
EU GDPR Compliance Criteria - Cybersecurity For Privacy (C4P) Overview

Kick Off (START)

DEFINE CYBERSECURITY FRAMEWORK

Pick The Best Framework For Your Needs:
- ISO 27002
- NIST 800-53
- NIST Cybersecurity Framework
- Other

Key Articles To Consider For CYBERSECURITY Framework Alignment:
- Article 5 – Principles relating to personal data
- Article 25 – Data protection by design and by default
- Article 28 – Processor
- Article 30 – Processing activities
- Article 32 – Security of processing
- Article 33 – Notification of a personal data breach
- Article 35 – Data Protection Impact Assessment (DPIA)
- Article 45 – Transfers on the basis of adequacy decision

DEFINE PRIVACY FRAMEWORK

Pick The Best Framework For Your Needs:
- ISO 29100
- US Privacy Shield
- Generally Accepted Privacy Principles (GAPP)
- Service Organization Control (SOC 2)
- Asia-Pacific Economic Cooperation (APEC)
- Organization for Economic Co-Operation & Development (OECD)
- Other

Key Articles To Consider For PRIVACY Framework Alignment:
- Article 5 – Principles relating to personal data
- Article 6 – Lawfulness of processing
- Article 9 – Processing of special categories of personal data
- Article 17 – Right to erasure (right to be forgotten)
- Article 20 – Right to data portability
- Article 25 – Data protection by design and by default
- Article 30 – Processing activities
- Article 35 – Data Protection Impact Assessment (DPIA)

OPERATIONALIZE FRAMEWORKS THROUGH STANDARDIZED OPERATING PROCEDURES (SOP) & DOCUMENTED SDLC PROCESSES

Operational Expectations:
- Publish & manage policies, standards & procedures that cover applicable cybersecurity & privacy requirements.
- Implement ongoing risk management practices (e.g., Data Protection Impact Assessment (DPIA) or other risk assessments).
- Formalize a Secure Development Lifecycle (SDLC) program that helps ensure both cybersecurity & privacy principles are designed and implemented by design and default.
- Perform Control Validation Testing (CVT) to validate the existence and effectiveness of cybersecurity & privacy controls. CVT should be done prior to "go live" or after significant changes.
- Maintain a mature Incident Response (IR) capability.

Data Lifecycles (ongoing): AS NECESSARY – ADJUST TO CHANGES TO CYBERSECURITY & PRIVACY FRAMEWORKS
EU GDPR Compliance Criteria (EGCC) 4/24/2018

Secure Controls Framework (SCF) mapping table. Each entry below gives the following columns of the source table:
- SCF Domain
- SCF Control
- SCF #
- Control Description
- Methods To Comply With SCF Controls
- Target Audience
- Other framework mappings, in this order: AICPA SOC 2 (2017), GAPP, ISO 27002 v2013, ISO 29100 v2011, NIST 800-160, NIST 800-53 rev4, NIST 800-171 rev 1, NIST Cybersecurity Framework (CSF), US Privacy Shield
- EMEA EU GDPR: the applicable articles (the source marks one applicability column per article, Art 1 through Art 50)

GOV-01 | Security & Privacy Governance | Security & Privacy Governance Program
  Control description: Mechanisms exist to facilitate the implementation of cybersecurity and privacy governance controls.
  Methods to comply: Steering committee; Digital Security Program (DSP); Written Information Security Program (WISP)
  Target audience: Management
  Other framework mappings: 8.2.1, 5.1.1, 5.1, 5.10, 5.11, PM-1
  EU GDPR: Art 32.1, 32.2, 32.3, 32.4

GOV-02 | Security & Privacy Governance | Publishing Security Policies
  Control description: Mechanisms exist to establish, maintain and disseminate cybersecurity and privacy policies, standards and procedures.
  Methods to comply: Steering committee; Digital Security Program (DSP); Written Information Security Program (WISP); Governance, Risk and Compliance Solution (GRC) tool (ZenGRC, Archer, RSAM, Metric stream, etc.); Wiki; SharePoint
  Target audience: Management
  Other framework mappings: 8.2.1, 5.1.1, PM-1, ID.GV-1
  EU GDPR: Art 32.1, 32.2, 32.3, 32.4

GOV-03 | Security & Privacy Governance | Periodic Review & Update of Security Documentation
  Control description: Mechanisms exist to review cybersecurity and privacy policies, standards and procedures at planned intervals or if significant changes occur to ensure their continuing suitability, adequacy and effectiveness.
  Methods to comply: Governance, Risk and Compliance Solution (GRC) tool (ZenGRC, Archer, RSAM, Metric stream, etc.); Steering committee
  Target audience: Management
  Other framework mappings: CC7.2, 8.2.1, 5.1.2, PM-1
  EU GDPR: Art 32.1, 32.2, 32.3, 32.4

GOV-06 | Security & Privacy Governance | Contacts With Authorities
  Control description: Mechanisms exist to identify and document appropriate contacts within relevant law enforcement and regulatory bodies.
  Methods to comply: Threat intelligence personnel; Integrated Security Incident Response Team (ISIRT)
  Target audience: Management
  Other framework mappings: 6.1.3, IR-6
  EU GDPR: Art 31, 36.1, 36.2, 36.3, 37.7, 40.1, 41.1, 42.2, 50

GOV-07 | Security & Privacy Governance | Contacts With Groups & Associations
  Control description: Mechanisms exist to establish contact with selected groups and associations within the cybersecurity & privacy communities to:
    ▪ Facilitate ongoing cybersecurity and privacy education and training for organizational personnel;
    ▪ Maintain currency with recommended cybersecurity and privacy practices, techniques and technologies; and
    ▪ Share current security-related information including threats, vulnerabilities and incidents.
  Methods to comply: SANS; CISO Executive Network; ISACA chapters; IAPP chapters; ISAA chapters
  Target audience: Management
  Other framework mappings: 6.1.4, AT-5, PM-15
  EU GDPR: Art 40.2, 41.1, 42.2, 42.3, 43.2

AST-01 | Asset Management | Asset Governance
  Control description: Mechanisms exist to facilitate the implementation of asset management controls.
  Methods to comply: Generally Accepted Accounting Principles (GAAP); ITIL - Configuration Management Database (CMDB)
  Target audience: Management
  Other framework mappings: PM-5
  EU GDPR: Art 32.1, 32.2

