The CIPM certification is comprised of two domains: Privacy Program Governance (I) and Privacy Program Operational Life Cycle (II).



Similar documents
Services Providers. Ivan Soto

Program Overview. CDP is a registered certification designed and administered by Identity Management Institute (IMI).

Certified Information Security Manager (CISM)

Information Security Program CHARTER

INITIAL APPROVAL DATE INITIAL EFFECTIVE DATE

COPYRIGHTED MATERIAL. Contents. Acknowledgments Introduction

Accountable Privacy Management in BC s Public Sector

CLOUD COMPUTING FOR SMALL- AND MEDIUM-SIZED ENTERPRISES:

State of Oregon. State of Oregon 1

(a) the kind of data and the harm that could result if any of those things should occur;

Cloud Computing. Introduction

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including:

Cloud Computing: Legal Risks and Best Practices

Third Party Security Requirements Policy

White Paper on Financial Institution Vendor Management

INFORMATION TECHNOLOGY SECURITY STANDARDS

FFIEC Cybersecurity Assessment Tool

Cybersecurity in the States 2012: Priorities, Issues and Trends

PRIVACY MANAGEMENT ACTIVITIES

University of Sunderland Business Assurance Information Security Policy

Copyright 2014 Nymity Inc. All Rights Reserved.

Information Security Policy. Document ID: 3809 Version: 1.0 Owner: Chief Security Officer, Security Services

Domain 1 The Process of Auditing Information Systems

Privacy Rules for Customer, Supplier and Business Partner Data. Directive 7.08 Protection of Personal Data

IT Governance Regulatory. P.K.Patel AGM, MoF

(Instructor-led; 3 Days)

Information Security Program Management Standard

SHARED ASSESSMENTS PROGRAM STANDARD INFORMATION GATHERING (SIG) QUESTIONNAIRE 2014 MAPPING TO OCC GUIDANCE ( ) ON THIRD PARTY RELATIONSHIPS

VENDOR MANAGEMENT. General Overview

IT Governance Charter

Privacy and Cloud Computing for Australian Government Agencies

ISO COMPLIANCE WITH OBSERVEIT

John Essner, CISO Office of Information Technology State of New Jersey

Privacy Management Program Toolkit Health Custodians Personal Health Information Act

From Information Management to Information Governance: The New Paradigm

Compliance Policy AGL Energy Limited

FINAL May Guideline on Security Systems for Safeguarding Customer Information

OVERVIEW. In all, this report makes recommendations in 14 areas, such as. Page iii

Cybersecurity The role of Internal Audit

A Best Practice Guide

HIPAA CRITICAL AREAS TECHNICAL SECURITY FOCUS FOR CLOUD DEPLOYMENT

Manage Compliance with External Requirements

micros MICROS Systems, Inc. Enterprise Information Security Policy (MEIP) August, 2013 Revision 8.0 MICROS Systems, Inc. Version 8.

The Use of Cloud Computing for the Storing and Accessing of Client Information: Some Practical and Ethical Considerations

ISO Controls and Objectives

Office 365 Data Processing Agreement with Model Clauses

Information Technology: This Year s Hot Issue - Cloud Computing

Outsourcing and third party access

CHAPTER Committee Substitute for Committee Substitute for Committee Substitute for House Bill No. 1033

Third Party Risk Management 12 April 2012

CITY UNIVERSITY OF HONG KONG

II. Compliance Examinations - Compliance Management System. Compliance Management System. Introduction. Board of Directors and Management Oversight

2014 Vendor Risk Management Benchmark Study

State of Minnesota. Enterprise Security Strategic Plan. Fiscal Years

Privacy Governance and Compliance Framework Accountability

Guideline for Roles & Responsibilities in Information Asset Management

Introduction to Data Security Breach Preparedness with Model Data Security Breach Preparedness Guide

A Flexible and Comprehensive Approach to a Cloud Compliance Program

Compliance Management Systems (CMS) Division of Depositor and Consumer Protection

Information Security Policies. Version 6.1

I. Introduction to Privacy: Common Principles and Approaches

Understanding SOC Reports for Effective Vendor Management. Jason T. Clinton January 26, 2016

Cloud Computing Contracts. October 11, 2012

Issue 1.0. UoG/ILS/IS 001. Information Security and Assurance Policy. Information Security and Compliance Manager

The Legal Pitfalls of Failing to Develop Secure Cloud Services

Health Sciences Compliance Plan

Guide for the Role and Responsibilities of an Information Security Officer Within State Government

SSAE 16 for Transportation & Logistics Companies. Chris Kradjan Kim Koch

Privacy Risk Assessments

Hans Bos Microsoft Nederland.

