The document provides an overview of 12 privacy frameworks that can be used to develop comprehensive privacy programs. It describes each framework, including its organization, cost, and key benefits. The top frameworks are ISO 29100, ISO 27701, the ICO Accountability Framework, and the TrustArc-Nymity Framework. They provide standards, guidelines and best practices for building privacy into products and governance. The document aims to help privacy professionals select the most appropriate framework for their needs without needing to reinvent existing approaches.
Just created a slideshare presentation giving a basic introduction to ISO27001 and its Scope, Implementation & Application. You can see more slideshows on http://www.slideshare.net/ImranahmedIT or visit my website: http://imran-ahmed.co.uk
The ISO27001 standard was revised and a new version was published in 2013. ISO27001 is also becoming a more common information security standard among service providers. This presentation focuses on the recent changes in the 2013 version and also on the process for implementing and getting certified to ISO27001.
Following are the key objectives of this presentation:
Provide an introduction to ISO27001 and changes in 2013 version
Discuss the implementation approach for an Information Security Management System (ISMS) framework
Familiarize the audience with some common challenges in implementation
Due to the dramatic increase in threats worldwide, companies need to find ways to increase their information security. One solution is to implement ISO/IEC 27001 in order to protect information both internally and externally.
Main points that will be covered are:
• The scope of ISO 27001 & associated other standards references
• Information Security and ISIM Terminologies
• ISIM auditing principles
• Managing audit program & audit activities
Presenter:
Eng. Kefah El-Ghobbas is a specialist in ‘Business Process Excellence’ through ‘Business Process Re-engineering’ with over 20 years of experience.
Link to the recorded session published on YouTube: https://youtu.be/rTxA8PVULUs
ISO 27001:2013 is the international standard that provides a framework for Information Security Management Systems (ISMS) to provide continued confidentiality, integrity and availability of information as well as legal compliance.
ISO 27001 certification is essential for protecting your most vital assets like employee and client information, brand image and other private information. The ISO standard includes a process-based approach to initiating, implementing, operating and maintaining your ISMS.
This implementation guide will help you run through the benefits, PDCA Cycle and Annex SL structure in detail for implementing ISO 27001.
Find out more or get a quote for certification here – https://www.nqa.com/en-gb/certification/standards/iso-27001
ISO/IEC 27001 Foundation training course by interprom (Mart Rovers)
What is involved with the ISO/IEC 27001 Foundation certification training course? Learn about the course curriculum, target audience, duration, formats, exam, fees and much more.
George, Tony, Michael - PECB Webinar 27701 Data Protection Risk Management V1... (PECB)
ISO/IEC 27701, Data Protection, and Risk Management: How do they map?
Risk management has become a very important feature when it comes to data protection and information security. Due to the criticality of data that is processed on a daily basis, risk management is highly needed to ensure that individuals’ rights are protected.
Amongst others, the webinar covers:
• Privacy, Data Protection, and Risk Management Definitions
• Privacy, Data Protection, and Risk Management Inter-relationship
• Risk Management – Real world example
• Data Protection – How would it apply to the example?
Presenters:
Anthony English
One of the top cybersecurity professionals in Atlantic Canada with extensive Canadian and International experience in cybersecurity covering risk assessment, management, mitigation, security testing, business continuity, information security management systems, architecture security reviews, project security, security awareness, lectures, presentations and standards-based compliance.
George Usi
George Usi is the CEO of Omnistruct Inc, a GaaS (cyber Governance as a Service) company with a vision to be the safety airbag of cyber risk and compliance.
After more than twenty-five years in internet open standards, networking, and security, George recognized that getting hacked in an Internet-delivered world was a matter of when. He also recognized that cyber laws with the potential of steep fines for business leaders who neglect to illustrate cyber security diligence would evolve with more aggressive sanctions in arrears of hacker success. So, he ideated a goal to eliminate cyber risk and set a mission for Omnistruct to be the “safety airbag” of cyber compliance. With a continuous audit and documentation approach, business owners can protect consumer privacy rights when they ideate, illustrate, and continuously measure their cyber posture using a new US guideline in cyber risk developed by NIST.
