Overview
• Our unique perspective as federal regulator
• Privacy impact assessment
• Threat and risk assessment
• Technology & privacy can co-exist
Technological Innovations
“We got more than we bargained for…”
matchoncard.com
Privacy Impact Assessments
• Making Good Decisions
• Privacy Risk Management
• Accountability
• Compliance
TRA Terminology
Term: Definition
Assets: Tangible or intangible things
Threats: Potential event that could cause injury
Vulnerabilities: An attribute that increases the likelihood of a threat, compromise or severity of injury
Safeguards: Decreases the likelihood of a threat, compromise or severity of injury
Residual Risk: Remaining risk after applying safeguards
Confidentiality: Information must not be disclosed to unauthorized individuals
Integrity: Accuracy and completeness of assets
Availability: Usable on demand to support program delivery
Enterprise Risk Management
Project Management Framework
Software Development Lifecycle
others…
TRA Process
1. Identify ASSETS
2. Identify THREATS to the assets
3. ...which have VULNERABILITIES but also existing SAFEGUARDS
4. Calculate RESIDUAL RISKS
5. RECOMMEND actions to MITIGATE unacceptable RESIDUAL RISKS
COSO Enterprise Risk Management Framework
[Figure: COSO cube. Components: Internal Environment, Objective Setting, Event Identification, Risk Assessment, Risk Response, Control Activities, Info & Communication, Monitoring. Levels: Entity-level, Division, Business Unit, Subsidiary. Figure labels: TRA, Risk Assessment; an X marks PIA / TRA Activity.]
PIA & TRA – how do they work together?
Process – GoC Example
PIA
• Overview and PIA Initiation
• Analyse PI flows
• Identify privacy risks
• Assess privacy compliance
• Summarize analysis
• Make recommendations
TRA
• Preparation Phase
• Identify assets
• Assess threats
• Assess vulnerabilities
• Calculate residual risk
• Make recommendations
Overlap between PIA and TRA: Safeguards
Assessing privacy & security risks
[Diagram: End-to-end data flow. Labels: Partners, Third-parties, Clients, SysA, SysB, Remote, Manual Process (twice), Multiple input channels, Multiple output channels.]
Assessing privacy & security risks
[Diagram labels: Partners, Third-parties, Clients, Remote, Employees (twice), Secure File Transfer, SysA, Web portal, SysB.]
PIA & TRA Scope
[Diagram: relationships between TRA and PIA scope]
• 1 to 1
• 1 to many
• many to 1
• many to many
New technology – assessing risks
How does it work?
How do we implement it?
How do we integrate it?
How do we secure it?
What does it do?
What are we going to do with it?
Should we do it? (4 part test)
How do we do it in a privacy-sensitive & compliant way?
How do we protect the data?
We want to use Technology A to ….
BUSINESS
PRIVACY
IT & SECURITY
Key Takeaways
• Work with business, privacy, security and technical experts
• Coordinate risk management activities
• Define scope
• Leverage work already done
• Consolidate risk action plan