Inventory Mapping

Video Transcription
Hello and welcome to Module 2 of the NIST Privacy Framework Core: Identify.
If you remember from the beginning, I said that as we go through the course, I just want to always provide a status of where we are in the course outline. So we've gone through the introduction and we just completed Module 1, Overview of the NIST Privacy Framework, and we're now entering Module 2, NIST Privacy Framework Core: Identify.
So welcome to Lesson 2.1, Identify: Inventory and Mapping.
So in this video we will cover the Identify function, the Identify category number one, Inventory and Mapping, and then the eight subcategories of Inventory and Mapping.
So before we really get into this particular video, I really wanted to cover sort of what we will go through as we go through Modules 2 through 6. I'm sure some of you have seen webinars online that cover the NIST Privacy Framework, but a lot of those webinars don't give you a deeper dive of the Core and sort of walk through what the function, the category and the subcategories are discussing. And really in this course, besides just kind of giving you a high-level overview of the NIST Privacy Framework, I did want to do a deeper dive and really try to provide some guidance, depending on whether you decide to choose certain functions, categories and subcategories, on how to go about doing that, so that you know sort of what you have in store and what you should be doing, should you choose to adopt certain functions, categories or subcategories.
So that's really what Modules 2 through 6 are about: really kind of giving that deeper dive on those modules, with those functions and categories and subcategories for the Core, so that you just have a better understanding of how to tackle going about implementing a lot of these controls.
So as I mentioned for this video, the first one that we're really going to cover, Module 2, is covering the Identify function. And so what that's focusing on really is developing the organizational understanding to manage privacy risk for individuals arising from data processing.
And so this first category that we're going to focus on (the other lessons will go into subsequent categories) is Inventory and Mapping. And so that's where you look at data processing by systems, products or services and see how it's understood and informs the management of privacy risk.
So what data processing means really is that you're looking at how your company or a partner company essentially processes data. That could be anything from storing the data to sharing the data. There are multiple ways that a company can process data, and I'll use an example: your payroll provider processes personal data from an individual in order to pay payroll. So you probably share a Social Security number, a name, an address and bank account information for that individual to ensure they get paid.
So that's an application that is processing data. So within this category, what you're going to be looking at is really trying to inventory all the systems within your enterprise that are possibly processing data, creating an inventory for those, and then really creating sort of a data map to show how that data is flowing through your organization. Because many times different applications may interface with other applications. So although you may, for instance, input personal data into Oracle within a system, Oracle is probably feeding other applications, so really being able to create a data map becomes vitally important.
So as we look at the eight subcategories for this particular category, it can seem daunting. But on the next screen, I'm going to really show you how P1 through P6 all really go to sort of building out, whether you do an Excel spreadsheet or even in an application that you may be utilizing to help you manage privacy risk, how those are really just laid out sort of in a grid-style format to collect all the data that you need for the data inventory. And then really P7 and P8 are really going more so into the data mapping process.
So here's an example of what I was talking about regarding sort of building that data inventory, and this is really a sample of how you could start. And this is more so using an Excel spreadsheet format. Sometimes when companies are starting out they don't necessarily have the budget yet to pay for something like OneTrust or BigID or other possible tools that may be available out there on the market. So one way to start sometimes is creating an Excel spreadsheet that is essentially listing all of your applications. As you can see here, I've even shown you how it correlates with the subcategories from this particular category of Inventory and Mapping.
So, ID.IM-P1. And as you go through this you'll see that the way to read this really is: ID stands for the function, so we know that we're in the Identify function, and then the letters after the period, IM, are really for the category, so it's the Inventory and Mapping category, and then P1 is just letting you know that this is the first subcategory within this category. So ID.IM-P1: any time you see that now, you should be able to know what function you're in, what category we're looking at, and then just what number subcategory you're looking at.
So as you can see at the top, as I've put what each one represents, I also just put the correlating subcategories, so you knew that you were essentially tackling ID.IM-P1 through P7 in this document.
So as you'll see here, I'm using ADP, which is the example that I used earlier, as the system or application that's listed here, and then you always want to put who your system owner is, in the event there are questions. Normally this person, I'm sure, probably conducts the testing for the application, and they're probably the one that helps troubleshoot when there are issues.
So then in categories, this is where you're putting the particular types of individuals who you have personal data for. So in this instance you probably have information for customers, employees, prospective employees, vendors or consumers. And you could put that in a drop-down format. I did it this way so that you could see the different possibilities that you could utilize.
And when we get into data actions, once again, when I mentioned data processing, there are various ways that an application can process data. The ways that data is processed within the NIST Privacy Framework are referred to as data actions. So you could be collecting data, you can retain data, you can share data, and I mentioned before that storing data is also a data action.
So I just listed a few here. I'm sure there are others, if you really looked at a definition for data action, that could go here. I'm just trying to get you thinking in the right direction of what it really means to process data and what a data action consists of.
So then ID.IM-P5 gets into the purpose. So why are you processing data? And that's what we mentioned before with ADP: you're processing it for employee payroll. So no, the purpose doesn't have to be elaborate. You just have to know why the personal data is being processed. So in the sixth column we get into data elements. So a data element is what is being collected. So a name, a Social Security number, bank account information: those are the data elements. And so you're going to see these different definitions and descriptors as you go throughout the NIST Privacy Framework. So looking at this first category and the Identify function is really going to help you learn the terminology that's being used throughout the NIST Privacy Framework.
So in that final column, ID.IM-P7, it's the data processing environment. So this is really where it's being processed, what the region is. So if you have a server that's on-prem (I'm in Massachusetts, so I'll just say that it's in my location, the city where I'm at, Marlborough, Massachusetts), that it's located there. And the reason you want to know where it is, as well as the region, is because it gets helpful if you have data subject access requests. Let's say that you have to adhere to the GDPR. You want to know where that data is stored. This also will get into the data flow maps that we're going to discuss in a few slides, because if you have a DSAR request come in, you want to know where all that information is in the event that you have to delete all the information. So that would mean deleting it from all the applications that have it.
So knowing the geographic location also lets you know what regulations you may have to adhere to depending on where the data is stored, and then, if it's a cloud or a third party, you may have to have that third-party partner help you with a DSAR request. So it's important to know all of the elements that are being asked for within the spreadsheet that I have here before you.
So on the side we have a sample of a data flow map, ID.IM-P8, which was the last subcategory for this category. You've completed your inventory, so now you want to be able to show how that data is flowing throughout all the systems and applications within your enterprise. So this is just one example of a way to do a data flow map. You can see that you've used different symbols to show different types of systems or applications or even departments, and you always want to include a legend or key so that if an auditor or a third party is looking at your data flow, they know how to read it.
So as you can see here, in the beginning part of this, in the swim lane, you see that it may start out with a customer, and then it goes to a certain website located in the UK, and then you can see it may go to multiple sources from that website. So it'll go to a database, it will flow through Mailchimp or to other websites, trend Seymour zero, before it's getting to customer service, to marketing or accounts. So being able to see where all this data lives becomes vitally important.
On the next slide, this is also a sample of a data flow map. You can see it's a bit different. It doesn't use the different symbols that were utilized in the previous one, but it does use a color coding of sorts for you to see really the type of data that's flowing through these systems. So the previous one didn't get really to this in-depth of a level. It really just showed where it was flowing through, but it just didn't necessarily state the type of data that was moving.
So in this we can see the black dot is combined data, so it's personal data, transactions, financial and web sessions. The pink dots are for cookies or behavioral tracking, the green is for financial data, the blue dot is just transaction data, so purchase records, confirmation numbers, invoice numbers, and finally that peach dot is customer data.
So you can see here, from the various systems, from a website or the retail point of sale, how the data is flowing through the company and even what types of data are flowing through their systems. So there's no right or wrong way to do this, but I just wanted to show you different examples of data flow maps and really just give you some examples of how you can implement this within your enterprise.
So something I did want to share, and I will be referencing this quite a bit as we go through the various modules for this course, is that in implementing the NIST Privacy Framework, NIST did provide certain tools to help with learning how to implement a lot of these controls. And so you can go to the NIST Privacy Framework site to get these resources. However, in the resources section for this course, I have provided the links myself so that you don't have to hunt and find them on the NIST Privacy Framework website.
So for each subcategory, they do provide what the resources are for each of the subcategories. So as you can see here, they provide SP 800-37 Revision 2 and point to a specific task, P-10. But two areas that I do want to highlight here, where I have actually provided the worksheet and the dashboard, are this plan worksheet too, and the Personally Identifiable Information Inventory Dashboard. These are resources here that will help you get started with the inventory as well as creating a data flow map. So there are definitely resources out there that I will share from the NIST Privacy Framework, as well as others that I may have found.
And like I said, I will reference those and tell you that they are included in the resources section for this course, but I did want to point this out in the event you do want to go to the NIST Privacy Framework page for yourself to see this.
So in summary for this video, we covered the Identify function description, determined what it means to conduct the data inventory and mapping, reviewed samples of data inventory and mapping, and looked at the overview of the NIST guidance and tools for each subcategory.
So I hope you'll join me as we move into the next video.
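As an added example (not from the course, and not a NIST tool), here is the inventory grid described in this lesson expressed as rows keyed to ID.IM-P1 through P7, with the ID.IM-P8 flow map derived from which system feeds which, so a DSAR can be traced system by system. The system names come from the lesson; the owners, the data elements and the "CRM" downstream target are constructed placeholders.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class InventoryRow:
    system: str               # ID.IM-P1: system / product / service
    owner: str                # ID.IM-P2: system owner
    categories: frozenset     # ID.IM-P3: categories of individuals
    data_actions: frozenset   # ID.IM-P4: data actions (collect, retain, share, store)
    purpose: str              # ID.IM-P5: purpose of the processing
    data_elements: frozenset  # ID.IM-P6: data elements
    environment: str          # ID.IM-P7: processing environment (on-prem site, cloud, third party)
    shares_with: frozenset = frozenset()  # downstream systems this one feeds (drives ID.IM-P8)

# Constructed sample inventory using the systems named in the lesson; owners and "CRM" are placeholders.
INVENTORY = [
    InventoryRow("Oracle HR", "hr-systems-owner", frozenset({"employees"}),
                 frozenset({"collect", "store", "share"}), "employee records",
                 frozenset({"name", "address", "ssn", "bank_account"}),
                 "on-prem, Marlborough, MA", frozenset({"ADP"})),
    InventoryRow("ADP", "payroll-owner", frozenset({"employees"}),
                 frozenset({"retain", "share"}), "employee payroll",
                 frozenset({"name", "ssn", "bank_account"}), "third party, US cloud"),
    InventoryRow("Mailchimp", "marketing-owner", frozenset({"customers"}),
                 frozenset({"collect", "share"}), "marketing email",
                 frozenset({"name", "email"}), "third party, cloud", frozenset({"CRM"})),
]

def locate_element(inventory, element):
    """Every system (with its ID.IM-P7 environment) holding the element: what a DSAR deletion must cover."""
    return sorted((r.system, r.environment) for r in inventory if element in r.data_elements)

def third_party_holders(inventory, element):
    """Systems where a partner must help answer the DSAR because the data sits with a third party."""
    return sorted(r.system for r in inventory
                  if element in r.data_elements and "third party" in r.environment)

def flow_edges(inventory):
    """ID.IM-P8 arrows as (source, destination, elements both rows list); unknown targets carry ()."""
    by_name = {r.system: r for r in inventory}
    edges = []
    for r in inventory:
        for dest in sorted(r.shares_with):
            target = by_name.get(dest)
            common = r.data_elements & target.data_elements if target else frozenset()
            edges.append((r.system, dest, tuple(sorted(common))))
    return edges

def uninventoried_targets(inventory):
    """Downstream systems on the flow map with no inventory row: an ID.IM-P1 gap to close."""
    known = {r.system for r in inventory}
    return sorted({d for r in inventory for d in r.shares_with} - known)
```

Running `uninventoried_targets(INVENTORY)` flags "CRM", the kind of un-inventoried downstream system that a DSAR deletion would otherwise miss.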