Secure Controls Framework Privacy Management Principles

00:00

Welcome to less than 10.4 secure controls framework privacy management principles

00:06

in this video. We'll cover the overview of the secure controls framework privacy management principles. We look at the secure controls framework privacy management principles, mapping

00:16

And we'll look at the secure controls framework privacy management principles 11 domains, as well as an excerpt of secure controls framework privacy management principles matrix.

00:28

So here we have our grid comparing this privacy framework to secure controls. Framework privacy management principles using the four different elements that I've used, which is the governing body, the correlating security framework, the controls and the maturity model.

00:44

So as we know that this privacy framework is governed by Nist, the National Institute of Standards and Technology, whereas the secure controls framework is governed by

00:55

the secure control Framework Council and its security and privacy by design initiatives. So it's a group of volunteers um from security and privacy um that basically created uh this framework as well as the correlating uh security frame with the secure control framework that

01:14

um this is based on

01:15

um and as we know, the correlating security framework for this privacy framework is in this cyber security framework

01:23

um as far as controls furnace, there are five functions, 18 categories and 100 subcategories. Whereas the secure controls framework privacy management principles has 11 domains and 76 principles that fall under each of those 11 domains. Um As far as the maturity model,

01:41

this privacy framework falls for implementation tears,

01:44

one partial to risk informed through repeatable and for adaptive.

01:49

And then finally, um for the maturity model for secure controls framework privacy management principles, there are six maturity levels, so you have not performed performed informally planned and tracked. Well defined, quantitatively controlled and continuously improving.

02:09

So one thing to point out with secure controls framework privacy management principles um is the reason that they did develop this is because they knew it would be very difficult for people um with a non legal background to try to comb through and call through all the different frameworks and laws and regulations

02:29

um to really sort of identify um

02:34

you know, and do a true comparison. Uh So what they did was they looked at a lot of the leading um frameworks that were out there that were out there and Prince privacy management principles um and map to those so that if you're choosing to follow the secure controls framework

02:53

in a sense, it is almost like you're following and adhering to these other ones, if you are compliant

02:59

and are enacting these controls within your organization. So you can see that they map to the G D P R. We see the Fair Information Practice principles on here, which means more than likely those 11 domains may be pretty similar to the Fair information practice principles. We also see the generally accepted privacy principles here as well as the HIPAA privacy rule.

03:20

We even see 27 701 and 29 100 here missed 853. And it does even including this privacy framework. So you see here they map to a lot of different frameworks and even some regulations um which means this could be pretty valuable for a company that maybe

03:38

operating in a lot of different regions around the world and have to adhere to a lot of different privacy frameworks because we even see that um a I C P A s trust services criteria is on here as well as the ASIA pacific Economic Cooperation. So there's a lot going on here, even CCP A um that may make this a viable option for some companies to use as their

04:01

privacy framework.

04:04

So the 11 domains um for the secure controls framework, privacy management principles are number one privacy by design to data subject participation, three limited collection and use for transparency. Five Data life cycle management,

04:25

six data subject rights,

04:27

seven security by design, eight incident response, nine risk management, 13th party management and 11 business environment.

04:34

And so as again, once again, now that we've gone through the fair information practice principles and the general accepted privacy principles as well as even the eye. So 29 100 principles um like I said, you do start to see a lot of overlap. A lot of

04:50

Similar principles from each one. And like I said, a lot of them took their cue from the codification of the fair information practice principles um way back in the 1980s. And so like I said, you do see a lot of them having the same principles throughout. Like I said, we see privacy by design, we see

05:10

collection and use

05:12

um you do see, you know, security listed here as well as data subject rights. Um And like I said, you even see how this ties into um the regulations um that spawned a lot of these same elements from the CCP A and G D P R that I've mentioned previously.

05:30

So here I wanted to give an excerpt sort of of their matrix. Um and so focusing on the darker gray area where it says 2.0, data subject participation was one of the 11 domains we saw on the previous screen. And so it gives a description here um of that particular principle.

05:48

And then as it goes into 2.1,

05:51

you see uh one of the principles that falls under that domain. Um so we see a clear choices is one that falls under data subject participation and it gives basically a description of that particular principle. Um So then what you're looking at in the yellow area

06:11

um is how it maps to these different frameworks and regulations. So it's actually giving you article numbers

06:16

or clauses or different sections of another framework or regulation that it's mapping to so that you can easily um go to those sections in those documents to see um what the description says or what the requirements are. And you would actually be meeting them since it's basically mapping back to that.

06:35

Um So I said this is definitely on the higher end for someone to consider, since it does map to all the frameworks that we've covered, including Nist and um actually some regulations we saw C C P A and G D P R um so I have included the link

06:51

for the secure controls framework in the resources section.

06:56

Please check it out. They do have a lot of documentation and help to assist you should this be one that you're choosing to adopt and it is free, just like the knicks privacy framework. As you can see from our comparisons right now, the only one of the that is a true cost because it is a standard and not a framework was I so

07:15

27 701 and I saw a 29 100.

07:18

And so that does have a cost because also you would get certified to ISO whereas the other frameworks that we looked at are just that frameworks that can be tailored to um how your organization um is choosing to operate.

07:33

So in this video we covered the miss privacy framework and the secure controls. Framework, privacy management principles comparison. Uh We looked at the secure controls framework, privacy management principles mapping and the 11 domains. And then we reviewed an excerpt of the secure controls framework privacy management principles Matrix.

07:53

So I hope you've enjoyed this course