Truvantis Blog

The Five-Step Adaptable Risk-based Privacy Program

Written by John MacInnis | Dec 7, 2022 4:00:00 PM

In today's data-driven economy, an organization's data is its most valuable asset. The landscape of privacy regulations is vast and continuously evolving, forcing organizations to select and track applicable requirements for collecting and managing that valuable data. Many organizations are subject to regulations from multiple jurisdictions (e.g., GDPR, CCPA, HIPAA, GLBA), requiring a central privacy program capable of supporting the entire matrix of international, federal, and rapidly changing state laws and regulations. These organizations should strive to implement a privacy program that is adaptable and able to keep up with frequent changes. Many regulations demand a "reasonable" standard for an organization's privacy and security programs. The best way to demonstrate that you have met this threshold is to have a formal risk management program.

Since the early 2000s, HIPAA and the Gramm-Leach-Bliley Act (GLBA) have recognized that reasonable privacy & security begins with an appropriate risk assessment. For example, in its guidance for the HIPAA Security Rule, the Office for Civil Rights (OCR) noted that: "Conducting a risk assessment is the first step in identifying and implementing safeguards that comply with and carry out the standards and implementation specifications in the Security Rule."

If you can effectively demonstrate that you've made efforts to comply with privacy and security laws, you can lower your risk of legal or administrative action. This is where earning a certification like ISO 27001 and 27701 can be advantageous.

No matter what regulations apply or which standards you choose to measure your privacy & security program against, we recommend a five-step approach. 
  1. Privacy Workshop 
  2. Attack Surface Analysis 
  3. Privacy Risk Assessment 
  4. Remediation Plan 
  5. Program Maintenance 

One: Privacy Workshop 

A quality privacy workshop solution will walk you through the early decision-making and planning process, deliver tools that will get you started, and customize the process to fit your organization's business requirements. It should also provide training so that stakeholders understand their roles and responsibilities.  

Two: Attack Surface Analysis 

An Attack Surface Analysis (ASA) replicates the techniques of a real-world attacker in searching for unexpected ingress vectors. Start with what you think your attack surface is. Then the ASA provider will gather information about your organization using OSINT (Open-Source Intelligence) sources, just as an attacker would.

Attack Surface Analysis Steps: 

  1. The Perceived Attack Surface
    Begin with your perceived attack surface. This usually is also the scope of what you would expect to test. 
  2. Open-Source Intelligence Reconnaissance 
    The ASA team crawls the surface, deep, and dark web to identify attack surfaces that you did not know you had.
  3. Data Reconciliation 
    Review the difference between your perceived attack surface and the discovered attack surface to confirm your ownership of those assets and services. 
  4. The Resulting Attack Surface Statement 
    You can now use the resulting understanding of your attack surface as the scope for your penetration test. 
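
The data reconciliation step above can be sketched in code. This is an added example, not part of the original article or a Truvantis tool; the domains, addresses, sources and the CONFIRMED_OWNED set are constructed sample data, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample data (assumptions, not from the original article).
PERCEIVED = {"domains": ["example.com"], "networks": ["203.0.113.0/28"]}
DISCOVERED = [
    {"asset": "WWW.Example.com.", "source": "certificate transparency"},
    {"asset": "203.0.113.5", "source": "DNS history"},
    {"asset": "staging.example-corp.net", "source": "code repository"},
    {"asset": "198.51.100.20", "source": "DNS history"},
]
# Ownership decisions recorded by asset owners during reconciliation.
CONFIRMED_OWNED = {"staging.example-corp.net"}


def normalize(asset):
    """Lower-case hostnames and strip the trailing dot; canonicalize IPs."""
    asset = asset.strip().lower().rstrip(".")
    try:
        return str(ipaddress.ip_address(asset)), True
    except ValueError:
        return asset, False


def in_perceived(asset, is_ip, perceived):
    """True if the asset already falls inside the perceived attack surface."""
    if is_ip:
        addr = ipaddress.ip_address(asset)
        return any(addr in ipaddress.ip_network(n) for n in perceived["networks"])
    # Match the domain itself or a true subdomain, never a look-alike suffix.
    return any(asset == d or asset.endswith("." + d) for d in perceived["domains"])


def reconcile(perceived, discovered, confirmed_owned):
    """Sort discovered assets into known, newly confirmed and unconfirmed."""
    result = {"known": [], "newly_confirmed": [], "unconfirmed": []}
    for item in discovered:
        asset, is_ip = normalize(item["asset"])
        if in_perceived(asset, is_ip, perceived):
            bucket = "known"
        elif asset in confirmed_owned:
            bucket = "newly_confirmed"
        else:
            bucket = "unconfirmed"
        result[bucket].append(asset)
    # Only assets whose ownership is established enter the scope statement.
    result["scope"] = sorted(result["known"] + result["newly_confirmed"])
    return result


if __name__ == "__main__":
    for key, value in reconcile(PERCEIVED, DISCOVERED, CONFIRMED_OWNED).items():
        print(f"{key}: {value}")
```

Assets left in the unconfirmed bucket stay out of the penetration test scope until ownership is established.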

Three: Privacy Risk Assessment 

Risk assessments apply not only to reasonable security measures but also to how sensitive information is processed. For example, California will require organizations to submit risk assessments to the California Privacy Protection Agency related to how information is processed. Both Colorado and Virginia have similar requirements for Data Protection Assessments. Combining the privacy risk of processing data with the security risk, organizations can establish a firm foundation for an adaptable program. Done right, the result of a risk assessment is an actionable plan that allows organizations to make informed decisions regarding what steps are required to address the identified privacy risks.  

Elements of a privacy risk assessment: 

  1. Review the previous or existing risk assessment 
  2. Perform a gap analysis against changes in the threat landscape  
  3. Evaluation and scoring of risk 
  4. Development of a prioritized risk treatment plan

Four: Remediation Plan 

Unfortunately, sometimes organizations execute a risk assessment but fail to act on the results. Failing to act can be dangerous as it leaves critical vulnerabilities exposed. In addition to a business-oriented explanation, you should produce a mitigation plan and roadmap based on your budget and risk tolerance. 

Five: Program Maintenance 

Privacy risks constantly evolve and should be periodically reviewed. You should assess the risk impacts whenever there is a change in what or how information is collected or used. For example, some laws require a data protection assessment when new processing of sensitive personal information arises. This doesn't have to be a new separate assessment. Combining the data protection assessment with the existing risk assessment using an established methodology can aid in quickly identifying risks based on the entire risk surface.  

 

The Truvantis Privacy Risk Program 

Your Truvantis consulting team is a legal, security, and privacy expert all in one and can help align internal resources. Truvantis knows the ins and outs of security, privacy, and the risk frameworks. As a result, we can help make sure combined assessments are efficient. In addition, we are experienced in standardization through popular frameworks and in applying those standards across various organization types.
The landscape of privacy regulations is vast and continuously evolving. Truvantis can help you select and track which requirements are applicable. In addition, we can help build a solid central privacy program capable of supporting the entire matrix of international, federal, and rapidly changing state laws and regulations. 

Ready to move forward? Contact Truvantis to schedule a privacy workshop.

About Truvantis 

Truvantis is a cybersecurity consulting organization providing best-in-class cybersecurity services to secure your organization's infrastructure, data, operations and products. We specialize in helping our clients improve their cybersecurity posture by implementing testing, auditing and operating information security programs – balancing budget with risk appetite.