Highlights of the February 22, 2023, HBK Risk Advisory Services webinar hosted by William J. Heaven, CPA/CITP, CISA, CSCP, Senior Director
The National Institute of Standards and Technology (NIST) defines IT Security as, “The technological discipline concerned with ensuring that IT systems perform as expected and do nothing more; that information is provided adequate protection for confidentiality; that system, data and software integrity is maintained; and that information and system resources are protected against unplanned disruptions of processing that could seriously impact mission accomplishments.”
The International Association of Privacy Professionals (IAPP) defines data privacy as, “Privacy is the right to be left alone, or freedom from interference or intrusion. Information Privacy is the right to have some control over how your personal information is collected and used.”
Privacy focuses on the governance and use of data. Security tries to keep us from becoming victims of a malicious cyber attack. The two are often intertwined or confused.
Why be concerned about privacy? Our information is being captured and mined all the time. One expression of that is the suggestions or recommendations from location services on your phone.
Prominent trends in privacy
Data localization: Where is your data? You need to know where it is, especially given the multitude of cloud offerings.
Enhancing computations regarding data, or artificial intelligence (AI):
Remote monitoring: trying to balance security and privacy:
More ways to manage privacy for customers:
Many states are enacting their own privacy laws. We should have some type of federal legislation on privacy, but nothing is expected any time soon.
Globally, enforcement of the European Union’s General Data Protection Regulation (GDPR) continues to increase, and its influence has spread to America.
Monitoring and tracking privacy regulations
The IAPP is an excellent resource for privacy information. Resources include reports and documents, privacy regulation tracking, and information on specific regulations.
Privacy legislation is in different phases of development and varies state by state.
The California Consumer Privacy Act is modeled much like GDPR and has already been amended, including by the California Privacy Rights Act, which went into effect January 1, 2023. Businesses must comply if they meet one of three requirements:
Creating Privacy Controls
Consider privacy frameworks, such as ISACA and ISO 29100:2011
Frameworks have privacy principles, like GDPR’s:
ISACA has 14 privacy principles
Principles can be converted into controls and controls can be evaluated as to how they equate to a privacy program.
Key requirements of a privacy program:
Privacy controls are the administrative, technical, and physical safeguards employed within an agency to ensure compliance with applicable privacy requirements and to manage privacy risks.
Sample: Choice and Consent
Principle: To ensure appropriate and necessary consents have been obtained
Control: What you must have where the collection of personal data takes place
Maturity: Gauging the maturity of your program in terms of rating metrics from one to five: incomplete, initial, managed, defined, quantitatively managed, optimized
Ways to start: inventory your data, know where your customers are, then follow the regulations. If you have privacy concerns, you can look at privacy frameworks for principles to turn into controls, create a privacy program, and measure your program’s maturity.