AST-04 | Asset Management | Network Diagrams & Data Flow Diagrams (DFDs)
  Control description: Mechanisms exist to maintain network architecture diagrams that:
    ▪ Contain sufficient detail to assess the security of the network's architecture;
    ▪ Reflect the current state of the network environment; and
    ▪ Document all sensitive data flows.
  Methods to comply: High-Level Diagram (HLD); Low-Level Diagram (LLD); Data Flow Diagram (DFD); SolarWinds; Paessler; PRTG
  Target audience: Technical
  Other framework mappings: PL-2, SA-5(1), SA-5(2), SA-5(3), SA-5(4), ID.AM-3
  EU GDPR: Art 30.1, 30.2, 30.3, 30.4, 30.5

BCD-01 | Business Continuity & Disaster Recovery | Contingency Plan
  Control description: Mechanisms exist to facilitate the implementation of contingency planning controls.
  Methods to comply: Business Continuity Plan (BCP); Disaster Recovery Plan (DRP); Continuity of Operations Plan (COOP); Business Impact Analysis (BIA); Criticality assessments
  Target audience: Management
  Other framework mappings: A1.3, 17.1.2, CP-1, CP-2, IR-4(3), PM-8, RC.RP-1
  EU GDPR: Art 32.1, 32.2

CAP-01 | Capacity & Performance Planning | Capacity & Performance Management
  Control description: Mechanisms exist to facilitate the implementation of capacity management controls to ensure optimal system performance for future capacity requirements.
  Methods to comply: Splunk; Resource monitoring
  Target audience: Management
  Other framework mappings: A1.1, 12.1.3, SC-5, SC-5(3), PR.DS-4
  EU GDPR: Art 32.1, 32.2

CHG-01 | Change Management | Change Management Program
  Control description: Mechanisms exist to facilitate the implementation of change management controls.
  Methods to comply: VisibleOps methodology; ITIL infrastructure library; NNT Change Tracker; ServiceNow; Remedy; Tripwire; Chef; Puppet
  Target audience: All Users
  Other framework mappings: CC7.3, 12.1.2, CM-3, 3.4.10, 3.4.13
  EU GDPR: Art 32.1, 32.2

CLD-01 | Cloud Security | Cloud Services
  Control description: Mechanisms exist to facilitate the implementation of cloud management controls to ensure cloud instances are secure and in-line with industry practices.
  Methods to comply: Data Protection Impact Assessment (DPIA)
  Target audience: Technical
  EU GDPR: Art 32.1, 32.2

www.securecontrolsframework.com 1 of 10

CPL-01 | Compliance | Statutory, Regulatory & Contractual Compliance
  Control description: Mechanisms exist to facilitate the implementation of relevant legislative statutory, regulatory and contractual controls.
  Methods to comply: Governance, Risk and Compliance Solution (GRC) tool (ZenGRC, Archer, RSAM, Metric stream, etc.); Steering committee
  Target audience: All Users
  Other framework mappings: 18.1.1, 5.1, 3.3, 3.3.3, 3.3.4, 3.4, 3.4.1, 3.4.2, 3.4.3, PM-8, ID.GV-3, PR.IP-5
  EU GDPR: Art 1.2, 2.1, 2.2, 3.1, 3.2, 3.3, 6.1, 17.3, 20.3, 23.1, 23.2, 24.1, 24.2, 24.3, 25.1, 25.2, 25.3, 27.1, 27.2, 27.3, 27.4, 27.5, 32.1, 32.2, 32.3, 32.4, 40.1, 40.2, 42.2, 43, 50

CPL-02 | Compliance | Security Controls Oversight
  Control description: Mechanisms exist to provide a security controls oversight function.
  Methods to comply: Governance, Risk and Compliance Solution (GRC) tool (ZenGRC, Archer, RSAM, Metric stream, etc.); Steering committee; Formalized SDLC program; Formalized DevOps program; Control Validation Testing (CVT); Security Test & Evaluation (STE)
  Target audience: Management
  Other framework mappings: 8.2.7, 5.10, 5.11, 5.12, CA-7, CA-7(1), PM-14, 3.3.8, 3.12.1, 3.12.2, 3.12.3, 3.12.4, NFO, DE.DP-5, PR.IP-7
  EU GDPR: Art 5.2

CPL-03 | Compliance | Security Assessments
  Control description: Mechanisms exist to ensure managers regularly review the processes and documented procedures within their area of responsibility to adhere to appropriate security policies, standards and other applicable requirements.
  Methods to comply: Control Validation Testing (CVT); Security Test & Evaluation (STE); Governance, Risk and Compliance Solution (GRC) tool (ZenGRC, Archer, RSAM, Metric stream, etc.)
  Target audience: Technical
  Other framework mappings: P8.1, 10.2.4, 18.2.2, 5.12, CA-2, 3.4.9
  EU GDPR: Art 5.2, 32.3

CPL-03.1 | Compliance | Independent Assessors
  Control description: Mechanisms exist to utilize independent assessors at planned intervals or when the system, service or project undergoes significant changes.
  Methods to comply: Control Validation Testing (CVT); Security Test & Evaluation (STE)
  Target audience: Technical
  Other framework mappings: 18.2.1, 3.4.9
  EU GDPR: Art 40.2, 42.1, 42.2, 42.3, 42.4, 42.6, 42.7, 43.2

CFG-01 | Configuration Management | Configuration Management Program
  Control description: Mechanisms exist to facilitate the implementation of configuration management controls.
  Methods to comply: NNT Change Tracker; Change Management Database (CMDB); Baseline hardening standards; Formalized DevOps program; Control Validation Testing (CVT); Security Test & Evaluation (STE)
  Target audience: Management
  Other framework mappings: CM-1, CM-9, 3.3.5, 3.4.7, 3.4.8, NFO
  EU GDPR: Art 32.1, 32.2

MON-01 | Monitoring | Continuous Monitoring
  Control description: Mechanisms exist to facilitate the implementation of enterprise-wide monitoring controls.
  Methods to comply: Splunk
  Target audience: Technical
  Other framework mappings: 12.4.1, AU-1, SI-4, NFO, DE.CM-1, DE.DP-1, DE.DP-2, PR.PT-1
  EU GDPR: Art 32.1, 32.2

CRY-01 | Cryptographic Protections | Use of Cryptographic Controls
  Control description: Mechanisms exist to facilitate the implementation of cryptographic protections controls using known public standards and trusted cryptographic technologies.
  Methods to comply: Key and certificate management solutions; BitLocker and EFS; dm-crypt, LUKS
  Target audience: All Users
  Other framework mappings: 10.1.1, SC-8(2), SC-13, SC-13(1), SI-7(6), 3.13.11
  EU GDPR: Art 5.1, 32.1, 32.2

