DeGaetanoSamantha_week 4
School: Full Sail University
Course: 1301
Subject: Information Systems
Date: Dec 6, 2023
Type: pdf
Pages: 7
Samantha DeGaetano
Week 4
Company: iSeeU Eyecare
4.6 - Assignment: Your Company + Compliance, Audit and Cybercrime Reporting

1. Using the Function column in the NIST Privacy Framework CORE document (Identify-P, Govern-P, Control-P, Communicate-P, and Protect-P), describe how each selected function can add value and benefits to your company's specific situation.

Identify-P: Develop the organizational understanding to manage privacy risk for individuals arising from data processing. iSeeU Eyecare benefits because this allows the breakdown of iSeeU Eyecare at each level for assessment of the vulnerabilities and potential risks to privacy for individuals from data processing. This closer look leaves no stone unturned.

Govern-P: Develop and implement the organizational governance structure to enable an ongoing understanding of the organization's risk management priorities that are informed by privacy risk. This benefits iSeeU Eyecare because it allows for policies and procedures to be created, implemented, and enforced at all levels of the organization to manage the priorities that are presented by privacy risks.

Control-P: Develop and implement appropriate activities to enable organizations or individuals to manage data with sufficient granularity to manage privacy risks. iSeeU Eyecare would benefit because this allows for creating and using policies and procedures that will protect against risks related to privacy. This will allow iSeeU Eyecare to control how the cardholder's information is obtained, used, and processed. It will also protect cardholders from certain exposures that could violate those privacy policies.

Communicate-P: Develop and implement appropriate activities to enable organizations and individuals to have a reliable understanding and engage in a dialogue about how data are processed and associated privacy risks. This will allow iSeeU Eyecare to have open lines of communication about what is working and what isn't working with iSeeU Eyecare's approach to privacy protection and its ability to fight risks that iSeeU Eyecare and its clients may face.

Protect-P: Develop and implement appropriate data processing safeguards. This allows iSeeU Eyecare to test and conduct active audits of its policies, procedures, and systems. It also allows iSeeU Eyecare to monitor the employees and all third parties involved in the day-to-day interactions with cardholder data holding, processing, and storing.

2. Using the Category column in the document, select one category for each function that offers the most benefit to your company. You should have a total of five of the most beneficial categories listed for your company. Describe how each of the selected categories can add value to your company's privacy.

The five categories that are the most beneficial for iSeeU Eyecare under each function are:

Identify function: Risk Assessment (ID.RA-P): The organization understands the privacy risks to individuals and how such privacy risks may create follow-on impacts on organizational operations, including mission, functions, other risk management priorities (e.g., compliance, financial), reputation, workforce, and culture. This is beneficial to iSeeU Eyecare because it establishes a foundation for iSeeU Eyecare's privacy policy. If iSeeU Eyecare understands the privacy risks to individuals both internally and externally, along with the ripple effect that can happen from those risks in every aspect of iSeeU Eyecare's infrastructure, then iSeeU Eyecare can fortify itself against all threats, foreign and domestic.

Govern function: Awareness and Training (GV.AT-P): The organization's workforce and third parties engaged in data processing are provided privacy awareness education and are trained to perform their privacy-related duties and responsibilities consistent with related policies, processes, procedures, and agreements and organizational privacy values. This is beneficial to iSeeU Eyecare because it sets the parameters for the employees' and third parties' responsibilities and expectations when it comes to companywide privacy protection and risk management.

Control function: Data Processing Management (CT.DM-P): Data are managed consistent with the organization's risk strategy to protect individuals' privacy, increase manageability, and enable the implementation of privacy principles (e.g., individual participation, data quality, data minimization). This is beneficial to iSeeU Eyecare because it will outline how iSeeU Eyecare manages and processes data when faced with all potential risks that have been assessed by iSeeU Eyecare's privacy compliance.

