GAP/RISK ASSESSMENTS
SoCal Privacy’s most commonly performed service is to conduct Gap Assessments for privacy, security, or both.
Privacy and/or Security Gap Assessments include:
Data Flow Mapping
- Process: SoCal Privacy develops a data flow diagram for each separate end-to-end process involving PHI/PII. This means mapping “the data privacy life-cycle”: identifying data collected, accessed/used, shared, stored, and disposed of. Resources (where data is stored) are identified, and appropriate resource owners and resource custodians are assigned to establish resource governance. Data is inventoried by its sensitivity or risk level, which determines the strength of the controls each resource requires to adequately protect its data. While some consultants do not data map, this helps us get our arms around your data processes and locations, so we can better advise you, especially during the Assessment process.
- Company Benefits:
  - Evidence of Governance: Walking a regulator, auditor or third party through your data map(s) demonstrates that appropriate governance is in place. Sometimes data maps are requested as part of due diligence.
  - Data Governance: If you don’t know where your data is, you cannot protect it. Clients are always surprised to learn where some data is located. Often, we find that clear formal ownership of resources is lacking. Keeping the data flow diagrams current helps ensure data governance is maintained.
  - Gap and Risk Assessments: Data maps better inform gap and risk assessments.
  - Continuous Improvement: Data maps can reveal opportunities for risk mitigation and improved or new controls, as well as areas for improved or new efficiency in business processes and systems.
- Deliverables:
  - Data flow diagram(s) (usually created in Visio with swim lanes for separate functions/processes); and
  - Raw SIPOC data gathering tool (developed in an Excel workbook) that identifies the processes that collect, access/use, share or move PHI/PII; the resources that store PHI/PII, with the sensitivity of the data; and the resource owner and resource custodian for each resource.
NOTE: Our data mapping whitepaper can be downloaded from the Resources section of the website.
Controls Evaluation
- Process: For security, SoCal Privacy follows the NIST Cybersecurity Framework methodology to conduct a review against required standards and controls (such as HIPAA, ISO 27001/2:2013 and the CIS Top 20 Critical Security Controls), identifying and documenting existing controls in a Current (state) Profile and desired new or strengthened controls in a Target (state) Profile. Also using NIST's methodology, we rate each Profile by its Risk Management Implementation Tier: Tier 1 (Partial/Ad hoc), Tier 2 (Risk-Informed), Tier 3 (Repeatable) and Tier 4 (Adaptive). For privacy, we generally conduct a privacy impact assessment (PIA/DPIA) based on the data privacy life-cycle mapping and either generally accepted privacy principles and/or the appropriate regulatory requirements. During Phase II (Program Establishment), we can help you shore up any identified control gaps.
- Company Benefits:
  - Regulatory Requirement: A periodic controls evaluation or monitoring is required by many laws, regulations, guidance documents and standards. It establishes the baseline for compliance.
  - Due Diligence: Due diligence questionnaires from third parties and for cybersecurity risk insurance will ask you to attest to having this done periodically, often annually. We provide you the tool to conduct this activity going forward.
- Deliverable: Controls evaluation tool
Risk Assessment
- Process: SoCal Privacy conducts and documents a risk assessment to identify foreseeable risks and assess them to determine materiality and priority. Each confirmed material risk is assigned to a risk owner, the risk response is determined, and, where appropriate, a risk mitigation plan and strategy are developed. During Phase II (Program Establishment), we can help you further develop and implement risk mitigation plans as appropriate.
- Company Benefits:
  - Regulatory Requirement: A periodic risk assessment is required by many laws, regulations, guidance documents and standards. It helps move beyond compliance toward a legally defensible posture.
  - Due Diligence: Due diligence questionnaires from third parties and for cybersecurity risk insurance will ask you to attest to having this done periodically, often annually. We provide you the tool and train you on how to conduct this activity going forward.
- Deliverable: Risk assessment tool
Requested Documents List (optional)
(including policies/procedures, network connectivity diagram, etc.)
- Process: SoCal Privacy reviews the documents you produce for adequacy. While some consultants do not request this, it helps us evaluate how formalized your privacy/security program’s governance is and how audit-ready your company is. During Phase II (Program Establishment), we can help you develop any documents that you are unable to produce.
  Note: If policies and other documented evidence of compliance do not currently exist, this component will be postponed until after the policies are developed and rolled out.
- Company Benefits:
  - Regulatory Responsiveness: These documents are typical of those requested by regulators in response to a complaint, investigation or audit. Generally, you have 10-15 days to provide them to regulators and cannot provide them later. Not being able to produce these documents in time can turn an inquiry into an investigation, followed by enforcement action, including penalties.
  - Due Diligence: These documents can also be requested as part of due diligence by Fortune 1000 and other companies that you want to do business with (especially those that have experienced a breach), and by investors or prospective acquiring companies.
- Deliverable: Requested documents list
Summary Security Report
- Process: SoCal Privacy develops an actionable report of security recommendations, prioritized on a crawl, walk and run basis, with establishing the foundational program components as the initial focus.
- Company Benefit: You get a prioritized road-map that is easier to consume than a simple list of things to do.
- Deliverable: Summary report of key security recommendations
Privacy Impact Assessment (PIA/DPIA) Report
- Process: SoCal Privacy develops a privacy impact assessment report of privacy recommendations.
- Company Benefit: You get an actionable PIA/DPIA report of prioritized privacy recommendations.
- Deliverable: PIA/DPIA report of privacy recommendations
Gap and Risk Register
- Process: SoCal Privacy provides you a Register of the control gaps and risks identified during our assessment.
- Company Benefit: Your Register facilitates active tracking and management of the gaps and risks formally identified during the Assessment, as well as those identified informally or formally thereafter.
- Deliverable: Gap and risk register