4 hours 7 minutes
Welcome to module four of 10. MS privacy framework Core control.
Here's the course outline for the course
this far. We've covered the introduction, we've gone through module one. The overview of the MS privacy framework
module to this privacy framework core identify. And then this three. Module three. This privacy framework core govern. We're now going into module four, which is that this privacy framework core control.
So welcome to less than 4.1. Control, data processing policies, processes and procedures.
So in this video we will cover the control function description. We're going to review the control function category, data processing policies, processes and procedures as well as what the data life cycle is.
So, as you can see here, we are now looking at the first category within the control function. So the control function focuses on developing and implementing appropriate activities to enable organizations or individuals to manage data with sufficient granularity to manage privacy risks.
So really what this particular category for the control function is focusing on
is making sure that you have policies and processes in place um that describe how you handle data processing. And really the focus is the key word for this entire category is the data lifecycle because all of the uh
things that are mentioned here from data review to transfer sharing, disclosure
of data as well as maintaining and authorizations will all be encompassed within the data life cycle. And we're going to basically see um the subcategories that are mentioned here within that data lifecycle management on the next slide.
So I found this particular diagram online and I thought it spoke uh pretty well to basically how data life cycle should look within an enterprise. So you can see it apart from inception when data creation happens. And this doesn't mean that your
enterprises creating data. It's really from the moment that you ingest data from whether that's an employee, a customer, a partner. So once that um personal data is coming into the company, that's really at the time of data creation. Um so that's why they use that terminology here, is because
you're now basically ingesting that particular personal data for different purposes. Um you know, for customers, um you may be uh ingesting it from a marketing perspective for employee perspective employees, it's for employment partners, it may be uh financial data, um, email address address, other things of that nature.
Um so that's really data creation. Um and once you have the data it has to be stored somewhere. So that's where storage management comes in, whether it's stored um by a cloud service provider or on prim and a server. Um you want to make sure that you have policies and processes in place regarding how that
data will be stored
and if it is being stored by a third party, making sure that you have um clauses within your contracts that define how that data is being stored and how you get access to it.
Um And then that really moves into data use and role based security. Um So I know we've all seen various privacy policies where um it basically tells the individual that's applying the personal data or the data subject how that data is going to be used. So what's the purpose for
um the enterprise asking for that particular piece of information,
for instance, with employees and I know I keep using this example but it's one of the best ones um is when you're asking for bank account information so that you can pay your employees. Uh So information is necessary for payroll and it really goes back to that data inventory and mapping that we went through in the identify function
of when you're building out your inventory and listing all the applications
um that possibly have personal data and what data there keeping and why it's being used. What's the purpose for. So that's kind of where this comes in and making sure that you have access management in place that for particular pieces of information.
And once again using bank account information, someone who works in a lab wouldn't need access to someone's bank account information that really should be relegated to someone um that works in finance. Um So making sure that um the individuals in your company
only have access to data that is necessary for their job function.
And that's to where we kind of go back to the training aspect of knowing basically what roles and responsibilities people have to know how you need to train them. Um So you would definitely train um
uh basically someone finance how to handle that data um And making sure that you are going through your role based security to make sure that you know someone leaves or changes the job function within the company that they no longer have access to that data.
So having those types of policies, processes and procedures in place for provisioning and de provisioning access and making sure that you're auditing that become vitally important to the data Lifecycle management.
And then we get into sharing data and this could actually be an internally or externally. Um There may be data that's moving between applications. Like I know when a company I worked for oracle um was where a lot of um uh personal data came. That's from the data creation but then it got disseminated and shared with various applications depending on what the other applications needed that data for. So that's an internal way that data is shared. But then also it can be shared externally. Once again with a payroll provider um or with another service provider. Um It could be someone um a company that may be doing marketing on your behalf. Maybe getting some of that customer data uh that was created for your company.
So you definitely want to make sure if you're sharing data with external parties. Once again contractual obligations come in that you make sure that you have clauses and they're protecting that data when it is given to um a service provider or a third party partner and then once again within your company, making sure that you have valid processes in place
for basically how that data is moving in between applications and then when that data no longer um is useful to your company. You get into having the archive that data,
you don't necessarily get into destroying it yet because sometimes you have record retention policies, which you should definitely have within your organization, for knowing from a legal obligation when you have to retain data for a certain period of time, uh definitely working within an HR or finance function, we know that there are laws and regulations pertaining to how long
those types of records need to be stored as well as there could be a contractual or operational reasons to not get rid of data yet, but making sure that you have a way to archive that data until you're ready to destroy it. So making sure that you have a record retention schedule or other policies, processes and procedures in place to handle the archiving of data.
And then finally getting to um you no longer have to retain the data um because it served its purpose already and you've already met your record retention requirements and there's no reason to keep it. Um That's when you get into how you're going to permanently destroy data. So having like a data destruction um uh process in place for how you do that, how you sanitize
um hardware or um other things when you no longer need them or you're going to repurpose them. But making sure that you have those types of procedures and processes in place to handle that and that really encompasses that data lifecycle management and it really does speak to all the category and the subcategories that are encompassed in this particular category
of the control function.
So before we move on to the next video we're going to have a quiz. So true or false. A data life cycle is the sequence of stages that a particular unit of data goes through from its initial generation or captured to its eventual archival and or deletion at the end of its useful life. One true or to false.
So the answer here is true. As you remember from the data lifecycle slide, we went through all the different phases basically of data lifecycle management. For data that basically comes um into an enterprise and so it does basically go from
inception or generation or capture of that data all the way through
um to basically destroying the data once it's already served its purpose and it doesn't need to be kept for archival purposes pertaining to a record retention policy.
So please feel free to revisit that slide um to make sure when you are creating your policies and procedures that you're encompassing all those aspects.
So in this video we covered the control function description.
We looked at the sub categories of the data processing policies, processes and procedures, and then we went through the data life cycle diagram, so I hope you'll join me as we move into the next video.
NIST 800-53: Introduction to Security and Privacy Controls
This course will provide Executives, Assessors, Analysts, System Administrators and students with the foundational knowledge ...
2 CEU/CPE Hours Available
Certificate of Completion Offered
CIS Top 20 Critical Security Controls
This course will provide students with an overview of the CIS Top 20 Critical Security ...
4 CEU/CPE Hours Available
Certificate of Completion Offered