The 5 Step Program to Managed Privacy Risk™

Attempting to reach the desired state of managed privacy risk without the right foundation in place is like constructing a building in random order – there is nothing solid to stand on.
 
Using our unique “5 Step Program to Managed Privacy Risk”, our experts will work with your organization to ensure that you have the necessary foundation to make good decisions about risk and execute a sustainable privacy risk management program. 

Here are the essential steps:

Create Governance
Privacy risk is business risk --- decisions need to be made by the business.  It is not sufficient to delegate this to the IT Department.  A committee of senior executives representing the stakeholder business areas should be formally charged by the CEO with the mission of ensuring that privacy risk is managed.

Establish a Security Program
The Security Program specifies your organization’s risk management and acceptance policy as well as defining organizational security roles and an information classification policy.

Assess Information Privacy Risk
Studies of data breaches have found that the majority of breaches have occurred on assets that the organization did not recognize as existing.  Vulnerabilities and threats to new and existing systems and processes need to be identified in order for risk to be mitigated and managed.

Implement a Control Framework
Risk is mitigated through the implementation of controls.  A comprehensive control framework will ensure that the appropriate policies, standards and procedures have been chosen to meet your organizations needs to cost effectively mitigate risk to an acceptable level. 

Measure Compliance
A compliance program to provide a dashboard of controls compliance will give your governance committee the information to answer the questions posed by the CEO and/or Board of Directors; “Are we secure? Are we in compliance with privacy laws and regulations?”

Privacy Risk Assessment

Studies of data breaches have found that the majority of security compromises have occurred on assets that the organization was not aware existed.  Vulnerabilities and threats to new and existing systems and processes need to be identified in order for risk to be mitigated and managed.

Assurance Point has developed a flexible engagement process based on Octave™  which enables your organization to use your own expert resources in a series of facilitated workshops to discover privacy assets and uncover both business process and technical vulnerabilities which might lead to compromise and risk.  The output documents created are permanent tools which enable your organization to periodically re-assess risk, satisfy regulatory requirements and report on risk to senior management. 

Here is the high level Risk Assessment process outline:

Phase I – Business View

• Establish the business scope of the risk assessment based on business process owner knowledge.

• Using a workshop format, identify the privacy assets and capture business knowledge of the processes and vulnerabilities.

• Through a custom developed survey, capture business knowledge of process vulnerabilities.  This is particularly effective in a distributed organization.

• Create threat profiles for the privacy assets and vulnerabilities identified.

Phase II – Technology View

• Using a workshop format, identify critical technology assets and relevant controls.

• Capture or perform vulnerability assessments on the technical components.

Phase III – Strategy and Risk Treatment Plan Development

Analyze Risk:
• Develop or review the set of security controls which should be in place to safeguard the class of protected information.
• Analyze the controls which are actually in place (or planned) which meet the Security Requirements.
• Assign a level of risk for each threat/vulnerability identified

Develop organizational protection strategies, risk treatment plans and an action list.  This is the final report to senior business management and information security governance.

Information Security Controls Assessment

Our Approach
Assessment of your organization’s security controls against a baseline standards framework will yield valuable benefits.  We have experience assessing an organization’s security controls against either NIST Special Publication 800-53 or ISO/IEC  27002 and to recommend cost-effective control mitigations to reduce risk.   The design and performance of your organizations’ controls assessment will take into account your organizations information asset classifications and security objectives and can be accomplished with cost-effectiveness as an important goal. 

You can expect the following outcomes:

Outcomes
• Identify potential problems or shortfalls in the organization’s implementation of security controls

• Identify information system weaknesses and deficiencies.

• Prioritize risk mitigation decisions and associated risk mitigation activities.

• Confirm that identified weaknesses and deficiencies in the information system have been addressed.

• Support information system authorization (i.e., security accreditation) decisions.

• Support budgetary decisions and the capital investment process.

Data Breach Incident Management

A security incident involving a breach of customer or employee information exposes your organization to the penalties of State and Federal privacy laws, loss of sales revenue due to reputational damage and the painful ordeal of possible litigation.  It is critical to prepare your organization before such an incident occurs so that the impact of the event and the resulting liabilities are minimized.  Assurance Point offers direct experience assisting organizations in managing such events, will work with your management team to put in place the following Data Breach Management Framework and will assist you in the event of such an incident.

Establish an Incident Management Team with responsibility for understanding the required actions of an incident and also managing the incident should it occur.  Organizational representatives from the following disciplines should be included on this team:

• Communications/Public Relations
• Legal/Regulatory Compliance
• Information Security
• Information Technology
• Law enforcement contact
• Privacy Asset Business Owners (e.g. Human Resources)

Prepare an Incident Management Plan that documents the policies and procedures to be followed which include:

• Incident detection
• Prioritization and Escalation
• Technical Response and Analysis
• Management response
• Legal Response including breach notification, non-disclosure, and prosecution

Prepare and Improve.  The Incident Management Plan is scenario tested and training provided to the incident management team.  Actual incidents are reviewed for the purpose of improving the process.

Security Education, Training and Awareness Services

One of the biggest threats to loss of information security in an organization are its employees or contractors who may not be aware of security policy or trained in privacy data handling standards and procedures.  We can deliver or help you develop a customized training program to meet your organization’s specific needs using our SETA Services Framework™ which tailors the education content and delivery media to the needs of the target audience.