CRY-03 | Cryptographic Protections | Transmission Confidentiality
  Control description: Cryptographic mechanisms are utilized to protect the confidentiality of data being transmitted.
  Methods to comply: SSL / TLS protocols; IPSEC Tunnels; Native MPLS encrypted tunnel configurations; Custom encrypted payloads
  Target audience: Technical
  Other framework mappings: C1.3, 8.2.5, 13.2.3, SC-8, SC-9, PR.DS-2
  EU GDPR: Art 5.1

CRY-04 | Cryptographic Protections | Transmission Integrity
  Control description: Cryptographic mechanisms are utilized to protect the integrity of data being transmitted.
  Target audience: Technical
  Other framework mappings: 14.1.3, SC-8, SC-16(1), SC-28(1), 3.8.6, 3.13.8, 3.13.16, PR.DS-8
  EU GDPR: Art 5.1

CRY-05 | Cryptographic Protections | Encrypting Data At Rest
  Control description: Cryptographic mechanisms are utilized on systems to prevent unauthorized disclosure of information at rest.
  Target audience: All Users
  Other framework mappings: 10.1.1, SC-13, SC-28(2), PR.DS-1
  EU GDPR: Art 5.1

DCH-01 | Data Classification & Handling | Data Protection
  Control description: Mechanisms exist to facilitate the implementation of data protection controls.
  Target audience: All Users
  Other framework mappings: C1.1, 8.2, 8.3.3, MP-1, 3.3.6, NFO
  EU GDPR: Art 5.1, 32.1, 32.2

DCH-09.3 | Data Classification & Handling | Destruction of Personally Identifiable Information (PII)
  Control description: Mechanisms exist to facilitate the destruction of Personal Information (PI).
  Methods to comply: De-identifying PII
  Target audience: Management
  Other framework mappings: MP-6(9)
  EU GDPR: Art 5.1

DCH-18 | Data Classification & Handling | Media & Data Retention
  Control description: Mechanisms exist to retain media and data in accordance with applicable statutory, regulatory and contractual obligations.
  Methods to comply: Data Protection Impact Assessment (DPIA)
  Target audience: All Users
  Other framework mappings: PI1.4, PI1.5, PI1.6, 8.3, 18.1.3, MP-7, SI-12
  EU GDPR: Art 5.1


DCH-18.1 | Data Classification & Handling | Limit Personally Identifiable Information (PII) Elements In Testing, Training & Research
  Control description: Mechanisms exist to limit Personal Information (PI) being processed in the information lifecycle to elements identified in the Data Protection Impact Assessment (DPIA).
  Methods to comply: Data Protection Impact Assessment (DPIA)
  Target audience: Management
  EU GDPR: Art 35.1, 35.2, 35.3, 35.6, 35.8, 35.9, 35.11

DCH-18.2 | Data Classification & Handling | Minimize Personally Identifiable Information (PII)
  Control description: Mechanisms exist to minimize the use of Personal Information (PI) for research, testing, or training, in accordance with the Data Protection Impact Assessment (DPIA).
  Methods to comply: Data Protection Impact Assessment (DPIA)
  Target audience: Management
  Other framework mappings: 5.5
  EU GDPR: Art 5.1, 35.1, 35.2, 35.3, 35.6, 35.8, 35.9, 35.11

DCH-24 | Data Classification & Handling | Information Location
  Control description: Mechanisms exist to identify and document the location of information and the specific system components on which the information resides.
  Methods to comply: Data Flow Diagram (DFD)
  Target audience: Technical
  EU GDPR: Art 6.1, 26.1, 26.2, 27.3, 28.1, 28.2, 28.3, 28.4, 28.5, 28.6, 28.9, 28.10, 29, 44, 45.1, 45.2, 46.1, 46.2, 46.3, 47.1, 47.2, 48, 49.1, 49.2, 49.6

DCH-25 | Data Classification & Handling | Transfer of Personal Information
  Control description: Mechanisms exist to restrict and govern the transfer of data to third-countries or international organizations.
  Methods to comply: Model contracts; Privacy Shield; Binding Corporate Rules (BCR)
  Target audience: Management
  EU GDPR: Art 44, 45.1, 45.2, 46.1, 46.2, 46.3, 47.1, 47.2, 48, 49.1, 49.2, 49.6

EMB-01 | Embedded Technology | Embedded Technology Security Program
  Control description: Mechanisms exist to facilitate the implementation of embedded technology controls.
  Target audience: All Users
  EU GDPR: Art 32.1, 32.2

END-01 | Endpoint Security | Endpoint Security
  Control description: Mechanisms exist to facilitate the implementation of endpoint security controls.
  Methods to comply: Group Policy Objects (GPOs); Antimalware technologies; Software firewalls; Host-based IDS/IPS technologies; NNT Change Tracker
  Target audience: All Users
  Other framework mappings: 11.2.9, MP-2
  EU GDPR: Art 32.1, 32.2

END-13.1 | Endpoint Security | Authorized Use
  Control description: Mechanisms exist to utilize organization-defined measures so that data or information collected by sensors is only used for authorized purposes.
  Target audience: Management
  Other framework mappings: SC-42(2)
  EU GDPR: Art 5.2

END-13.2 | Endpoint Security | Notice of Collection
  Control description: Mechanisms exist to notify individuals that Personal Information (PI) is collected by sensors.
  Methods to comply: Visible or auditory alert; Data Protection Impact Assessment (DPIA)
  Target audience: Management
  Other framework mappings: SC-42(4)
  EU GDPR: Art 5.1

END-13.3 | Endpoint Security | Collection Minimization
  Control description: Mechanisms exist to utilize sensors that are configured to minimize the collection of information about individuals.
  Target audience: Management
  Other framework mappings: 5.5, SC-42(5)
  EU GDPR: Art 5.1

HRS-01 | Human Resources Security | Human Resources Security Management
  Control description: Mechanisms exist to facilitate the implementation of personnel security controls.
  Target audience: All Users
  Other framework mappings: PS-1, 3.2.4, NFO, PR.IP-11
  EU GDPR: Art 32.1, 32.2, 32.4

HRS-04 | Human Resources Security | Personnel Screening
  Control description: Mechanisms exist to manage personnel security risk by screening individuals prior to authorizing access.
  Methods to comply: Criminal, education and employment background checks
  Target audience: All Users
  Other framework mappings: 7.1.1, PS-3, 3.9.1, 3.9.2
  EU GDPR: Art 32.1, 32.2, 32.4

