Data Protection Policies, Processes & Procedures

00:00

Welcome to Mulele six of 10. Then this privacy framework core protect.

00:07

So looking at the course outline, we've now gone through the introduction, module number one. The overview of the MS privacy framework. We've gone through now, modules two through five, which cover the first four core functions of identified, govern control and communicate. We're now in module six which covers the final uh miss privacy framework core of protect.

00:32

So welcome to less than 6.1, protect data protection policies, processes and procedures.

00:40

So in this video we're going to cover the protect function description. We're gonna look at the protect function category number one, the data protection policies, processes and procedures and then look at types of internal policies.

00:54

So now that we're in the protect function, the description for this function is really looking at developing implementing appropriate data processing safeguards. So what you're gonna see throughout the protect function and uh some of the security professionals that may be taking this course may see this, you're gonna start to see possibly overlap

01:12

with security frameworks.

01:15

Um so for instance, because this is the this privacy framework, it does correlate with in this cyber security framework and there actually is a protect function within that security framework. So those of you that may be familiar with in this CSF and your company may even be utilizing that

01:33

may see some overlap here, which can actually be a good thing

01:37

when you're looking um

01:38

to basically establish your privacy program, there may be some of these controls that you already have in place within your organization. But looking at this category, this is really focusing on ensuring that you've established policies, processes and procedures around the protection of data.

01:56

So you'll see here and it seems like a large number, but you'll see there are 10 subcategories because it's really getting into the controls that you should be setting up and the policies um that you should be putting in place to govern those controls. So really the first one is focusing focusing on that concept at least functionality,

02:15

really having a baseline configuration for of information technology um and basically maintaining uh maintaining and incorporating those security principles, especially the concept of least functionality and then really having a change control process in place um for how you handle changes within an application or system um

02:37

that you're making sure that back up

02:38

some information are conducted, maintained and tested in the event that there's a disaster or from the business continuity standpoint, that you can basically recover, especially from a financial standpoint um with your applications that may be handling finance

02:58

um that you can really recover from the point at which maybe things went down.

03:02

And then really looking at sub category for that policy and regulations regarding the physical operating environment for organizational assets that's met. So if you have, like on site servers, you're gonna want to make sure that the that the temperature is controlled for those rooms as well as what would happen in the event of a fire that alerts are set um

03:23

that uh facilities is aware of how those rooms needs to be maintained and what would happen in the event that there is a physical event on site. How that affects basically um the data and the systems and applications that are storing or processing that data.

03:38

Um You want to make sure that protection processes are continuously improved so that you're always monitoring and looking at how are you protecting um the data that you have on site. Um and this to gets into

03:52

in the event there is an event that you're really incorporating those lessons learned from those events. And we went through that in a previous

03:59

function that you're incorporating that back into your processes and procedures and that really the effectiveness of the protection technologies has shared. So um whether that's uh shared with others within your organization, um that even you're sharing it with industry peers, maybe there's something that's working for your organization,

04:18

you know, share that with others so that personal data can be protected.

04:23

Um and

04:24

these next to kind of get into having incident response and business continuity plans in place. Um and that you're basically managing and testing those response and recovery plans so that in the event something happens, it's not the first time your personnel is looking at these documents and the first time that they're actually going through that process or procedure,

04:45

you wanted to be able to kick in when an event happens, that they know what they should be doing. So making sure that your training, the requisite personnel to those documents

04:54

as well as ensuring that your privacy procedures are inherent in your human resources practices. So this means provisioning and de provisioning access when you're on boarding and off boarding someone or when they're moving into a new role within the company, that if they move from finance to marketing, they don't still have access to

05:13

those finance applications

05:15

as well as personnel screening when you're looking at um prospective candidates for roles that you're doing that background screening. Um And then finally your vulnerability and patch management plan um becomes vital. Um You know, if you're have Microsoft office or some other application

05:31

and Microsoft is pushing patching to your

05:35

company, making sure that you're following up on that because you don't want to leave networks or applications or hardware vulnerable. Um and that be the reason that you have a data breach when you could have been following um you know, vulnerability and patch management plan.

05:51

So we want to get into in the next slide of what are some of the internal policies that you can create um in order to meet what's being discussed here in these subcategories to ensure that your um you know, instituting appropriate safeguards to protect your personal data that you have within your company.

06:09

So really that information security policy is really gonna be sort of a,

06:13

you know, a complete package of what your security practices are within the enterprise. You know, this is where you may have, you know, sort of your high level overview for what a lot of these other policies are. And that's really a document um where people can get an overall sense of what your security posture is.

06:32

But change management really goes into if you're making a change um within an application or to the network that you're going through the proper channels of getting that approved, that hopefully it's being tested in development environment before it goes into production. Um So that, you know, if there's going to be any issues before that gets instituted

06:51

to having a data backup policy

06:55

where you're ensuring that either um if a system goes down that it's failing over to another location, um that you can easily recover those documents um or bring back um whatever systems online. Um Should you need to do that

07:11

as well as your your physical security policy. You know, if you're in a particular industry like finance, um people may need to get badged into your building. Um Even within your facility, there may be areas that are off limits to some people depending on the type of work that you're doing and definitely your server room should only be access by the individuals that need access to that as well as what safeguards are in place

07:34

um to manage um

07:36

access uh to the security server as well as what safeguards are in place to ensure nothing happens to the security room. You know, if a fire happens or some other um event may take place. And that's really where your physical security policy comes in.

07:53

We mentioned before about having an incident management policy in response plan that really just goes through what your step by step processes in the event. You have a data breach or some sort of other incident um where your network has been breached. How do you handle that? What is your response plan in the event? You

08:13

have to basically let individuals know that their data was breached? Or do you have to report

08:18

um to a regulatory body? So really laying out what that is as well as your disaster recovery and business continuity management policy? What happens if the power goes out um how will people be able to work and operate um and access those applications? Is the integrity of the data still going to be maintained?

08:37

So you want to make sure that you have that as well as an access management policy?

08:41

You know how when people are on board and what are they given access to? What are people given access to? Um From a role based perspective based on their role within the company, whether that's customer service or finance, um You want to make sure that you're at um provisioning and de provisioning access accordingly and that you're even monitoring and auditing um your access management processes on a regular basis to ensure that someone's left the company, um Their accounts truly were deactivated. Um

09:13

And then finally, as I mentioned before, really looking at your vulnerability and patch management policy, um whether that's something you do in house or looking at a third party or cloud provider that has their own um patch management schedule that you're following and adhering to their schedule, um so that you don't leave your networks or system vulnerable or forget to do a patch.

09:35

Um because you know, that's the easiest way that um uh hackers or a hacker or someone else can have access to your network. So you want to ensure that you're monitoring that um and doing regular vulnerability and penetration testing scans on a regular basis.

09:52

And this list is um not indicative of all the internal policies that you should have, but these are some of the major ones that um every enterprise should have in place for how they're handling and protecting data.