George attended California State University Chico, is a graduate of California State University Sacramento and a graduate of the Stanford Latino Executive Initiative (SLEI-ed) and Latino Business Action Network (LBAN) Graduate School of Business certificate program.
Michael Bastiani
Michael is a freelancer with his company Risk-BASE, available for roles as (but not limited to) risk manager, project manager, and consultant. With years of experience in the railway industry, Michael has experience in operational technology, automation, maintenance, IT, strategy, and safety. With his background as an engineer at TU Delft, one can always count on Michael to bring an innovative perspective to the table.
Date: July 20, 2022
Privacy Trends: Key practical steps on ISO/IEC 27701:2019 implementation (PECB)
In this session, we will go through ISO/IEC 27701 and ISO/IEC 27001 key practical implementation steps and how they can help you to be compliant with the GDPR.
Our presenters, Peter Geelen and Stefan Mathuvis, will guide you through the implementer tasks with practical hints and tips and show you how an auditor will look at your implementation, searching for evidence and compliance.
In addition, we will match the ISO/IEC 27(7)01 requirements to complete the GDPR obligations as far as possible.
The topics range from executive management to privacy policies, handling notifications, setting up awareness programs, controlling user access requests, vendor management, incident management (data breaches) and continuous updates.
The webinar will cover:
• Quick recap on general ISO components and approach
• Implementing ISO/IEC 27001 with the ISO/IEC 27701 extension for GDPR compliance
• Do's and don’ts for implementation and audit
• The importance of evidence in the audit
• Managing audit expectations and the never-ending audit cycle
Recorded webinar: https://youtu.be/HL-VUiCj4Ew
How to implement an information security management system (ISMS; in Italian, SGSI) compliant with ISO 27001 that makes it possible to manage the security of all corporate information, not only personal data, in order to protect corporate information from the risks it may face and to organize and control the data and the systems that manage them.
ISO/IEC 27701, GDPR, and ePrivacy: How Do They Map? (PECB)
Due to an increase in the collection of consumer data, high-profile data breaches have become common.
Currently, there are 128 countries all over the world that have already put in place regulations to secure the protection of data and privacy.
The webinar covers:
Data protection, a global development
Introduction to the GDPR, ePrivacy & ISO/IEC 27701
GDPR & ISO/IEC 27701 mapping
ePrivacy & ISO/IEC 27701 mapping
Recorded Webinar: https://youtu.be/oVhIoHAGGwk
Find out more about ISO training and certification services
Training: https://pecb.com/whitepaper/iso-27001-information-technology--security-techniques-information-security--management-systems---requirements
https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27701
Webinars: https://pecb.com/webinars
Articles: https://pecb.com/article
Whitepapers: https://pecb.com/whitepaper
-------------------------------------------------------------------------------
For more information about PECB:
Website: https://pecb.com/
LinkedIn: https://www.linkedin.com/company/pecb/
Facebook: https://www.facebook.com/PECBInternational/
Slideshare: http://www.slideshare.net/PECBCERTIFICATION
ISO/IEC 27001 is the main standard that aims to enhance an organization’s information security.
Amongst others, the webinar covers:
• ISO/IEC 27001 & ISO/IEC 27002, catching up with history
• Quick recap on the ISO/IEC 27002:2022
• From ISO/IEC 27002 to the ISO/IEC 27001 updates
• Some considerations & consequences of the update
• What's up next with ISO/IEC 27001, in practice?
Presenters:
Peter Geelen
Peter Geelen is the director and managing consultant at CyberMinute and owner of Quest for Security, Belgium. Over more than 20 years, Peter has built strong experience in enterprise security & architecture and Identity & Access Management, but also privacy, information & data protection, and cyber and cloud security. In the last few years, his focus has been on ISO/IEC 27001 and other ISO certification mechanisms. Peter is an accredited Lead Auditor for ISO/IEC 27001 and ISO 9001, a PECB Trainer and a Fellow in Privacy. Committed to continuous learning, Peter holds renowned security certificates including certified ISO/IEC 27701 lead implementer and lead auditor, ISO/IEC 27001 Master, Sr. Lead Cybersecurity Manager, ISO/IEC 27002 lead manager, cDPO, Risk Management, Lead Incident Manager, Disaster Recovery, and many more.