RISK AND COMPLIANCE COMMITTEE CHARTER

Microsoft s Compliance Framework for Online Services

NSW Government Digital Information Security Policy

Board of Directors and Management Oversight

MAJOR PROJECTS CONSTRUCTION SAFETY STANDARD HS-09 Revision 0

Vendor Risk Management Financial Organizations

INCIDENT RESPONSE CHECKLIST

KLC Consulting, Inc. All Rights Reserved. 1 THIRD PARTY (VENDOR) SECURITY RISK MANAGEMENT

IT Privacy Certification Outline of the Body of Knowledge (BOK) for the Certified Information Privacy Technologist (CIPT)

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES

Privacy Impact Assessment Of the. Office of Inspector General Information Technology Infrastructure Systems

How To Manage Information Security At A University

Virginia Commonwealth University School of Medicine Information Security Standard

Managing Cyber Risk through Insurance

Credit Union Liability with Third-Party Processors

UTech Services Compliance, Auditing, Risk, and Security (CARS) Team Charter

CLASSIFICATION SPECIFICATION FORM

Developing the Corporate Security Architecture. Alex Woda July 22, 2009

Information Security Program

IAPP Global Privacy Summit Protecting Privacy Under the Cybersecurity Microscope

Electronic Health Record Privacy Policies

Cybersecurity Framework Security Policy Mapping Table

A new paradigm for EHS information systems: The business case for moving to a managed services solution

HITRUST CSF Assurance Program You Need a HITRUST CSF Assessment Now What?

Transcription:

Page 1 of 7 The CIPM certification is comprised of two domains: Privacy Program Governance (I) and Privacy Program Operational Life Cycle (II). Domain I provides a solid foundation for the governance of a privacy program and defines how the privacy program may be developed, measured and improved. Domain II details the management and operations of the privacy program governance model within the context of the organization s privacy strategy. The Privacy Program Operational Life Cycle domain is built upon a common industry-accepted framework of: Assessing or analyzing an organization s privacy regime; Protecting information assets through the implementation of industry-leading privacy and security controls and technology; Sustaining the privacy program through communication, training and management actions; and Responding to privacy incidents. I. Privacy Program Governance A. Organization Level a. Create a company vision i. Acquire knowledge on privacy approaches ii. Evaluate the intended objective iii. Gain executive sponsor approval for this vision b. Establish a privacy program i. Define program scope and charter ii. Identify the source, types, and uses of personal information (PI) within the organization and the applicable laws iii. Develop a privacy strategy 1. Business alignment a. Finalize the operational business case for privacy b. Identify stakeholders c. Leverage key functions d. Create a process for interfacing within organization e. Align organizational culture and privacy/data protection objectives f. Obtain funding/budget for privacy and the privacy team

Page 2 of 7 2. Develop a data governance strategy for personal information (collection, authorized use, access, destruction) 3. Plan inquiry/complaint handling procedures (customers, regulators, etc.) c. Structure the privacy team i. Governance models 1. Centralized 2. Distributed 3. Hybrid ii. Establish the organizational model, responsibilities and reporting structure appropriate to the size of the organization 1. Large organizations a. Chief privacy officer b. Privacy manager c. Privacy analysts d. Business line privacy leaders e. First responders 2. Small organizations/sole data protection officer (DPO) including when not only job iii. Designate a point of contact for privacy issues iv. Establish/endorse the measurement of professional competency B. Develop the Privacy Program Framework a. Develop organizational privacy policies, standards and/or guidelines b. Define privacy program activities i. Education and awareness ii. Monitoring and responding to the regulatory environment iii. Internal policy compliance iv. Data inventories, data flows, and classification v. Risk assessment (Privacy Impact Assessments [PIAs], etc.) vi. Incident response and process, including jurisdictional regulations vii. Remediation viii. Program assurance, including audits C. Implement the Privacy Policy Framework a. Communicate the framework to internal and external stakeholders b. Ensure continuous alignment to applicable laws and regulations to support the development of an organizational privacy program framework i. Understand applicable national laws and regulations ii. Understand applicable local laws and regulations iii. Understand penalties for noncompliance with laws and regulations iv. Understand the scope and authority of oversight agencies (e.g., Data Protection Authorities, Privacy Commissioners, Federal Trade Commission, etc.) v. Understand privacy implications of doing business in or with countries with inadequate, or without, privacy laws vi. Maintain the ability to manage a global privacy function vii. Maintain the ability to track multiple jurisdictions for changes in privacy law viii. Understand international data sharing arrangements agreements

Page 3 of 7 D. Metrics a. Identify intended audience for metrics b. Define reporting resources c. Define privacy metrics for oversight and governance per audience i. Compliance metrics (examples, will vary by organization) 1. Collection (notice) 2. Responses to data subject inquiries 3. Use 4. Retention 5. Disclosure to third parties 6. Incidents (breaches, complaints, inquiries) 7. Employees trained 8. PIA metrics 9. Privacy risk indicators 10. Percent of company functions represented by governance mechanisms ii. Trending iii. Privacy program return on investment (ROI) iv. Business resiliency metrics v. Privacy program maturity level vi. Resource utilization d. Identify systems/application collection points II. Privacy Operational Life Cycle A. Assess Your Organization a. Document current baseline of your privacy i. Education and awareness ii. Monitoring and responding to the regulatory environment iii. Internal policy compliance iv. Data, systems and process assessment 1. Map data inventories, flows and classification 2. Create record of authority of systems processing personal information within organization 3. Map and document data flow in systems and applications 4. Analyze and classify types and uses of data v. Risk assessment (PIAs, etc.) vi. Incident response vii. Remediation viii. Determine desired state and perform gap analysis against an accepted standard or law ix. Program assurance, including audits b. Processors and third-party vendor assessment i. Evaluate processors and third-party vendors, insourcing and outsourcing privacy risks 1. Privacy and information security policies 2. Access controls 3. Where personal information is being held 4. Who has access to personal information ii. Understand and leverage the different types of relationships 1. Internal audit

