ISACA GUIDE

Implementing a Privacy Protection Program: Using COBIT® 5 Enablers With the ISACA Privacy Principles

ISACA®
ISACA® (isaca.org) helps professionals around the globe realize the positive potential of technology in an evolving
digital world. By offering industry-leading knowledge, standards, credentialing and education, ISACA enables
professionals to apply technology in ways that instill confidence, address threats, drive innovation and create positive
momentum for their organizations. Established in 1969, ISACA is a global association serving more than 500,000
engaged professionals in 188 countries. ISACA is the creator of the COBIT® framework, which helps organizations
effectively govern and manage their information and technology. Through its Cybersecurity Nexus™ (CSX), ISACA
helps organizations develop skilled cyber workforces and enables individuals to grow and advance their cyber careers.

Disclaimer
ISACA has designed and created Implementing a Privacy Protection Program: Using COBIT® 5 Enablers With the ISACA
Privacy Principles (the “Work”) primarily as an educational resource for information assurance, information security,
governance and technology risk professionals. ISACA makes no claim that use of any of the Work will assure a successful
outcome. The Work should not be considered inclusive of all proper information, procedures and tests or exclusive of other
information, procedures and tests that are reasonably directed to obtaining the same results. In determining the propriety
of any specific information, procedure or test, practitioners should apply their own professional judgment to the specific
circumstances presented by the particular systems or information technology environment.

Reservation of Rights
© 2017 ISACA. All rights reserved. No part of this publication may be used, copied, reproduced, modified, distributed,
displayed, stored in a retrieval system or transmitted in any form by any means (electronic, mechanical, photocopying,
recording or otherwise) without the prior written authorization of ISACA. Reproduction and use of all or portions
of this publication are permitted solely for academic, internal and noncommercial use and for consulting/advisory
engagements, and must include full attribution of the material’s source. No other right or permission is granted with
respect to this work.

ISACA
3701 Algonquin Road, Suite 1010
Rolling Meadows, IL 60008, USA
P: +1.847.660.5505
F: +1.847.253.1755
Support: support.isaca.org
Website: www.isaca.org

Provide feedback: www.isaca.org/cobitprivacybook


Participate in the ISACA Knowledge Center: www.isaca.org/knowledge-center
Follow ISACA on Twitter: https://twitter.com/ISACANews
Join ISACA on LinkedIn: ISACA (Official), http://linkd.in/ISACAOfficial
Like ISACA on Facebook: www.facebook.com/ISACAHQ

ISBN 978-1-60420-636-4

TABLE OF CONTENTS

Introduction
  Publication Purpose
  Scope
  Audience

Chapter 1. Implementing Privacy Using COBIT 5’s Enablers
  Program Life Cycle
  Using COBIT 5
  Using Enablers

Chapter 2. Guidance: Privacy Processes Enabler
  Evaluate, Direct and Monitor (EDM)
  Align, Plan and Organize (APO)
  Build, Acquire and Implement (BAI)
  Deliver, Service and Support (DSS)
  Monitor, Evaluate and Assess (MEA)

Chapter 3. Guidance: Organizational Structures Enabler
  Chief Privacy Officer (CPO)/Data Privacy Officer (DPO)
  Privacy Steering Committee (PSC)
  Privacy Manager (PM)
  Enterprise Risk Management Committee
  Data Controller
  Data Processors
  Business Unit Managers

Chapter 4. Guidance: Culture, Ethics and Behavior Enabler
  Behaviors
  Leadership

Chapter 5. Guidance: Information Enabler
  Privacy Management Strategy
  Personal Information Inventories
  Privacy Enhancing Technologies (PETs)
  Privacy Management Budget
  Privacy Management Plan
  Privacy Policies
  Privacy Notices
  Privacy Principles
  Privacy Services Catalog
  Privacy Standards
  Privacy Procedures
  Privacy Forms
  Privacy Protection Requirements
  Training and Awareness Material
  Privacy Management Review Reports
  Privacy Management Dashboard