Stefan Mathuvis
Stefan Mathuvis is owner & senior consultant at Quality Management & Auditing BV, Zonhoven, Belgium. With over 20 years of experience, Stefan has built strong experience in quality management systems, information security management systems, GDPR, data privacy & data protection. Stefan is an accredited ISO/IEC 27001 Lead Auditor and operates as a third-party auditor for DQS Belgium. Dividing his time between consultancy, training & third-party auditing on an international scale, Stefan remains in touch with the issues of today, allowing him to assist clients in their needs for information security and data privacy.
Date: November 9, 2022
-------------------------------------------------------------------------------
Find out more about ISO training and certification services
Training: https://pecb.com/whitepaper/isoiec-270022022--information-security-cybersecurity-and-privacy-protection
https://pecb.com/article/isoiec-27001---what-are-the-main-changes-in-2022
https://pecb.com/article/investing-in-information-security-awareness
Webinars: https://pecb.com/webinars
Article: https://pecb.com/article
Whitepaper: https://pecb.com/whitepaper
The security of information systems and business-critical information needs constant managing to ensure your operational continuity and data protection. ISO 27001 Information Security Management Systems certification allows you to stand out from the competition through strong information security measurement.
As a follow-up to the previous session (4th of December), we run through the GDPR part of the ISO/IEC 27701 standard, which was published in August 2019.
We'll take it from another angle and use the ISO/IEC 27701 as a guide to complete the checklist for the GDPR implementation.
Also, with the help of the (new) PECB ISO/IEC 27701 lead auditor course, we'll have an auditor's look at the ISO certification and compliance. It's important to see how it works, to make sure your GDPR implementation can withstand the increasing demand for maturity from customers, subjects and data protection authorities that start to exercise their rights.
ISO/IEC 27701 contains important requirements and implementation guidance for implementing a PIMS (Privacy Information Management System), which will set the baseline for the future of privacy and data protection.
The webinar covers:
- The GDPR view of the ISO/IEC 27701
- Mapping the GDPR to-do and the ISO/IEC 27701 to-do list.
- The ISO/IEC 27701 auditor mindset
- Compliance AND/OR/XOR solid data protection?
- Status of GDPR certification
Date: December 04, 2019
Recorded Webinar: https://www.youtube.com/watch?v=P80So3ryvJ8&feature=youtu.be
In this article I will provide an overview of the new Information Security Management System standard ISO/IEC 27001:2013, which was published just a few days earlier.
ISO/IEC 27001:2013 provides requirements for establishing, implementing, maintaining and continually improving an Information Security Management System.
ISO/IEC 27001:2013 gives an organization a perfect information security management framework for implementing and maintaining security.
In this article, I tried to shed some light on the new standard and its mandatory requirements, optional requirements, structure, benefits, certification process and estimated time for implementation and certification.
CHAPTER 6
INFORMATION GOVERNANCE
Information Governance Policy Development
ITS 833
Dr. Mia Simmons
Chapter Overview
■ This chapter will cover pages 71-94 in your book.
■ This chapter will cover how to develop an Information Governance Policy.
– Inform and frame the policy with internal and external frameworks, models, best practices, and standards—those that apply to your organization and the scope of its planned IG program.
Review of Record Keeping
■ Chapter 3 - ARMA International’s eight Generally Accepted Recordkeeping Principles
1. Accountability
2. Transparency
3. Integrity
4. Protection
5. Compliance
6. Availability
7. Retention
8. Disposition
IG Reference Model
■ Outer Ring
– An understanding of the business imperatives of the enterprise,
– Knowledge of the appropriate tools and infrastructure for managing information, and
– Sensitivity to the legal and regulatory obligations with which the enterprise must comply
For any piece of information you hope to manage, the primary stakeholder is the business user of that information.
