Employing Privacy Frameworks in Uncertain Times

Author: Donel Martinez, CISA, CAMS, CSF Practitioner, and Joshua Marks, JD, CIPP/US
Date Published: 21 May 2020

The current global crisis is disrupting and disabling many core business functions. For many, in-office work has transitioned to remote work, requiring virtual conferencing tools and the sharing of sensitive information with a dispersed workforce. As this shift continues indefinitely, your organization must consider the risk associated with the digital privacy of personal information: your customers, employees, contractors and prospects expect privacy.

To meet these expectations, you must understand the state of your organization's privacy program in this current crisis. A solid privacy framework, such as the US National Institute of Standards and Technology (NIST) Privacy Framework, can help you evaluate your program and develop a clear path to maturity. Our recent ISACA® Journal article discusses ways you can couple your existing audit principles with this framework to unify your privacy and audit efforts.

Since it was released in January, we have seen a number of organizations embrace the NIST Privacy Framework because of its integration with the widely adopted NIST Cybersecurity Framework (CSF). Together, they enable enterprises to evaluate and address both security and privacy controls.

But another reason this framework has grown in popularity is its simple approach to privacy and compliance. The Privacy Framework is built upon what it calls “the Core,” a set of fundamental privacy activities and their associated outcomes. Organizations are instructed to build a Current Profile that identifies their current privacy activities and outcomes. Say your organization created an inventory of all systems that process personal information to increase its understanding of privacy risk. The outcome of that activity would be documented in your organization’s Current Profile as a centralized record of those systems.

But knowing where you are is just the first step. You also need to know where you are going. Using the Core, the Privacy Framework helps you map out a Target Profile for privacy outcomes. For example, your organization may have a standard privacy awareness training, which results in a basic understanding of privacy concepts. But for your Target Profile, you could aim for more detailed privacy trainings for specific functions, e.g., human resources or marketing, to better equip employees when handling personal information. This helps you build an action plan and involve the necessary parties.

Image Source: NIST Privacy Framework

Right now, it is hard for anyone to know what each day or week holds, making planning a challenge. But a strong privacy framework can help you understand where you are and where you want to go, even in uncertain times.

Editor's note: For further insights on this topic, read the recent Journal article: Aligning COSO and Privacy Frameworks to Manage Privacy in a Post-GDPR World, ISACA Journal, volume 2, 2020. And for additional privacy resources from ISACA, visit http://vrbs.zq-shop.net/credentialing/certified-data-privacy-solutions-engineer.