
Author: Minaz Khan, CISA, CIPT
Date published: 1 April 2021

Organizations with mature privacy programs are reaping more benefits than average and are finding it easier to comply with new privacy regulations, according to the Cisco 2021 Data Privacy Benchmark Study. But what is the best way to build and measure privacy maturity? Privacy frameworks are an excellent tool for evaluating, monitoring and improving privacy programs. Because there are only a few traditional frameworks for privacy currently available (e.g., the National Institute of Standards and Technology [NIST] Privacy Framework), in this case the term “framework” is used more broadly to include standards and regulations (e.g., International Organization for Standardization [ISO] 29100 and the EU General Data Protection Regulation [GDPR]) that organizations can leverage to build, manage and improve their privacy practices. Whichever framework an organization chooses, it can advance privacy maturity when implemented properly.

Many organizations select a framework when trying to solve privacy challenges such as shifting regulatory requirements, conflicting or changing policies and procedures, duplicate compliance efforts and increased operational costs. Choosing a single framework as a foundation for a program solves many of these challenges and makes it easier to adapt to organizational and regulatory change.

But selecting a privacy framework is not without its own hurdles. To overcome or avoid these issues, there are a few key questions that should be asked:

  • Who should be involved?
  • How will the framework benefit the organization?
  • Which business processes may be affected?
  • Which frameworks are already being used within the organization?
  • Which regulatory requirements (e.g., Health Insurance Portability and Accountability Act [HIPAA], GDPR) should be considered?

Although a privacy framework is focused on privacy efforts, it impacts many other parts of the organization and may overlap with other frameworks being used by other business functions.

It may be helpful to involve personnel from various functions, such as cybersecurity, IT, information security, legal, compliance, internal audit and risk management, as well as key business process owners. Including a range of business functions in the selection process is important, but it is equally important to establish an authority (likely whoever leads the organization’s privacy efforts) to make the final decision.

Whichever framework is chosen, it should support organizational goals, enterprise strategy and stakeholder needs. If it fails to align with any of these elements, enterprise-wide adoption will be difficult, hindering the framework’s success.

There is no one-size-fits-all approach when it comes to selecting and adopting a framework. However, taking the following four steps can ensure that framework implementation is efficient:

  1. Framework and regulation mapping—If an organization needs to comply with multiple privacy regulations, it will need to map out how they overlap with the chosen framework and with each other. In addition, this is the time to factor in any other frameworks (e.g., the NIST Cybersecurity Framework, ISO 27001) the organization uses to make sure everything is aligned. Mapping out control areas and grouping them by regulation and framework can reduce the complexity.
  2. Tailoring to the enterprise—Tailoring the framework to the organization’s specific privacy risk and regulatory requirements will make the implementation process smoother. This means modifying controls to align with specific business functions and the operating environment, which will require input from other parts of the business. Working with other teams to integrate the framework should help ensure enterprise-wide adoption.
  3. Documentation—There may be instances where a specific control does not apply to the organization. It is good practice to document the business reasons for not implementing the control. If appropriate documentation of the reasoning behind the exception is maintained, it will be a resource for any future audits and assessments.
  4. Communication—A key part of successful adoption is communication. It is important to communicate any upcoming changes to core business teams within the organization. Providing appropriate support to the teams that may need to make changes as a result of the framework adoption is beneficial.

Whichever framework or combination of frameworks is chosen, there should be a strategy in place to carry out the controls that ensure information privacy and data security. Simply having a privacy program and utilizing a framework on paper is not enough. The organization must have a process in place to implement, manage and strengthen controls, as well as processes for regularly reviewing controls to ensure their effectiveness.

Once the organization has successfully installed a privacy framework, implemented corresponding controls and set up a program for monitoring, it gets to reap all the benefits a framework provides. These include:

  • Streamlined compliance
  • Measurable results
  • Reduced costs
  • Improved risk mitigation
  • Effective program evaluation
  • Alignment with enterprise strategy
  • Unified privacy, security and compliance efforts
  • A sustainable privacy program

Choosing and implementing a privacy framework requires a significant investment of time and effort up front, but it ultimately provides the organization with an efficient, mature privacy program that protects critical information and supports business goals.

Editor’s note: For further insights and examples on this topic, read Minaz Khan’s recent Journal article in ISACA Journal, volume 2, 2021.

