need to be able to exercise independence from the functions they audit.

Service Desk

Positions at the service desk are responsible for providing frontline support services to IT and IT customers:

•   Service desk manager This position serves as a liaison between end users and the IT service desk department.

•   Service desk analyst This position provides frontline user support services to personnel in the organization. This is sometimes known as a help-desk analyst.

•   Technical support analyst This position provides technical support services to other IT personnel and perhaps also to IT customers.

Quality Assurance

In larger organizations, positions in quality assurance (QA) are responsible for evaluating IT systems and processes to confirm their accuracy and effectiveness:

•   QA manager This position facilitates quality improvement activities throughout the IT organization.

•   QC manager This position tests IT systems and applications to confirm whether they are free of defects.

Other Roles

Other roles in IT organizations include the following:

•   Third-party risk management manager This position assesses third-party service providers to ensure that their practices do not result in unacceptable risks to the protection of sensitive information, particularly personal information of customers, constituents, or employees.

•   Vendor manager This position is responsible for maintaining business relationships with external vendors, measuring their performance, and handling business issues.

•   Program manager This position manages teams of project managers and oversees larger and more complex projects.

•   Project manager This position creates project plans and manages IT projects.

General Staff

The rank and file in an organization may or may not have explicit privacy or information security responsibilities. This is determined in part by executive management’s understanding of the broad capabilities of information systems and the personnel who use them, and by executives’ understanding of the human role in privacy and information security.

Typically, general staff privacy- and security-related responsibilities include the following:

•   Understanding and compliance with organization privacy and security policy

•   Acceptable use of organization assets, including information systems and personal information

•   Proper judgment, including proper responses to people who request access to personal information or request that staff members perform specific functions (the primary impetus for this is the phenomenon of social engineering and its use as an attack vector)

•   Reporting of privacy- and security-related matters and incidents to management

Organizations with a more mature privacy and security culture use standard language in job descriptions that specifies general responsibilities for the protection of assets, systems, and personal information.

Competency

Privacy leadership, together with the human resources function, needs to establish means for ensuring that all staff have the necessary competencies to perform their roles correctly. In understanding individual staff competencies, an organization can consider prior experience, certifications, and training, and can bolster individual workers’ competence as necessary to ensure that processes and tasks are performed correctly and on time.

These activities should be intentional, documented, and applied fairly across relevant parts of the workforce.

Privacy Program Communications

Key categories of communications help an organization’s workforce better understand the principles and policies related to information privacy.

Privacy Training and Awareness

Personnel are the primary weak point in an organization’s privacy and cybersecurity status. Personnel are generally considered the largest and most vulnerable portion of an organization’s attack surface, and for good reason: most breaches start with a social-engineering attack, often via e-mail, or they start with the unintended misuse of personal information.

Many organizations conduct security awareness training so that personnel are aware of these common attacks, as well as several other topics that mainly fall into the category known as Internet hygiene, which is the safe use of computers and mobile devices, particularly while accessing the Internet. Organizations also must provide privacy awareness training that enables personnel to be aware of the expectations regarding the proper collection, storage, transmission, and use of customer, constituent, and employee personal information as well as the tools and processes the organization has in place to enable personnel to adhere to these expectations.

Training Objectives

The primary objective of privacy and security awareness programs is the keen awareness, on the part of all personnel, of the proper handling of personal information, the reality of the different types of attacks that they may be subject to, and what they are expected to do in various situations. Further, personnel must understand and comply with an organization’s acceptable use policy, privacy policy, security policy, code of ethics or code of conduct, and other applicable policies.

Better privacy and security awareness training programs include opportunities for personnel to practice skills, with testing at the end of training sessions. In computer-based training, users should be required to pass the test successfully with a minimum score—70 percent is a typical minimum score to complete the course.

The best privacy and security awareness training courses, whether in-person or online, are engaging and relevant. Although some organizations conduct privacy and security awareness training for compliance purposes, many organizations have a genuine interest in their personnel getting the most value out of the training. The point of privacy and security awareness training is, after all, the reduction of risk.

Business records should be created, recording when each employee receives training. Many organizations are subject to privacy and security regulations that require personnel to complete awareness training; business records provide ample evidence of users’ completion of their training.

Creating or Selecting Content

Privacy and security managers need to develop or acquire awareness training content for personnel in the organization. The content that is selected or developed should be

•   Understandable The content should make sense to all personnel. A common mistake that security and privacy managers make is to create or select content that is overly technical and difficult for many nontechnical personnel to understand.

•   Relevant The content should be applicable to the organization and its users. For example, training on the topic of cryptography would be irrelevant to the vast majority of personnel in most organizations. Irrelevant content can cause personnel to disengage from further training.

•   Actionable The content should ensure that personnel know what to do (and not do) in common scenarios.

•   Memorable The best content will give personnel opportunities to practice their skills at some of the basic tasks important to privacy and security, including selecting and using passwords, reading and responding to e-mail, making good decisions about the use of personal information, and interacting with persons inside and outside the organization.

Audiences

When planning an awareness training program, privacy and security managers need to understand the entire worker population and their various roles in the organization. This helps managers understand what training subject matter is relevant to which groups of workers. Managers need to ensure that all workers get all the training they need and not overburden personnel with training that is not relevant to their jobs.

For example, workers in a large retail organization fall into four categories:

•   Corporate workers These persons all use computers, and most of them use mobile devices. Most have access to sensitive information, including personal information about customers and/or employees.

•   Retail floor managers These persons work in retail store locations and use computers daily in their jobs.

•   Retail floor cashiers These persons work in retail store locations. They do not use computers, but they do collect payments by cash, check, and credit card.

•   Retail floor workers These persons work in retail store and warehouse locations and may use computers for single tasks only.

Privacy and security managers should package awareness training so that each audience receives relevant training. In this example, retail floor workers probably need little Internet or computer-related security awareness training, but instead would receive training on physical security and workplace safety topics. Cashiers need training on fraud techniques (counterfeit currency, currency counting fraud, and matters related to credit card payments such as skimming). Corporate workers and retail floor managers should probably receive full-spectrum privacy and security training since they all use computers and many have access to personal information and sensitive information. Retail floor managers should also receive all of the training delivered to retail floor workers and cashiers because they also work at retail locations and supervise these personnel.
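The two practices described above, keeping business records of who passed which training with a minimum score, and packaging modules so that each audience receives only what is relevant, can be combined into one compliance check. The following is an added example, not code from the book: it encodes the retail example's four audiences, gives floor managers everything delivered to the staff they supervise, counts a module as complete only when the latest passing attempt (70 percent or better) is within a validity window, and reports the gaps. The module names, the one-year validity window, and all worker records are constructed assumptions.

```python
from datetime import date

PASSING_SCORE = 70  # the typical minimum score cited in the text

# Constructed curriculum for the retail example; module names are assumptions.
CURRICULUM = {
    "retail_floor_worker": {"physical_security", "workplace_safety"},
    "retail_floor_cashier": {"physical_security", "workplace_safety", "payment_fraud"},
    "corporate_worker": {"privacy_awareness", "internet_hygiene", "social_engineering"},
}
# Floor managers receive full-spectrum training plus everything given to the staff they supervise.
CURRICULUM["retail_floor_manager"] = (
    CURRICULUM["corporate_worker"]
    | CURRICULUM["retail_floor_worker"]
    | CURRICULUM["retail_floor_cashier"]
)


def required_modules(role):
    """Modules a worker in the given role must have passed."""
    return CURRICULUM[role]


def training_gaps(workers, records, today, valid_days=365):
    """Find workers whose training records do not cover their role.

    workers: {worker: role}
    records: iterable of (worker, module, score, completed_on) business records
    A module counts as complete only if the most recent passing attempt is
    within valid_days of today. Returns {worker: [missing modules]}.
    """
    latest_pass = {}
    for worker, module, score, completed_on in records:
        if score >= PASSING_SCORE:
            key = (worker, module)
            if key not in latest_pass or completed_on > latest_pass[key]:
                latest_pass[key] = completed_on
    gaps = {}
    for worker, role in workers.items():
        missing = []
        for module in sorted(required_modules(role)):
            passed_on = latest_pass.get((worker, module))
            if passed_on is None or (today - passed_on).days > valid_days:
                missing.append(module)
        if missing:
            gaps[worker] = missing
    return gaps


# Constructed sample records (not real people).
WORKERS = {"maya": "retail_floor_manager", "raj": "retail_floor_cashier", "lin": "corporate_worker"}
RECORDS = [
    ("maya", "physical_security", 90, date(2024, 3, 1)),
    ("maya", "workplace_safety", 80, date(2024, 3, 1)),
    ("maya", "payment_fraud", 65, date(2024, 3, 1)),       # below the passing score
    ("maya", "privacy_awareness", 88, date(2024, 3, 1)),
    ("maya", "internet_hygiene", 91, date(2024, 3, 1)),
    ("maya", "social_engineering", 75, date(2024, 3, 1)),
    ("raj", "physical_security", 100, date(2024, 4, 1)),
    ("raj", "workplace_safety", 100, date(2024, 4, 1)),
    ("raj", "payment_fraud", 72, date(2024, 4, 1)),
    ("lin", "privacy_awareness", 95, date(2022, 5, 1)),    # passed, but more than a year ago
    ("lin", "internet_hygiene", 90, date(2024, 2, 1)),
    ("lin", "social_engineering", 85, date(2024, 2, 1)),
]


def run_sample(today=date(2024, 6, 1)):
    """Gaps on the constructed data: maya must retake payment_fraud, lin must renew privacy_awareness."""
    return training_gaps(WORKERS, RECORDS, today)


if __name__ == "__main__":
    for worker, missing in run_sample().items():
        print(f"{worker}: missing {', '.join(missing)}")
```

Keeping the raw records rather than a single "trained: yes/no" flag is what makes this useful as evidence: an auditor can see the date, the score, and the module for each completion, and the same records answer the question again after the validity window rolls over.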

NOTE    Privacy training ensures that all personnel understand the organization’s privacy policies, practices, and expectations.

Information Workers Workers in an organization who have contact with the personal information of employees, customers, or constituents should receive privacy awareness training. Information workers need to be aware of the organization’s policies on the protection and proper use of personal information, so that the organization is less likely to suffer a privacy breach caused by poor judgment.

Technical Workers Technical workers in an organization, typically IT personnel, should be trained in security techniques relevant to their positions. Technical workers are responsible for system architecture and system and network design, implementation, and administration. Without security training, these workers may unknowingly have lapses in judgment that could result in significant vulnerabilities that could lead to compromises.

Technical workers also need privacy awareness training to be aware of the proper handling of personal information. This is especially important for the organization, to ensure that information systems will be designed and configured to bring about the greatest possible protection and sound handling of personal information.

Software Developers Software developers typically receive little or no education on privacy by design or secure software development in colleges, universities, and tech schools. The art and science of privacy by design and of secure coding, then, is new to many software developers. Training for software developers helps them to be more aware of the common mistakes made by software developers, including these:

•   Vulnerabilities that permit injection attacks

•   Broken authentication and session management that can lead to attackers accessing other user sessions

•   Cross-site scripting

•   Broken access control

•   Security misconfiguration

•   Sensitive data exposure

•   Insufficient attack protection

•   Cross-site request forgery

•   Use of components with known vulnerabilities

•   Underprotected APIs

This list, which changes from time to time, is published by the Open Web Application Security Project (OWASP, at www.owasp.org), an organization that helps software developers better understand the techniques needed for secure application development and deployment.
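As an added illustration of the first item on that list, here is a small Python example (not code from this book or from OWASP) showing the injection mistake a developer training module would walk through, alongside the parameterized form that removes it. It uses the standard-library sqlite3 module with an in-memory database; the customer table, its rows, and the attack payload are constructed for the example and do not come from the text.

```python
import sqlite3

# Constructed sample data: a small table of customer personal information.
SAMPLE_CUSTOMERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("carol", "carol@example.com"),
]


def make_db() -> sqlite3.Connection:
    """Build an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?)", SAMPLE_CUSTOMERS)
    conn.commit()
    return conn


def lookup_email_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """The mistake: untrusted input is spliced into the SQL text itself, so a
    crafted username changes what the statement means (SQL injection)."""
    query = f"SELECT email FROM customers WHERE username = '{username}'"
    return [row[0] for row in conn.execute(query)]


def lookup_email_safe(conn: sqlite3.Connection, username: str) -> list:
    """The fix: a parameterized query. The driver binds the value separately
    from the statement, so the input is only ever compared as a string and
    is never parsed as SQL."""
    query = "SELECT email FROM customers WHERE username = ?"
    return [row[0] for row in conn.execute(query, (username,))]


def demo() -> dict:
    """Run both lookups with a normal username and with a tautology payload
    (constructed for the demo) and return the results for comparison."""
    conn = make_db()
    payload = "' OR '1'='1"  # turns the WHERE clause into: username = '' OR '1'='1'
    return {
        "normal_vulnerable": lookup_email_vulnerable(conn, "alice"),
        "normal_safe": lookup_email_safe(conn, "alice"),
        "payload_vulnerable": lookup_email_vulnerable(conn, payload),
        "payload_safe": lookup_email_safe(conn, payload),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

With the normal username both functions return the same single address. With the payload, the vulnerable function returns every customer's e-mail address (a sensitive data exposure caused by the injection), while the parameterized function returns nothing because no customer is literally named `' OR '1'='1`. The training point is that escaping or filtering input by hand is not the remedy; keeping data and statement separate is.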

Privacy and security training for software developers should also include protection of the software development process itself. Topics in secure software development generally include the following:

•   Protection of source code

•   Reviews of source code

•   Care when using open-source code

•   Testing of source code for vulnerabilities and defects

•   Archival of changes to source code

•   Protection of systems used to store source code, edit and test source code, build applications, test applications, and deploy applications

Note that some of these aspects are related to the architecture of development and test environments and may not be needed for all software developers.

Third Parties Privacy and security awareness training needs to be administered to all personnel who have access to personal information through any means. Because this may include personnel who are employees of other organizations, those workers need to participate in the organization’s privacy and security awareness training. In larger organizations, the curriculum for third-party personnel may be altered somewhat, since portions of the privacy and security awareness training content may not apply to outsiders.

New Hires New employees, as well as consultants and contractors, should be required to attend privacy and security training as soon as possible. There is a risk that new employees could make mistakes early in their employment and prior to their training if they are not yet familiar with all of the practices in the organization.

Better organizations link access control with privacy and security training: new employees are not given access to systems until after they have completed their privacy and security training. This gives new workers added incentive to complete their training quickly, since they want to be able to get access to corporate applications and get to work.

Training Schedule

Regular awareness training is required by some regulations, and most privacy and security awareness programs include at least annual refresher training for all workers. Annual training should be considered the minimum. A well-structured program can offer awareness and training in small bits throughout the year to help keep privacy, security, and Internet safety a part of every worker’s day-to-day thinking process and to help them avoid common mistakes. Further, because handling procedures, protective techniques, and attack techniques change quickly, regular refresher training helps workers be aware of these developments.

Training takes time, and people tend to put it off for as long as possible. Workers can be offered incentives to complete their training through various types of rewards. For example, workers who complete their training in the first week can be awarded gift cards or other prizes.

Organizations generally choose one of two options for annual training:

•   Train the entire organization all at once.

•   Train groups of workers on their hire-month anniversaries.

Communication Techniques

Privacy and security awareness training programs often utilize a variety of means for imparting information-handling procedures, Internet hygiene, and safe computing information to their workers. Communication techniques often include

•   E-mail Privacy and security managers may occasionally send out advisories to affected personnel to inform them of recent developments, such as a new phishing attack. Occasionally, a senior executive will send a message to all personnel to emphasize that privacy and security are every worker’s job and that they are to be taken seriously.

•   Internal web site Organizations with internal web sites or web portals may, from time to time, include privacy and security content.

•   Video monitors, posters, and bulletins Sometimes, a privacy or security message can be delivered on monitors, posters, or bulletins on various topics that keep people thinking about privacy and security.

Maintaining an Awareness Program

Privacy laws, regulations, and practices are changing and evolving at a fast pace. This can present particular challenges to personnel who develop and deliver privacy training to an organization’s workforce. Just as an organization’s legal counsel (or other designee) researches regulatory and legal developments in information privacy and informs the CPO and privacy operations about these changes, those maintaining privacy training need to be informed as well, so that they can make required changes to training materials.

Chapter Review

An organization’s vision for a privacy program needs to include data protection as well as data usage functions. To be effective, the privacy program vision may also need to include IT governance if this is lacking.

Executive sponsorship is the formal or informal approval to commit resources to a business problem or challenge. Privacy is no exception: without executive sponsorship, privacy would be little more than an idea.

As vision gives way to strategy, the organization’s privacy leader must ensure that the information privacy program fits in with the rest of the organization. This means that the program needs to align with the organization’s highest level guiding principles.

Governance is a process whereby senior management exerts strategic control over business functions through policies, objectives, delegation of authority, and monitoring. Governance is management’s continuous oversight of an organization’s business processes to ensure that they effectively meet the organization’s business vision and objectives.

Data governance is management’s visibility and control over the use of information in an organization. Privacy programs will have difficulty succeeding in its absence.

Privacy governance involves established activities that typically focus on several fundamental principles and outcomes designed to enable management to have a clear understanding of the state of the organization’s privacy program, its current risks, its direct activities, and its alignment to the organization’s business objectives and practices.

To manage privacy successfully, organizations need to understand that privacy is also a people issue. When people at each level in the organization—from board members to individual contributors—understand the importance of privacy and security within their own roles and responsibilities, an organization will be in a position of reduced risk.

Privacy governance will enable alignment of the organization’s privacy program with customer or constituent expectations, applicable regulations, identified risks, and business needs. An objective of privacy governance is to provide assurance of the proper protection and use of personal information from a strategic perspective to ensure that required privacy practices align with business practices.

Establishing a privacy program requires the development of a strategy. Among business, technology, privacy, and security professionals, there are many different ideas about the meaning of a strategy and the techniques used to develop a strategy, and this can result in general confusion. Although a specific strategy itself may be complex, the concept of a strategy is quite simple. A strategy can be defined as “the plan to achieve an objective.”

A vital part of strategy development is the determination of desired risk levels. One of the inputs to strategy development is the understanding of the current level of risk, and the desired future state may also have a level of risk associated with it.

Depending on the current and desired future state of privacy and security, objectives may represent large projects or groups of projects implemented over several years to develop broad new capabilities, or they may be smaller projects focused on improving existing capabilities.

Once strategic objectives, risk and threat assessments, and gap analyses have been completed, the strategist can begin to develop roadmaps to accomplish each objective.

Although the development of a new strategy may bring hope and optimism to the privacy or security team, there is no guarantee that changes in an organization can be implemented without friction and even opposition. The privacy and security manager should anticipate and be prepared to maneuver around, over, or through many types of constraints and obstacles.

As a privacy leader develops the organization’s privacy program strategy, the program will include various routine privacy operations that must be performed. The privacy leader will need to determine what positions will be required and what activities they will perform. The privacy leader should consider whether any existing staff across the organization can take on some privacy responsibilities.

Privacy and information security governance are most effective when every person in the organization knows what is expected of them. More mature organizations develop formal roles and responsibilities that establish clear expectations for personnel with regard to their part in all matters related to the protection and proper use of systems and personal information.

The role of a CPO typically includes safeguarding personal information and ensuring that the organization does not misuse the personal information at its disposal. Because many organizations with a CPO also have a CISO, the CPO’s duties mainly involve oversight into the organization’s proper handling and use of personal information.

Privacy leadership, together with the human resources function, must establish means for ensuring that all staff members have the necessary competencies to perform their roles correctly.

Many organizations conduct security awareness training so that personnel are aware of common attacks, as well as several other topics that are considered Internet hygiene, which is the safe use of computers and mobile devices while accessing the Internet. Organizations also must provide privacy awareness training that enables personnel to be aware of the expectations regarding the proper use of customer, constituent, and employee personal information.

Because privacy laws, regulations, and practices are changing and evolving at a fast pace, it is important to ensure that privacy awareness training programs remain current.

Quick Review

•   Privacy and security programs should be in alignment with the organization’s overall mission, goals, and objectives. This means that the chief privacy officer, chief information security officer, and others should be aware of, and involved in, strategic initiatives and the execution of the organization’s strategic goals.

•   An organization’s definitions of roles and responsibilities may or may not be in sync with its culture of accountability. For instance, an organization may have clear definitions of responsibilities documented in policy and process documents and yet may rarely hold individuals accountable when preventable security events occur.

•   Privacy and information security are the responsibility of every person in an organization; however, the means for assigning and monitoring privacy and security responsibilities to individuals and groups vary widely.

•   Privacy and security strategists should be mindful of each organization’s tolerance for change within a given period of time. While much progress may be warranted, the amount of change that can be reasonably implemented within a short amount of time is limited.

•   Although it is important for privacy and security strategists to understand the present state of the organization when developing a strategic roadmap, the strategist must proceed with the knowledge that there can never be a sufficient level of understanding. Even if the most thorough snapshot has been taken, the strategist must understand that the organization is slowly (or perhaps quickly) changing. Execution of a strategic plan is intended to accelerate changes in certain aspects of an organization that is slowly changing anyway.

•   Each organization has its own practice for the development of business cases for the presentation, discussion, and approval for strategic initiatives.

•   Privacy and security strategists must anticipate obstacles and constraints affecting the achievement of strategic objectives and consider refining those objectives so that they can be realized.

Questions

1. Privacy governance is most concerned with:

A. Privacy policy

B. Security policy

C. Privacy strategy

D. Security executive compensation

2. A gaming software startup company does not employ penetration testing of its software. This is an example of:

A. High tolerance of risk

B. Noncompliance

C. Irresponsibility

D. Outsourcing

3. A privacy strategist is developing a privacy awareness program. What is the best method for ensuring that employees have retained important content?

A. Measure the time it takes for employees to complete training.

B. Include competency quizzes at the end of training sessions.

C. Note how quickly employees complete training after being asked.

D. Include videos in privacy training content.

4. Privacy responsibilities are included in which of these IT positions?

A. Security engineer

B. Application developer

C. Database administrator

D. All of these

5. The best first step in building privacy operations is:

A. Perform a risk assessment.

B. Identify requirements.

C. Perform data discovery.

D. Conduct a penetration test.

6. The best definition of a strategy is:

A. The objective to achieve a plan

B. The plan to achieve an objective

C. The plan to achieve business alignment

D. The plan to reduce risk

7. Which of the following should be considered a prerequisite when building a privacy program?

A. Executive support

B. Approved privacy policy

C. Appointing a CPO

D. Performing a risk assessment

8. As part of understanding the organization’s current state, a privacy strategist is examining the organization’s privacy policy. What does the policy tell the strategist?

A. The level of management commitment to privacy

B. The maturity level of the organization

C. The compliance level of the organization

D. None of these

9. While gathering and examining various privacy-related business records, the privacy officer has determined that the organization has no privacy or security incident log. What conclusion can the privacy officer make from this?

A. The organization does not have privacy or security incident detection capabilities.

B. The organization has not yet experienced a privacy or security incident.

C. The organization is recording privacy or security incidents in its risk register.

D. The organization has effective privacy policies.

10. The tool that permits senior management to observe and control an organization is known as:

A. Training

B. Control

C. Policy

D. Governance

11. A privacy strategist has examined a business process and has determined that personnel who perform the process do so consistently, but there is no written process document. The maturity level of this process is:

A. Initial

B. Repeatable

C. Defined

D. Managed

12. A privacy strategist has examined several business processes and has found that their individual maturity levels range from managed to optimizing. What is the best future state for these business processes?

A. All processes should be changed to managed.

B. All processes should be changed to optimizing.

C. There is insufficient information to determine the desired end states of these processes.

D. Processes that are managed should be changed to defined.

13. Which of the following roles should include responsibility for monitoring a DLP system for alerts?

A. Systems engineering

B. Database management

C. Security operations

D. Privacy manager

14. A privacy strategist is seeking to improve the privacy program in an organization with a strong but casual culture. What is the best approach here?

A. Conduct focus groups to discuss possible avenues of approach.

B. Enact new detective controls to identify personnel who are violating policy.

C. Implement security awareness training that emphasizes new required behavior.

D. Lock users out of their accounts until they agree to be compliant.

15. A privacy strategist recently joined a retail organization that operates with slim profit margins and has discovered that the organization lacks several important privacy capabilities. What is the best strategy here?

A. Insist that management support an aggressive program quickly to improve the program.

B. Develop a risk ledger that highlights all identified risks.

C. Recommend that the biggest risks be avoided.

D. Develop a risk-based strategy that implements changes slowly over an extended period of time.

Answers

1. C. Privacy governance is the mechanism through which a privacy strategy is established, controlled, and monitored. Long-term and other strategic decisions are made in the context of privacy governance.

2. A. A software startup in an industry like gaming is going to be highly tolerant of risk: time to market and signing up new customers will be its primary objectives. As the organization achieves viability, other priorities such as security will be introduced.

3. B. Competency quizzes as a part of training are an effective means for recording knowledge retention.

4. D. Privacy responsibilities flow to nearly all positions in IT and IT security. The principle of privacy by design and by default means that all related information systems and supporting processes and procedures need to align with privacy policy.

5. B. When building a new privacy operation, it is first necessary to understand what activities and characteristics are required of the organization. This will come from the text of applicable security and privacy regulations and other legal obligations such as privacy contracts. Legal counsel should be on hand to interpret these regulations and other obligations correctly.

6. B. A strategy is the plan to achieve an objective. An objective is the “what” that an organization wants to achieve, and a strategy is the “how” the objective will be achieved.

7. A. Without executive support, a privacy leader may struggle to obtain the necessary resources to develop and execute a strategy for building a privacy program.

8. D. By itself, privacy policy tells someone little about an organization’s privacy practices. An organization’s policy is only a collection of statements; without interviewing personnel and examining business processes and records, a privacy professional cannot develop any conclusions about an organization’s privacy practices.

9. A. An organization that does not have a privacy or security incident log probably lacks the capability to detect and respond to an incident. It is not reasonable to assume that the organization has had no incidents, since minor incidents occur with regularity. Claiming that the organization has effective controls is unreasonable, because it is understood that incidents occur even when effective controls are in place (because not all types of incidents can reasonably be prevented).

10. D. Governance is the process that permits senior management to exert strategic control over business functions in an organization.

11. B. A process that is performed consistently but is undocumented is generally considered to be repeatable. A documented process is defined; a process that is also measured and monitored is managed.

12. C. There are no rules that specify that the maturity levels of different processes need to be the same or at different values relative to one another. In this example, each process may already be at an appropriate level based on risk appetite, risk levels, and other considerations.

13. C. The security operations team is the best choice for monitoring a DLP system. Such a system would probably be sending alerts to a SIEM, which a security operations team would be routinely monitoring.

14. A. Organizational culture is powerful, as it reflects how people think and work. In this example, there is no mention that the strong culture is bad, only that it is casual. Punishing people for their behavior may cause resentment, a revolt, or the loss of good employees who decide to leave the organization. The best approach here is to conduct focus groups to try to understand the culture and work with people in the organization to figure out how a culture of privacy and security can be introduced successfully.

15. D. A privacy strategist needs to understand an organization’s capacity to spend its way to lower risk. Developing a risk-based strategy that implements changes slowly over an extended period of time is the correct response because it is unlikely that an organization with low profit margins is going to agree to an aggressive improvement plan. Developing a risk ledger that depicts these risks may be a helpful tool for communicating risk, but by itself, it involves no action to change anything. Similarly, recommending risk avoidance may mean discontinuing the very operations that bring in revenue.