Communicate function: Data Processing Awareness (CM.AW-P): Individuals and organizations have reliable knowledge about data processing practices and associated privacy risks, and effective mechanisms are used and maintained to increase predictability consistent with the organization's risk strategy to protect individuals' privacy. This is beneficial to iSeeU Eyecare because it is the action plan to manage potential privacy risks, implement company defenses and, if needed, conduct damage control.

Protect function: Maintenance (PR.MA-P): System maintenance and repairs are performed consistent with policies, processes, and procedures. This is beneficial to iSeeU Eyecare because it will provide a policy and action plan for maintenance and repairs related to data privacy, such as the incident that occurred in Tampa when the store location was unprotected due to maintenance issues related to the firewall malfunctioning and its replacement.

3. Using the Subcategory column in the document, select one subcategory for each category you selected in item 2 above that offers the most benefit to your company. You should have a total of five of the most beneficial subcategories listed for your company. Describe how each of the selected subcategories can add value to your company's privacy.

Subcategory under Risk Assessment: ID.RA-P3: Potential problematic data actions and associated problems are identified. This is beneficial because it allows for a more detailed breakdown of how iSeeU Eyecare will assess risk and respond to it.

Subcategory under Awareness and Training: GV.AT-P1: The workforce is informed and trained on its roles and responsibilities. This is beneficial to iSeeU Eyecare because it specifically outlines how the workforce should function in day-to-day operations, in addition to moments of risk/treatment.

Subcategory under Data Processing Management: CT.DM-P8: Audit/log records are determined, documented, implemented, and reviewed in accordance with policy and incorporating the principle of data minimization. This is beneficial because it maintains a digital "paper trail". If there are privacy breaches, then the documentation will allow iSeeU Eyecare to track and trace all access points to find where the data leak has occurred and where the weak spot(s) is (are), to help them with any future privacy risks.

Subcategory under Data Processing Awareness: CM.AW-P5: Data corrections or deletions can be communicated to individuals or organizations (e.g., data sources) in the data processing ecosystem. This is beneficial because it allows for adequate communication between all levels within iSeeU Eyecare for better coordination during the processing of all of iSeeU Eyecare's data.

Subcategory under Maintenance: PR.MA-P2: Remote maintenance of organizational assets is approved, logged, and performed in a manner that prevents unauthorized access. iSeeU Eyecare would benefit because incidents like Tampa can be corrected and prevented, as remote maintenance will be in place as a potential backup plan. Tampa could have opened for full operation, protected by its firewall, if this subcategory had been active.

4. Security controls that could help support these would be:

ID.RA-P3: Daily system checks, reviewing incoming and outgoing data processing for in-store and remote processing.

GV.AT-P1: Intake training and quarterly debriefing on new security protocols and risk countermeasure scenarios.

CT.DM-P8: A processing team/department in place to gather, assess, and implement the appropriate responses to the data acquired through the audit logs.

CM.AW-P5: A monthly communications debriefing that flows from iSeeU Eyecare's top tier down to the entry-level positions of iSeeU Eyecare.

PR.MA-P2: All of iSeeU Eyecare's servers and devices will be connected to the main headquarters so remote access can be monitored and initiated as a last line of defense in incidents like the Tampa security/privacy risk.

5. Using the Subcategory column in the document, select four other subcategories that offer the most benefit to your company. Describe how each of these additional subcategories can add value to your company's privacy.

These are four additional subcategories that offer the most benefit to iSeeU Eyecare:

1. ID.RA-P5: Risk responses are identified, prioritized, and implemented. This gives iSeeU Eyecare targeted action plans for each of iSeeU Eyecare's assessed risks.

2. GV.AT-P4: Third parties (e.g., service providers, customers, partners) understand their roles and responsibilities. This sets procedures and policies in place that will protect iSeeU Eyecare from external threats that can come from third parties. An example: a third party, an IT consultant, left iSeeU Eyecare vulnerable at the Tampa location. If these policies/procedures had been in place, the Tampa location wouldn't have become a potential liability.