Chapter 6. Guidance: Services, Infrastructure and Applications Enabler
  Privacy Management Architecture
  Privacy Training and Awareness Communications
  Individual Access to Personal Information
  Privacy Protection Development
  Privacy Assessments
  Legal Resources for Privacy Protections
  Privacy Protections and Configurations
  Data Processor Access and Access Rights to Personal Information
  Adequate Protection Against Inappropriate Sharing, Misuse, Unauthorized Access, Malware, External Attacks and Intrusion Attempts
  Privacy Incident Response
  Privacy Protection Testing
  Monitoring and Alert Services for Privacy-impacting Events

Chapter 7. Guidance: People, Skills and Competencies Enabler
  Privacy Management Governance
  Privacy Management Strategy Formulation
  Privacy Risk and Harms Management
  Privacy Management Architecture Development
  Privacy Management Operations
  Privacy Auditing, Assessment, Testing and Compliance

Acknowledgments

LIST OF FIGURES

Figure 1—Book Sections
Figure 2—The Seven Phases of the Implementation Life Cycle
Figure 3—Privacy Program Implementation Life Cycle
Figure 4—Privacy Principles’ Support of COBIT 5 Principles
Figure 5—Specific Information Provided for Each Enabler
Figure 6—COBIT 5 Process Reference Model
Figure 7—Characteristics of the CPO/DPO
Figure 8—High-level RACI Chart for the CPO/DPO
Figure 9—Inputs and Outputs for the CPO/DPO
Figure 10—Roles of PSC Members
Figure 11—Mandate, Operating Principles, Span of Control and Authority Level of the PSC
Figure 12—High-level RACI Chart for the PSC
Figure 13—Inputs and Outputs of the PSC
Figure 14—Mandate, Operating Principles, Span of Control and Authority Level of the PM
Figure 15—High-level RACI Chart for the PM
Figure 16—Inputs and Outputs of the PM
Figure 17—Composition of the ERM Committee
Figure 18—High-level RACI Chart for the ERM Committee
Figure 19—High-level RACI Chart for the Data Controllers
Figure 20—High-level RACI Chart for the Data Processors
Figure 21—High-level RACI Chart for Business Unit Managers
Figure 22—Capability of Plan Services
Figure 23—Attributes of Plan Services
Figure 24—Goals of Plan Services
Figure 25—Description of the Service Capability for Privacy Training and Awareness Services
Figure 26—Attributes of Privacy Training and Awareness Services
Figure 27—Goals of Privacy Training and Awareness Services
Figure 28—Description of the Service Capability for Individual Access to Personal Information
Figure 29—Attributes of Individual Access to Personal Information
Figure 30—Goals of Individual Access to Personal Information
Figure 31—Description of the Service Capability for Privacy Protection Development Services
Figure 32—Attributes of Privacy Protection Development Services
Figure 33—Goals of Privacy Protection Development Services
Figure 34—Description of the Service for Privacy Assessment Services
Figure 35—Attributes of Privacy Assessment Services
Figure 36—Goals of Privacy Assessment Services
Figure 37—Description of the Service Capability for Privacy Legal Resources Services
Figure 38—Attributes of Privacy Legal Resources Services
Figure 39—Goals of Privacy Legal Resources Services
Figure 40—Description of the Service Capability for Adequate Privacy Protections and Configurations Services
Figure 41—Attributes of Adequate Privacy Protections and Configurations Services
Figure 42—Goals for Adequate Privacy Protections and Configurations Services
Figure 43—Description of the Service Capability for Data Processor Access and Access Rights to Personal Information Services
Figure 44—Attributes of Data Processor Access and Access Rights to Personal Information Services
Figure 45—Goals for Data Processor Access and Access Rights to Personal Information Services
Figure 46—Description of the Service Capability for Adequate Protection Against Inappropriate Sharing, Misuse, Unauthorized Access, Malware, External Attacks and Intrusion Attempts Services
Figure 47—Attributes of Adequate Protection Against Inappropriate Sharing, Misuse, Unauthorized Access, Malware, External Attacks and Intrusion Attempts Services
Figure 48—Goals for Adequate Protection Against Inappropriate Sharing, Misuse, Unauthorized Access, Malware, External Attacks and Intrusion Attempts Services
Figure 49—Description of the Service Capability for Privacy Incident Response Services
Figure 50—Attributes of Privacy Incident Response Services
Figure 51—Goals for Privacy Incident Response Services
Figure 52—Description of the Service Capability for Privacy Testing Services
Figure 53—Attributes of Privacy Testing Services
Figure 54—Goals for Privacy Testing Services
Figure 55—Description of the Service Capability for Privacy Monitoring and Alert Services for Privacy-impacting Events
Figure 56—Attributes of Privacy Monitoring and Alert Services for Privacy-impacting Events
Figure 57—Goals for Privacy Monitoring and Alert Services for Privacy-impacting Events
Figure 58—Experience, Education and Qualifications for Privacy Governance
Figure 59—Knowledge, Technical Skills and Behavioral Skills for Privacy Governance
Figure 60—Experience, Education and Qualifications for Privacy Management Strategy Formulation
Figure 61—Knowledge, Technical Skills and Behavioral Skills for Privacy Management Strategy Formulation
Figure 62—Experience, Education and Qualifications for Privacy Risk and Harms Management
Figure 63—Knowledge, Technical Skills and Behavioral Skills for Privacy Risk and Harms Management
Figure 64—Experience, Education and Qualifications for Privacy Management Architecture Development
Figure 65—Knowledge, Technical Skills and Behavioral Skills for Privacy Management Architecture Development
Figure 66—Experience, Education and Qualifications for Privacy Management Operations
Figure 67—Knowledge, Technical Skills and Behavioral Skills for Privacy Management Operations
Figure 68—Experience, Education and Qualifications for Privacy Auditing and Compliance
Figure 69—Knowledge, Technical Skills and Behavioral Skills for Privacy Auditing and Compliance

