Question
Project 4 - Privacy Compliance Strategy
Description
For this project, you will leverage your research from Projects #1, #2, and #3 to develop a privacy compliance strategy for your chosen company. The deliverable for this project will be a Privacy Compliance Strategy that includes a legal and regulatory analysis for privacy laws and regulations. The scope for this project will be laws and regulations from the United States (federal and state) and the European Union.
Research
- Begin your research by reviewing the privacy concepts and requirements presented in the (ISC)2 SSCP Systems Security Certified Practitioner Official Study Guide (the course textbook).
- Review your selected company's Form 10-K to identify privacy related risks which the company disclosed to investors and shareholders. You will use these and additional privacy-related risks, identified through your readings and research, to construct a privacy compliance profile.
- Read Chapters 1 and 2 of the NIST Privacy Framework: A tool for improving privacy through enterprise risk management. https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.01162020.pdf
- Review the Audit and Compliance control family in NIST SP 800-53 (section 3.3).
- Review one or more reports written by privacy analysts about privacy issues affecting global businesses:
  - 2010 Ponemon Report: How Global Organizations Approach the Challenge of Protecting Personal Data: https://www.ponemon.org/local/upload/file/ATC_DPP%20report_FINAL.pdf
  - 2019 Thomson Reuters GDPR Report, Business' struggle with data privacy: Regulatory environment continues to evolve rapidly: https://legalsolutions.thomsonreuters.co.uk/blog/wp-content/uploads/sites/14/2019/12/Thomson-Reuters-GDPR-Report.pdf
  - 2021 blog from PrivacyPolicies.com, Global Privacy Laws Explained: https://www.privacypolicies.com/blog/global-privacy-laws-explained/
- Review existing and proposed privacy legislation for U.S. jurisdictions (states): Association of Privacy Professionals (IAPP): https://iapp.org/resources/article/us-state-privacy-legislation-tracker/
- Review the privacy guidance for the European Union's General Data Protection Regulation: https://gdpr.eu/
- Review the Fact Sheet for the Trans-Atlantic Data Privacy Framework: https://www.whitehouse.gov/briefing-room/statements-releases/2022/03/25/fact-sheet-united-states-and-european-commission-announce-trans-atlantic-data-privacy-framework/
- Find and review additional authoritative sources which discuss (a) specific privacy-related legal or regulatory non-compliance events (lawsuits, fines, etc.) impacting large, global companies and (b) the business and financial impacts arising from compliance failures (violations) for privacy laws and regulations.
Analyze Privacy Compliance Issues, Risks, and Mitigations
- Identify the five most important privacy issues which your chosen company must address as part of its enterprise risk management program. You should focus on strategic issues, e.g. lack of management support, lack of resources, rapidly changing external politico-legal privacy environment, lawsuits and fines arising from non-compliance, etc. For each issue, identify the legal and regulatory drivers from both the U.S. (federal and state) and the European Union.
- Identify 10 or more privacy-related legal or regulatory compliance risks arising from your identified privacy issues. For each risk, identify the specific law or regulation that imposes privacy requirements upon your selected company. You may reuse privacy-related risks from your previous projects. Present your risks using the Table 1 template found at the end of this file.
- For each identified compliance risk, identify one or more security controls (from NIST SP 800-53) which could be implemented to reduce or mitigate the compliance risk. Audit and Compliance Controls should be included in your mitigation profile. Remember that you need one or more controls that will be the audit targets. You may reuse work from your previous projects but you should make sure that the selected controls actually address mitigations for PRIVACY COMPLIANCE risks. If they do not, you must select controls which do address compliance. Enter this information into Table 2 found at the end of this file.
Write
- An introduction section which identifies the company being discussed and provides a brief introduction to the company (you may reuse some of your narrative from Project #1 and/or Project #2). Your introduction should include a brief overview of the company's business operations and include a description of the purpose and contents of this Privacy Compliance Strategy deliverable.
- A separate analysis section (Privacy Issues Impacting [company]) in which you present 10 or more Privacy Issues which you identified from your reading and research. For each issue, you should present your analysis of why this issue is important for your selected company. You should also discuss the legal and regulatory drivers which make this issue important for your company. What are the non-compliance risks associated with these issues? (Discuss at least 3.)
- A separate analysis section (Privacy Compliance Risk Profile) in which you present your privacy-related compliance risks. Provide an introductory paragraph that explains the relationship between the previously identified privacy issues and your privacy compliance risk profile. You should discuss the type of information presented in Table #1 Privacy Compliance Risk Profile (use the template at the end of this file - this is a different table than used in previous projects) and what sources were used to obtain this information. Your completed table should have 10 or more entries. Describe the process and documents used to construct Privacy Compliance Risk Profile. Place Table #1 at the end of this section (remember to delete the sample text).
- A separate analysis section (Privacy Compliance Controls Profile) in which you present your Privacy Compliance Controls Profile. Provide an introductory paragraph that explains the privacy compliance controls profile, e.g., what information is contained in the table and what sources were used to obtain this information. Describe the process and documents used to construct the Privacy Compliance Controls Profile. Your profile should have 10 or more rows entered into Table #2. Place Table #2 at the end of this section (remember to delete the sample text).
- A separate section (Privacy Compliance Risk Mitigation Strategy) in which you present a high-level strategy for implementing the risk mitigations (security controls) presented earlier in this deliverable. This section should include a summary of the business problem (reduce privacy-related risks arising from legal and regulatory requirements for privacy protections), the general types of privacy-related risks to be mitigated (focus on the CIA triad and summarize the risks you previously identified), the timeframe for implementing each element of your strategy, and the benefits of implementing an enterprise strategy for reducing privacy-related compliance risks.
- A separate Recommendations and Conclusions section which provides a summary of the information contained in this deliverable and presents your concluding statements regarding the business need and business benefits which support implementing your Privacy Compliance Risk Mitigation Strategy and the allocation of resources by the company.
Table 1. Risk Profile for [company]