IAC-01 | Identification & Authentication | Identity & Access Management (IAM)
  Control description: Mechanisms exist to facilitate the implementation of identification and access management controls.
  Target audience: All Users
  Other framework mappings: CC5.1, 8.2.2, 9.1.1, AC-1, IA-1, SI-9, NFO
  EU GDPR: Art 32.1, 32.2

IAC-09.6 | Identification & Authentication | Pairwise Pseudonymous Identifiers
  Control description: Mechanisms exist to generate pairwise pseudonymous identifiers with no identifying information about a subscriber to discourage activity tracking and profiling of the subscriber.
  Target audience: Technical
  EU GDPR: Art 11.1

IRO-01 | Incident Response | Management of Security Incidents
  Control description: Mechanisms exist to facilitate the implementation of incident response controls.
  Target audience: Management
  Other framework mappings: 1.2.7, 16.1.1, IR-1, NFO, PR.IP-9
  EU GDPR: Art 32.1, 32.2


IRO-04.1 | Incident Response | Personally Identifiable Information (PII) Processes
  Control description: Incident response mechanisms include processes involving Personal Information (PI).
  Target audience: Management
  Other framework mappings: 1.2.7, 7.2.4, SE-2
  EU GDPR: Art 33.1, 33.2, 33.3, 33.4, 33.5

IRO-07 | Incident Response | Integrated Security Incident Response Team (ISIRT)
  Control description: Mechanisms exist to establish an integrated team of cybersecurity, IT and business function representatives that are capable of addressing cybersecurity and privacy incident response operations.
  Methods to comply: Full-time employees only
  Target audience: Technical
  Other framework mappings: 16.1.4, IR-10, RC.CO-1, RC.CO-2, RC.CO-3, RS.CO-1, RS.CO-4
  EU GDPR: Art 34.1, 34.2, 34.3, 34.4

IRO-10 | Incident Response | Incident Reporting
  Control description: Mechanisms exist to report incidents:
    ▪ Internally to organizational incident response personnel within organization-defined time-periods; and
    ▪ Externally to regulatory authorities and affected parties, as necessary.
  Target audience: All Users
  Other framework mappings: CC2.5, 1.2.7, 16.1.2, 16.1.3, IR-6, 3.6.1, 3.6.2, RS.CO-2, RS.CO-3, RS.CO-5
  EU GDPR: Art 33.1, 33.2, 33.3, 33.4, 33.5, 34.1, 34.2, 34.3, 34.4

IRO-11.2 | Incident Response | Coordination With External Providers
  Control description: Mechanisms exist to establish a direct, cooperative relationship between the organization's incident response capability and external service providers.
  Target audience: Technical
  Other framework mappings: IR-7(2)
  EU GDPR: Art 34.1, 34.2, 34.3, 34.4

IRO-14 | Incident Response | Regulatory & Law Enforcement Contacts
  Control description: Mechanisms exist to maintain incident response contacts with applicable regulatory and law enforcement agencies.
  Target audience: Technical
  Other framework mappings: 6.1.3, IR-6
  EU GDPR: Art 31

IAO-01 | Information Assurance | Information Assurance (IA) Operations
  Control description: Mechanisms exist to facilitate the implementation of cybersecurity and privacy assessment and authorization controls.
  Methods to comply: Information Assurance (IA) program; VisibleOps security management
  Target audience: All Users
  Other framework mappings: CA-1, PM-10, NFO
  EU GDPR: Art 32.1, 32.2, 32.3

MNT-01 | Maintenance | Maintenance Operations
  Control description: Mechanisms exist to develop, disseminate, review & update procedures to facilitate the implementation of maintenance controls across the enterprise.
  Target audience: All Users
  Other framework mappings: 11.2.4, MA-1, 3.4.13, NFO
  EU GDPR: Art 32.1, 32.2

NET-01 | Network Security | Network Security Management
  Control description: Mechanisms exist to develop, govern & update procedures to facilitate the implementation of network security controls.
  Target audience: All Users
  Other framework mappings: 13.1.1, 13.1.2, SC-1, NFO, PR.PT-4
  EU GDPR: Art 32.1, 32.2

PES-01 | Physical & Environmental Security | Physical & Environmental Protections
  Control description: Mechanisms exist to facilitate the operation of physical and environmental protection controls.
  Target audience: All Users
  Other framework mappings: A1.2, 8.2.3, 8.2.4, PE-1, NFO
  EU GDPR: Art 32.1, 32.2

PRI-01 | Privacy | Privacy Program
  Control description: Mechanisms exist to facilitate the implementation and operation of privacy controls.
  Target audience: All Users
  Other framework mappings: 5.1, 5.10
  EU GDPR: Art 32.1, 32.2, 32.3, 32.4

PRI-01.1 | Privacy | Chief Privacy Officer (CPO)
  Control description: Mechanisms exist to appoint a Chief Privacy Officer (CPO) or similar role, with the authority, mission, accountability and resources to coordinate, develop and implement applicable privacy requirements and manage privacy risks through the organization-wide privacy program.
  Target audience: All Users
  Other framework mappings: 1.1.0, 1.1.2, 1.2.1, 1.2.2, 1.2.8, 1.2.9, 2.1.0, 4.2.3, 8.2.1, 18.1.4, 5.10, AR-1
  EU GDPR: Art 37.1, 38.1, 39.1, 39.2

PRI-01.4 | Privacy | Data Protection Officer (DPO)
  Control description: Mechanisms exist to appoint a Data Protection Officer (DPO):
    ▪ On the basis of professional qualities; and
    ▪ To be involved in all issues related to the protection of personal data.
  Target audience: Management
  Other framework mappings: 5.10
  EU GDPR: Art 35.2, 37.1, 37.2, 37.3, 37.4, 37.5, 37.6, 37.7, 38.1, 38.2, 38.3, 38.4, 38.5, 38.6, 39.1, 39.2


PRI-02 | Privacy | Privacy Notice
  Control description: Mechanisms exist to:
    ▪ Make privacy notice(s) available to individuals upon first interacting with an organization and subsequently as necessary.
    ▪ Ensure that privacy notices are clear and easy-to-understand, expressing information about Personal Information (PI) processing in plain language.
  Target audience: All Users
  Other framework mappings: P1.1, 2.1.1, 2.2.1, 2.2.2, 2.2.3, 3.1.0, 3.1.1, 3.1.2, 4.1.0, 4.1.1, 4.2.4, 5.1.0, 5.1.1, 6.1.0, 7.1.0, 7.1.1, 8.1.0, 8.1.1, 9.1.0, 9.1.1, 10.1.0, 10.1.1, 5.2, 5.8, TR-1, Principle 1, Principle 3
  EU GDPR: Art 11.2, 12.1, 13.1, 13.2, 13.3, 14.1, 14.2, 14.3, 26.1, 26.2