INTRODUCTION
At one time, a formal, organized privacy program within an enterprise was a “nice to have” function, not a
necessity. In eras when less information was gathered about users and that information was retained on hard-copy
forms in file cabinets, illegal use or inadvertent loss of personal information was relatively unlikely. As long as the file
cabinets were locked each evening, the enterprise could feel comfortable that it was doing its duty to protect the privacy
of the individuals whose personal information it possessed.

Those days are in the past. With massive amounts of personal information being gathered or derived, stored, processed
and transported in digital format, the opportunities for data breaches are expanding rapidly. Companies that do
not take privacy seriously risk financial and reputational loss and failure to comply with an ever-growing number
of (not always globally consistent) privacy-related regulations and legislation.

Equally of concern, they may alienate their customers, who are increasingly aware of the harms that may befall them if
their personal information falls into malicious hands, or is used in ways that they did not expect. Individuals are mindful
of their right to determine if, when, how and to what extent data about themselves may be collected, stored, transmitted,
used and shared with others. Enterprises that fail to respect this right do so at their own peril.

This book continues the work begun in ISACA’s publication ISACA Privacy Principles and Program Management
Guide. That volume laid the groundwork for understanding the critical need for and the purpose, roles and
responsibilities of an effective enterprise privacy program. It explained how to identify privacy risk, privacy harms and
relevant legal requirements, and proposed 14 privacy principles to use as a guide for establishing control over privacy,
with associated privacy protections. It addressed the role COBIT® 5 can play in implementing a privacy program within
the construct of COBIT’s governance and management framework. It described the enterprisewide need to recognize
and appropriately mitigate privacy risk and harms and offered tools and techniques to achieve privacy management
program success.

This publication, which functions as a “volume 2” to ISACA Privacy Principles and Program Management Guide, takes
the implementation phase of establishing a privacy program one step further by focusing on the role of the COBIT 5
enablers in the implementation process. Enablers support a holistic approach to identifying, implementing and
monitoring all the components in processes and systems. COBIT 5 groups the enablers into seven categories:
1. Principles, policies and frameworks
2. Processes
3. Organizational structures
4. Culture, ethics and behavior
5. Information
6. Services, infrastructure and applications
7. People, skills and competencies

This book is based on COBIT 5’s explanation of enablers but it modifies the original language, where needed, to focus
specifically on privacy activities, roles and responsibilities. Those adaptations render this publication extremely useful for
those practitioners who are charged with bringing a privacy program to life. When enablers are competently implemented
within a privacy program, they can enhance the maturity, capability and performance of enterprise privacy management.

