From Privacy Engineering by Nishant Bhajaria

In order to identify privacy risks, you will want to look at your infrastructure and systems as individual units as well as how they interact collectively. Just as engineers need to perform unit testing and integration testing prior to code deployment, privacy engineers need to look at the entire business through a similar inside-out lens.

Given the decentralized nature of modern engineering, privacy risk identification requires several component activities. These are not activities that you can turn on and off rapidly. Additionally, it may take a while for their impact to be felt. That is why it is helpful to examine the three levels of maturity and plan your evolution accordingly. We will now look at these in turn.

Asset Management

Given that your IT infrastructure will serve either as a pipe for transfers or as a container for data storage, asset management is critical to identifying privacy risks. In particular, you will need to track the status and ownership of any assets that affect your data. This matters because you can then apply the data privacy techniques covered throughout this book to those assets in order of their priority.

TABLE 1 below provides an example of the sorts of activities you will need to perform under the aegis of asset management and how your execution must evolve for maturity.

Table 1.  Asset Management Maturity Evolution

Foundational:
  • Scope focuses on tracking and cataloging assets
  • There is an informal list of business processes and information assets (for example: data, physical devices and software)
  • Engineers have an intuitive albeit undocumented understanding of which systems contain which information
  • Classification criteria for information assets are defined and reviewed
  • Information assets are at least partially mapped to technical systems
  • Some workflows and data flows are occasionally mapped as needed, such as in response to inappropriate access of customer data by employees
  • KPIs are tracked at the team level.

Mature:
  • Scope focuses on tracking, cataloging, and prioritization
  • There is a complete database of all business processes and information assets; assets are defined at a business rather than technical level
  • Assets are tagged to indicate ownership, data sensitivity and business criticality
  • Asset inventory includes the entire digital footprint (for example: printers, IP phones, public cloud, etc.)
  • A majority of 3rd party information systems are catalogued and prioritized based on the company’s internal risk appetite
  • The most privacy-sensitive assets are mapped to business risk to facilitate analysis and prioritization.
  • KPIs are tracked organizationally.

Advanced:
  • Scope focuses on automation and orchestration improvement
  • The process of discovering and cataloging assets is automated with minimal errors.
  • Asset inventory lists business value, privacy risk and associated owners; assets are defined at a business rather than technical level to drive mitigation strategy
  • All 3rd party systems are catalogued and regularly refreshed to reflect external updates and are prioritized based on the company’s risk appetite.
  • There is a dollar value assigned to each business process and asset to determine the impact and likelihood of privacy harm.
  • KPIs are tracked and updated at all levels.

For TABLE 1 above as well as for subsequent tables, the following two points apply:

  • Each offering attains more maturity as you move from foundational to advanced. For example, the scope (the first entry at each level) under “Mature” requires that you prioritize cataloging of assets rather than just tracking them ad hoc, as companies are likely to do at the “Foundational” stage of relative immaturity.
  • Additionally, each entry assumes the work at the preceding maturity level is already accomplished.

Governance

Regardless of size, companies need a governance structure to help identify risks. This means having standards and guidelines that are used to monitor operations and flag risks. Table 2 below lists the activities you need to perform and how the maturity levels evolve.

Table 2.  Governance

Foundational:
  • Privacy policies and standards are documented and communicated to employees upon hire
  • Teams have an informal path to evaluate policy exceptions on a case-by-case basis
  • Privacy standards are defined for all risk areas, such as identity and access management and data encryption, but no clear enterprise standard needs to be in place
  • Each business function establishes its own privacy risk metrics and KPIs to measure its compliance

Mature:
  • Privacy policies and standards are communicated to employees upon hire and regularly thereafter through required awareness training
  • A committee comprised of data privacy specialists reviews the risks by applying policies and standards
  • Enterprise-wide privacy standards are in place in some but not all of the risk areas; for remaining risk areas foundational standards exist
  • The company maintains a central scorecard to measure privacy risk reduction using a complete set of KPIs

Advanced:
  • Privacy policies and standards are communicated to employees regularly; regular testing ensures that they understand applicability of standards to their roles
  • A committee comprised of data privacy specialists partners with businesses to review risks and build metrics around policies and standards.
  • Standard, comprehensive enterprise-wide privacy controls address privacy risks including architecture, endpoints, access management, change management, vendor management, etc.
  • Besides the central scorecard, the company maintains and updates privacy risk appetite thresholds for each business area

As you can see from TABLE 2 above, improved privacy governance can help detect privacy risks. At the foundational level, you see standards and policies that are vertical in nature, in that they apply to a specific business unit. A more mature governance offering creates companywide controls, while the advanced governance posture shows a more collaborative and iterative process.

The likelihood of timely risk identification grows as you move from foundational to advanced, but a caveat does apply: as your privacy governance capabilities grow, possibly so do new business units, mergers and cavalier behaviors among employees. Therefore, any maturity of your privacy governance is not to be seen as an absolute gain but as a moving target.

Risk Management

It is critical that businesses have mechanisms to manage assets and govern them to discover risks. However, another key vertical of the identification capability for privacy is risk management. Once risks are identified, businesses can end up at one of two extremes: they could either be overly tactical and miss out on efficiencies, or be overly strategic and get bogged down in analysis. Therefore, developing a maturity framework for risk management is vital, and TABLE 3 below lays out such a framework.

Table 3.  Risk Management

Foundational:
  • Privacy risk management strategy is based in part on input from threat and risk management teams. As such, the strategy leans into a more defensive mindset.
  • The strategy includes input from business and technology strategies but is developed separately.
  • Business leaders are consulted as part of cyber strategy development but do not provide formal review or sign-off
  • Business leaders may be consulted as part of privacy strategy development but do not provide formal review or sign-off
  • Multiple tools (e.g. project management, communication, collaboration) are used in the management of strategy development and execution

Mature:
  • Privacy risk management strategy is developed in close collaboration with business and technology stakeholders. As such, the strategy is dynamic and evolving.
  • The privacy risk management strategy is developed in close collaboration with business and technology stakeholders, but there is no formal sponsorship by those stakeholders.
  • Business leaders are consulted as part of cyber strategy development and provide formal review or sign-off
  • A unified set of tools (e.g. project management, communication, collaboration) is used in the management of strategy development and execution

Advanced:
  • Business leaders engage in risk evaluation and remediation trade-offs (backed up by KPIs and risk appetite mappings) as part of privacy strategy development
  • The privacy risk management strategy is developed in close collaboration with business and technology stakeholders, and there is a formal sponsorship by those stakeholders. The business stakeholders are accountable for the success of the strategy.
  • Business leaders are initiators of privacy risk management strategy and also provide formal review or sign-off
  • The privacy risk management strategy explained by the tools is routinely consulted before key business decisions.

As you can see from TABLE 3 above, the foundational risk management strategy is very team-specific. It is possible, even likely, that teams develop such strategies for themselves while being oblivious to dependencies and redundancies with other teams. There is a substantial evolution as we move to a more mature model, where there are more sustained partnerships with the business. There is a gentler evolution with the advanced model, where the business uses the privacy risk management strategy more proactively.

We have seen how a company can evolve in its identification and management of privacy risk. In the next subsection we will examine how a company can protect itself from such risks after having identified them.