Six Principles for Security and Privacy Management Success in Today's Digital World
Rob Roe, Managing Director of ANZ, OneTrust
Keeping the data safe is one thing but managing how we use and control the data avoids process-based gaps.
3/ Data Mapping
Today, it is difficult to know where data is stored and which fields are actually being captured. With SaaS applications, cloud storage, laptops, and USB devices spread across the business, the answer is rarely obvious. Privacy management uses data mapping to keep track of what data is stored, where it is stored, and who is accountable for it. Identifying shadow IT, spreadsheets, cloud storage, and departmental databases is essential to completing the data map.
When the data map itself is held in multiple spreadsheets, management oversight is lost. When a data breach occurs, knowing what data has been compromised becomes near impossible.
4/ Process Mapping
It is one thing to know what our data is and where it lives, but we also need to know which business processes and users are accessing that data and for what purpose. This goes beyond access controls, because a new process may combine data from multiple sources. Applying data analytics to combined data can undo pseudonymization, and the new process may then be contrary to the permissions obtained for the original purpose. Process mapping takes the lessons learned from Privacy by Design to avoid the gaps created when human mistakes are possible or data is shared inappropriately.
5/ Third-Party Vendor Risk
For all the protections we put in place for our own company, our vendors need to do the same. Today, third-party vendor risk management is grossly underdone. Companies send out spreadsheets (notice the theme here?) for vendors to fill in, and hours are spent chasing those vendors to complete the documentation. But that is usually where it stops. Even for critical vendors on multi-year contracts, we rarely go back to check whether they are still complying with the security, privacy and management practices we expect and require. We don’t even check whether they are still viable as a company. Managing vendor risk needs to be an ongoing process, just like our own internal checks and balances. As the saying goes, a chain is only as strong as its weakest link.
6/ Incident Notifications, Near Misses and Ideas
When Security and Privacy officers are surveyed about their biggest obstacle to implementing required practices, the answer is “Staff Awareness.” This helps explain why the most vulnerable attack surface is people. To make it easier for staff to report any potential incident, companies are adding the ability to submit “near misses” and “ideas.” The strategy here is to broaden what is reported so that all incidents are captured. Subject matter experts can then determine whether a report is a “near miss” or in fact a “data breach.” As staff awareness increases, people can submit “ideas” on how to improve Security and Privacy by Design. The worst data breach is the one that is not reported.
In today’s digital world we can no longer think only about Security. We need to combine it with Privacy Management. The growth and spread of the data we collect and store is driving the need to adopt both Security and Privacy Management practices. Together, these practices help us avoid appearing in the next Office of the Australian Information Commissioner’s Data Breach Report.