
Author: Meghan Maneval, CISM, CRISC, Vice President of Product Strategy and Evangelism at RiskOptics
Date published: 6 November 2023

In today's digital age, privacy is more important than ever. Because information can be copied, leaked or deleted within seconds, consumers and organizations need to implement measures to prevent, detect, respond to and remediate data breaches.

These steps are becoming increasingly complicated as more and more states enact their own unique data privacy regulations. As a result, organizations must have the proper compliance and risk practices in place to ensure adherence to new and changing legislation, which leaves many wondering how they can keep up. Fortunately, there is a simple solution to this problem, centered on one idea: taking a risk-first approach to privacy. A risk-first approach enables organizations to identify and protect against the highest organizational risk while reducing threats to the organization and remaining compliant with changing regulations.

Even though the volume of new and changing regulations coupled with more sophisticated threat actors can be intimidating, much about the future of privacy, compliance and taking a risk-first approach can be predicted simply by looking at the past.


Although data privacy may seem like a modern concern, privacy legislation in the United States dates back to the US Constitution. Under the Fourth Amendment, US citizens have the right to secure themselves and their property from unreasonable searches and seizures.1 Since then, various court cases have upheld privacy, giving citizens more protection, especially as technology has advanced. Privacy rights have been established through the Family Educational Rights and Privacy Act (FERPA), the Health Insurance Portability and Accountability Act (HIPAA), the National Do Not Call Registry and, importantly, the E-Government Act. This act, passed by the US Congress in 2002, was set to modernize government IT resources and improve access to government services online. With it, the fundamental pillars of privacy evident in past legislation were formalized into clear guidelines.2 These guidelines include:

  • Appointing a designated individual: a data privacy officer who maintains compliance and protects data.
  • Conducting privacy impact assessments: A privacy impact assessment (PIA) evaluates organizational processes for accessing, processing, storing and transmitting personally identifiable information (PII).
  • Creating formal privacy management processes: These can include mechanisms to prevent, detect and correct data breaches, and should consider administrative, technical and physical controls, such as documented policies, data encryption and badge access systems.

Not much has changed since these pillars of privacy were established. Even as different state lawmakers enact unique privacy laws and regulations to protect their constituents and prevent bad actors from stealing personal information, these pillars remain foundational to how organizations approach privacy and security.


Not only is it essential for security professionals to keep state and federal regulations in mind and follow them to ensure proper compliance, but it is also important that they keep updating their organizations' standards for privacy, security and risk mitigation. To do so, organizations should focus on four steps to maintain privacy: reducing risk, finding the greatest impact, automating core processes and enabling scalability to remain seamlessly compliant.

Often, organizations are so focused on each state's unique and specific language in its privacy requirements that they do not recognize that these laws are not entirely dissimilar. This can sometimes cause security executives to miss key ways to reduce risk. For example, organizations can use software to cross-reference privacy frameworks and create a common control. This then enables organizations to reuse evidence from control assessments to demonstrate risk reduction while complying with multiple frameworks.

Although the pillars of privacy are more than 20 years old, organizations should still refer to them when identifying risk. Thinking about risk in the context of these pillars enables organizations to ask themselves a key question: What is the risk associated with not maintaining an appointed data privacy officer, conducting privacy impact assessments or implementing sufficient safeguards to protect data? Taking this risk-first approach enables organizations to identify existing control gaps and create solutions that will have the greatest impact on risk reduction.

By automatically collecting evidence from external systems, such as hosting providers, human resources information systems and software development tools, organizations can remove the manual process of collecting this information, simultaneously increasing the accuracy and frequency of assessments and maintaining compliance. Automation also enables these processes to scale quickly, letting organizations consistently stay up to date on changes to risk or regulations.

With the pillars of privacy at the core of each state's latest laws, automation enables these changes to be securely implemented long into the future. Because any updates can be implemented quickly, risk reduction programs can be rapidly built out across the entire organization. With an easily scalable privacy program, organizations can better communicate the risk and outcomes of remediation efforts, maintaining compliance and reducing risk along the way.


Even though organizations are changing alongside privacy rules and regulations, the core principles of privacy remain the same. By understanding the past of privacy, organizations can become better equipped for the privacy needs of the future. Taking a risk-first approach to data and privacy is imperative to an organization's overall security and compliance. With a scalable, automated risk management program, organizations can stay ahead of whatever may come.


1 Constitution Annotated, "Fourth Amendment," US Constitution
2 Bolten, J. B.; "OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002," US Office of Management and Budget, 26 September 2003


Is vice president of product strategy and evangelism at RiskOptics. After more than 15 years managing security, audit, and governance, risk and compliance (GRC) programs in highly regulated industries, Maneval joined RiskOptics in 2022 to help drive product innovation and empower the GRC community to achieve their objectives. She is a passionate security and risk evangelist; a champion of diversity, inclusion and belonging; and a home-renovation enthusiast specializing in process improvement and program iteration. Meghan enjoys giving back to the security and risk community through blogs, white papers, webinars, conference presentations and podcasts.