| Risk ID | Risk Title | Description | Risk Category | Impact Level |
|---|---|---|---|---|
| 001 | Unauthorized disclosure of customer information. | Disclosure of or access to customer information must be restricted to authorized individuals with a need to know. Unauthorized disclosure or access could result in harm to customers and financial liabilities for the company. | People | Medium |
| 002 | | | | |
| 003 | | | | |
| 004 | | | | |
| 005 | | | | |
| 006 | | | | |
| 007 | | | | |
| 008 | | | | |
| 009 | | | | |
| 010 | | | | |
| 011 | | | | |
| 012 | | | | |
| 013 | | | | |
| 014 | | | | |
| 015 | | | | |
Table 2. Risk Mitigation Strategy Security Controls Profile

| Risk ID | Risk Title | Risk Mitigation Strategy | CSF Category ID | Security Controls |
|---|---|---|---|---|
| 001 | Unauthorized disclosure of customer information. | Implementation of role-based access controls will reduce the risk of unauthorized access to customer information by controlling which individuals are granted access to the systems and software used to collect, process, transmit, and store this information. | PR.AC Identity Management, Authentication, and Access Control: PR.AC-4 | AC-3 (7) Access Enforcement \| Role Based Access Control; AC-3 (11) Access Enforcement \| Restrict Access to Specific Information Types |
| 002 | | | | |
| 003 | | | | |
| 004 | | | | |
| 005 | | | | |
| 006 | | | | |
| 007 | | | | |
| 008 | | | | |
| 009 | | | | |
| 010 | | | | |
| 011 | | | | |
| 012 | | | | |
| 013 | | | | |
| 014 | | | | |
| 015 | | | | |
Table 1. Privacy Compliance Risk Profile for [company]

| Risk ID | Privacy Risk Title | Description | Risk Category | Impact Level |
|---|---|---|---|---|
| 001 | Unauthorized disclosure of privacy-related customer information. | Unauthorized disclosure or access to privacy-related customer data could result in non-compliance with [law], [law], [regulation: section]. | People | Medium |
| 002 | | | | |
| 003 | | | | |
| 004 | | | | |
| 005 | | | | |
| 006 | | | | |
| 007 | | | | |
| 008 | | | | |
| 009 | | | | |
| 010 | | | | |
Table 2. Privacy Compliance Controls Profile

| Risk ID | Risk Title | Compliance Risk Mitigation Strategy | Security Controls |
|---|---|---|---|
| 001 | Unauthorized disclosure of privacy-related customer information. | Implementation of role-based access controls will reduce the compliance-related risk arising from failure to control access to privacy-related customer information. Compliance will be improved by (a) auditing access and access permissions to ensure that least privilege is implemented and enforced and (b) review of audit records and external sources to detect unauthorized disclosures of privacy-related information. | AC-3 (7) Access Enforcement \| Role Based Access Control; AC-3 (11) Access Enforcement \| Restrict Access to Specific Information Types; AU-2 Event Logging; AU-6 Audit Record Review, Analysis, and Reporting; AU-13 Monitoring for Information Disclosure |
| 002 | | | |
| 003 | | | |
| 004 | | | |
| 005 | | | |
| 006 | | | |
| 007 | | | |
| 008 | | | |
| 009 | | | |
| 010 | | | |