Privacy Impact Assessments
A high-level privacy impact assessment (PIA) can identify the issues that should be addressed and help prioritize them. It is based upon information I collect from the key stakeholders who answer a PIA survey, along with follow-up questions, a review of the privacy policies posted on your websites, and research into any publicized incidents at companies in the same industry.
For more information, contact me
Comprehensive Privacy Impact Assessment
A comprehensive privacy impact assessment (PIA) is based upon empirical research to determine the current state of privacy within the company, facilitated information-gathering activities, stakeholder interviews, and communication of industry standard practices. Together these provide the in-depth knowledge required to identify and measure the risks related to obtaining, handling, and maintaining employee, consumer, and customer/partner personally identifiable information (PII).
The objective of a comprehensive PIA is to identify the risks and impacts to business processes, and to their related technology, associated with employee and consumer information privacy, data protection compliance, and customer expectations.
For more information, contact me
Privacy Policy Privacy Impact Assessment
For more information, contact me
Defined Scope Privacy Impact Assessment
For more information, contact me
Other Services
Corporate Privacy Governance Plan and Information Security Governance Plan Creation
All organizations that collect, store, process and otherwise handle PII need to have a comprehensive privacy governance plan and information security governance plan to ensure PII is appropriately used and protected.
For more information, contact me
PII Identification and Inventory
It is important to know what personally identifiable information (PII) exists within the organization. You cannot protect PII if you do not know what PII you have or where it is located! To do this you must first define PII, then determine where PII is collected and stored, assign responsibility for the PII, and determine the risks to the PII. This is most efficiently accomplished by looking at each application and system.
For more information, contact me
Create Information Security and Privacy Policies
Organizations need to have information security and privacy policies and procedures for their personnel to follow, based on the enterprise risk, gap determination and international privacy leading practices, such as the Organization for Economic Cooperation and Development (OECD) privacy principles paired with the ISO27001 security standards.
For more information, contact me
Create Procedures to Support Information Security and Privacy Policies
Procedures must exist to support each policy in every area to which the policy applies. Procedures must be detailed and specific to the areas that must follow them.
For more information, contact me
Vendor / Business Partner Security and Privacy Program Review
Organizations must perform due diligence activities to ensure that the business partners to whom they entrust PII have appropriate security programs and activities in place. My business partner security and privacy program review uses a methodology based upon ISO27002 and the OECD privacy principles.
For more information, contact me
Create Information Security and Privacy Incident Response Plans
At least 45 privacy breach laws exist in the U.S. Organizations must be able to resolve incidents as quickly as possible by following established incident response procedures, then analyze each incident to determine whether privacy breach notices are necessary, and finally implement changes to prevent recurrences of the same type of incident.
For more information, contact me
Create Privacy Program and Information Security Maintenance Plan
Your organization must continuously ensure compliance with the corporate privacy policies as well as applicable laws and contractual requirements. This can be accomplished by following a well-thought-out privacy program maintenance plan.
For more information, contact me
Create Information Security and Privacy Awareness and Training Strategy
Organizations need to have a formally documented information security and privacy awareness and training program to make education efforts effective, as well as to demonstrate compliance with the multiple laws and regulations that require training and awareness.
For more information, contact me
Virtual Privacy Officer / Virtual Information Security Officer
All organizations face unanticipated information security, privacy and compliance issues on an ongoing basis, beyond the specific projects described above. To understand these issues it is good to have an experienced and trusted source who can meet with you, do research, and provide opinions and recommendations.
Many organizations also do not have personnel dedicated to addressing the vast and growing set of information security, privacy and compliance issues that all businesses must be concerned with. I will provide regular updates and recommendations for an organization based not only upon general information security and privacy issues, requirements and concerns, but also upon my client's specific industry and risks. I also offer the option of monthly or quarterly calls to discuss with business leaders their information security, privacy and compliance issues, and to let them know the types of actions they can take to address them.
For more information, contact me
Create Standards To Support Information Security and Privacy Policies
Standards must exist to support each policy in every area to which the policy applies. Standards must be detailed and must apply to every area that uses the specific technology each standard covers.
For more information, contact me
Create Guidelines To Support Information Security and Privacy Policies
Guidelines are extremely useful in supporting each policy, procedure and standard in every area where they apply.
For more information, contact me
Provide On-site Presentations
I can come on-site to speak with your executives, help desk personnel, another target group, or your general employee base. The cost depends upon the topic and on whether I use some of my existing training or need to create customized training based upon your learning goals. When you let me know the specific topic you have in mind, the amount of time for the event, the location(s) and the number of people anticipated, I can give you the cost for the event.
For more information, contact me