PRI-02.1 | Privacy | Purpose Specification
  Control description: Mechanisms exist to identify and document the purpose(s) for which Personal Information (PI) is collected, used, maintained and shared in its privacy notices.
  Target audience: Management
  Other framework mappings: P2.1, 4.2.1, 5.3, AP-2
  EU GDPR: Art 13.1, 14.1, 14.2

PRI-02.2 | Privacy | Automation
  Control description: Automated mechanisms exist to support records management of authorizing policies and procedures for Personal Information (PI).
  Target audience: Technical
  EU GDPR: Art 14.2, 22.1, 22.2, 22.3, 22.4

PRI-03 | Privacy | Choice & Consent
  Control description: Mechanisms exist to authorize the processing of their Personal Information (PI) prior to its collection that:
    ▪ Uses plain language and provides examples to illustrate the potential privacy risks of the authorization; and
    ▪ Provides a means for users to decline the authorization.
  Methods to comply: "opt in" vs "opt out" user selections
  Target audience: All Users
  Other framework mappings: P3.2, 3.2.1, 3.2.2, 3.2.3, 3.2.4, 5.2, IP-1, Principle 2
  EU GDPR: Art 6.1, 7.1, 7.2, 7.3, 7.4, 8.1, 8.2, 12.6, 14.3

PRI-03.1 | Privacy | Attribute Management
  Control description: Mechanisms exist to allow data subjects to tailor use permissions to selected attributes.
  Target audience: Technical
  EU GDPR: Art 7.1, 7.2, 7.3, 7.4, 12.2, 12.3, 12.4, 22.1, 22.2, 22.3, 22.4

PRI-03.2 | Privacy | Just-In-Time Notice & Consent
  Control description: Mechanisms exist to present authorizations to process Personal Information (PI) in conjunction with the data action, when:
    ▪ The original circumstances under which an individual gave consent have changed; or
    ▪ A significant amount of time has passed since an individual gave consent.
  Target audience: Technical
  Other framework mappings: Principle 2
  EU GDPR: Art 7.1, 7.2, 7.3, 7.4, 8.1, 8.2, 12.2, 12.3, 12.4, 13.3, 14.3, 21.4

PRI-04 | Privacy | Collection
  Control description: Mechanisms exist to collect Personal Information (PI) only for the purposes identified in the privacy notice.
  Target audience: All Users
  Other framework mappings: P3.1, 4.1.2, 9.2.2, 5.4, AP-1
  EU GDPR: Art 5.1

PRI-04.1 | Privacy | Authority To Collect
  Control description: Mechanisms exist to determine and document the legal authority that permits the collection, use, maintenance and sharing of Personal Information (PI), either generally or in support of a specific program or system need.
  Target audience: Management
  Other framework mappings: 1.2.5, 1.2.11, 4.2.2, 5.4, AP-1
  EU GDPR: Art 5.1

PRI-05 | Privacy | Use, Retention & Disposal
  Control description: Mechanisms exist to:
    ▪ Retain Personal Information (PI), including metadata, for an organization-defined time period to fulfill the purpose(s) identified in the notice or as required by law;
    ▪ Dispose of, destroy, erase, and/or anonymize the PI, regardless of the method of storage; and
    ▪ Use organization-defined techniques or methods to ensure secure deletion or destruction of PI (including originals, copies and archived records).
  Target audience: All Users
  Other framework mappings: 4.1.2, 5.2.2, 5.2.3, 5.6, DM-2, 3.4.14, Principle 5
  EU GDPR: Art 5.1, 18.1, 18.2, 21.1, 21.2, 21.3


PRI-05.1 | Privacy | Internal Use
  Control description: Mechanisms exist to address the use of Personal Information (PI) for internal testing, training and research that:
    ▪ Takes measures to limit or minimize the amount of PI used for internal testing, training and research purposes; and
    ▪ Authorizes the use of PI when such information is required for internal testing, training and research.
  Target audience: Technical
  Other framework mappings: 4.1.2, 7.2.2, 9.2.1, 9.2.2, DM-1, DM-3
  EU GDPR: Art 5.1, 11.1, 18.1, 18.2

PRI-05.2 | Privacy | Data Integrity
  Control description: Mechanisms exist to confirm the accuracy and relevance of Personal Information (PI), as data is obtained and used across the information lifecycle.
  Target audience: Technical
  Other framework mappings: 9.2.1, 5.7, DI-2, Principle 5
  EU GDPR: Art 5.1

PRI-05.3 | Privacy | Data Masking
  Control description: Mechanisms exist to mask sensitive information that is displayed or printed.
  Target audience: Technical
  EU GDPR: Art 5.1

PRI-05.4 | Privacy | Usage Restrictions of Personally Identifiable Information (PII)
  Control description: Mechanisms exist to restrict the use of Personal Information (PI) to only the authorized purpose(s) consistent with applicable laws, regulations and in privacy notices.
  Target audience: Management
  Other framework mappings: 5.2.1, UL-1, Principle 5
  EU GDPR: Art 5.1, 9.1, 9.2, 10, 11.1, 18.1, 18.2

PRI-06 | Privacy | Right of Access
  Control description: Mechanisms exist to provide individuals the ability to access their Personal Information (PI) maintained in organizational systems of records.
  Target audience: Management
  Other framework mappings: P5.1, P6.8, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 5.9, IP-2, Principle 6
  EU GDPR: Art 12.1, 12.2, 13.2, 14.2, 15.1, 15.2, 15.3, 15.4, 16, 26.3

PRI-06.1 | Privacy | Redress
  Control description: Mechanisms exist to establish and implement a process for:
    ▪ Individuals to have inaccurate Personal Information (PI) maintained by the organization corrected or amended; and
    ▪ Disseminating corrections or amendments of PI to other authorized users of the PI.
  Target audience: Management
  Other framework mappings: P5.2, P8.1, 6.2.5, 6.2.6, 10.2.1, 10.2.2, 5.9, IP-3, Principle 7
  EU GDPR: Art 12.3, 14.2, 16, 18.1, 26.3

PRI-06.2 | Privacy | Notice of Correction of Amendment
  Control description: Mechanisms exist to notify affected individuals if their Personal Information (PI) has been corrected or amended.
  Target audience: Management
  Other framework mappings: 5.9
  EU GDPR: Art 12.3, 18.3, 19, 26.3

