4 hours 7 minutes
Welcome to Module nine of 10, How to Adopt the NIST Privacy Framework: Ready, Set, Go.
So now on the course outline, we've completed the introduction, we've gone through module one, an overview of the NIST Privacy Framework. We've completed modules two through six, which covered the NIST Privacy Framework Core: Identify, Govern, Control, Communicate, Protect. We've completed module seven, the NIST Privacy Framework Profiles, and module eight, the NIST Privacy Framework Implementation Tiers.
And now we move into module nine, How to Adopt the NIST Privacy Framework: Ready, Set, Go.
So welcome to lesson 9.1, Ready, Set, Go.
In this video we will cover an overview of the Ready, Set, Go method, and we'll go through a step-by-step adoption process for the NIST Privacy Framework.
So the Ready, Set, Go method is really just a simplified approach for establishing or improving a privacy program.
So in the first phase, the Ready phase, you're really using the Identify and Govern functions to get ready, and what that means is you're reviewing the categories and subcategories under those functions to begin to develop your current and target profiles, because they really are going to be the foundation for how you're building your privacy program.
So you're really looking at your organizational privacy values and your policies, you're determining your risk tolerances, and you're conducting your privacy risk assessments, really to provide that foundation before you move into the Set phase. So this is all preparing you for what you're going to do in the next phase, which is really building out your current and target profiles.
So in the Set phase, this is when you start to put together your action plan based on the gap analysis that you're doing between your current, or as-is, state and your target, or to-be, state. So you're really working on those two profiles, and you don't have to do it in a particular order; there's nothing saying that you have to write your current profile first and then do your target. You could very easily document your target profile first and then your current profile. So at this point in the Set phase you're making sure that you're completing the current profile by indicating the categories, subcategories, and outcomes, even more so, not just from the Identify and Govern functions, but now you're also looking at the other functions to see if there are other functions, categories, and subcategories that you need to include in your current profile. Are there other things that you're currently doing? And if not, really determining where you want to be.
So then looking to see what isn't already being utilized that you may want to bring in to mature your privacy program.
So you're completing, as I said, both the current and target profiles, looking at the remaining functions, categories, and subcategories, and then really comparing those two, current and target profiles, to determine where there are gaps. And then that's really how you're basically putting together the action plan for how you want to move from your current profile to your target profile.
So then finally, in the Go phase, this is when you're just really moving forward and implementing what you outlined in your action plan. So you're going to prioritize which actions to address, to address any of the gaps, and adjust your current privacy practices to help you achieve your target profile, and there's no set order in which you have to do that.
Really you're prioritizing it based on the resources that you have and what you feel are the most important controls or items that you need to put in place, to at least at a basic level make sure that you are adhering to any privacy regulations or contractual obligations that you may have, before you start possibly moving into a more granular level of building your program. And you can easily go through the phases non-sequentially. Some people actually start implementing controls or writing policies before they've even identified their current and target profiles, because just remember that you're always continuing to assess and improve upon your privacy posture.
So don't look at it as, we've created our target or current profile and we're done. Your target profile can be something that is continuing to evolve, just as your current profile continues to evolve. Maybe you've created a current profile and a target profile, and six months later you're deciding to look at your program again to see: we've gotten to a certain maturity state, and maybe you're looking to mature even further. So you may write a new current profile and a new target profile based on where you're at six months later. So just remember, this is not something that's going to remain static; it's going to be something that's ever evolving.
So in addition to the Ready, Set, Go method, I just wanted to break down a step-by-step process based on what we looked at with all the functions, categories, and subcategories. And this isn't a hard and fast rule, but some people do like a more granular process to help them achieve building a privacy program. So I thought I would throw this in to show you how to adopt the NIST Privacy Framework. So really with step one, and the reason it's on the bottom is because, like I said, that's step one, and then with each step after that you're continuing to build upon the foundation that you started with in step one. That's why step one is at the bottom and not at the top.
So step one, you're really prioritizing and scoping, and this is really determining those business objectives and strategy and prioritizing what those are and what they mean to the company. If you remember, there was a program worksheet included in the resources that's going to help you do this. And step two is orient, and that means really creating that data inventory, listing all those applications, who's the owner, what data they're collecting, and what it's used for. So you really want to do that data inventory and then map, so show the data flow of how the information is flowing through your organization. And at the same time you're doing that, you're trying to figure out what privacy regulations your company must be compliant with, because those all help you when you're doing the risk assessment in step three: really determining what exposure you have under those regulations, and then how you want to determine your tolerances, because sometimes your tolerances may be based on the penalties that are set forth within some of these regulations. And so you may be looking at it from that perspective, or even a contractual perspective.
So then steps four and five. This is when you now get into creating. You've done the heavy lifting with the prioritizing, you've determined your business objectives and strategy, you've done your data inventory and mapping, and you've determined where you have exposure and what your risk tolerances are. So now you can build that current and target profile, because you now know what you're doing and where you want to be, how you want to mature your program. And then from there, once you have both your current and target profile, you're able to do a gap analysis between the two to see where you have gaps and develop an action plan to help you determine how you go from the current profile to the target profile. And then step seven is really putting that action plan into place to build your privacy program, and then continuing to measure and monitor that program to see how you can continue to make it even better.
So in summary, in this video we covered the Ready, Set, Go method and the main points of each phase, and then we went through a step-by-step process to achieve adoption of the NIST Privacy Framework. So I hope you'll join me as we move into the next video.