■ Center
– Life-cycle or Work-Flow - information management is important at all stages of the information life cycle—from its creation through its ultimate disposition.
Best Practice Considerations
■ IG best practices are evolving and expanding, so they should also be considered in policy formulation.
■ The 25 best practices reviewed in Chapter 5:
1. IG is a key underpinning for a successful ERM program.
2. IG is not a project but rather an ongoing program.
3. .
4. .
5. .
6. .
24. Some digital information assets must be preserved permanently as part of an organization’s documentary heritage.
25. Executive sponsorship is crucial.
Standards Consideration
■ Two types of standards should be included in policy:
1. De jure (“the law”)
■ Published by recognized standards-setting bodies, such as the International Organization for Standardization (ISO), American National Standards Institute (ANSI), National Institute of Standards and Technology (NIST—this is how most people refer to it, as they do not know what the acronym stands for), British Standards Institute (BSI), Standards Council of Canada, and Standards Australia.
2. De facto (“the fact”)
■ Not formal standards, but regarded by many as if they were. They may arise through popular use (e.g., Windows at the business desktop in the 2001–2010 decade) or may be published by other bodies, such as the U.S. National Archives and Records Administration (NARA) or the Department of Defense (DoD) for the U.S. military sector.
Benefits and Risks of Standards
■ Quality assurance support. If a product meets a standard, you can be confident of a certain level of quality.
■ Interoperability support. Some standards are detailed and mature enough to allow for system interoperability between different vendor platforms.
■ Implementation frameworks a.
CHAPTER GOALS AND OBJECTIVES
Know the 8 Generally Accepted Recordkeeping Principles®
What is the IG Reference Model?
What does the IGRM Diagram consist of?
What are the best practice considerations?
What are the benefits and risks of having standards?
What are the key standards relevant to IG
A Review of the 8 Generally Accepted Recordkeeping Principles®
1. Accountability
2. Transparency
3. Integrity
4. Protection
5. Compliance
6. Availability
7. Retention
8. Disposition
So…what is the significance of these principles?
IG REFERENCE MODEL
➢ Who?
➢ ARMA International & CGOC
➢ When?
➢ 2012
➢ Where?
➢ As part of the EDRM Project Version 3.0
➢ Why?
➢ To foster the adoption by facilitating
communication and collaboration between
IG stakeholder functions, legal, records
management, risk management, and business
unit stakeholders.
HOW TO INTERPRET THE IGRM DIAGRAM
Outer Ring: A complex set of interoperable processes, and the
procedures and structural elements that put them into practice
➢ Requirements:
➢ Understanding of business imperatives
➢ Knowledge of appropriate tools and infrastructure
➢ Sensitivity to legal and regulatory obligations
Inner Ring: Depicts a work-flow (life-cycle) diagram.
Shows that information management is important at
all stages of the lifecycle
How the IGRM Diagram relates to the
Generally Accepted Recordkeeping Principles®
➢ Supports the ARMA Principles by identifying the cross-functional groups of IG
stakeholders
➢ Depicts the intersecting objectives of the organization
➢ Depicts the relationship between duty, value and information assets
➢ Used by proactive organizations as an introspective lens to facilitate visualization,
understanding and discussion concerning how to apply the “Principles” to the
organization.
➢ Puts focus on the “Principles”
➢ Provides essential context for the maturity model
Considerations in IG Policy Formation
➢ Best Practices?
➢ YES!
➢ Understand that Best
Practices will vary per
organization
➢ Review 25 generic Best
Practices, Pages 75 and 76
of text book
➢ Standards?
➢ YES!
➢ Two types to consider
➢ De Jure Standards - Legal standards published by
standards-setting bodies such as ISO, ANSI, NIST, BSI and
others
➢ De Facto Standards – Informal standards regarded by
many as actual standards – arising through popular use
(Example: Windows in the business world in 2001-2010).
