Key Ingredients to Information
CAP, CBCP, CCSP, CDP, CIPM, CISSP, ITIL v3, PMP
Is a senior associate at Coalfire Systems LLC. He has more than 18 years of experience in IT security and privacy. Wlosinski has been a speaker on a variety of IT security and privacy topics at US government
he has written
and techniques that need to be employed include
data identification, protective measures, intrusion
detection monitoring and reporting, responding to
privacy events and incidents, and recovery of the
organization to normalcy (when possible).
Governance of privacy-related information requires
that a custom strategy be developed for any
organization. Governance activities should include:
• Identifying the stakeholders and internal
• Developing vision, mission and value statements
with goals and objectives. This information would
be a reference and resource for a privacy charter
that can be used throughout the course of the
• Establishing connections within the organization
to ensure cooperation and efficiency.
section) to address warning banners; system
compromise alerts; key persons to contact; and
response, containment, and recovery processes
• Developing a data governance strategy that
includes data collection, authorized use, access
controls, information security and destruction of
the data/information. The key functional aspects
are assessment, protection, sustaining privacy
operations and responding to compromises.
• Establishing a privacy budget that includes outreach
activities and a contingency reserve for recovery
and emergency expenditures. The expenditures
would include forensic investigations, victim
notification, call center support, outside counsel
(e.g., litigation costs), security enhancements, lost
revenue and stock value, insurance, remediation
actions, punitive costs (e.g., civil penalties and
fines), customer retention, card replacement, victim
damages, and opportunity costs.
The metrics associated with privacy data breaches
are astounding. In 2016, 554,454,942 records were
breached from 974 reported incidents. 1 To break
down the type of data affected, 48 percent of data
breach incidents were for personally identifiable
information (PII), 27 percent were for credit and
debit card data, and 11 percent were for physical
health information (PHI). 2
The root causes of privacy incidents include the
outsourcing of data, malicious insiders, system
glitches, cyberattacks, and the failure to shred or
dispose of privacy data properly. The human element
of data breaches is the result of social engineering,
financial pretexting (the practice of obtaining personal
information under false pretenses), digital extortion,
insider threat and partner misuse. 3 Conduits
used include Universal Serial Bus (USB) infection,
rogue network connections, manipulation of
account balances and backdoor accounts.
Configuration exploitation and malicious software are
also causes of data compromises.
This article will review many aspects of privacy
and is intended as a primer for information privacy.
Topics to be reviewed are categories of privacy,
privacy officer (PO) concerns, governance strategy,
privacy controls and the privacy plan.
Categories of Privacy
ISACA® has identified seven categories of privacy
that every enterprise must address, as shown in
figure 1. 4
Privacy Information Concerns
To address the personal and organizational
concerns of data privacy, the position of PO was
created. Figure 2 shows data concerns, areas of
risk and questions the PO must ask.
All of these concerns help to identify the scope and
complexity of the work. Data governance methods