Publication Purpose
The primary purpose of Implementing a Privacy Protection Program: Using COBIT® 5 Enablers With the ISACA Privacy
Principles is to offer practical guidance on using COBIT 5’s enablers to support and satisfy the privacy principles,
thereby achieving enterprisewide protection of personal information. It builds on the understanding of privacy and the
guidance for using COBIT 5 to establish a privacy management program as described in ISACA Privacy Principles and
Program Management Guide.

This publication provides an additional layer of detail, without which a privacy-program implementation based on COBIT 5
cannot be complete. COBIT defines enablers as “factors that, individually and collectively, influence whether something
will work”1 —in this case, privacy management. Since the enablers play such a strong role in determining the success of the
program, it is important for those implementing the program to understand them in depth. This book provides that necessary
level of detail: It defines each enabler in terms of its common dimensions (stakeholders, goals, life cycle and good practices)
and management performance metrics (lead and lag indicators), expressed in privacy-specific language. By so doing, it
describes the processes and information critical to privacy management, and the roles, responsibilities and educational/
experiential requirements of those directly involved in maintaining privacy protections in the enterprise.

For an enhanced understanding of the overall approach, a review of ISACA Privacy Principles and Program
Management Guide is suggested.2 COBIT® 5 Implementation will also be a useful publication in this context. It is also
recommended to confer with the enterprise’s legal resources, because a significant component of a privacy management
program involves complying with local, regional, national and international laws, regulations, standards and other legal
or contractual requirements, and documenting that compliance.

Scope
The guidance in this publication is specifically focused on the COBIT 5 enablers and how they can be used to implement
and sustain a successful privacy management program. It delves into each enabler in detail, describing as appropriate the
stakeholders involved and their varying roles; the enabler’s quality goals and associated benefits; its life cycle (including
escalation and delegation); related good practices; and example measurements to determine the level of performance.

The specific sections of the book are described in figure 1.

Figure 1—Book Sections

Section: Introduction
Description: Provides a high-level overview of the purpose, scope, audience and other general information relating to the publication

Section: Chapter 1. Implementing Privacy Using COBIT 5’s Enablers
Description: Discusses the reasons for a privacy program and the use of COBIT 5 in establishing a program, and introduces the enablers

Section: Chapter 2. Guidance: Privacy Processes Enabler
Description: Lists the privacy-specific processes in COBIT 5’s Processes enabler, describes each, and provides related principles, goals and metrics

Section: Chapter 3. Guidance: Organizational Structures Enabler
Description: Identifies the key privacy management decision-making entities in an enterprise and describes their composition, mandate and operating principles

Section: Chapter 4. Guidance: Culture, Ethics and Behavior Enabler
Description: Presents desirable privacy management behaviors and discusses relevant attributes

Section: Chapter 5. Guidance: Information Enabler
Description: Lists goals, life cycle and good practices for privacy-related information types

Section: Chapter 6. Guidance: Services, Infrastructure and Applications Enabler
Description: Lists examples of privacy-protection services, providing for each a detailed description, goals and attributes

Section: Chapter 7. Guidance: People, Skills and Competencies Enabler
Description: Identifies six privacy-related skills and competencies and provides a definition and required qualifications/skills for each

Audience
The target audience for this publication is similar to that for ISACA Privacy Principles and Program Management
Guide. In both cases, the primary audience covers a broad range of information-assurance practitioners (information
security, privacy, risk management, audit, etc.) and those with a need for information integrity (legal, human resources
[HR], etc.). All these individuals have a vested interest in establishing and maintaining an enterprise privacy strategy
and supporting a privacy-governance and -management program and integrating it within the overall operational
framework of an enterprise.
1. ISACA, COBIT® 5 (the framework), USA, 2012
2. Chapter 5. COBIT 5 and Privacy and Chapter 6. Establishing a Privacy Protection Program are likely to be of special interest.