May be published by formal standards setting bodies
without having “Formal” status
Benefits and Risks of Standards
Benefits
➢ Quality Assurance Support
➢ Interoperability Support
➢ I ...
A framework is a basic conceptual structure used to solve or address complex issues.
Regulation: Rules or laws defined and enforced by an authority to regulate conduct (ISACA). Example: GDPR.
Standard: A mandatory requirement, code of practice or specification approved by a recognized external standards organization, such as ISO (ISACA). Examples: ISO 27701, BS 10012, ISO 29100.
Guideline: Non-mandatory information leading to a compliant solution for the related requirement (ISO, ISACA). Example: NOREA Guide.
All of them can be used as frameworks!
My TOP 12:
1. ISO 29100
2. ISO 27701
3. ICO Accountability Framework
4. TrustArc - Nymity Framework
5. MITRE Privacy Maturity Model
6. NIST Privacy Framework
7. AICPA Privacy Management Framework
8. NDMO Data Management and Personal Data Protection Standards
9. NOREA Privacy Control Framework
10. PDPC Guide to Developing a Data Protection Management Programme
11. Standard Data Protection Model (SDM)
12. SCF Privacy Management Principles (SCF-PMP)
1. ISO 29100
ISO/IEC 29100:2011 Information technology — Security techniques — Privacy framework
This standard was last reviewed and confirmed in 2017.
ISO/IEC 29100:2011 provides a privacy framework which:
• specifies a common privacy terminology;
• defines the actors and their roles in processing personally identifiable information (PII);
• describes privacy safeguarding considerations; and
• provides references to known privacy principles for information technology.
ISO 29100 is applicable to natural persons and organizations involved in specifying, procuring, architecting, designing, developing, testing, maintaining, administering, and operating information and communication technology systems or services where privacy controls are required for the processing of PII.
• Organisation: ISO
• Cost: CHF 124 ($140)
2. ISO 27701
ISO/IEC 27701:2019 Security techniques — Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management — Requirements and guidelines
This document specifies requirements and provides guidance for establishing, implementing, maintaining and continually improving a Privacy Information Management System (PIMS) in the form of an extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy management within the context of the organization.
This document specifies PIMS-related requirements and provides guidance for PII controllers and PII processors holding responsibility and accountability for PII processing.
This document is applicable to all types and sizes of organizations, including public and private companies, government entities and not-for-profit organizations, which are PII controllers and/or PII processors processing PII within an ISMS.
• Organisation: ISO
• Cost: CHF 187 ($210)
3. ICO Accountability Framework
Accountability is one of the key principles in data protection law: it makes you responsible for complying with the legislation and says that you must be able to demonstrate your compliance.
The framework is an opportunity for you to assess your organisation’s accountability. Depending on your circumstances, you may use it in different ways. For example, you may want to:
• create a comprehensive privacy management programme;
• check your existing practices against the ICO’s expectations;
• consider whether you could improve existing practices, perhaps in specific areas;
• understand ways to demonstrate compliance;
• record, track and report on progress;
• or increase senior management engagement and privacy awareness across your organisation.
• Organisation: ICO (UK)
• Free
The framework is divided into 10 categories. Selecting a category will display the ICO’s key expectations and a bullet-pointed list of ways you can meet those expectations.
1. Leadership and oversight
2. Policies and procedures
3. Training and awareness
4. Individuals’ rights
5. Transparency
6. Records of processing and lawful basis
7. Contracts and data sharing
8. Risks and data protection impact assessments (DPIAs)
9. Records management and security
10. Breach response and monitoring
4. TrustArc - Nymity Framework
The TrustArc-Nymity integrated Privacy and Data Governance Accountability Frameworks combine and align privacy and data governance controls with privacy management activities across the privacy program lifecycle to help organizations effectively achieve these goals and continuously improve upon them over time.
A framework-based approach can be implemented at any stage of a privacy program.
