Mark's Privacy Program Health Check
If I were facilitating a privacy audit, here is an example of a few things that I would look for. I would need to identify evidence to substantiate the privacy program.
• Security Policy – Has your privacy program been endorsed by management, assuring their support and commitment to the privacy program? Do you have it in writing?
• Security Organization – Does your privacy program have an established management framework to initiate and control the implementation of the privacy program within your organization and to help you manage your ongoing privacy compliance?
• Asset Classification and Control – Does your privacy program include a comprehensive inventory of private information assets? Does the privacy program include a classification schema and governance to assign responsibilities to ensure that effective security protection is maintained?
• Personnel Security – Does your privacy program include well-defined job descriptions for all staff outlining privacy protection roles and responsibilities?
• Physical and Environmental Security – Does your privacy program have a clear definition of personal information and the requirements to protect it, so that employees are empowered to safeguard private
• Communications and Operations Management – Does your privacy program include a formal communication strategy designed to facilitate smooth operation of your privacy program?
• Access Control – Does your privacy program include controls over network management to ensure that only those with the appropriate responsibility have access to private information traversing the networks?
• Systems Development and Maintenance – Does your privacy program maintain the capability of assuring that IT projects and support activities are conducted in a secure manner throughout the information life
• Business Continuity Management – Does your privacy program use a managed process for developing and maintaining business contingency plans that protect critical business processes handling private information from major disasters or failures?
• Compliance – Does your privacy program maintain the capability of demonstrating to clients, employees and authorities your organization's commitment to statutory data protection or privacy legislation?
*** THIS DOCUMENT IS CLASSIFIED FOR PUBLIC ACCESS ***
Contact: Skype: Mark_E_S_Bernard, CRISC, CGEIT, CISM, CISSP, CISA, ISO 27001 Lead Auditor