Privacy Principles Lecture Material PDF

Document Details


Uploaded by FresherHarp112

University of Santo Tomas

Tags

privacy data protection information security business law

Summary

This document is lecture material on privacy principles, including examples of global regulations like GDPR and HIPAA. It covers good practices, processing of personal information, and privacy requirements.

Full Transcript


Additional Lecture Material on Chapter 2: Privacy Principles

Slide/Page 3
Examples of global regulations related to privacy:
1) European Union (EU) General Data Protection Regulation (GDPR)
2) Health Insurance Portability and Accountability Act (HIPAA) in the United States

Slide/Page 4
Good practices to ensure a consistent approach to privacy throughout the organization include:
a) Privacy should be considered from the outset and be built in by design. It should be systematically built into policies, standards and procedures from the beginning.
b) Private data should be collected fairly in an open, transparent manner. Only the data required for the purpose should be collected in the first instance.

Slide/Page 6
Processing of personal information includes:
1) Collection
2) Use
3) Disclosure
4) Destruction

Requirements for privacy consist of:
a) Legislative requirements
b) Regulatory requirements
c) Contractual requirements

Slide/Page 9
Identify and understand compliance requirements regarding privacy from laws, regulations and contract agreements. Depending on the assignment, IS auditors may need to seek legal or expert opinion on these.

Slide/Page 11
ISACA describes several privacy principles for audit objectives that can be used as a framework to consider most privacy issues when planning an audit. Sample assurance considerations based on these privacy principles include:
a) Choice and consent - Does the enterprise ensure that appropriate consent has been obtained prior to the transfer of personal information to other jurisdictions?
b) Legitimate purpose specification and use limitation - Does the enterprise specify the purpose(s) for which personal information is collected?
c) Personal information and sensitive information life cycle - Does the enterprise retain personal information for only as long as necessary?
d) Accuracy and quality - Does the enterprise implement practices and processes to ensure that personal information is accurate, complete and up to date?
e) Openness, transparency and notice - Does the enterprise provide clear and easily accessible information about its privacy policies and practices?

Slide/Page 12
f) Individual participation - Does the enterprise provide data subjects a process to access their personal information?
g) Accountability - Does the enterprise assign roles, responsibility, accountability and authority for performing privacy processes?
h) Security safeguards - Does the enterprise ensure that appropriate security safeguards are in place for all personal information?
i) Monitoring, measuring and reporting - Does the enterprise report compliance with policies, standards and laws?
j) Preventing harm - Does the enterprise establish processes to mitigate any personal harms that may occur to data subjects?

Slide/Page 13
k) Third-party/vendor management - Does the enterprise implement governance processes to ensure the appropriate protection and use of personal information that is transferred to third parties?
l) Breach management - Has the enterprise established a documented policy and supporting procedure for identifying, escalating and reporting incidents?
m) Security and privacy by design - Does the enterprise ensure executive support for the identification of personal information and privacy risk within enterprise events?
n) Free flow of information and legitimate restriction - Does the enterprise follow the requirements of applicable data protection authorities for the transfer of personal information across country borders?

Source: CISA Review Manual 27th Edition (Chapter 5 – Protection of Information Assets)