• Organisation: TrustArc / Nymity
• Free
The Framework consists of:
• The Core: The three pillars of Build, Implement, and Demonstrate
• Standards and Controls: The 16 Standards and 55 Framework Controls
• Privacy Management Categories and Activities: The 13 Privacy Management Categories and 139 Privacy Management Activities organized under the Core three pillars
• Framework Mapping to Popular Laws: The Framework is mapped to several popular laws, regulations, and other standards
5. MITRE Privacy Maturity Model
Framework for developing, implementing, maintaining, and evaluating privacy programs. Privacy programs must be comprehensive enough to address all requirements established by authoritative sources (e.g., laws, regulations, guidance), and must be supported by written policies, appropriate training, ongoing practices, and appropriate assessment.
This model may be used to assess both completeness (whether an organization has identified and implemented all elements of a privacy program) and maturity level (an evaluation of to what degree practices supporting each element are effective in achieving their intended purpose).
It was developed based not only on comprehensive research of relevant laws and guidance, but on practices that have been assessed as effective in many organizations.
It is a part of MITRE’s Privacy Engineering Tools:
https://www.mitre.org/news-insights/publication/mitres-privacy-engineering-tools-and-their-use-privacy-assessment
• Organisation: MITRE
• Free
6. NIST Privacy Framework
The NIST Privacy Framework is a voluntary tool developed in collaboration with stakeholders intended to help organizations identify and manage privacy risk to build innovative products and services while protecting individuals’ privacy.
NIST is developing the framework to help organizations with:
• Building customer trust by supporting ethical decision-making in product and service design or deployment that optimizes beneficial uses of data while minimizing adverse consequences for individuals’ privacy and society as a whole;
• Fulfilling current compliance obligations, as well as future-proofing products and services to meet these obligations in a changing technological and policy environment; and
• Facilitating communication about privacy practices with customers, assessors, and regulators.
• Organisation: NIST
• Free
7. AICPA Privacy Management Framework
The Privacy Management Framework (PMF) can be used as a foundational element in establishing and operating a comprehensive information privacy program that addresses privacy obligations and risks while facilitating current and future business opportunities.
• Organisation: AICPA
• For Members Only
8. NDMO Standards
The National Data Management and Personal Data Protection Standards document covers 15 Data Management and Personal Data Protection domains. To support the development of the Data Management and Personal Data Protection standards, a set of international references, internal relevant policies and regulations, and guiding principles were defined.
Government Entities (KSA) must implement the standards, and compliance will be measured yearly to monitor progress and drive efforts towards a successful implementation.
• Organisation: National Data Management Office (Saudi Arabia)
• Free
9. NOREA Privacy Control Framework
This guide (in Dutch “Handreiking”) is issued by NOREA, the professional association of IT auditors in the Netherlands, and was developed to guide Dutch chartered IT-auditors in issuing assurance reports in alignment with the European General Data Protection Regulation (GDPR) and the relevant standards on assurance engagements.
• Organisation: NOREA (Netherlands)
• Free
The PCF contains 95 controls in total, divided over 32 subjects in 9 Lifecycle Management phases.
10. PDPC Guide
Guide to Developing a Data Protection Management Programme
This guide seeks to help organisations develop or improve their personal data protection policies and practices through the implementation of a Data Protection Management Programme (DPMP). Organisations may benchmark their existing personal data protection policies and practices against this guide.
• Organisation: PDPC (Singapore)
• Free
11. Standard Data Protection Model (SDM)
The Standard Data Protection Model (SDM): A method for Data Protection advising and controlling on the basis of uniform protection goals
The SDM provides appropriate measures to transform the regulatory requirements of the GDPR into qualified technical and organisational measures.
The SDM's catalogue of reference measures can be used to check, for each individual processing, whether the legally required ‘target’ set of measures corresponds to the existing ‘actual’ set of measures.
• Provider: Conference of the Independent Data Protection Supervisory Authorities of the Federation and the Länder (Germany)
• Free
12. SCF Privacy Management Principles (SCF-PMP)
The Secure Controls Framework™ (SCF) focuses on internal controls.
The SCF is a metaframework, that is, a framework of frameworks.
