Certified Banking Data Privacy Law and Regulation - Module 9.pptx
1.
American Security and Privacy, LLC Data Privacy Law and Regulation Certification
Data Privacy Law and Regulation Certification
Dr. Kevin F. Streff
Founder and Managing Partner
2.
Dr. Kevin Streff
◦ Testified to Congress several times on behalf of banking and cyber
◦ Author of a Data Privacy textbook
◦ Conducted training and education for examiners
◦ Done cybersecurity work in almost all states in the U.S. banking system for over 20 years
◦ Published in both banking and academic magazines and journals
◦ Regular speaker at banking conferences
◦ Leading technology, cyber, and privacy educator at Dakota State University and the ASP Academy™
3.
Dr. Streff is not an attorney and is not providing legal advice.
4.
Agenda
Module 1 Information Privacy Overview
Module 2 Information Privacy Harms
Module 3 GLBA
Module 4 GLBA - Reg P
Module 5 Federal and State Laws
Module 6 GDPR and International Laws
Module 7 CFPB 1033 Ruleset
Module 8 Data Breach Notification Laws
Module 9 Information Privacy Programs
5.
Module 9
AN INFORMATION PRIVACY PROGRAM
6.
Learning Objectives
• Understand Privacy Maturity Model
• Understand Linking Business Strategy to Privacy Program
• Understand Data Privacy Program Options
• Understand ASP Data Privacy Program
• Get into a defensible position
7.
SP-CMM Security & Privacy Maturity Model
• SP-CMM is an acronym for Security & Privacy Capability Maturity Model. Maintained by the Secure Controls Framework Council, this model helps organizations establish and evaluate their security and privacy controls.
8.
SP-CMM Security & Privacy Maturity Model
• At a high level, it has three primary objectives:
• Provide C-level executives with well-defined criteria for setting the expectations for an organization's cybersecurity and privacy program;
• Provide internal security teams with well-defined criteria for planning and implementing security practices; and
• Provide baseline criteria for organizations to evaluate third-party service providers.
Leading Privacy Frameworks
1. NIST Privacy Framework
2. OASIS Privacy Framework
3. APEC Privacy Framework
4. Nymity Privacy Management Accountability Framework
5. HITRUST Privacy Framework
6. STREFF Privacy Process
7. American Security and Privacy (ASP) Information Privacy Framework (IPP)
11.
NIST Privacy Framework
12.
Oasis Privacy Framework
• OASIS (Organization for the Advancement of Structured Information Standards) is an international open standards consortium that was founded under the name "SGML Open" in 1993.
• The consortium changed its name to "OASIS" in 1998 to reflect an expanded scope of technical work.
• Its Privacy Management Reference Model and Methodology Technical Committee (the OASIS PMRM TC) produced the PMRM to help business process engineers, IT analysts, architects, and developers implement privacy and security policies in their operations.
• PMRM fills the gap left by broad privacy policies: most policies describe fair information practices and principles but offer little guidance on how to operationalize or implement them.
13.
Oasis Privacy Framework
• PMRM includes two phases: Use Case and High-Level Analysis.
• The first phase scopes the Use Case with which the data is associated.
• This includes drafting a complete description of the environment, following the definitions of "business environment" or "application" established by the Stakeholders using the PMRM within a particular Use Case.
• The second phase is the analysis phase.
• This high-level analysis typically draws on Privacy Impact Assessments, previous privacy and security risk assessments, privacy maturity assessments, compliance reviews, and privacy audits.
• PMRM can be used to examine an entire business environment to develop Policies, Privacy Controls, Services and Functions, Mechanisms, or a Privacy Architecture.
14.
APEC Privacy Framework
1. Asia-Pacific framework
2. A set of principles and implementation guidelines created to establish effective privacy protections that avoid barriers to information flows and ensure continued trade and economic growth across the 21 member economies of the Asia-Pacific Economic Cooperation (APEC) region.
15.
