Eight Key Investments for An Effective Data Privacy Risk Program

By David Vincent

As a Certified Data Privacy Solution Engineer, I have led hundreds of data privacy risk assessment and remediation services across many industries. Maintaining effective data privacy can be challenging for organizations. According to the 2021 Thomson Reuters Regulatory Intelligence Cost of Compliance annual report, two of the top compliance challenges that organizations face each year have been the ever-increasing amount of new regulations and the cost to comply with regulations. Unfortunately, some organizations see only the cost associated with implementing effective data privacy risk management programs rather than the opportunity to invest in effective programs to avoid incidents in the first place.

PwC says that it can cost 10 times more to resolve an issue than it would to proactively manage it. In that spirit, summarized below are eight data privacy leading practices that I have seen numerous organizations invest their time and money into, and that dramatically improved their ability to safeguard their data, reduce audit, risk, and compliance costs, and proactively avoid becoming victims of threats.

Automated Policy Enforcement: 

Most organizations use a manual process to manage their data privacy policies, which has proven ineffective and costly. Automated policy enforcement has been a considerable audit, risk, and compliance cost reducer for many organizations, with an average ROI within the first 9 months. Key to this automation is replacing the static Role-Based Access Control (RBAC) security model native to most ERP applications and implementing an Attribute-Based Access Control (ABAC) security model instead. Organizations that implement ABAC can enable the automation of policy enforcement into their access controls and prevent violations of policy requirements.

Identification and Classification of Data: 

You cannot effectively protect your data if you do not use a risk-based approach to identify and classify the data. Data classification helps you prioritize your data protection efforts, improves data security and regulatory compliance, and reduces costs by eliminating unneeded control measures. 

Understand Data Protection Requirements: 

Understanding the specific laws and regulatory obligations that apply to your data is a critical step in your data privacy compliance efforts. Regulations can change rapidly, and you must maintain an effective regulatory change management process to keep up with the changes. Understanding those obligations also avoids redundant, excessive, unnecessary, and ineffective policies and internal controls that lead to excessive compliance costs.

Transition from Static to Dynamic Data Privacy Controls: 

The more static RBAC security model can restrict access to certain actions in your system but not to specific data. This is a significant disadvantage when organizations need to ensure effective data security and privacy controls for regulations like GDPR, HIPAA, PCI-DSS, etc. On the other hand, the more dynamic ABAC security model uses “contextual control attributes” (e.g., date, time, location, IP address, max # of transactions allowed, max dollar amounts allowed, to name a few). These attributes enable you to configure policy-based controls that restrict critical transactions and data access. The ABAC security model also allows you to effectively implement defense-in-depth and zero-trust security.
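To make the RBAC versus ABAC contrast above concrete, here is an added Python example (not from the article or any product it mentions) that evaluates a payment-approval request first under a static role check and then under an ABAC policy built from the contextual attributes listed here: time, IP location, maximum dollar amount and maximum transaction count. The action name, role, address range and limits are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network
# Static RBAC: a role grants an action; the data and its context are never checked.
ROLE_PERMISSIONS = {"ap_clerk": {"approve_payment"}}

# ABAC policy for the same action, built from the contextual attributes the article
# lists (time, location/IP, max dollar amount, max transaction count). Values constructed.
ABAC_POLICY = {
    "approve_payment": {
        "roles": {"ap_clerk"},
        "hours": (8, 18),                          # 08:00 up to, not including, 18:00
        "networks": [ip_network("10.20.0.0/16")],  # assumed corporate address range
        "max_amount": 25_000.00,
        "max_daily_count": 50,
    }
}

@dataclass
class Request:
    roles: set
    action: str
    amount: float
    client_ip: str
    when: datetime
    prior_count_today: int  # transactions this user already ran today

def rbac_allows(req):  # RBAC decision: holding any role that grants the action suffices
    return any(req.action in ROLE_PERMISSIONS.get(r, set()) for r in req.roles)

def abac_evaluate(req):  # ABAC decision: (allowed, names of the attribute checks that failed)
    p = ABAC_POLICY.get(req.action)
    if p is None:  # default deny: no policy, no access
        return False, ["no_policy"]
    failed = []
    if not (req.roles & p["roles"]):
        failed.append("role")
    if not (p["hours"][0] <= req.when.hour < p["hours"][1]):
        failed.append("time")
    if not any(ip_address(req.client_ip) in n for n in p["networks"]):
        failed.append("location")
    if req.amount > p["max_amount"]:
        failed.append("max_amount")
    if req.prior_count_today + 1 > p["max_daily_count"]:
        failed.append("max_daily_count")
    return not failed, failed

# Constructed requests from one clerk; RBAC allows both, ABAC denies the second (after hours, outside IP, over cap).
IN_POLICY = Request({"ap_clerk"}, "approve_payment", 9_800.00, "10.20.4.17", datetime(2024, 3, 12, 10, 30), 12)
OUT_OF_POLICY = Request({"ap_clerk"}, "approve_payment", 40_000.00, "203.0.113.7", datetime(2024, 3, 12, 22, 5), 12)
```

The list of failed checks is what a policy-enforcement point would log, which is the evidence an auditor needs to see that the control operated rather than merely existed.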

Constantly Monitoring Residual Risk Exposure: 

After you understand the regulatory requirements for protecting the data, an essential part of the risk-based approach is to understand your current residual risk levels for data privacy. (Residual Risk = Inherent Risk – Control Effectiveness). Mature organizations will constantly monitor their residual risk levels against their maximum risk appetite level. This will ensure the operating effectiveness of their internal controls intended to mitigate the inherent risk to an acceptable level.

Vulnerabilities Identification and Resolution Program: 

The key to avoiding threats is a highly effective vulnerability detection and remediation program that includes both self-assessment and independent assessments performed throughout the year. An effective program gives your organization the information needed to understand your security weaknesses, assess the risk exposure associated with those weaknesses, and implement policies and internal controls that reduce the likelihood of a breach. In addition, mature organizations leverage automation to constantly evaluate their application vulnerabilities, increasing efficiency and reducing audit, risk, and compliance costs. 

Threat Detection & Prevention Program: 

Threat management is a framework for managing the life cycle of a threat so that it can be identified and responded to with speed and accuracy. The key to an effective threat management program is to rely more on preventative controls that stop threats from becoming incidents than on reactive controls that inform you after an incident has occurred. The ABAC security model can enable dynamic data security and privacy controls that effectively prevent threats and incidents.

Enable A Common Control Framework:

Many organizations have leveraged the 17 guiding principles of COSO’s Internal Control Framework to implement a common control framework across all business applications. This reduces the redundant, ineffective, and manual controls that lead to excessive audit, risk, and compliance costs.

An Investment in Data Privacy Is an Investment in Data Security

In my experience, organizations that added these investments to their overall cybersecurity budget centralized their security, risk, and compliance program across all business applications. In addition, these capabilities will help you manage your data privacy risks and comply with your audit, risk, and compliance obligations more cost-effectively.

About the Author

David has over twenty-one years of experience delivering Security, Audit, Risk, & Compliance services while employed with some of the largest professional services firms in the world – Arthur Andersen, KPMG, PwC, and IBM. He has delivered hundreds of ERP Security Risk & Compliance Assessment & Remediation services, and over 100 GRC technology solution implementations. Additionally, he was the North America GRC Practice Leader for IBM, PwC, and Corporater. He is currently the VP of Product Strategy and the chief security evangelist at Appsian (www.appsian.com).

Follow Brilliance Security Magazine on Twitter and LinkedIn to ensure you receive alerts for the most up-to-date security and cybersecurity news and information.