However, the audience for this publication does not include executives, who were noted in the audience list for the
previous volume. It was appropriate for executives to be included in the intended audience for the first volume—those
executives need a high-level understanding of the ramifications of privacy within the enterprise. But this book is
focused on the implementers: those who will be performing the activities that transition privacy from the desired state
to the actual state. Specifically, the audience for this guide includes managers and professionals in the following areas:
• Internal audit
• Enterprise and IT governance
• HR
• Internal control
• IT
• IT compliance
• Information security
• Records management
• Public relations
• Customer relationship management
• Legal
• Business process owners
• Privacy
• Organizational change management
• Enterprise risk management
• Vendor management

As noted previously, some of these enterprise functions, such as legal and HR, are neither in the information-assurance
profession nor dedicated fully to privacy. However, these employees require privacy knowledge and skills to fulfill their
roles and responsibilities. Furthermore, the enterprise depends on their contribution of much-needed specialist expertise
to ensure the privacy program is comprehensive, thorough, accurate, relevant and up to date.

CHAPTER 1. IMPLEMENTING PRIVACY USING COBIT 5’s ENABLERS


Enterprises determine the need for a formal privacy program for a number of reasons. Some companies are proactive
and have monitored the business environment and marketplace so thoroughly that they have anticipated the need
for and benefits of a privacy program before experiencing any triggering event. Others may have noted that their
competitors and partners have implemented programs and realize that, to maintain their market position, they should
follow suit. Others have been ordered to create such a program after a data protection authority’s audit. In still others,
the enterprise’s executives have been involved in adverse situations affecting their own personal information and have
come to the swift conclusion that they want to ensure their enterprise does not put its stakeholders through the same
inconvenience or loss.

Regardless of the exact reason, most enterprises initiate a privacy program due to their experience with a pain point or
a triggering event. These actual, everyday issues provide a great deal of credibility and support to developing a business
case for a privacy program. They instill a sense of urgency to find a solution, help build buy-in at all levels of the
enterprise and assist in identifying quick wins that will sustain motivation through the work ahead.

Pain points are actual negative incidents the enterprise has experienced related to its use of personal information.
Some typical pain points that may spark a desire to augment privacy efforts include:
• Theft of personal information due to unauthorized users breaking into the systems; inappropriate or incorrect deletion
of information; and employee responses to email phishing attacks
• Noncompliance with existing legal, regulatory or contractual requirements relating to personal information
• Audit findings that indicate inadequate protection of personal information

Trigger events are not necessarily negative, but they do reflect a change that inspires a need for new, different or
enhanced efforts to protect privacy, such as:
• Introduction of new privacy-related regulations, legislation or contractual requirements
• Significant organizational changes, such as mergers or acquisitions
• Discovery of new privacy risk factors arising from the addition of new technology

Once an enterprise is inspired to take a new look at its privacy efforts, a plan is needed.

Program Life Cycle


The privacy program will likely be a complex initiative, covering the enterprise end to end and necessitating multiple
activities by a broad range of employees. To ensure a consistent focus on agreed outcomes, astute use of resources and
appropriate mitigation of risk, an overarching framework is needed.

COBIT 5 provides such a framework—a comprehensive structure that assists enterprises in achieving their objectives
for the governance and management of enterprise IT. Its organized and holistic approach supports the creation of
optimal value from IT by maintaining a balance between realizing benefits and optimizing risk levels and resource
use. It lends itself quite effectively to a focus on privacy, as introduced in ISACA Privacy Principles and Program
Management Guide and elaborated further in this volume.

COBIT 5 is based on the continuous improvement life cycle methodology, which provides a systematic road map to
implementation (figure 2).