Page 4 of 7 B. Protect 2. Information security 3. Physical security 4. Data protection authority iii. Risk assessment 1. Type of data being outsourced 2. Location of data 3. Implications of cloud computing strategies 4. Legal compliance 5. Records retention 6. Contractual requirements (incident response, etc.) 7. Establish minimum standards for safeguarding information iv. Contractual requirements v. Ongoing monitoring and auditing c. Physical assessments i. Identify operational risk 1. Data centers 2. Physical access controls 3. Document destruction 4. Media sanitization (e.g., hard drives, USB/thumb drives, etc.) 5. Device forensics 6. Fax machine security 7. Imaging/copier hard drive security controls d. Mergers, acquisitions and divestitures i. Due diligence ii. Risk assessment e. Conduct analysis and assessments, as needed or appropriate i. Privacy Threshold Analysis (PTAs) on systems, applications and processes ii. Privacy Impact Assessments (PIAs) 1. Define a process for conducting Privacy Impact Assessments a. Understand the life cycle of a PIA b. Incorporate PIA into system, process, product life cycles a. Data life cycle (creation to deletion) b. Information security practices i. Access controls for physical and virtual systems 1. Access control on need to know 2. Account management (e.g., provision process) 3. Privilege management ii. Technical security controls iii. Implement appropriate administrative safeguards c. Privacy by Design i. Integrate privacy throughout the system development life cycle (SDLC) ii. Establish privacy gates/pias-data Protection Impact Assessments (DPIAs) as part of the standard process, system development framework C. Sustain a. Measure i. Quantify the costs of technical controls

Page 5 of 7 ii. Manage data retention with respect to the organization s policies iii. Define the methods for physical and electronic data destruction iv. Define roles and responsibilities for managing the sharing and disclosure of data for internal and external use b. Align i. Integrate privacy requirements and representation into functional areas across the organization 1. Information security 2. IT operations and development 3. Business continuity and disaster recovery planning 4. Mergers, acquisitions and divestitures 5. Human resources 6. Compliance and ethics 7. Audit 8. Marketing/business development 9. Public relations 10. Procurement/sourcing 11. Legal and contracts 12. Security/emergency services 13. Finance 14. Others c. Audit i. Align privacy operations to an internal and external compliance audit program 1. Knowledge of audit processes 2. Align to industry standards ii. Audit compliance with privacy policies and standards iii. Audit data integrity and quality iv. Audit information access, modification and disclosure accounting v. Communicate audit findings with stakeholders d. Communicate i. Awareness 1. Create awareness of the organization s privacy program internally and externally 2. Ensure policy flexibility in order to incorporate legislative/regulatory/market requirements 3. Develop internal and external communication plans to ingrain organizational accountability 4. Identify, catalog and maintain documents requiring updates as privacy requirements change ii. Targeted employee, management and contractor training 1. Privacy policies 2. Operational privacy practices (e.g., standard operating instructions), such as a. Data creation/usage/retention/disposal b. Access control c. Reporting incidents d. Key contacts e. Monitor i. Environment (e.g., systems, applications) monitoring ii. Monitor compliance with established privacy policies iii. Monitor regulatory and legislative changes iv. Compliance monitoring (e.g. collection, use and retention)

Page 6 of 7 1. Internal audit 2. Self-regulation 3. Retention strategy 4. Exit strategy D. Respond a. Information requests i. Access ii. Redress iii. Correction iv. Managing data integrity b. Privacy incidents i. Legal compliance 1. Preventing harm 2. Collection limitations 3. Accountability 4. Monitoring and enforcement ii. Incident response planning 1. Understand key roles and responsibilities a. Identify key business stakeholders 1. Information security 2. Legal 3. Audit 4. Human resources 5. Marketing 6. Business development 7. Communications and public relations 8. Other b. Establish incident oversight teams 2. Develop a privacy incident response plan 3. Identify elements of the privacy incident response plan 4. Integrate privacy incident response into business continuity planning iii. Incident detection 1. Define what constitutes a privacy incident 2. Identify reporting process 3. Coordinate detection capabilities a. Organization IT b. Physical security c. Human resources d. Investigation teams e. Vendors iv. Incident handling 1. Understand key roles and responsibilities 2. Develop a communications plan to notify executive management v. Follow incident response process to ensure meeting jurisdictional, global and business requirements 1. Engage privacy team 2. Review the facts 3. Conduct analysis 4. Determine actions (contain, communicate, etc.) 5. Execute

Page 7 of 7 6. Monitor 7. Review and apply lessons learned vi. Identify incident reduction techniques vii. Incident metrics quantify the cost of a privacy incident

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information