Nymity Privacy Framework
1. Maintain Governance Structure
2. Maintain Personal Data Inventory and Data Transfer Mechanisms
3. Maintain Internal Data Privacy Policy
4. Embed Data Privacy into Operations
5. Maintain Training and Awareness Program
6. Manage Information Security
7. Manage Third Party Risk
8. Maintain Notices
9. Respond to Requests and Complaints from Individuals
10. Monitor for New Operational Policies
11. Maintain Data Privacy Breach Management Program
12. Monitor Data Handling Practices
13. Track External Criteria
16.
HITRUST Privacy Framework
• Founded in 2007, the Health Information Trust Alliance (HITRUST) was launched on the idea that information protection should be a core pillar of the broad adoption of health information systems.
• HITRUST brought together public- and private-sector healthcare professionals to develop a common risk and compliance management framework.
• In 2015, HITRUST announced that its security framework had been updated with privacy controls.
• According to HITRUST, over 84 percent of hospitals and health plans, as well as many other healthcare organizations and business associates, use the CSF, making it the most widely adopted security framework in the industry.
• CSF – the HITRUST Common Security Framework, which since the 2015 update also includes privacy controls
17.
HITRUST Privacy Framework
• The CSF contains 14 control categories, comprising 49 control objectives and 156 control specifications.
• The CSF control categories, each followed by its number of control objectives and control specifications, are:
◦ 0. Information Security Management Program (1, 1)
◦ 1. Access Control (7, 25)
◦ 2. Human Resources Security (4, 9)
◦ 3. Risk Management (1, 4)
◦ 4. Security Policy (1, 2)
◦ 5. Organization of Information Security (2, 11)
◦ 6. Compliance (3, 10)
◦ 7. Asset Management (2, 5)
◦ 8. Physical and Environmental Security (2, 13)
◦ 9. Communications and Operations Management (10, 32)
◦ 10. Information Systems Acquisition, Development, and Maintenance (6, 13)
◦ 11. Information Security Incident Management (2, 5)
◦ 12. Business Continuity Management (1, 5)
◦ 13. Privacy Practices (7, 21)
18.
Information Privacy Program Blueprint (diagram on the original slide; only its labels are recoverable here)
• Program domains: Data Mgmt, Consent Mgmt, Vendor Mgmt, DSAR Mgmt, Web Tracking & Cookie Mgmt, Privacy Program Mgmt, Privacy Engineering, Breach Notification, Awareness & Training Mgmt, User Mgmt, etc.
• Program activities: Assessments, Compliance Reporting, Remediation, Inventories
• Assessments: Privacy/PIA, Cookie Tracking, Website Tracking, Data Masking, Pseudonymity
• Audits: Privacy Audit, Consent Mgmt Audit, Id Mgmt Audit, Cookie Tracking Audit, Website Tracking Audit, Data Masking Audit, Pseudonymity Audit
• Remediation inputs: Assessment Changes, Compliance Recommendations, Exam Findings, Regulatory Changes, Legal Changes
• Reporting audiences and outputs: Board, Committees, Operations, Vendor, Examiner, Strategies/Budgets
• Inventories and documentation: Policies, Procedures, Standards, Guidelines, Plans, Audit/Test Results, Reports, SARS, Meeting Minutes, Committee Approvals, Previous Exams, Awareness/Training Materials, Vendor Reports, Network Diagram, Organizational Chart, Process Flows, Incident Reports, Data Flows, Training Logs, Memos, DSARs, ROPAs, Data Mappings, Functions, Processes, Documentation, Privacy Notices
19.
• Leverage an industry-recognized framework
• Work with management to ensure legal requirements are operationalized
• Work with the audit group to ensure they understand the legal requirements
20.
CONGRATULATIONS! YOU ARE READY FOR YOUR EXAM AND READY TO BECOME CERTIFIED IN DATA PRIVACY LAW AND REGULATION!!!
21.
Dr. Kevin Streff
American Security and Privacy, LLC
• Founder & Managing Partner
• www.americansecurityandprivacy.com
• Kevin.Streff@americansecurityandprivacy.com
• 605.270.4427
• www.drstreff.com
ASP ACADEMY™