Welcome to Lesson 9.3, Hypothetical Use Case Number Two.
In this video we'll cover hypothetical use case number two: Company B's description, Company B's Ready, Set, Go approach, the results and impact of Company B's approach, as well as excerpts from their current and target profiles.
So this is just to give you a bit of background on Company B before we move into their Ready, Set, Go approach and the results and impact of that approach.
So in hypothetical use case number one we looked at a large company, and in this use case Company B is a small mobile app development business with fewer than 15 employees. They develop apps for various industries; they have US-based operations, and they create apps in Europe and Asia.
They don't have any in-house legal; they don't have a CISO or CPO.
They have engineers and programmers that develop apps based on security requirements that are provided by their clients, and their current practice is no longer sufficient for addressing specific privacy and security concerns. So they've decided to hire a privacy consultant.
So in the Ready phase of the Ready, Set, Go approach, the consultant, after interviewing all the stakeholders, determines that the first step is to identify a set of core privacy practices, because that's really non-existent right now in the company.
So the consultant's plan is to basically build a current profile based on app development
and then a target profile based on the app development program goals. So that's our plan and how to move forward, really.
So the VP of engineering scopes the profiles to these three processes pertaining to app development: app design, app engineering and coding, and app testing. So that's really the scope for the profiles.
And then the consultant focuses on the Identify and Govern functions first because, as I mentioned in a previous module, the Identify and Govern functions are really going to help establish your foundation for your privacy risk management program.
Finally, the consultant selects several outcomes from the Awareness and Training category in the Govern function, because she wants to ensure that senior management understands their role within the related privacy landscape, as well as she wants to prioritise basic privacy awareness training company-wide, which is currently non-existent.
So as they move into the Set phase, the consultant's next steps after that were to select additional functions, categories and subcategories to fill out the current profile. And then also the consultant is made aware that clients have requested more opportunities for their customers to participate in the apps' configuration as it relates to processing their data.
So this is something that the consultant is going to have to build into those current and target profiles also. So these are the functions and the categories and subcategories that were chosen to be the focus. So you have the Control function
for two of them, which is looking at the policies, processes and procedures for data management.
So finally, in the Go phase, which is where you are now implementing that action plan, they implemented the outcomes that they selected in that Set stage that we just went over. But they did decide to wait until later in the year to do a full risk assessment; if you remember, right now they're focusing on app development.
So in the immediate term, the VP of engineering right now is most concerned with client requests and the legal obligations because, remember, customers wanted more opportunities to participate in the app configuration as it related to security and privacy for their customers.
So that's where the VP of engineering's concerns are right now.
So right now they have chosen that entire Risk Assessment category under the Identify function, but they're just going to do the full assessment later in the year.
So what this means for the company is that right now, as you can see, they're really choosing to use the functions at a high level to communicate how privacy is incorporated in app development. They haven't really gotten into a more granular level yet at this point, which is fine because you have to remember this is a small company, which means they have fewer resources,
so they're really trying to focus on what's the most important thing for them at the moment.
So they have decided to send a newsletter to all their current clients to highlight their forthcoming privacy efforts, which is a good thing because it's just letting them know that they are taking it seriously and that they're putting that at the forefront of their app development. They're also sharing their profiles with auditors and regulators, showing that they're becoming compliant, basically, with
privacy regulations, which is important. And then finally, they're beginning to share some of the benefits of the privacy-enhancing approach that they're taking, which now is leading to more customer satisfaction, engagement and trust, leading to them gaining more clients,
as well as being able to show compliance with legal requirements based on jurisdiction or sector. Because you have to remember they're doing app development in Europe and Asia, which means more than likely they have to be compliant with the GDPR. So because of that, they've seen definitely a reduction of non-compliance risks, which is a good thing, as well as they've been able to mitigate some of the potential privacy problems, which lessens the likelihood of having a privacy event.
So even though this is a small company, they've been able to make strides in maturing their privacy program, where it seemed like a lot of things were non-existent. So if you're looking at it, even from an implementation tier standpoint,
more than likely, you know, a lot of areas started out as Partial, which means they may have had some semblance but not really a formalized program, and maybe there were some things that were non-existent, and maybe now they've moved more into a Risk Informed approach in some areas, and maybe some areas have possibly even moved into a Repeatable approach.
So I want to take a look at their current and target profiles, because as you can see, they are a bit different from how Company A chose to do it. There it's more of a Venn diagram, whereas here it looks like they use more of a spreadsheet approach, and they're really kind of breaking it down to show you.
So they're showing which functions, and then which categories and subcategories in that function they chose to use, from the Govern function standpoint,
and then they showed you where they were from a current profile perspective, and then looking at what their target profile is. So whereas Company A took that approach, more of a diagram approach, as I mentioned, they use a spreadsheet, and so it's just what you feel is best for your company and how you do things.
So there's no right or wrong approach here. But I just wanted to be able to show you two different approaches that were taken,
and then kind of give you some thought as to what may work best for your company.
So here's just another one, another view or excerpt from their current and target profile, looking at Disassociated Processing, showing what their current profile was and then what their target profile was in relation to this category and subcategory.
So in this video we reviewed Company B's scenario and their Ready, Set, Go approach to implementing the framework, the results and impact of Company B's implementation, as well as we reviewed excerpts of Company B's current and target profiles. So I hope you'll join me as we move into the final module.