CyberSecurity Privacy Impact Assessment workflow


This information has been shared freely by Mark E.S. Bernard. If you find it useful please acknowledge this contribution. If you would like additional information or assistance with the customization and implementation of a balanced risk management process for your security program then please contact Mark @ 604-349-6557 or mesbernard@gmail.com.

The Privacy Impact Assessment (PIA) is a compliance risk tool based on the COSO Enterprise Risk Management framework definitions and categorizations of risk. Before initiating the PIA it is advisable to have previously facilitated an assessment of all information assets in scope to fully understand the purpose and focus of the PIA. It is also important to understand the purpose and implied usage of the personal information, as technically one PIA should be created for every instance of personal information. The PIA is considered to be a living document that will be revised as changes occur to the security of systems and applications handling private information. During the course of the PIA, 10 questions will be answered, each addressing one of the 10 principles of data protection and privacy legislation. One of the 10 questions will branch off into the threat-risk assessment (TRA), which is a separate process that can be facilitated in parallel with the PIA.

Workflow (the slide's flowchart, rendered here as its sequence of process steps and decision points; flowchart symbol legend on the slide: Decision, Document, Data, Manual input, Preparation, Process):

1. Decision: The Security Office meets with a Product Manager to review a new implementation or a change in an existing technology, system, application or process and determines if a PIA is required.
2. Decision: Is this a new PIA or a revision to an existing PIA? For a revision, the Security Office updates the revision table, turns on tracked changes and updates the document version, and a new version is prepared.
3. Process: The Security Office assembles Subject Matter Experts (SMEs) to review details and begins to develop the PIA.
4. Process: The Security Office and SMEs develop the initial PIA.
5. Decision: The Security Office determines if the PIA is ready for Engineering Team review. NO loops back to development; YES proceeds.
6. Process: The Security Office distributes the PIA to the Engineering Team for review.
7. Process: The Engineering Team reviews the PIA and makes revisions as practical and necessary.
8. Process: If a material change is suspected, the Security Office will consult with General Counsel.
9. Decision: The Security Office and Engineering Team review team determine if the PIA is ready for submission to the System Owner. NO loops back to revision; YES continues beyond this slide at connectors A and B.
