ID.
Identify data privacy universe
ID.IM
Identify scope of privacy program
• Understand your organization’s data processing environment.
• Understand your organization’s process owners and operators.
• Understand your organization’s personal data sources and uses.
• Understand your organization’s data processing activities.
ID.IM-1
Identify data processing activities
• Establish an inventory of your data processing activities.
ID.IM-2
Identify process owners and operators
• Establish an inventory of data processing owners and operators.
ID.IM-3
Identify providers of personal data
• Establish an inventory of people who provide personal data to your organization.
ID.IM-4
Identify data processing actions
• Establish an inventory of data processing actions that your organization performs.
ID.IM-5
Identify the purpose of each action
• Establish the purpose of each data processing action performed.
• Establish the purpose of each data action performed by each data processing system.
• Establish the purpose of each data action performed by each data processing product.
• Establish the purpose of each data action performed by each data processing service.
ID.IM-6
Identify the elements of each action
• Establish an inventory of data elements within each data action.
• Establish an inventory of data elements within data actions performed by each system.
• Establish an inventory of data elements within data actions performed by each product.
• Establish an inventory of data elements within data actions performed by each service.
ID.IM-7
Identify data processing environment
• Establish where data processing is being carried out.
ID.IM-8
Identify data processing flows and roles
• Establish data maps for data processing systems.
• Establish data maps for data processing products.
• Establish data maps for data processing services.
ID.BE
Identify your business environment
• Clarify your organization's business environment.
• Use this knowledge to clarify business requirements.
ID.BE-1
Identify data processing ecosystem
• Identify your organization's role in the data processing ecosystem.
• Communicate your organization's role in the data processing ecosystem.
ID.BE-2
Identify your organization’s priorities
• Establish business priorities for your organization.
• Communicate your organization's business priorities.
ID.BE-3
Identify organization’s requirements
• Identify data processing functions that support your organization's priorities.
ID.RA
Identify privacy risks and responses
• Carry out data privacy risk assessments for your organization.
• Identify and understand the privacy risks individuals could encounter.
• Identify and understand the impacts potential privacy problems could have.
• Consider high priority privacy risks and develop a suitable set of responses.
ID.RA-1
Identify your data privacy context
• Consider each data processing system and identify all related contextual factors.
• Consider each data processing product and identify all related contextual factors.
• Consider each data processing service and identify all related contextual factors.
ID.RA-2
Identify privacy risks by finding bias
• Identify data inputs and outputs for each data processing function.
• Identify bias by evaluating data processing inputs and outputs.
ID.RA-3
Identify problematic data actions
• Identify potential problematic data actions that data processing systems carry out.
• Identify potential problematic data actions that data processing products carry out.
• Identify potential problematic data actions that data processing services carry out.
ID.RA-4
Identify and prioritize privacy risks
• Consider problematic data actions and assess likelihoods and potential impacts.
• Assess the likelihood that potential problematic data actions will actually occur.
• Assess the impact that problematic data actions could have if they actually occur.
• Use knowledge about problematic data action likelihoods and impacts to determine risk.
ID.RA-5
Identify and prioritize responses
• Consider your organization's high priority privacy risks.
• Identify responses to address high priority privacy risks.
• Prioritize responses to address your high priority risks.
• Implement your organization's privacy risk responses.
ID.DE
Identify risk management processes
• Plan how you intend to manage privacy risks within your data processing ecosystem.
• Develop processes to manage privacy risks within your data processing ecosystem.
ID.DE-1
Identify ways of managing privacy risks
• Establish policies to manage privacy risks within your data processing ecosystem.
• Establish processes to manage privacy risks within your data processing ecosystem.
• Establish procedures to manage privacy risks within your data processing ecosystem.
ID.DE-2
Identify data processing ecosystem parties
• Inventory the parties that make up your organization’s data processing ecosystem.
• Use your privacy risk assessment process to assess and to prioritize these parties.
ID.DE-3
Identify objectives for your ecosystem parties
• Formulate data privacy objectives for your organization’s data privacy program.
• Develop privacy contracts to ensure that your data privacy objectives will be met.
ID.DE-4
Identify how to manage ecosystem privacy risks
• Manage the data privacy risks that permeate your data processing ecosystem.
ID.DE-5
Identify how well data processing parties perform
• Evaluate the privacy performance of the parties that make up your data processing ecosystem.
GV.
Establish governance structure
GV.PO
Establish privacy governance methods
• Identify and understand the governance structures used to meet requirements.
• Identify and understand the policies your organization uses to meet requirements.
• Identify and understand the processes your organization uses to meet requirements.
• Identify and understand the procedures your organization uses to meet requirements.
• Use knowledge of governance structures to manage your privacy risks and priorities.
GV.PO-1
Establish your privacy values and policies
• Develop your organization’s privacy values and policies.
• Communicate your organization’s privacy values and policies.
GV.PO-2
Establish processes to instill privacy values
• Develop processes to instill privacy values within your organization.
• Implement processes to instill privacy values within your organization.
GV.PO-3
Establish privacy roles and responsibilities
• Develop privacy roles and responsibilities for your organization’s workforce.
• Implement privacy roles and responsibilities for your organization’s workforce.
GV.PO-4
Establish privacy management ecosystem
• Coordinate and align privacy roles and responsibilities with third-party stakeholders.
GV.PO-5
Establish external privacy requirements
• Identify your organization’s external privacy requirements.
• Use this knowledge to manage external privacy requirements.
GV.PO-6
Establish privacy management practices
• Establish management methods to address your organization’s privacy risks.
GV.RM
Establish privacy management strategy
• Consider your organization’s priorities, constraints, and assumptions.
• Use this information to establish your privacy risk management strategy.
• Use your strategy to guide all operational risk management decisions.
GV.RM-1
Establish your risk management processes
• Establish your organization’s risk management processes.
• Share these processes with your organization’s stakeholders.
• Gain the support and participation of these stakeholders.
GV.RM-2
Establish your organization's risk tolerance
• Consider how much data privacy risk your organization can tolerate.
• Consider your privacy values as you consider how much risk you can tolerate.
GV.RM-3
Establish your tolerance for ecosystem risks
• Consider your data processing ecosystem and the role you play in this ecosystem.
• Use this information to determine how much privacy risk your organization can tolerate.
GV.AT
Establish privacy skills and competence
• Consider your organization’s approach to privacy risk management.
• Establish privacy risk training and awareness programs for your organization.
• Establish training and awareness programs that discuss your privacy values.
• Establish training and awareness programs that discuss your privacy policies.
• Establish training and awareness programs that discuss your privacy processes.
• Establish training and awareness programs that discuss your privacy procedures.
GV.AT-1
Establish awareness programs for your workforce
• Establish privacy training and awareness programs for data processing workers.
GV.AT-2
Establish awareness programs for your executives
• Establish privacy training and awareness programs for senior executives.
GV.AT-3
Establish awareness programs for privacy people
• Establish privacy training and awareness programs for your privacy personnel.
GV.AT-4
Establish awareness programs for third parties
• Establish privacy training and awareness programs for third parties.
GV.MT
Establish privacy monitoring program
• Establish privacy monitoring policies, processes, and procedures.
• Establish privacy review policies, processes, and procedures.
• Establish privacy evaluation policies, processes, and procedures.
• Establish privacy assessment policies, processes, and procedures.
• Establish privacy communication policies, processes, and procedures.
• Establish privacy improvement policies, processes, and procedures.
GV.MT-1
Establish data privacy evaluation program
• Establish a data privacy evaluation program for your organization.
• Use this program to re-evaluate your data privacy risk on an ongoing regular basis.
• Use this program to re-evaluate your data privacy risk whenever key changes occur.
GV.MT-2
Establish data privacy review program
• Establish a data privacy review program for your organization.
• Review your data privacy values whenever major changes occur.
• Review your data privacy policies whenever major changes occur.
• Review your data privacy training services whenever major changes occur.
GV.MT-3
Establish data privacy assessment program
• Establish a data privacy compliance assessment program for your organization.
• Establish policies to control how compliance assessments are carried out.
• Establish processes to control how compliance assessments are carried out.
• Establish procedures to control how compliance assessments are carried out.
GV.MT-4
Establish data privacy communications program
• Establish a data privacy communications program for your organization.
• Establish policies to control how data privacy communications are carried out.
• Establish processes to control how data privacy communications are carried out.
• Establish procedures to control how data privacy communications are carried out.
GV.MT-5
Establish data privacy response control program
• Establish a data privacy response control program for your organization.
• Establish policies to control how problematic data actions are managed.
• Establish processes to control how problematic data actions are managed.
• Establish procedures to control how problematic data actions are managed.
GV.MT-6
Establish data privacy change management program
• Establish a data privacy change management program for your organization.
• Establish policies to control how to apply lessons learned from risky data actions.
• Establish processes to control how to apply lessons learned from risky data actions.
• Establish procedures to control how to apply lessons learned from risky data actions.
GV.MT-7
Establish data privacy complaint resolution program
• Establish a data privacy complaint resolution program for your organization.
• Establish policies to control how privacy complaints and questions are managed.
• Establish processes to control how privacy complaints and questions are managed.
• Establish procedures to control how privacy complaints and questions are managed.
CT.
Control how risks are managed
CT.PO
Control how data privacy is protected
• Develop a data processing program to control how privacy is protected.
• Use it to show that management is committed to protecting privacy.
CT.PO-1
Control how data processing is authorized
• Protect privacy by controlling how corporate data processing is authorized.
• Establish privacy policies to control corporate data processing authorizations.
• Establish privacy processes to control corporate data processing authorizations.
• Establish privacy procedures to control corporate data processing authorizations.
CT.PO-2
Control how data processing is managed
• Protect privacy by controlling how data processing is managed.
• Establish privacy policies to control how data processing is managed.
• Establish privacy processes to control how data processing is managed.
• Establish privacy procedures to control how data processing is managed.
CT.PO-3
Control how data processing is enabled
• Protect privacy by controlling how personal data processing preferences are enabled.
• Establish privacy policies to control how preferences and requests are enabled.
• Establish privacy processes to control how preferences and requests are enabled.
• Establish privacy procedures to control how preferences and requests are enabled.
CT.PO-4
Control how data processing is changed
• Protect privacy by controlling your organization’s data processing life cycles.
• Protect privacy by controlling how data is managed during its life cycle.
• Protect privacy by controlling how systems are managed during their life cycle.
CT.DM
Control how data privacy is handled
• Control how your data processing activities are carried out.
• Protect personal privacy by controlling how data is processed.
• Protect personal privacy by complying with your privacy values.
• Protect personal privacy by complying with your risk policies.
• Protect personal privacy by complying with your risk strategy.
• Protect personal privacy by implementing your privacy principles.
CT.DM-1
Control your organization's data reviews
• Protect personal privacy by controlling how data elements are reviewed.
• Protect privacy by controlling how data elements are accessed for review.
CT.DM-2
Control your organization's data disclosures
• Protect personal privacy by controlling how data elements are disclosed and transmitted.
• Protect privacy by controlling how data is accessed for disclosure and transmission.
CT.DM-3
Control your organization's data alterations
• Protect personal privacy by controlling how data elements are altered.
• Protect privacy by controlling how data elements are accessed for alteration.
CT.DM-4
Control your organization's data deletions
• Protect personal privacy by controlling how data elements are deleted.
• Protect privacy by controlling how data elements are accessed for deletion.
CT.DM-5
Control your organization's data destruction
• Protect personal privacy by controlling how data elements are destroyed.
• Protect privacy by controlling how data elements are accessed for destruction.
CT.DM-6
Control your organization's data transmission
• Protect personal privacy by controlling how data are transmitted.
• Protect privacy by ensuring that data transmissions use standardized formats.
CT.DM-7
Control your organization's data permissions
• Protect privacy by controlling the transmission of processing permissions.
CT.DM-8
Control your organization's data audit logs
• Protect personal privacy by controlling how audit logs are implemented.
• Protect personal privacy by controlling how audit log records are reviewed.
CT.DM-9
Control your organization's data assessments
• Protect privacy by controlling how technology is used to manage data processing.
• Protect privacy by controlling how data processing activities are assessed.
CT.DM-10
Control your organization's data preferences
• Protect privacy by controlling how stakeholder privacy preferences are managed.
• Protect privacy by controlling how preferences are included in design objectives.
• Protect privacy by controlling how design outputs are evaluated against preferences.
CT.DP
Control how data privacy is achieved
• Control how data processing solutions comply with your risk strategy.
• Control how data processing solutions comply with your risk policies.
• Control how data processing solutions comply with your privacy values.
• Control how data processing solutions comply with your privacy principles.
CT.DP-1
Control how easy it is to observe personal data
• Protect privacy by limiting observability and linkability of data.
• Protect personal privacy by using privacy preserving cryptography.
• Protect personal privacy by using local devices to carry out data actions.
CT.DP-2
Control how easy it is to identify specific people
• Protect privacy by limiting how easy it is to identify individual people.
• Protect personal privacy by using de-identification techniques to conceal identity.
• Protect personal privacy by using tokenization privacy techniques to conceal identity.
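The two subcategories above (CT.DP-1, limiting linkability with privacy-preserving cryptography, and CT.DP-2, de-identification and tokenization) name techniques without showing one. The Python below is an added example written for this page; it is not part of the framework text and not any organization's reference implementation. It tokenizes a direct identifier with HMAC-SHA256 under a key that is bound to one processing purpose, so records stay joinable inside that purpose but tokens issued for different purposes cannot be linked to each other, and it coarsens two quasi-identifiers (date of birth to birth year, ZIP to its three-digit prefix). The sample records and the per-purpose keys are constructed for the example; a real deployment would draw the keys from a key management service and choose generalization levels from its own risk assessment.

```python
import hmac
import hashlib

# Constructed sample records; these are not real people.
SAMPLE_RECORDS = [
    {"email": "alice@example.org", "dob": "1984-06-12", "zip": "02139", "visits": 3},
    {"email": "bob@example.org",   "dob": "1991-11-30", "zip": "94110", "visits": 7},
]

# Hypothetical per-purpose tokenization keys, constructed so the example runs
# offline. One key per processing purpose is what makes cross-purpose tokens unlinkable.
PURPOSE_KEYS = {
    "analytics": b"\x01" * 32,
    "support":   b"\x02" * 32,
}


def pseudonymize(identifier: str, purpose: str, keys: dict = PURPOSE_KEYS) -> str:
    """Keyed tokenization of a direct identifier.

    HMAC-SHA256 under the purpose's key: the same identifier maps to the same
    token within a purpose (joins still work), while tokens for other purposes
    differ, and without the key the token cannot be reversed or brute-forced
    from a list of candidate identifiers the way a plain hash could.
    """
    key = keys[purpose]
    normalized = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, normalized, hashlib.sha256).hexdigest()[:32]


def generalize_dob(dob: str) -> str:
    """Coarsen an ISO date of birth to the birth year."""
    return dob[:4]


def truncate_zip(zip_code: str) -> str:
    """Coarsen a five-digit ZIP code to its three-digit prefix."""
    return zip_code[:3] + "**"


def deidentify(record: dict, purpose: str) -> dict:
    """Replace the direct identifier with a purpose-bound token and coarsen quasi-identifiers."""
    return {
        "subject": pseudonymize(record["email"], purpose),
        "birth_year": generalize_dob(record["dob"]),
        "zip3": truncate_zip(record["zip"]),
        "visits": record["visits"],
    }


def deidentify_dataset(records: list, purpose: str) -> list:
    """De-identify a whole extract for release to one processing purpose."""
    return [deidentify(r, purpose) for r in records]


def linkable(rec_a: dict, rec_b: dict) -> bool:
    """True when two released records share a subject token (same person, same purpose key)."""
    return rec_a["subject"] == rec_b["subject"]


if __name__ == "__main__":
    for purpose in PURPOSE_KEYS:
        print(purpose)
        for row in deidentify_dataset(SAMPLE_RECORDS, purpose):
            print("  ", row)
```

Running the block prints one de-identified extract per purpose; the same person carries a different token in each, which is the linkability control CT.DP-1 asks for, while direct identifiers never appear in either release.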
CT.DP-3
Control how easy it is to infer personal details
• Protect privacy by limiting how easy it is to infer details about traits and activities.
• Limit how easy it is to make personal inferences by decentralizing data processing.
• Limit how easy it is to make personal inferences by using distributed architectures.
CT.DP-4
Control how easy it is to hoard personal data
• Protect privacy by controlling how easy it is to collect personal data elements.
• Protect privacy by controlling how easy it is to disclose personal data elements.
CT.DP-5
Control how easy it is to see personal identifiers
• Protect privacy by ensuring that personal identifiers comply with risk strategy.
• Protect privacy by ensuring that personal identifiers comply with risk policies.
• Protect privacy by ensuring that personal identifiers comply with privacy values.
• Protect privacy by ensuring that personal identifiers comply with privacy principles.
CM.
Develop communication program
CM.PO
Develop communication capability
• Develop a privacy communications program for your organization.
• Use your program to show that management is committed to transparency.
• Implement your organization’s privacy communications program.
• Use your program to share information about your data processing activities.
• Use your program to share information about your organization’s privacy risks.
• Use your program to share information about your data processing ecosystem.
CM.PO-1
Develop your privacy communication controls
• Develop transparency policies to control your organization’s privacy communications.
• Develop transparency processes to control your organization’s privacy communications.
• Develop transparency procedures to control your organization’s privacy communications.
CM.PO-2
Develop your privacy communication functions
• Develop communication roles to control your privacy communications.
• Allocate communication responsibilities to guide privacy communications.
CM.AW
Develop communication techniques
• Determine how you’re going to share information about data privacy.
• Determine how you’re going to obtain feedback about data privacy.
• Determine how you’re going to ensure data processing visibility.
• Determine how you’re going to monitor data sharing activities.
• Determine how you’re going to communicate with your data ecosystem.
• Determine how you’re going to determine data provenance and lineage.
• Determine how you’re going to notify people about data privacy breaches.
• Determine how you’re going to manage the impact privacy problems could have.
CM.AW-1
Develop ways of sharing information about privacy
• Establish mechanisms for sharing information about data processing.
• Share information about your organization’s data processing activities.
• Share information about your organization’s data processing purposes.
• Share information about your organization’s data processing practices.
• Share information about your organization’s data processing privacy.
CM.AW-2
Develop ways of obtaining feedback about privacy
• Establish mechanisms for obtaining feedback from individuals.
• Consider using surveys to obtain information from individuals.
• Consider using focus groups to obtain information from individuals.
CM.AW-3
Develop ways of ensuring data processing visibility
• Enable ways of ensuring the visibility of your data processing activities.
• Establish ways of ensuring that data processing activities can be easily monitored.
CM.AW-4
Develop ways of monitoring data sharing activities
• Establish a record of all data sharing and disclosure activities.
• Establish ways of monitoring data sharing and disclosure activities.
CM.AW-5
Develop ways of communicating with data ecosystem
• Establish ways of communicating with your data processing ecosystem.
• Establish ways of communicating about data corrections and deletions.
CM.AW-6
Develop ways of determining provenance and lineage
• Establish detailed data processing histories for each single data element.
• Establish ways of monitoring data processing histories for each data element.
• Establish ways of determining the specific lineage of each data element.
• Establish ways of determining the provenance of each data element.
CM.AW-7
Develop ways of notifying people about privacy breaches
• Establish ways of notifying individuals about data privacy issues.
• Establish ways of notifying organizations about data privacy issues.
CM.AW-8
Develop ways of managing the impact of privacy problems
• Establish mitigation mechanisms that individuals can use to address adverse impacts.
PR.
Implement processing protections
PR.PO
Implement data protection policies
• Develop a security program to manage and control how data is protected.
• Use your program to show that management is committed to data security.
• Develop a privacy program to manage and control how privacy is protected.
• Use your program to show that management is committed to data privacy.
PR.PO-1
Implement baseline configurations for information technologies
• Establish a baseline configuration for your information technologies.
• Incorporate data security principles into your information technologies.
• Incorporate data privacy principles into your information technologies.
PR.PO-2
Implement configuration management for information technologies
• Establish configuration change control processes for information technologies.
• Test and validate information technology changes before you approve them.
PR.PO-3
Implement appropriate information backup processes and procedures
• Establish information backup processes and procedures for your organization.
• Make regular backup copies in accordance with your processes and procedures.
PR.PO-4
Implement policies and regulations to protect your information assets
• Identify policies that affect how physical environments are used to protect IT assets.
• Identify regulations that affect how physical environments are used to protect IT assets.
PR.PO-5
Implement methods to identify protection improvement opportunities
• Identify processes used to protect your organization’s information technologies.
• Improve processes used to protect your organization’s information technologies.
PR.PO-6
Implement ways of sharing information about protection technologies
• Share information about the effectiveness of privacy and security protection technologies.
• Specify what types of privacy and security information may be shared with others.
• Specify how privacy and security information should be approved for publication.
• Specify who may receive your privacy and security information.
PR.PO-7
Implement incident response, continuity, recovery, and restoration plans
• Implement incident response and business continuity plans and procedures.
• Implement incident recovery and business restoration plans and procedures.
PR.PO-8
Implement incident response, continuity, recovery, and restoration tests
• Test your incident response and business continuity plans and procedures.
• Test your incident recovery and business restoration plans and procedures.
PR.PO-9
Implement privacy procedures and ask human resources to include them
• Build privacy procedures into your organization's personnel recruitment practices.
• Build privacy procedures into your organization's personnel management practices.
• Build privacy procedures into your organization's personnel termination practices.
PR.PO-10
Implement a management plan to address your privacy vulnerabilities
• Develop a privacy vulnerability management plan for your organization.
• Implement your organization's privacy vulnerability management plan.
PR.AC
Implement access control measures
• Limit access to your organization’s data and devices.
• Allow only authorized devices to have access to data and devices.
• Allow only authorized processes to have access to data and devices.
• Allow only authorized individuals to have access to data and devices.
PR.AC-1
Implement measures to control identities of authorized entities
• Control identities and credentials for authorized individuals.
• Control identities and credentials for authorized devices.
• Control identities and credentials for authorized processes.
PR.AC-2
Implement measures to control access to your data and devices
• Control access to your organization’s data and devices.
• Allow only authorized individuals to access these data and devices.
• Use entry controls to allow only authorized people to have access.
PR.AC-3
Implement measures to control remote access to data and devices
• Establish remote access control policies and procedures for your organization.
• Establish remote access restriction, connection, and configuration requirements.
• Establish appropriate usage restrictions and requirements for mobile devices.
PR.AC-4
Implement measures to control access permissions and authorizations
• Control how access permissions and authorizations are managed.
• Incorporate “separation of duties” and “least privilege” principles.
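PR.AC-4 asks for separation of duties and least privilege but leaves open how an organization checks that its permission assignments actually honour them. The Python below is an added example written for this page, not framework text or any product's access-review tooling. It models a small role-based access control matrix, flags every user whose combined roles grant both halves of a declared conflicting pair (separation of duties), and lists permissions a user holds but never exercised during a review window (least-privilege candidates for removal). The roles, users, conflict pairs and usage records are all constructed and hypothetical; in practice the usage set would be derived from the audit logs that CT.DM-8 requires.

```python
# Constructed, hypothetical role -> permission map for a payments application.
ROLE_PERMISSIONS = {
    "payments_clerk":    {"payment.create", "payment.view"},
    "payments_approver": {"payment.approve", "payment.view"},
    "auditor":           {"payment.view", "auditlog.read"},
    "admin":             {"payment.create", "payment.approve", "payment.view",
                          "user.manage", "auditlog.read"},
}

# Constructed user -> roles assignments. u3 accumulated two roles over time;
# u4 holds a catch-all admin role. Both are the cases a review should surface.
USER_ROLES = {
    "u1": {"payments_clerk"},
    "u2": {"payments_approver"},
    "u3": {"payments_clerk", "payments_approver"},
    "u4": {"admin"},
}

# Permission pairs that one person must never hold together (separation of duties).
SOD_CONFLICTS = [
    ("payment.create", "payment.approve"),  # initiator must not approve their own payments
    ("user.manage", "auditlog.read"),       # account administrator must not also control the audit trail
]

# Constructed record of permissions actually exercised during the review window.
# In a real review this is derived from audit logs, not hand-written.
OBSERVED_USE = {
    "u1": {"payment.create"},
    "u2": {"payment.approve", "payment.view"},
    "u3": {"payment.create"},
    "u4": {"payment.view"},
}


def effective_permissions(user, user_roles=USER_ROLES, role_perms=ROLE_PERMISSIONS):
    """Union of the permissions granted by every role the user holds."""
    perms = set()
    for role in user_roles.get(user, ()):
        perms |= role_perms.get(role, set())
    return perms


def sod_violations(user_roles=USER_ROLES, role_perms=ROLE_PERMISSIONS, conflicts=SOD_CONFLICTS):
    """Map each offending user to the conflict pairs whose permissions they both hold.

    The check runs on effective permissions, so a conflict split across two
    otherwise harmless roles (u3) is caught as well as one inside a single role (u4).
    """
    violations = {}
    for user in sorted(user_roles):
        perms = effective_permissions(user, user_roles, role_perms)
        hits = [pair for pair in conflicts if pair[0] in perms and pair[1] in perms]
        if hits:
            violations[user] = hits
    return violations


def unused_permissions(user, observed=OBSERVED_USE,
                       user_roles=USER_ROLES, role_perms=ROLE_PERMISSIONS):
    """Least-privilege candidates: permissions granted but never exercised in the window."""
    return effective_permissions(user, user_roles, role_perms) - observed.get(user, set())


def access_review(user_roles=USER_ROLES):
    """Combine both checks into one report keyed by user."""
    sod = sod_violations(user_roles)
    return {
        user: {"sod_conflicts": sod.get(user, []),
               "unused": sorted(unused_permissions(user, user_roles=user_roles))}
        for user in sorted(user_roles)
    }


if __name__ == "__main__":
    for user, findings in access_review().items():
        print(user, findings)
```

The report is deliberately two-sided: the conflict list is a hard finding that should block the assignment, while the unused list is a prompt for the role owner to justify or revoke, since a permission that is legitimately needed only once a quarter will look unused in a short window.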
PR.AC-5
Implement measures to control and protect the integrity of networks
• Protect and control the integrity of your organization's networks.
• Consider using network segregation to control network access and integrity.
• Consider using network segmentation to control network access and integrity.
PR.AC-6
Implement measures to control identity authentication methods
• Control how specific identities are proofed, bound, and asserted.
• Control authentication commensurate with the risk of the transaction.
PR.DS
Implement data security mechanisms
• Protect the confidentiality, integrity, and availability of your organization’s data.
PR.DS-1
Implement methods and techniques to control data-at-rest
• Protect the confidentiality, integrity, and availability of data-at-rest.
• Protect data-at-rest using methods that are consistent with privacy risk strategy.
PR.DS-2
Implement methods and techniques to control data-in-transit
• Protect the confidentiality, integrity, and availability of your data-in-transit.
• Use transfer policies and procedures to protect and preserve data-in-transit.
• Use trusted communication paths to protect and preserve data-in-transit.
• Use cryptographic technologies to protect and preserve data-in-transit.
PR.DS-3
Implement methods and techniques to control data movements
• Protect data during transfer, removal, and disposition.
• Use methods that are consistent with your privacy risk.
PR.DS-4
Implement methods and techniques to control data availability
• Protect the availability of your data by maintaining adequate capacity.
• Establish redundant features if data availability cannot be guaranteed.
PR.DS-5
Implement methods and techniques to control data disclosure
• Protect the availability of data by preventing unauthorized disclosures and leaks.
• Use leak and disclosure prevention methods that are consistent with risk.
PR.DS-6
Implement methods and techniques to control data integrity
• Protect the integrity of your software, firmware, and information.
• Use integrity protection methods that are consistent with your risk.
PR.DS-7
Implement methods and techniques to control data habitat
• Protect your development, testing, and production environments.
• Use environment protection methods that are consistent with your risk.
PR.DS-8
Implement methods and techniques to control data devices
• Protect the integrity of your organization’s data processing devices.
• Use integrity protection measures that are consistent with your risk.
PR.MA
Implement maintenance procedures
• Protect the maintenance and repair of data processing systems and related assets.
• Maintain and repair your organization’s data processing systems and related assets.
PR.MA-1
Implement methods to control maintenance and repair
• Control the maintenance and repair of data processing systems and related assets.
• Control your organization’s system repair and maintenance tools and technologies.
PR.MA-2
Implement methods to control remote maintenance work
• Control remote maintenance and repair of data processing systems and assets.
• Establish your remote maintenance and repair policies, plans, and procedures.
PR.PT
Implement protective technologies
• Use protective technologies that implement your organization’s risk strategy.
• Use technologies to protect the security and resilience of data processing assets.
PR.PT-1
Implement measures to control removable media
• Prevent the unauthorized and uncontrolled use of removable media.
• Establish a policy to restrict and control the use of removable media.
PR.PT-2
Implement measures to strengthen configurations
• Configure your systems so that only essential capabilities are provided.
• Apply the “principle of least functionality” when systems are established.
PR.PT-3
Implement measures to safeguard network systems
• Protect your organization’s communications and control networks.
• Establish a policy to protect communications and control networks.
• Establish procedures to implement your network protection policy.
• Establish controls to implement your network protection policy.
PR.PT-4
Implement measures to ensure operational resilience
• Implement mechanisms to meet operational resilience requirements in normal situations.
• Implement mechanisms to meet operational resilience requirements in adverse situations.