PRI-06.3 | Privacy | Appeal
  Control description: Mechanisms exist to provide an organization-defined process for individuals to appeal an adverse decision and have incorrect information amended.
  Target audience: Management
  Other framework mappings: 5.9, Principle 7
  EU GDPR: Art 21.1, 21.2, 21.3, 26.3

PRI-06.4 | Privacy | User Feedback Management
  Control description: Mechanisms exist to implement a process for receiving and responding to complaints, concerns or questions from individuals about the organizational privacy practices.
  Target audience: Management
  Other framework mappings: P5.2, P8.1, 6.2.5, 6.2.6, 7.1.2, 10.2.1, 10.2.2, 5.9, IP-4, Principle 7
  EU GDPR: Art 18.1, 18.2, 18.3, 19, 21.1, 21.6, 22, 26.3

PRI-06.5 | Privacy | Right to Erasure
  Control description: Mechanisms exist to erase personal data of an individual, without delay.
  Target audience: Management
  EU GDPR: Art 17.1, 17.2, 17.3

PRI-06.6 | Privacy | Data Portability
  Control description: Mechanisms exist to export Personal Information (PI) in a structured, commonly used and machine-readable format that allows the data subject to transmit the data to another controller without hindrance.
  Target audience: Management
  EU GDPR: Art 20.1, 20.2, 20.3, 20.4

PRI-07 | Privacy | Information Sharing With Third Parties
  Control description: Mechanisms exist to disclose Personal Information (PI) to third-parties only for the purposes identified in the privacy notice and with the implicit or explicit consent of the individual.
  Target audience: All Users
  Other framework mappings: 7.2.1, 7.2.2, 7.2.3, UL-2, Principle 3
  EU GDPR: Art 6.1, 6.4, 15.2, 20.2, 26.1, 26.2, 26.3, 44, 45.1, 45.2, 46.1, 46.2, 46.3, 47.1, 47.2, 48, 49.1, 49.2, 49.6


Mechanisms exist to includes privacy requirements in Art 6.1


contracts and other acquisition-related documents that Art 6.4
establish privacy roles and responsibilities for Art 26.1
contractors and service providers. Art 26.2
Art 26.3
Art 28.1
Privacy Requirements for
4.2.3 Art 28.2
Privacy Contractors & Service PRI-07.1 Management AR-3 Principle 3 x x x x
7.2.4 Art 28.3
Providers
Art 28.4
Art 28.5
Art 28.6
Art 28.9
Art 28.10
Art 29
Mechanisms exist to implement a process for ensuring
that organizational plans for conducting security and
1.2.6
privacy testing, training and monitoring activities
P6.5 10.2.3 18.2.2 Art 32.1
Privacy Testing, Training & Monitoring PRI-08 associated with organizational systems are developed All Users AR-4 x
P8.1 10.2.4 18.2.3 Art 32.2
and performed.
10.2.5

Mechanisms exist to utilize a System of Records Notices Art 30.1


(SORN), or similar record of processing activities, to Art 30.2
System of Records Notice
Privacy PRI-09 maintain a record of processing Personal Information Management Art 30.3 x
(SORN)
(PI) under the organization's responsibility. Art 30.4
Art 30.5
PRI-10 - Data Quality Management
  SCF Domain: Privacy
  Control Description: Mechanisms exist to issue guidelines ensuring and maximizing the quality, utility, objectivity, integrity, impact determination and de-identification of Personal Information (PI) across the information lifecycle.
  Target Audience: Management
  ISO 29100 v2011: 5.7
  EU GDPR: Art 5.1

PRI-10.1 - Automation
  SCF Domain: Privacy
  Control Description: Automated mechanisms exist to support the evaluation of data quality across the information lifecycle.
  Target Audience: Management
  EU GDPR: Art 5.1, Art 21.5, Art 22
PRI-12 - Updating Personally Identifiable Information (PII)
  SCF Domain: Privacy
  Control Description: Mechanisms exist to develop processes to identify and record the method under which Personal Information (PI) is updated and the frequency that such updates occur.
  Target Audience: Management
  ISO 29100 v2011: 5.7
  EU GDPR: Art 5.1
PRI-13 - Data Management Board
  SCF Domain: Privacy
  Control Description: Mechanisms exist to establish a written charter for a Data Management Board (DMB) and assign organization-defined roles to the DMB.
  Methods To Comply With SCF Controls: Data Management Board (DMB)
  Target Audience: Management
  EU GDPR: Art 5.1, Art 30.1, Art 30.2, Art 30.3, Art 30.4, Art 30.5
PRI-14 - Privacy Reporting
  SCF Domain: Privacy
  Control Description: Mechanisms exist to develop, disseminate and update reports to internal senior management, as well as external oversight bodies, as appropriate, to demonstrate accountability with specific statutory and regulatory privacy program mandates.
  Target Audience: Management
  GAPP: 10.2.3, 10.2.5
  NIST 800-53 rev4: AR-6
  EU GDPR: Art 31

