How to Improve Privacy as a Component of Your Cyber Governance Program
Many businesses are looking to reap the benefits of digital transformation, evolving new services that provide value to and forge closer relationships with partners and customers.
Trust and responsible information management practices are becoming business differentiators as consumers become more aware of the impact of data breaches and the potential for misuse of personal information. With the proliferation of the Internet of Things, increasing quantities of personal or sensitive information are being collected through a wider variety of distributed devices. Digital transformation is leading to that information becoming a commodity. As that information is processed by more complex interconnected technology architectures and shared through a variety of channels, there is greater potential for impacts to the data subjects themselves.
Regulators around the world and sector-specific governance bodies are enacting increasingly stringent measures that require more mature and verifiable programs to protect personal information. For example, with the enactment of the European General Data Protection Regulation (GDPR), requirements to implement and demonstrate effective information management practices are becoming more stringent and are accompanied by significant penalties (up to 4% of annual global turnover or €20 million, whichever is higher). Other regions, countries, states and even some industries are implementing their own rules, making the compliance landscape a complex and sometimes contradictory minefield.
For an effective privacy plan in today’s cybersecurity environment, we need to think differently about information management practices:
- Consider the controls over the business processes themselves, not just the systems that manage the data records.
Many privacy practice requirements address the need to provide transparency to the data subject, to process data only for legitimate purposes, and to give the data subject rights of access and recourse.
- Understand that information assets have different meanings, purposes and potential uses as they cross business process and organizational boundaries.
For example, the same information record may be used for order fulfillment, billing, warranty, supply chain management, product research, behavioral analysis for recommendations for other products and market research. Our medical information may be used for treatment, billing, insurance payments, epidemiology studies, research and even to obtain incentives through a health management program.
- Evolve from being data controllers or processors to information service managers.
Users may request the sharing of personal information in order to efficiently obtain other services (such as opening financial records to tax preparers or fitness data to obtain health evaluations or the payment of health incentives).
This change in perspective requires a focus on the information assets themselves and an understanding of their lifecycle and permitted uses as they cross existing business and technology boundaries. The flow of an information asset may follow a lengthy chain across a number of technology domains, including:
- Collection by smart devices (including embedded processors or smart phones)
- Transport via a number of different networking technologies
- Processing on premise or in the cloud
- Aggregation or enrichment by other sources
- Integration with business partners’ systems
- Sharing with third parties
The traditional security model that many organizations have adopted – focused on the security of the individual systems, networks and applications – may not be able to meet the full requirements of this new focus on information assets. Consideration must be given to:
- Ensuring that the same level of protection is provided to the information assets throughout their lifecycle, which requires consistent protection across a number of different technology domains, development practices and owners.
- Extending access management so that, in addition to the established subject and object rules, a decision also considers the legitimate purpose for the access and the consents the data subject has provided. Access management models need to be much more closely aligned with the information management practices that the privacy program requires of the information custodians.
- Augmenting accountability and logging so that they align with the business rules derived from the privacy policies.
- Expanding the System Development Lifecycle to include consideration of privacy requirements in application design, protection profiles and access models.
- Including tests to demonstrate traceability of privacy obligations into effective operational practices, as a way for the assurance function of an organization to respond to a greater emphasis by the regulators on proving compliance.
In my role on the Cisco Security Services team, I work with clients to improve their security, privacy, and cybersecurity management solutions. As our team has worked with organizations to establish or evolve successful privacy programs, we have learned that there are a number of activities that will help you form a flexible privacy program and are critical to the quality of the outcome:
1. Gain a clear understanding of the drivers for the program:
- Obligations that arise, not only from regulations, but also from published policies, internal standards and agreements with other parties
- Data lifecycle, including information assets, flows, collection, use and sharing
- Business purposes or use cases for the information assets and how they align with published legitimate scenarios
- Technical architecture and the domains that handle information assets
2. Select an effective framework to manage the program that:
- Maps to foundational principles and existing regulations
- Addresses the needs of your business model
- Is flexible enough to accommodate growth
- Decouples the requirements from the tools to achieve them
- Provides traceability from requirements, through implementation, to assurance
3. Prioritize activities based on consideration of the obligations and business model. Accept that this is an evolving program, not a point-in-time compliance project, and that there is no ‘single standard solution’ that fits all cases:
- Select framework elements and maturity goals that are realistic for the organization’s specific needs and obligations
- Identify the most essential elements of the framework to address identified obligations
- Consider the goals of the program against current and future business models
- Objectively understand gaps in maturity to prioritize an improvement roadmap
- Include measurement (assurance) and traceability at the earliest possible stage
- Develop an effective end state vision and roadmap
4. Establish effective program governance:
- Establish clear roles and responsibilities, along with education & training
- Mandate traceability and assurance measurement into program activities to establish an ongoing, ‘audit ready’, assessment of program effectiveness against identified goals
- Manage changes as regulations, business models, operating geographies and use of technology evolve
5. Develop solutions at a strategic level:
- Develop protection standards that are independent of technology and implement these standards uniformly across in-scope technology domains
- Build and implement an access management model that respects both the nature of the information assets and the agreed purposes for use
- Define and implement, where possible, process controls at a global level for consistency, traceability and efficiency
- Build metrics and assurance testing into each control and process
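The purpose- and consent-aware access model called for above (a decision that weighs subject, object, legitimate purpose and consent; logging aligned with the privacy rules; and traceability from an obligation to the evidence that it is enforced) can be prototyped in a few dozen lines. The following is an added example, not code from the original post or from Cisco. The roles, purposes, records, consents, dates and the internal “OBL-nn” obligation identifiers are all constructed for illustration; an obligation register keyed that way is a hypothetical convention, not a standard.

```python
"""Purpose- and consent-aware access decision with a traceable audit trail.

Added example, not from the original post or from Cisco. Every role, purpose,
record, consent, date and obligation ID ("OBL-nn") below is constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Rule:
    """A role may use a data category for a stated purpose.

    `obligation` names the privacy requirement the rule implements (hypothetical
    register ID); `needs_consent` is True when the legal basis is consent.
    """
    role: str
    category: str
    purpose: str
    obligation: str
    needs_consent: bool


# Constructed policy: the same "contact" record may be used for billing without
# consent, but for marketing only while the subject's consent is active.
POLICY = [
    Rule("billing_clerk", "contact", "billing", "OBL-01", needs_consent=False),
    Rule("billing_clerk", "contact", "marketing", "OBL-04", needs_consent=True),
    Rule("clinician", "health", "treatment", "OBL-02", needs_consent=False),
    Rule("researcher", "health", "epidemiology", "OBL-09", needs_consent=True),
]


@dataclass
class Consent:
    subject_id: str
    purpose: str
    granted: date
    withdrawn: Optional[date] = None

    def active(self, on: date) -> bool:
        """Consent counts from the grant date up to (not including) withdrawal."""
        return self.granted <= on and (self.withdrawn is None or on < self.withdrawn)


@dataclass
class Record:
    record_id: str
    subject_id: str   # the data subject the record is about
    category: str     # classification of the information asset


@dataclass
class Decision:
    allowed: bool
    reason: str
    obligation: Optional[str]


AUDIT_LOG = []   # accountability trail: one dict per decision


def traditional_check(role: str, record: Record) -> bool:
    """Subject/object-only model: any rule for this role and category suffices."""
    return any(r.role == role and r.category == record.category for r in POLICY)


def decide(actor: str, role: str, record: Record, purpose: str,
           consents: list, on: date) -> Decision:
    """Subject/object check plus purpose and consent, with an audit entry."""
    rule = next((r for r in POLICY if r.role == role
                 and r.category == record.category and r.purpose == purpose), None)
    if rule is None:
        d = Decision(False, "no rule permits this role/category/purpose", None)
    elif rule.needs_consent and not any(
            c.subject_id == record.subject_id and c.purpose == purpose and c.active(on)
            for c in consents):
        d = Decision(False, "purpose requires consent and none is active", rule.obligation)
    else:
        d = Decision(True, "rule matched", rule.obligation)
    AUDIT_LOG.append({"on": on.isoformat(), "actor": actor, "role": role,
                      "record": record.record_id, "subject": record.subject_id,
                      "purpose": purpose, "allowed": d.allowed,
                      "reason": d.reason, "obligation": d.obligation})
    return d


def evidence_for(obligation: str) -> list:
    """Traceability: every logged decision taken under one obligation."""
    return [e for e in AUDIT_LOG if e["obligation"] == obligation]


# Constructed sample data: S-100 consented to marketing, and to an epidemiology
# study but withdrew that consent on 2017-01-15.
CONSENTS = [
    Consent("S-100", "marketing", date(2017, 1, 1)),
    Consent("S-100", "epidemiology", date(2016, 6, 1), withdrawn=date(2017, 1, 15)),
]
CONTACT = Record("R-1", "S-100", "contact")
HEALTH = Record("R-2", "S-100", "health")
EARLIER = date(2017, 1, 10)   # before the withdrawal
WHEN = date(2017, 1, 20)      # after the withdrawal

if __name__ == "__main__":
    # A role-only check still lets the researcher read the health record...
    print("role-only:", traditional_check("researcher", HEALTH))
    # ...while the purpose/consent-aware check refuses it after the withdrawal.
    print(decide("bob", "researcher", HEALTH, "epidemiology", CONSENTS, WHEN))
    print(decide("bob", "researcher", HEALTH, "epidemiology", CONSENTS, EARLIER))
    print(decide("alice", "billing_clerk", CONTACT, "marketing", CONSENTS, WHEN))
    for entry in evidence_for("OBL-09"):
        print(entry)
```

The contrast to draw is between `traditional_check`, which answers only “may this role touch this category”, and `decide`, which also refuses the researcher once the subject’s consent has been withdrawn and records why. Because every rule carries an obligation identifier and every decision is logged against it, `evidence_for` is the “audit ready” view the assurance function needs: for a given obligation it returns the operational decisions that demonstrate the control was applied, including the refusals.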
With the deluge of data breaches, effective information management programs are becoming foundational to establishing trust with customers and consumers, to demonstrating compliance with applicable regulations, and to reducing the likelihood or impact of an incident. Establishing a program for responsible information management can build reputations and levels of confidence that are both a differentiator and a business enabler, balancing creativity and trustworthiness.
If you are not sure your organization’s privacy program is effective or flexible enough to meet your business and customer requirements, enlist help from experts like the Cisco Security Services team. Our security advisors will work with you to understand your unique requirements, assess your current capabilities and develop a custom framework for evolving the privacy function. Our aim is to help you create a privacy program that will maintain customer trust and evolve with your business as it moves to a digital business foundation influenced by the Internet of Things.
Cisco is a Champion Sponsor of Data Privacy Day, which will be recognized on Thursday, January 26, with a daylong event live from Twitter in San Francisco, CA, featuring TED-style talks, segments and interviews focusing on the latest privacy issues for consumers and business. The event will be available online for the world to watch on Livestream, Periscope and Facebook Live.
Read “Privacy is a Basic Human Right and it’s Good for Business Too” by Michelle Dennedy, Chief Privacy Officer, Cisco.