Data security -- 14 -- Analysis of privacy protection governance
2022-07-05 04:32:00 【Follow also】
One、GRC overview
GRC (Governance, Risk management and Compliance) is the set of capabilities that allows an enterprise to reliably achieve its goals by addressing uncertainty and acting with integrity; it is a framework model for enterprise risk governance.
Governance (G) mainly covers:
● Establishing strategy and boundaries.
● Organizational structure and the division of rights and responsibilities.
● Policy formulation and process control.
● Performance monitoring.
Risk management (R) mainly covers:
● Classification of risks.
● Risk assessment methods.
● Risk management.
● Risk reporting mechanism.
Compliance (C) mainly covers:
● Documentation of the various non-compliance risks.
● Defining and documenting compliance control points in the process.
● Evaluating the effectiveness of the control points.
● Resolving the compliance problems that are found.
Two、Introduction to privacy protection governance
If the enterprise faces heavy compliance pressure, it can borrow from the established practices of data security management and from its compliance requirements to build a management system for privacy protection, including:
● Establishing the general outline of the privacy protection policy and reaching consensus on it within management.
● Establishing the organization and teams for privacy protection and dividing responsibilities; they are in charge of privacy protection supervision, auditing, and communication with regulators.
● Establishing policies and frameworks for privacy protection (building a document system and applying it in practice).
● Determining the list of applicable laws and regulations and converting them into internal documents.
● Establishing a Privacy Impact Assessment (PIA) or Data Protection Impact Assessment (DPIA) methodology and operating process.
● Managing and implementing the privacy lifecycle (such as the privacy statement, collection, data subject consent, the circulation approval process, retention period management and data cleanup).
● Establishing a data catalogue and a privacy operations support system, used to measure privacy risk, support the routine implementation of privacy protection, and demonstrate compliance to regulators.
● Establishing processes and systems for data subject requests (to support user queries, modification, deletion, withdrawal of consent, etc.).
● A response and reporting mechanism for privacy data leakage incidents.
Three、GRC practice for data protection governance
Here we integrate the GRC risk governance methodology with the PDCA loop to discuss specific practices of privacy compliance.
3.1、Plan (P)
The main tasks in the planning stage include:
G: Set goals, define organizational responsibilities and the accountability policy, and formulate overall policies.
R: Risk identification.
C: Determine compliance requirements, decompose and reorganize them, and establish internal compliance benchmarks.
3.2、Do (D)
The main tasks of the implementation stage include:
G: Refine the policies and supervise.
R: Risk assessment, risk control matrix, integration into processes, risk management.
C: Transform the internal compliance benchmarks into a compliance control matrix, establish or integrate them into processes, improve compliance, and establish compliance records.
3.3、Check (C)
The main tasks of the inspection stage include:
G: Performance appraisal of the team's results, process, and attitude.
R: Measurement of risk, that is, quantifying risks with data; this can be used for comparison among business teams and to commend the best performers.
C: Inspection of compliance effectiveness and of compliance records. Effectiveness here includes, but is not limited to, whether the privacy statement has been self-checked, whether data flow approval records exist, whether supplier due diligence records exist, and whether data subject requests have been processed.
3.4、Act (A)
The main tasks of the action stage include:
G: Based on the results of the compliance inspection, the risk measurement, and the performance measurement, carry out decision-making and accountability.
R: Risk summary; residual risks are carried into the next round of the PDCA loop.
C: Compliance summary; the remaining non-compliance issues are carried into the next round of the PDCA loop.
Four、Maturity of privacy protection capability
The capability maturity evaluation model commonly used in the field of privacy protection is the AICPA/CICA PMM (Privacy Maturity Model), formulated by the American Institute of CPAs and the Canadian Institute of Chartered Accountants. It is a privacy maturity model developed on the basis of GAPP (Generally Accepted Privacy Principles) and CMM (the Capability Maturity Model), and can be used to evaluate the current level of an enterprise's privacy protection system.
In practice, however, it is generally not recommended to use the external specification directly; it needs to be transformed internally. During this internal transformation the selected indicators generally need not be complete (indicators that all business lines already handle well can be removed, keeping only the high-risk ones), since the main purpose is to drive compliance improvement in each business line. The result of the transformation is the internal capability maturity model.
The following are general recommendations; in practice they should be formulated according to the actual situation of the enterprise.
Capability maturity standard reference:
Level | Capability summary |
---|---|
Level five | Continuously optimizing: continuous improvement based on quantitative feedback and audits; a large volume of records is needed as evidence |
Level four | Measurable (privacy compliance risks are quantified) or manageable (such as visual tracking); able to pass an effectiveness review |
Level three | Fully defined and documented |
Level two | Repeatable activity processes |
Level one | Individual cases, basically not repeated |
Internal capability maturity reference:
Segment | Level three (fully defined and documented) | Level four (measurable / manageable) |
---|---|---|
Organization and policy | Organizational design and appointment documents for the first, second and third lines of defense; accountability system; a relatively complete policy document system and processes. | Accountability records; review records of policy documents; revision history; audit records |
Privacy statement | Management regulations, templates and checklist for the privacy statement / notice; checklist self-inspection records. | Quantified self-checks with uniformly displayed scores |
Choice / consent | Fully guarantee the data subject's options; important options must be actively ticked by the user, with no bundled consent; record the user's consent to each version of the privacy statement. | Optimized management of data subject consent, visualized or searchable |
Data catalogue / classification | Policy documents for data classification; data catalogue and classification labels for data. | Data statistics and visual management |
Data flow | Management regulations on data circulation; circulation audit records; if suppliers are involved, due diligence records and signed data processing agreements; if cross-border transfer is involved, signed data transfer agreements. | Data record statistics and visual management |
Privacy by design | Design guidelines and checklist; checklist self-inspection records. | Measurement, statistics and analysis of self-test results |
Data subject requests | Management regulations and processing flow; processing records. | Quantity measurement (statistics by type, such as account cancellation, correction, etc.; statistics of request data by business line); SLA measurement (on-time completion rate, etc.) |
Risk assessment | Risk management regulations, evaluation methods and grading criteria; evaluation records. | Statistics and analysis of evaluation reports; risk classification |
Awareness education | Management regulations (qualification requirements for employees, training requirements, etc.); training / examination records. | Quantification and statistical analysis of training / test data |
Incident management | Management regulations, incident handling process, processing records. | Statistics and analysis |