PRI-14.1 - Accounting of Disclosures
  SCF Domain: Privacy
  Control Description: Mechanisms exist to develop and maintain an accounting of disclosures of Personal Information (PI) held by the organization and make the accounting of disclosures available to the person named in the record, upon request.
  Target Audience: Management
  GAPP: 7.2.1, 7.2.4
  NIST 800-53 rev4: AR-8
  EU GDPR: Art 30.1, Art 30.2, Art 30.3, Art 30.4, Art 30.5
PRI-15 - Register Database
  SCF Domain: Privacy
  Control Description: Mechanisms exist to register databases containing Personal Information (PI) with the appropriate Data Authority, when necessary.
  Target Audience: Management
  EU GDPR: Art 30.4
PRM-01 - Security Portfolio Management
  SCF Domain: Project & Resource Management
  Control Description: Mechanisms exist to facilitate the implementation of security and privacy-related resource planning controls.
  Target Audience: All Users
  ISO 27002 v2013: 6.1.5
  NIST 800-160: 3.2, 3.2.1, 3.2.2, 3.2.3, 3.2.4, 3.2.5, 3.2.6, 3.3, 3.3.1, 3.3.2
  NIST 800-53 rev4: PL-1
  NIST 800-171 rev 1: NFO
  EU GDPR: Art 32.1, Art 32.2
RSK-01 - Risk Management Program
  SCF Domain: Risk Management
  Control Description: Mechanisms exist to facilitate the implementation of risk management controls.
  Methods To Comply With SCF Controls: Risk Management Program (RMP)
  Target Audience: All Users
  ISO 27002 v2013: 11.1.4
  ISO 29100 v2011: 5.10, 5.11, 5.12
  NIST 800-160: 3.3.4
  NIST 800-53 rev4: PM-9, RA-1
  NIST 800-171 rev 1: NFO
  NIST CSF: ID.GV-4, ID.RM-1, ID.RM-2, ID.RM-3
  EU GDPR: Art 32.1, Art 32.2
RSK-04 - Risk Assessment
  SCF Domain: Risk Management
  Control Description: Mechanisms exist to conduct an annual assessment of risk that includes the likelihood and magnitude of harm from unauthorized access, use, disclosure, disruption, modification or destruction of the organization's systems and data.
  Methods To Comply With SCF Controls: Risk Management Program (RMP)
  Target Audience: All Users
  GAPP: 1.2.4
  ISO 27002 v2013: 11.1.4
  ISO 29100 v2011: 5.12
  NIST 800-53 rev4: RA-3
  NIST 800-171 rev 1: 3.11.1
  NIST CSF: ID.RA-5
  EU GDPR: Art 35.1, Art 35.2, Art 35.3, Art 35.6, Art 35.8, Art 35.9, Art 35.11
RSK-04.1 - Risk Register
  SCF Domain: Risk Management
  Control Description: Mechanisms exist to maintain a risk register that facilitates monitoring and reporting of risks.
  Methods To Comply With SCF Controls: Risk Management Program (RMP); Risk register; Governance, Risk and Compliance (GRC) tool (ZenGRC, Archer, RSAM, MetricStream, etc.)
  Target Audience: Management
  ISO 29100 v2011: 5.12
  EU GDPR: Art 35.1


RSK-08 - Business Impact Analysis (BIAs)
  SCF Domain: Risk Management
  Control Description: Mechanisms exist to conduct Business Impact Analyses (BIAs).
  Methods To Comply With SCF Controls: Risk Management Program (RMP); Data Protection Impact Assessment (DPIA); Business Impact Analysis (BIA)
  Target Audience: All Users
  ISO 29100 v2011: 5.12
  NIST CSF: ID.RA-4
  EU GDPR: Art 35.1, Art 35.2, Art 35.3, Art 35.6, Art 35.8, Art 35.9, Art 35.11, Art 36.3
RSK-09.1 - Supply Chain Risk Assessment
  SCF Domain: Risk Management
  Control Description: Mechanisms exist to assess supply chain risks associated with systems, system components and services.
  Methods To Comply With SCF Controls: Risk Management Program (RMP); Data Protection Impact Assessment (DPIA)
  Target Audience: Management
  ISO 29100 v2011: 5.12
  EU GDPR: Art 35.1, Art 35.2, Art 35.3, Art 35.6, Art 35.8, Art 35.9, Art 35.11, Art 36.3
RSK-10 - Data Protection Impact Assessment (DPIA)
  SCF Domain: Risk Management
  Control Description: Mechanisms exist to conduct a Data Protection Impact Assessment (DPIA) on systems, applications and services to evaluate privacy implications.
  Methods To Comply With SCF Controls: Risk Management Program (RMP); Data Protection Impact Assessment (DPIA); Privacy Impact Assessment (PIA)
  Target Audience: All Users
  GAPP: 1.2.4, 4.2.3
  ISO 29100 v2011: 5.12
  NIST 800-53 rev4: AR-2, PL-5
  EU GDPR: Art 35.1, Art 35.2, Art 35.3, Art 35.6, Art 35.8, Art 35.9, Art 35.11, Art 36.1, Art 36.2, Art 36.3
SEA-01 - Secure Engineering Principles
  SCF Domain: Secure Engineering & Architecture
  Control Description: Mechanisms exist to facilitate the implementation of industry-recognized security and privacy practices in the specification, design, development, implementation and modification of systems and services.
  Target Audience: All Users
  AICPA SOC 2 (2017): CC3.2
  GAPP: 4.2.3, 6.2.2, 7.2.2, 7.2.3
  ISO 27002 v2013: 14.2.5
  ISO 29100 v2011: 5.10, 5.11
  NIST 800-160: 2.1, 2.2, 2.3, 2.4
  NIST 800-53 rev4: AR-7, SA-8, SA-13, SC-7(18), SI-1
  NIST 800-171 rev 1: 3.13.1, 3.13.2, NFO
  US Privacy Shield: Principle 4
  EU GDPR: Art 5.2, Art 24.1, Art 24.2, Art 24.3, Art 25.1, Art 25.2, Art 25.3, Art 32.1, Art 32.2, Art 40.2
SEA-01.1 - Centralized Management of Cybersecurity & Privacy Controls
  SCF Domain: Secure Engineering & Architecture
  Control Description: Mechanisms exist to centrally manage the organization-wide management and implementation of cybersecurity and privacy controls and related processes.
  Target Audience: Management
  ISO 29100 v2011: 5.10, 5.11
  NIST 800-160: 3.4, 3.4.3, 3.4.4, 3.4.5, 3.4.6, 3.4.7, 3.4.8, 3.4.9, 3.4.10, 3.4.11, 3.4.12, 3.4.13, 3.4.14
  NIST 800-53 rev4: PL-9
  EU GDPR: Art 5.2, Art 24.1, Art 24.2, Art 24.3, Art 25.1, Art 25.2, Art 25.3, Art 32.1, Art 32.2, Art 40.2
SEA-02.1 - Standardized Terminology
  SCF Domain: Secure Engineering & Architecture
  Control Description: Mechanisms exist to standardize technology and process terminology to reduce confusion amongst groups and departments.
  Target Audience: Technical
  EU GDPR: Art 4.1, Art 4.2, Art 4.3, Art 4.4, Art 4.5, Art 4.6, Art 4.7, Art 4.8, Art 4.9, Art 4.10, Art 4.11, Art 4.12, Art 4.13, Art 4.14, Art 4.15, Art 4.16, Art 4.17, Art 4.18, Art 4.19, Art 4.20, Art 4.21, Art 4.22, Art 4.23, Art 4.24, Art 4.25, Art 4.26