Figure 2—The Seven Phases of the Implementation Life Cycle

[Figure: a circular life cycle diagram with three rings (Programme management, outer ring; Change enablement, middle ring; Continual improvement life cycle, inner ring) arranged around seven phases: 1 What are the drivers? 2 Where are we now? 3 Where do we want to be? 4 What needs to be done? 5 How do we get there? 6 Did we get there? 7 How do we keep the momentum going?]

Source: ISACA, COBIT 5: A Business Framework for the Governance and Management of Enterprise IT, 2012, figure 17

The implementation life cycle has three interrelated components:


• The core continual improvement life cycle, which illustrates the ongoing nature of program management
• The enablement of change, which identifies the components required to address behavioral and cultural aspects of
managing the program on an ongoing basis
• The management of the program, which includes the full cycle of creating, implementing, managing, updating and
continuing the program

This generic implementation life cycle can be customized to address the steps needed to initiate, plan and execute a
privacy-specific protection program, as shown in figure 3.

Figure 3—Privacy Protection Program Implementation Life Cycle Phases

[Figure: the generic life cycle of figure 2 relabeled for a privacy program. Labels in the figure: Initiate privacy program; Establish desire to change; Define privacy problems and opportunities; Review privacy effectiveness; Sustain; Embed new approaches; Make necessary changes to privacy program; Determine and then monitor privacy context; Form implementation team; Determine privacy trigger events; Create and then maintain privacy environment; Define road map; Realize benefits; Operate and use; Communicate outcome; Identify role players; Execute the privacy plan; Plan the privacy project; Privacy Program (center).]

Source: ISACA, ISACA Privacy Principles and Program Management Guide, USA, 2016, figure 41

These phases are addressed more fully in ISACA Privacy Principles and Program Management Guide. This
publication’s specific purpose is to provide further detail on the plan and execute phases, specifically in the use of the
COBIT 5 enablers to support implementation.

Using COBIT 5
COBIT’s comprehensive approach to project/program implementation makes it an ideal framework for many
applications within the enterprise. Its special suitability for guiding a privacy management program arises from the
interaction between the COBIT 5 principles and the ISACA privacy principles.3

COBIT 5 is built on five key principles for governance and management of enterprise IT:
1. Meeting stakeholder needs
2. Covering the enterprise end to end
3. Applying a single integrated framework
4. Enabling a holistic approach
5. Separating governance from management

3. See ISACA Privacy Principles and Program Management Guide for a full description of both sets of principles.

The 14 ISACA privacy principles are:


Principle 1: Choice and consent
Principle 2: Legitimate purpose specification and use limitation
Principle 3: Personal information and sensitive information life cycle
Principle 4: Accuracy and quality
Principle 5: Openness, transparency and notice
Principle 6: Individual participation
Principle 7: Accountability
Principle 8: Security safeguards
Principle 9: Monitoring, measuring and reporting
Principle 10: Preventing harm
Principle 11: Third-party/vendor management
Principle 12: Breach management
Principle 13: Security and privacy by design4
Principle 14: Free flow of information and legitimate restriction

The activities undertaken to achieve the privacy principles support the objectives expressed in the COBIT 5 principles
in many different ways. Some examples of those interactions are illustrated in figure 4.

Figure 4—Privacy Principles’ Support of COBIT 5 Principles

COBIT 5 Principle: Examples of Ways Privacy Principles Provide Support

1. Meeting stakeholder needs
• Identifying and understanding the stakeholders’ needs for privacy
• Building customer, employee and patient trust by protecting their privacy
• Benefiting individuals by reducing their risk of identity fraud and other harms

2. Covering the enterprise end to end
• Identifying where personal data exist within the enterprise environment and how they move throughout the enterprise
• Implementing privacy protections within all functions and processes that impact privacy within the enterprise

3. Applying a single integrated framework
• Integrating enterprise IT, information security and privacy through COBIT 5’s alignment with generally accepted standards and frameworks, including IT-specific standards and frameworks

