Hypothetical Use Case #1
Welcome to lesson 9.2, hypothetical use case number one.
So in this video we're gonna cover hypothetical use case number one: Company A's description. We're gonna look at Company A's ready, set, go approach. We're going to look at the results and impact of Company A's approach and view the current and target profile key.
So, use case number one. This is a use case that we're looking at from NIST, actually. There is a link for the actual hypothetical in the resources section, but I wanted to walk through it so that you get a sense of Company A's approach.
And on the screen we're just going to give some general background information on Company A, which is a large retail organization with about 3000 employees, and they sell smart home and wearable devices. So on those devices, customers can register their devices, view information about their usage history, as well as enable a universal remote control, or dashboard if you will. So within this organization they have a formalized governance structure where key stakeholders in product development are legal, marketing, engineering and product, and senior management. And they are required to implement and comply with many international and domestic privacy laws. So that's just to give you a little bit of background before we move into their use of the ready, set, go approach to adopt the NIST Privacy Framework.
So in that ready phase, these are some of the things that they did during their ready phase. So their legal department focused on the Govern function, the subcategory on identifying legal, regulatory and contractual requirements relating to privacy obligations.
So they really wanted to get a sense of what privacy regulations the organization had to adhere to.
So that's where legal focused their time. The CIO team considered the Inventory and Mapping category in the Identify function. So what they did was they overlaid a data map of the existing architecture design for the dashboard app.
So they did that to see basically what applications they had that were processing data, and then mapping to see where basically that data was going within the company, but like I said, only within the dashboard app. So right now we see that their profiles, and this is where I said we get into, back in module eight I believe it was, I'm sorry, module seven, where we focused on profiles and we mentioned sort of industry-specific profiles or profiles that could be process specific. And we did mention about developers. This is one of those areas, because they're strictly focusing on the dashboard app.
Their current target profiles are not focusing on the enterprise as a whole, so keep that in remembrance as we go through basically this use case.
So security then did a review. They reviewed the Risk Assessment category in the Identify function, and they basically had already assessed risks related to the entry points for hackers, but they realized that they had assessed risks for types of problems that users could face with the app, so that they realized they needed to do a risk assessment there.
So when they moved into the set phase, which is the phase where you're really looking to sort of flesh out and really document what your current and target profiles are going to be, and you do that gap analysis to determine where you need to basically put together an action plan to help you move from that current state to that target state. This is the phase they're in right now. So pretty much they had a cross-functional team review, and this is where the CIO team's data map, to show the different components of the app and the component owners and the data actions, was shown to the cross-functional team.
And then they notated data collection points, data storage and databases, and analytics within that same map.
And so legal then discusses what data is going to be stored and for how long, because they're looking at it from legal requirements, possibly if there are any retention periods that need to be adhered to. And then they also focused on contracts with data processing ecosystem risk management.
Because besides legal or regulatory requirements there could be some contractual obligations that they have for how long they need to store or maintain certain pieces of data.
And then engineering was brought in. They were focusing on internal controls to manage the data disposal, and realized that they also needed to build capabilities in the back end to manage access and deletion requests. So more than likely they may need to be compliant with GDPR, so that in the event someone does request that their data needs to be deleted, that they can actually carry out that particular capability. So they realized they needed to build something like that into the back end of the system to be able to do that.
As well as they realized they wanted to focus on the Disassociated Processing category to help with behavior tracking. So that if this was something that we're gonna track, it didn't necessarily need to be linked to a specific person or individual; they could track this particular type of data without needing to link it to an individual.
And then lastly security was focusing on ID management and authentication, and they realized that they needed to hire additional personnel to really implement encryption that enabled analysis without revealing the underlying data. So all of these teams brought different things to the table in terms of where the gaps were in their current process and realizing where they wanted to mature their program and really take it to the next level.
And you see that some of these things, it's not because it's only focused on the dashboard. It's definitely on a much smaller level just pertaining to that, because they really were trying to focus on basically the impact to the user at this point.
So really in the go phase they implemented the outcomes that they selected in the set stage, and that was really focusing on deletion and metadata. And they realized that really that privacy-enhancing encryption capability, they were gonna wait basically till the next version of the dashboard app to put that on the action plan. So it didn't get implemented this go-round, but they knew it was going to happen for the next phase of the dashboard app, as well as they hired a privacy engineer so that they would be able to do that in the next phase.
So the results and impact of their ready, set, go approach and adopting this privacy framework in relation to that dashboard app, it meant that they were able to explain capabilities it developed and enable customers to access and delete data, which becomes vitally important, especially if you have to adhere to GDPR. You have to be able to have that capability should you receive a data subject access request.
They realized that they could now manage additional privacy risks around behavior tracking, because it was one of the things that they focused on, and they also now were able to basically distinguish themselves in the marketplace from their competitors because they now had privacy-enhancing attributes, as well as for audit purposes. They can now show current and target profiles. They could show that they had an action plan and implementation documentation for how they were able to map to legal requirements, and now they were able to communicate privacy risks across the enterprise above and beyond what they were able to do before.
So now I just wanted to show you, and this is something you will see if you go into the resources tab to really look at the hypothetical use case, the more in-depth documentation that was provided by NIST, but I just wanted to show how they documented their current profile and then really what they were focusing on for their target profile.
You'll see that they now wanted to mature their program by being able to add some disassociability into their program. But this is just one example of how to document the current profile or the target profile. Remember I said there's no template for how to do this; it's really up to your organization.
So in this video we reviewed Company A's scenario and their ready, set, go approach to implementing the framework. We looked at the results and impact of Company A's implementation as well as Company A's current and target profile data map.
So I hope you'll join me as we go into the next hypothetical use case.