In today’s digital era, privacy is more important than ever before. Because information can be replicated, exfiltrated or deleted in a matter of seconds, consumers and organizations need to implement steps to prevent, 检测, respond to and remediate data breaches.
随着越来越多的州颁布自己独特的数据隐私法规,这些步骤正变得越来越复杂. 结果是, 组织必须有适当的遵从性和风险实践,以确保遵守新的和不断变化的法规, leaving many questioning how they can keep up. 幸运的是, there is a simple solution to this problem, centered on one idea: adopting a risk-first approach to privacy. 风险优先的方法使组织能够识别并防范最高的组织风险,同时减少对组织的威胁,并保持对不断变化的法规的遵从.
尽管大量新的和不断变化的法规加上更复杂的威胁行为者可能会令人生畏, there is a lot that can be predicted about the future of privacy, 遵从和采取风险优先的方法只是通过回顾过去.
从那时到现在
Although data privacy seems like a modern problem, US privacy legislation dates back to the US Constitution. According to the 第四修正案, 美国公民有权保护自己和财产不受无理搜查和扣押.1 从那时起, various court cases have upheld privacy, giving citizens more protections—especially as technology has increased. 隐私权是通过《澳门赌场官方软件》确立的。, the Health Insurance Portability and Accountability Act (HIPAA), the National Do Not Call Register and, 重要的是, 电子政务法. 这个法案, passed by US Congress in 2002, ,使政府资讯科技资源现代化,并改善网上政府服务的使用. 有了它, 在过去的立法中明显的隐私的基本支柱被正式化为明确的指导方针.2 These guidelines consist of:
- Appointing a designated individual—A data privacy officer maintains compliance and secures data.
- Conducting privacy impact assessment-隐私影响评估(PIA)评估访问的组织流程, 处理, storing and transmitting personally identifiable information (PII).
- Creating formal privacy management processes—This can include mechanisms to prevent, 检测 and correct data breaches and should consider administrative, technical and physical controls, such as documented policies, data encryption and badge access systems.
Since these pillars of privacy were established, not much has changed. 尽管不同州的立法者制定了独特的隐私法律和法规来保护他们的选民,防止不法分子窃取个人信息, 这些支柱仍然是组织如何处理隐私和安全的基础.
未来的步骤
对于安全专业人员来说,牢记州和联邦法规并遵循它们以确保适当的合规性是至关重要的, 但同样重要的是,他们要不断更新组织的隐私标准, security and risk mitigation. 这样做, 组织应该关注四个步骤来维护隐私:降低风险, finding the greatest impact, 自动化核心流程并使可伸缩性保持无缝兼容.
第一步:降低风险
经常, 组织如此关注各州在隐私要求方面的独特和具体的语言,以至于他们没有认识到这些法律并非完全不同. 这有时会导致安全管理人员错过降低风险的关键方法. 例如, 组织可以使用软件来交叉引用隐私框架并创建公共控制. 这使组织能够重用来自控制评估的证据,以证明在遵守多个框架的同时降低了风险.
Step 2: Finding the Greatest Impact
Although the pillars of privacy are more than 20 years old, organizations should still reference them when identifying risk. 在这些支柱的背景下考虑风险,使组织能够问自己一个关键问题:不保留指定的数据隐私官会带来什么风险, 进行隐私影响评估或实施足够的保障措施来保护数据? 采用这种风险优先的方法使组织能够识别现有的控制差距,并创建将对降低风险产生最大影响的解决方案.
尽管组织也在随着隐私规则和条例的变化而变化, the core principles of privacy remain the same.
Step 3: Automating Core Processes
By automatically collecting evidence from outside systems, such as hosting providers, HR information systems and software development tools, 组织可以删除收集这些信息的手动过程, 同时增加评估的准确性和频率,并保持遵从性. Automation also enables these processes to quickly scale, 让组织始终保持最新的风险或法规变化.
Step 4: Creating a Scalable Program
With the pillars of privacy as the core of each state’s updated laws, 自动化使这些更改能够在未来很长一段时间内安全地实现. Because any updates can be quickly implemented, 风险降低计划可以在整个组织中迅速建立起来. With an easily scalable privacy program, 组织可以更好地沟通修复工作的风险和结果, maintaining compliance and mitigating risk along the way.
结论
尽管组织也在随着隐私规则和条例的变化而变化, the core principles of privacy remain the same. By understanding privacy’s past, 澳门赌场官方下载可以更好地满足未来的隐私需求. 对数据和隐私采取风险优先的方法对于组织的整体安全性和合规性至关重要. Through a scalable and automated risk management program, organizations can stay on top of whatever may come their way.
尾注
1 US Constitution Annotated, “第四修正案”
2 博尔顿,J. B.; “OMB实施2002年电子政府法案隐私条款指南,” US Office of Management and Budget, 26 September 2003
梅根·Maneval
Is the vice president of product strategy and evangelism at RiskOptics. After more than 15 years managing security, 审计, 和治理, risk and compliance (GRC) programs in highly regulated industries, Maneval于2022年加入RiskOptics,帮助推动产品创新,并使GRC澳门赌场官方下载能够实现其目标. She is a passionate security and risk evangelist; a champion of diversity, inclusion and belonging; and a home-renovation enthusiast specializing in process improvement and program iteration. 梅根喜欢通过博客回馈安全和风险澳门赌场官方下载, 白皮书, 在线研讨会, conference presentations and podcasts.
