privacy framework developed by the AICPA and the CICA.
The privacy-risk assessment should be completed by privacy professionals who have a good understanding of privacy laws and regulations, privacy best practices, business operations, risk assessments, and current privacy practices and controls within the organization. External privacy consultants could be used for additional support and depth if internal resources are insufficient or unavailable. The assessment tool asks each assessor (it can accommodate up to 10) to assess the following, against each of the criteria in GAPP:
• Likelihood of control failure – whether the organization's practices and controls are in place and working as intended;
• Business impact – the effect on the organization of an actual breach; and
• Cost to mitigate or prevent – considering factors such as people effort, time to implement, complexity of the computing environment, capital expenditure and cultural resistance.
Once completed, the tool documents the scoring for all GAPP criteria and
summarizes the results under the relevant GAPP principle. The results are graphed to help illustrate the results and communicate to management areas that may require further review and follow-up. The assessment team reviewing the results should especially note those with wide scoring variations to determine whether consensus can be reached. The team should also focus on high- and low-risk areas to validate agreement on those areas. Examples of action items from a risk assessment include:
• Meeting with management to discuss results of the privacy-risk assessment;
• Documenting practices and controls around the criteria;
• Determining whether adequate resources and controls are in place to address high-risk areas;
• Evaluating whether resources could be reallocated or controls streamlined for low-risk areas;
• Determining whether remediation efforts are necessary to mitigate any unnecessary risks;
• Assigning responsibility to identify appropriate remediation efforts;
• Performing a privacy audit of a selected area; and
• Engaging privacy professionals to help address the most significant privacy risks.
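A sketch of the scoring and roll-up described above, as an added Python example that is not the CICA tool's own code: three constructed assessors rate each criterion on the three dimensions, the scores are averaged and rolled up under the GAPP principle, criteria are tiered high/low, and any criterion with wide scoring variation is flagged for the consensus discussion. The criterion names, the risk formula (mean likelihood times mean impact) and the tier thresholds are assumptions for illustration, not the tool's.

```python
from statistics import mean

# Constructed sample: three assessors rate each GAPP criterion on the three
# dimensions (1 = low, 5 = high). Criterion wording and principle grouping are
# illustrative, not the tool's actual criteria.
SCORES = {
    "Notice: privacy policy published": {
        "principle": "Notice",
        # (likelihood of control failure, business impact, cost to mitigate)
        "assessors": [(1, 3, 2), (2, 3, 2), (1, 2, 1)],
    },
    "Security: access to personal data restricted": {
        "principle": "Security for privacy",
        "assessors": [(4, 5, 3), (2, 5, 3), (5, 4, 4)],
    },
    "Security: data in transit encrypted": {
        "principle": "Security for privacy",
        "assessors": [(3, 4, 2), (3, 4, 3), (4, 4, 2)],
    },
}


def criterion_summary(entry, spread_threshold=2):
    """Average each dimension across assessors and flag wide disagreement.
    Risk score = mean likelihood x mean impact (assumed formula, not the tool's)."""
    likes, impacts, costs = zip(*entry["assessors"])
    # Widest gap between any two assessors on any dimension
    spread = max(max(d) - min(d) for d in (likes, impacts, costs))
    return {
        "likelihood": mean(likes),
        "impact": mean(impacts),
        "cost": mean(costs),
        "risk": mean(likes) * mean(impacts),
        "needs_consensus": spread >= spread_threshold,
    }


def assess(scores=SCORES, high=12, low=4):
    """Roll criteria up under their GAPP principle and tier them by risk score.
    Thresholds are assumptions chosen for the constructed 1-5 scale."""
    by_principle = {}
    for name, entry in scores.items():
        s = criterion_summary(entry)
        s["criterion"] = name
        s["tier"] = "high" if s["risk"] >= high else "low" if s["risk"] <= low else "medium"
        by_principle.setdefault(entry["principle"], []).append(s)
    return by_principle
```

Criteria flagged `needs_consensus` are the ones the team should revisit first; the high and low tiers are where agreement should be validated before action items are assigned.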
The outcome of a privacy-risk assessment should provide an organization with a good understanding of the privacy risks it faces and the suitability of the controls in place to help mitigate those risks. The assessment should also identify areas where controls are missing or inadequate to address significant privacy risks. By taking action early, organizations can address areas of significant potential risk and help avoid the tremendous cost and effort associated with responding to a breach.
Nicholas F. Cheung, CA, CIPP/C (nicholas.cheung@cica.ca) is a principal with the Canadian Institute of Chartered Accountants and a contributing author of The Canadian Privacy and Data Security Toolkit for Small and Medium-Sized Enterprises. The Privacy Risk Assessment Tool is available free of charge at www.cica.ca/privacy.
WWW.SECURITYMATTERSMAG.COM
• SECURITY MATTERS 15