• Organisation: SCF
• Free
One more thing: CNIL DPO Guide
The objective of this guide is to support both organisations in setting up the function of Data Protection Officer (DPO) and such officers in the exercise of their profession.
This guide is a living tool which will be enriched by best practices reported by professionals to the French Data Protection Authority (CNIL).
• Organisation: CNIL (France)
• Free
[Concept] Mapping: An indication that one concept is related to another concept (NIST).
Mapping
The main question: How does conforming to one framework help the organization conform to another framework?
Five Important Assumptions for the Mapping:
1. The intended users of the mapping
2. Why someone would want to use this mapping
3. The types of concepts to be mapped
4. The direction of the mapping
5. How exhaustive the mapping will be
Framework: Why do I like it?
1. ISO 29100: Simple, Privacy Principles, Aligned with the ISO Standards
2. ISO 27701: Integrated with the ISMS (ISO 27001), Well-known international standard, Good Structure, Certification, Mapping to GDPR
3. ICO Accountability Framework: Recommendations from the Supervisory Authority (SA), Good Structure, Case studies, Additional resources (self-assessment and tracker), GDPR, Free
4. TrustArc-Nymity Framework: Simple, Good Structure, Free
5. MITRE Privacy Maturity Model: Good Structure (Elements of a Privacy Program), Maturity Levels, Checklist, Additional Resources, Free
6. NIST Privacy Framework: Aligned with NIST CSF (cybersecurity), Tiers 1-4 (Partial, Risk Informed, Repeatable, Adaptive), Free
7. AICPA Privacy Management Framework: Simple, Good Structure, Mapping to GDPR, Free (for members)
8. NDMO Standards: Recommendations from the SA, Data Management Guiding Principles, Set of controls, Control description, Aligned with DAMA DMBoK, Free
9. NOREA Privacy Control Framework: Focus on Audits, Good Structure, Set of controls, GDPR, Mapping to GDPR, Mapping to ISO 27001, ISO 27701 and ISO 29100, Free
10. PDPC Guide: Recommendations from the SA, Simple, Examples and Checklists, Training and Communication Initiatives, Data Inventory Map, Free
11. Standard Data Protection Model (SDM): Recommendations from the SA, Protection goals, Data Life Cycle, SDM cube, Risks, PDCA, Integrations with BSI Grundschutz, GDPR, Mapping to GDPR, Free
12. SCF-PMP: Metaframework, Good Structure, Mapping to many frameworks, Free
1. ISO 29100: www.iso.org/standard/45123.html
2. ISO 27701: www.iso.org/standard/71670.html
3. ICO Accountability Framework: www.ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/accountability-and-governance/accountability-framework
4. TrustArc - Nymity Framework: www.trustarc.com/trustarc-privacy-data-governance-accountability-framework
5. MITRE Privacy Maturity Model: www.mitre.org/news-insights/publication/mitres-privacy-engineering-tools-and-their-use-privacy-assessment
6. NIST Privacy Framework: www.nist.gov/privacy-framework
7. AICPA Privacy Management Framework: www.us.aicpa.org/interestareas/informationtechnology/privacy-management-framework
8. NDMO Standards: www.sdaia.gov.sa/en/SDAIA/about/Documents/PoliciesEN.pdf
9. NOREA Privacy Control Framework: www.norea.nl/uploads/bfile/bb6ebde8-a436-43d0-b3df-ceef7a50556c
10. PDPC Guide: www.pdpc.gov.sg/help-and-resources/2019/07/guide-to-developing-a-data-protection-management-programme
11. Standard Data Protection Model (SDM): www.datenschutz-mv.de/datenschutz/datenschutzmodell
12. SCF-PMP: www.securecontrolsframework.com
CNIL DPO Guide: www.cnil.fr/en/cnil-publishes-guide-dpos
All Privacy Standards and Frameworks: www.patreon.com/posts/best-privacy-and-85140462
Thanks, and good luck!
May the Privacy Frameworks Force be with you!
www.linkedin.com/in/andreyprozorov
www.patreon.com/AndreyProzorov