CIPM Assess Flashcards
Privacy operational life cycle: 4 phases
- Assess (measure) current processes, procedures, management and practices for privacy management
- Protect (improve)
- Sustain (evaluate)
- Respond (support)
Assessment maturity models definition
methods to measure progress against established benchmarks and measurements; provides a standardised reference for companies to use in assessing the level of maturity of their privacy program
Assessment models
- AICPA/CICA
- PROP (privacy risk optimisation process)/PbD
- FTC/PbD
PbD definition
(1) Embed privacy into the design of technology, business practices and physical design (for assess and protect phases);
(2) dictates that privacy and DP are embedded throughout the life cycle of technologies;
(3) proactive:
- life cycle protection
- embedded in design
- by default
(4) respect for users
- visibility/transparency
- positive sum
AICPA/CICA 5 level privacy maturity model
- ad hoc: informal, incomplete, inconsistent
- repeatable: procedures exist but with gaps
- defined: fully documented, cover all
- managed: reviews conducted for effectiveness of controls in place
- optimized: regular reviews and feedback towards optimization
PROP (privacy risk optimisation process)
used to integrate PbD into business processes
FTC consumer PbD
Baseline principle of PbD is that companies promote consumer privacy throughout the organization at every stage of development of products and services. Includes:
1. Substantive privacy practices:
- data security
- reasonable collection limits
- sound retention and disposal
- data accuracy
- procedural protections to implement substantive principles
Privacy protection PIA
Assess key areas of business
- Audit: identify risks and gaps
- IT - BC and DR (business continuity and disaster recovery) and alignment with privacy policy
- IS - IT systems, building, remote users, vendors; CIA and AA (confidentiality, integrity, availability, accountability, assurance); IRP
- HR/Ethics - latter should be independent
- Legal - due diligence - which privacy laws apply
- Compliance - privacy program track and investigate roles and responsibility
- Processors/3P vendors - privacy controls in K; vet vendors then monitor and control