Know where privacy sensitive information (e.g. consumer Personally Identifiable Information (PII)) is stored and processed on their information systems.
A periodically updated inventory of privacy sensitive information.
Documented procedures, tools and associated training to control access to privacy sensitive information, and assist authorized employees in protecting privacy sensitive information during receipt from customers and consumers, transmission (e.g., via e-mail) and storage.
Discuss … Who does this? How? Lessons learned?
WHERE is privacy sensitive information in the enterprise?
Credentialing is an essential component and should focus on: (1) employees, (2) customers and (3) vendors/third parties.
Through credentialing, an organization is able to mitigate the risk of fraud and to ensure that there is a permissible regulatory purpose and a legitimate business purpose for accessing information products, systems and data.
In the privacy and information security context, accountability is critical. Establish a governance model.
Technology solutions to help safeguard information and effectively implement privacy related controls
Masking/Non-display of privacy sensitive information
Firewalls, IDS, IPS, etc.
Data leakage detection and response
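The masking and data leakage detection controls listed above are easiest to understand with a concrete illustration. The following is an added example, not code from the original slides: a small Python scanner that finds two common PII patterns (U.S. Social Security numbers and payment card numbers, the latter confirmed with a Luhn checksum to cut false positives) in outbound text such as e-mail bodies or log lines, and masks all but the last four digits before the text is displayed or stored. The sample lines are constructed and contain only well-known test values, not real data.

```python
import re

# Constructed sample lines imitating text that might pass through an e-mail
# gateway or application log. The card number is the standard Visa test value.
SAMPLE_LINES = [
    "Customer callback: SSN 123-45-6789, card 4111 1111 1111 1111",
    "Order 9981 shipped; no PII here",
    "Card on file 1234-5678-9012-3456 failed Luhn, probably a ticket number",
]

# SSN: three groups, excluding area numbers 000, 666 and 9xx and zero groups.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Candidate card number: 13 to 19 digits, optionally separated by spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")


def luhn_ok(digits):
    """Return True if the digit string passes the Luhn checksum used by card networks."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pii(line):
    """Return (kind, raw_match) pairs for PII detected in a single line."""
    hits = []
    for m in SSN_RE.finditer(line):
        hits.append(("ssn", m.group()))
    for m in CARD_RE.finditer(line):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):     # drop ticket numbers and other digit runs
            hits.append(("card", m.group()))
    return hits


def mask(value, keep=4):
    """Mask a detected value, keeping only the last `keep` digits visible."""
    digits = re.sub(r"\D", "", value)
    return "*" * (len(digits) - keep) + digits[-keep:]


def redact(line):
    """Return the line with every detected PII value replaced by its masked form."""
    out = line
    for _, raw in find_pii(line):
        out = out.replace(raw, mask(raw))
    return out


def scan(lines):
    """Leakage detection: list (line index, kinds) for each line carrying PII."""
    report = []
    for i, line in enumerate(lines):
        kinds = [kind for kind, _ in find_pii(line)]
        if kinds:
            report.append((i, kinds))
    return report


if __name__ == "__main__":
    for idx, kinds in scan(SAMPLE_LINES):
        print(f"line {idx}: {kinds} -> {redact(SAMPLE_LINES[idx])}")
```

In a real deployment the `scan` report would feed an alert or a block decision at the egress point, while `redact` would sit in front of any display, log or storage path, so that a leaked log file or screen capture exposes only masked values.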
WHO is allowed to have access to privacy sensitive information?
Training, education and internal/external outreach ensure that all constituencies are aware of the framework's components and of the responsibilities that accompany those components.
For employees, regular mandatory training will help keep privacy and information security top of mind. Additionally, regular privacy and information security reminders and alerts keep employees abreast of current and emerging trends and risks.
Outreach to external audiences educates customers, consumers, stakeholders, advocacy communities and others on the good practices of your organization and creates transparency that fosters communication and trust.
Documented, tested plans and procedures around responding to incidents and breaches.
Roles and responsibilities
Post incident response (privacy related)
Dry-run testing of procedures (similar to DR testing)