3. PR.PO-P7: Response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery) are established, in place, and managed. This allows iSeeU Eyecare to prepare all of its employees to operate and practice in a readiness/preparedness status for privacy risk-assessed scenarios.

4. CT.DM-P9: Technical measures implemented to manage data processing are tested and assessed. This allows for all of the procedures and policies in place to be tested continuously, every thirty days, for weaknesses in the defensive and offensive protocols before a real-life breach/incident occurs.

6. Using the Category column in the document, select one category for each function that offers the least benefit to your company. You should have a total of five of the least beneficial categories listed for your company. Describe why each of the selected categories adds the least amount of value to your company's privacy.

The five categories that offer the least benefit to iSeeU Eyecare:

1) Business Environment (ID.BE-P): iSeeU Eyecare's mission, objectives, stakeholders, and activities are understood and prioritized; this information is used to inform privacy roles, responsibilities, and risk management decisions. This is least beneficial to iSeeU Eyecare because the focus should not be placed on the organization's or stakeholders' mission or objectives, as this may interfere with or oppose the policies and procedures that should be implemented to maintain companywide PCI DSS compliance.

2) Risk Management Strategy (GV.RM-P): iSeeU Eyecare's priorities, constraints, risk tolerances, and assumptions are established and used to support operational risk decisions. This is the least beneficial to iSeeU Eyecare because it places too much emphasis on iSeeU Eyecare's priorities and on iSeeU Eyecare's ability to line up with compliance requirements.

3) Disassociated Processing (CT.DP-P): Data processing solutions increase disassociability consistent with iSeeU Eyecare's risk strategy to protect individuals' privacy and enable the implementation of privacy principles (e.g., data minimization). This is least beneficial because it would be more effective to focus on data recognition and risk-based scenarios that can be implemented as preventative measures.

4) Communication Policies, Processes, and Procedures (CM.PO-P): Policies, processes, and procedures are maintained and used to increase the transparency of iSeeU Eyecare's data processing practices (e.g., purpose, scope, roles, and responsibilities in the data processing ecosystem, and management commitment) and associated privacy risks. This is the least beneficial because the focus should be more on global communication for iSeeU Eyecare and policy updates as needed for the refortification of security procedures.

7. Using the Subcategory column in the document, select one subcategory for each category you selected in 2 that offers the least benefit to your company. You should have a total of five of the least beneficial subcategories listed for your company. Describe how each of the selected subcategories adds the least amount of value to your company's privacy.

The five subcategories that are the least beneficial for iSeeU Eyecare are:

1. ID.RA-P2: Data analytic inputs and outputs are identified and evaluated for bias. This is the least beneficial because if iSeeU Eyecare's internal, external, and third-party operations are meticulously monitored and assessed during the Govern function phase, this would become unnecessary and redundant.

2. GV.AT-P2: Senior executives understand their roles and responsibilities. This is the least beneficial because if the focus is strictly on compliance, then leadership/management roles and responsibilities will be covered under employee training and readiness.

3. CT.DM-P10: Stakeholder privacy preferences are included in algorithmic design objectives, and outputs are evaluated against these preferences. Although stakeholders' privacy preferences are important, they do not supersede the compliance procedures and policies which keep the stakeholders, customers, and company safe, secure, and making money.

4. CM.AW-P2: Mechanisms for obtaining feedback from individuals (e.g., surveys or focus groups) about data processing and associated privacy risks are established and in place. This is the least beneficial because, without a firm foundation and a secure and working privacy policy in place, iSeeU Eyecare won't get this far. Compliance should be the priority.

5. PR.MA-P1: Maintenance and repair of organizational assets are performed and logged, with approved and controlled tools. This is least beneficial because it is already completed during the monthly or quarterly assessments made by iSeeU Eyecare when risk assessments are complete.