4. Enabling a holistic approach
• Identifying privacy risk that is based on the identified processes, organizational structures, information types, behaviors and cultures, services and applications, people involved, and context within which the information is used
• Providing the privacy controls that need to be considered for each of the enabler factors
• Providing enterprises with the privacy protections to implement with the COBIT 5 enablers, thus mitigating privacy risk to appropriate levels when the organization implements actions to meet enterprise goals

5. Separating governance from management
• Supporting the business (e.g., focusing on the business to ensure that privacy controls and considerations are integrated into business activities that involve any type of personal information; delivering quality and value to stakeholders to ensure that privacy supports trust and brand value and meets business requirements)
• Defending the business (e.g., adopting a risk-based approach to ensure that privacy risk is mitigated in a consistent and effective manner; concentrating on critical business applications to prioritize limited privacy resources by protecting the business applications in which a privacy breach would have the greatest business impact)
• Promoting responsible privacy behavior to protect the privacy of all individuals associated with the business (e.g., acting in a professional and ethical manner to ensure that actions to protect privacy are performed in a reliable, consistent, responsible and effective manner; fostering a privacy-positive culture to provide a positive privacy-protection influence on the behavior of all personnel)

4. Privacy by design is the concept of identifying and establishing privacy protections from the point at which a business-process idea is first considered through its entire life cycle of development, implementation, administration and termination.

The interaction of the privacy principles with the COBIT 5 principles is especially apt because Principles, policies
and frameworks is the first of the COBIT 5 enablers. Principles, policies, standards, procedures and frameworks are
tested and approved documents that communicate the privacy rules of the enterprise in support of privacy-governance
objectives and enterprise values, as defined by the board of directors and executive management. They provide the
formal, practical guidance and details that staff (both internal and external) need to incorporate privacy into their daily
job activities.

ISACA Privacy Principles and Program Management Guide provides more detail on the Principles, policies and
frameworks enabler. The remainder of this publication targets the other six COBIT 5 enablers and explains how they
can be used to address the privacy principles and implement an enterprisewide privacy management program.

Using Enablers
Enablers are sometimes called “resources.” Regardless of the name, they support a holistic approach to identifying,
implementing and monitoring all components and systems for the purpose of embedding privacy in day-to-day activities.

Enablers are grouped into seven categories, the first of which—Principles, policies and frameworks—was discussed in
the preceding section. The remaining enablers, each of which has specific implications relevant to privacy, are:
• Processes
• Organizational structures
• Culture, ethics and behavior
• Information
• Services, infrastructure and applications
• People, skills and competencies

Competent and complete implementation of enablers can enhance the maturity, capability and performance of privacy
management within an enterprise.

Enablers have a set of common dimensions and performance-management metrics that serve several purposes. They
provide a simple and structured way to deal with the enablers, they support an entity’s efforts to manage complex
interactions among them and they facilitate successful outcomes of their use. The dimensions are:
• Stakeholders—The individuals and entities (internal and external) that play an active role and/or have an interest
in the enabler. They each have their own (sometimes conflicting) interests and needs, and those needs influence
enterprise goals, which must then be reflected in privacy goals.
• Goals—Expected outcomes that relate to intrinsic quality (the extent to which enablers provide accurate, objective
and reputable results); contextual quality (the extent to which outcomes of the enablers are fit for purpose within their
operating context); and access and security (the extent to which enablers are available when and if needed and access
is restricted to those authorized to use them)
• Life cycle—The “life” of the enabler, from inception through operational/useful business activities, to disposal or
retirement of the service, process or system
• Good practices—Tested examples and suggestions in support of accomplishing the enabler goals by indicating how
best to implement the enabler and the required work products or the inputs and outputs

Like any enterprise activity, enablers should be monitored and measured to ensure they are achieving the expected
outcomes and, if they are not, to determine the extent of the shortfalls and where they occur. Enabler performance
management metrics are grouped into two categories:
• Lag indicators, which reflect the actual outcome of the enabler and focus on whether stakeholder needs were
addressed and the enabler goals achieved
• Lead indicators, which deal with the actual functioning of the enabler and are intended to discover whether the enabler
life cycle is being managed, good practices are applied and the risk is managed to acceptable levels