SEA-15 - Distributed Processing & Storage
  SCF Domain: Secure Engineering & Architecture
  Control Description: Mechanisms exist to distribute processing and storage across multiple physical locations.
  Target Audience: Technical
  NIST 800-53 rev4: SC-36
  EU GDPR: Art 6.1, Art 26.1, Art 26.2, Art 26.3, Art 28.1, Art 28.2, Art 28.3, Art 28.4, Art 28.5, Art 28.6, Art 28.9, Art 28.10, Art 29, Art 44, Art 45.1, Art 45.2, Art 46.1, Art 46.2, Art 46.3, Art 47.1, Art 47.2, Art 48, Art 49.1, Art 49.2, Art 49.6
OPS-01 - Operations Security
  SCF Domain: Security Operations
  Control Description: Mechanisms exist to facilitate the implementation of operational security controls.
  Methods To Comply With SCF Controls: Standardized Operating Procedures (SOP); ITIL v4; COBIT 5
  Target Audience: Management
  ISO 27002 v2013: 12.1.1
  NIST 800-160: 3.4.12
  NIST 800-53 rev4: SC-38
  EU GDPR: Art 32.1, Art 32.2
SAT-01 - Security & Privacy-Minded Workforce
  SCF Domain: Security Awareness & Training
  Control Description: Mechanisms exist to facilitate the implementation of security workforce development and awareness controls.
  Target Audience: All Users
  ISO 27002 v2013: 7.2.2
  NIST 800-53 rev4: AT-1, PM-13
  NIST 800-171 rev 1: NFO
  NIST CSF: PR.AT-1, PR.AT-3, PR.AT-4
  EU GDPR: Art 32.1, Art 32.2, Art 32.4
TDA-01 - Technology Development & Acquisition
  SCF Domain: Technology Development & Acquisition
  Control Description: Mechanisms exist to facilitate the implementation of tailored development and acquisition strategies, contract tools and procurement methods to meet unique business needs.
  Target Audience: All Users
  NIST 800-160: 3.1, 3.1.1, 3.1.2
  EU GDPR: Art 32.1, Art 32.2

TPM-01 - Third-Party Management
  SCF Domain: Third-Party Management
  Control Description: Mechanisms exist to facilitate the implementation of third-party management controls.
  Methods To Comply With SCF Controls: Procurement program; Contract reviews
  Target Audience: All Users
  AICPA SOC 2 (2017): C1.5
  ISO 27002 v2013: 15.1.1
  NIST 800-53 rev4: SA-4
  NIST 800-171 rev 1: NFO
  NIST CSF: ID.SC-1
  EU GDPR: Art 28.1, Art 28.2, Art 28.3, Art 28.4, Art 28.5, Art 28.6, Art 28.9, Art 28.10, Art 32.1, Art 32.2
TPM-03 - Supply Chain Protection
  SCF Domain: Third-Party Management
  Control Description: Mechanisms exist to evaluate security risks associated with the services and product supply chain.
  Methods To Comply With SCF Controls: Data Protection Impact Assessment (DPIA)
  Target Audience: All Users
  ISO 27002 v2013: 15.1.3
  NIST 800-53 rev4: SA-12
  NIST CSF: ID.SC-4
  EU GDPR: Art 28.1, Art 28.2, Art 28.3, Art 28.4, Art 28.5, Art 28.6, Art 28.9, Art 28.10
TPM-04.4 - Third-Party Processing, Storage and Service Locations
  SCF Domain: Third-Party Management
  Control Description: Mechanisms exist to restrict the location of information processing/storage based on business requirements.
  Target Audience: Management
  NIST 800-53 rev4: SA-9(5)
  EU GDPR: Art 6.1, Art 6.4, Art 26.1, Art 26.2, Art 26.3, Art 28.1, Art 28.2, Art 28.3, Art 28.4, Art 28.5, Art 28.6, Art 28.9, Art 28.10, Art 29, Art 44, Art 45.1, Art 45.2, Art 46.1, Art 46.2, Art 46.3, Art 47.1, Art 47.2, Art 48, Art 49.1, Art 49.2, Art 49.6


TPM-05 - Third-Party Contract Requirements
  SCF Domain: Third-Party Management
  Control Description: Mechanisms exist to identify, regularly review and document third-party confidentiality, Non-Disclosure Agreements (NDAs) and other contracts that reflect the organization's needs to protect systems and data.
  Methods To Comply With SCF Controls: Non-Disclosure Agreements (NDAs)
  Target Audience: All Users
  AICPA SOC 2 (2017): C1.4
  ISO 27002 v2013: 13.2.4, 15.1.2
  NIST 800-53 rev4: SA-9(3)
  NIST CSF: ID.SC-3
  EU GDPR: Art 28.1, Art 28.2, Art 28.3, Art 28.4, Art 28.5, Art 28.6, Art 28.9, Art 28.10, Art 29
THR-01 - Threat Awareness Program
  SCF Domain: Threat Management
  Control Description: Mechanisms exist to implement a threat awareness program that includes a cross-organization information-sharing capability.
  Target Audience: Management
  AICPA SOC 2 (2017): CC3.1
  NIST 800-53 rev4: PM-16
  NIST CSF: ID.BE-2
  EU GDPR: Art 32.1, Art 32.2
VPM-01 - Vulnerability & Patch Management Program (VPMP)
  SCF Domain: Vulnerability & Patch Management
  Control Description: Mechanisms exist to facilitate the implementation and monitoring of vulnerability management controls.
  Methods To Comply With SCF Controls: Vulnerability & Patch Management Program (ComplianceForge)
  Target Audience: All Users
  AICPA SOC 2 (2017): CC6.1
  ISO 27002 v2013: 12.6.1
  NIST 800-53 rev4: SI-2, SI-3(2)
  NIST CSF: ID.RA-1, PR.IP-12
  EU GDPR: Art 32.1, Art 32.2

VPM-04.2 - Flaw Remediation with Personally Identifiable Information (PII)
  SCF Domain: Vulnerability & Patch Management
  Control Description: Mechanisms exist to identify and correct flaws related to the collection, usage, processing or dissemination of Personal Information (PI).
  Target Audience: Management
  NIST 800-53 rev4: SI-2(7)
  EU GDPR: Art 5.1
WEB-01 - Web Security
  SCF Domain: Web Security
  Control Description: Mechanisms exist to facilitate the implementation of an enterprise-wide web management policy, as well as associated standards, controls and procedures.
  Target Audience: Technical
  ISO 27002 v2013: 13.1.3
  EU GDPR: Art 32.1, Art 32.2

WEB-02 - Use of Demilitarized Zones (DMZ)
  SCF Domain: Web Security
  Control Description: Mechanisms exist to utilize a Demilitarized Zone (DMZ) to restrict inbound traffic to authorized devices on certain services, protocols and ports.
  Target Audience: Technical
  ISO 27002 v2013: 13.1.3
  EU GDPR: Art 32.1, Art 32.2
