The Top 10 Things Every Cybersecurity Professional Needs to Know About Privacy

Valerie Lyons
Author: Dr. Valerie Lyons, Chief Operating Officer, BH Consulting
Published: January 22, 2024

My upcoming presentation at the ISACA 2024 Virtual Conference will cover some of the most important elements of privacy that a cybersecurity professional should know and understand. I'll wager that most readers will say those elements are GDPR, CCPA, HIPAA, etc. I would argue, however, that while legislation is important, privacy extends far beyond it. We need to think about privacy beyond mere legislation and understand it more deeply than as a compliance responsibility alone.

Privacy can be classified as an economic responsibility, as organizations that process information inappropriately can be subject to regulatory fines, reputational damage and/or increased regulatory supervision. Privacy can be classified as a legal responsibility, as privacy legislation mandates strict governance over the processing of personal data. Privacy can also be classified as an ethical responsibility: legislation lags behind ethics, and where it does, ethics comes into play.

The intersection between privacy and cybersecurity is ever increasing, and the boundaries between the two are ever blurring. By way of example, data breaches lived firmly in the realm of cybersecurity for many years. However, since the adoption of GDPR and the mandatory disclosure requirements of several data protection and privacy laws around the world, the balance of responsibility for and ownership of data breaches has become blurred.

Furthermore, the language of privacy is very different from that of cybersecurity. Cybersecurity professionals talk about penetration tests, vulnerability assessments, ransomware attacks, firewalls, operating systems, malware, antivirus, etc. Meanwhile, privacy professionals talk about data protection impact assessments, case law judgments, privacy by design and by default, legitimate interest assessments, proportionality, etc. In fact, the language of privacy is not even consistent in its own right, with much confusion about the fundamental differences between data protection and privacy and their definitions across jurisdictions.

To support cybersecurity professionals' ability to connect with, understand and support privacy teams, my presentation begins by highlighting the key terms that cybersecurity professionals should understand to be able to talk the language of privacy more fluently. Having spent the first 20 years of my career working at a senior level in cybersecurity and over a decade working in privacy at similar levels, along with completing a PhD in privacy and writing a best-selling book about privacy leadership, I have learned the language of cybersecurity and the language of privacy. While a common language is not available (and would be nice), frameworks that address both privacy and cybersecurity present an excellent solution to this challenge, e.g., the NIST frameworks for cybersecurity and for privacy, or the ISO 27001/27701 standards.

My presentation will also outline key processes in privacy legislation that are associated with the typical risk-based approach adopted by most data protection legislation, e.g., data protection impact assessments. However, the presentation also describes other important characteristics of privacy that are important to understand beyond legislation, such as privacy as a commodity, an asset, a cultural attitude and a form of control. Also outlined are the factors influencing our privacy behaviors and attitudes, and how important it is to consider these when 1) recruiting people to your team and 2) developing training and awareness programs for your organization.

Finally, the presentation will bring to light some challenges with certain privacy terms, e.g., the "Data Protection Officer" or DPO as defined by GDPR. Using this term to describe a role means that you must comply with the requirements for that role as described by GDPR. However, if you are not mandated to designate a DPO, then in certain situations it may be prudent to consider using other titles, such as Privacy Champion or Privacy Leader.

How did I select the 10 things that every cybersecurity professional should know? From the eight OECD privacy principles, the seven Privacy by Design principles, the 99 articles of GDPR, the 173 GDPR recitals, at least 20 significant pieces of data protection legislation, the six main lawful bases for processing, at least 10 acronyms, and more, I distilled "all things privacy" down to 10 key things based on the questions that I am most frequently asked, or the domains most often raised, by clients. I look forward to exploring them with you in more detail at the conference!

Additional resources