CISSP Study Guide: Organizational Privacy Policies

Organizations establish and disclose privacy policies outlining their approach to handling PII. These usually entail:

• Statement of the organization’s commitment to privacy. The type of information the organization would collect. This could include names, addresses, credit card numbers, phone numbers, etc.
• Retaining and using e-mail correspondence.
• Information gathered through cookies and Web server logs and how that information is used.
• How information is shared with affiliates and strategic partners.
• Mechanisms to secure information transmissions, such as encryption and digital signatures.
• Mechanisms to protect PII stored by the organization.
• Procedures for review of the organization’s compliance with the privacy policy.
• Evaluation of information protection practices.
• Means for the user to access and correct PII held by the organization.
• Rules for disclosing PII to outside parties.
• Providing PII that is legally required.