Aligning COSO and Privacy Frameworks - Joa - Eng - 0320
appropriate privacy protections in the Asia-Pacific region.3 The APEC Privacy Framework serves as a basis for the APEC Cross-Border Privacy Rules System, which establishes an accountability mechanism for organizations to certify their data privacy practices.4

In addition, the US National Institute of Standards and Technology (NIST) and the International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC), whose respective cybersecurity frameworks are used by many organizations, both developed new privacy frameworks/standards. The NIST Privacy Framework was released on 16 January 2020.5 Additionally, the ISO/IEC 27701 standard, published in 2019, builds on the privacy framework described in ISO 29100, mapping specific privacy-related controls to the framework.6 Both have already been utilized by organizations seeking a solid foundation for their privacy program.

The widely used COSO framework describes five key components of internal control that must exist to achieve an entity’s mission: a control environment, risk assessments, control activities, information and communication, and monitoring activities.7 Further, the COSO framework defines 17 principles aligned with these five key components (figure 1). To align with COSO, a privacy framework should:
• Define a privacy control environment
• Establish a risk assessment for privacy
• Document applicable privacy control activities

[Figure 1, partially recovered: COSO component / Privacy Framework (ISO, NIST) action. Risk assessment: Reinventing the risk assessment for privacy. Control activities: Documenting applicable privacy control activities.]

Defining the Right Privacy Control Environment
Per the COSO framework, the control environment is the set of standards, processes and structures that provides the basis for carrying out internal control across the organization. Designing the right control environment for an organization is a balancing act. The controls need to meet the objectives of the organization, but they also need to be realistic, recognizing the capabilities of the team and available resources. While each control environment is unique, COSO establishes five guiding principles:
1. Demonstrating commitment to integrity and ethical values
2. Exercising oversight responsibility
3. Establishing structure, authority and responsibility
4. Demonstrating commitment to competence
5. Enforcing accountability
should have regular conversations with the privacy officer or person responsible for maintaining the privacy program.

The Establishment of Authority and Responsibility
The organization must establish, with board oversight, a formal charter for the privacy program. This charter can:
• Define the privacy team and a privacy committee, if applicable
• Define roles and responsibilities for oversight and alignment with strategy and objectives
• Set the tone for the introduction, design or enhancement of privacy controls and privacy compliance management
• Identify the responsibilities and the relationship of the chief information security officer (CISO) and security functions with the privacy function
• Provide the process for the review and approval of privacy-related policies and procedures

Those establishing this charter should also involve human resources (HR) to build a strong sanction program related to privacy concerns and issues. Embedding privacy throughout the organization is a key component. For instance, privacy concerns can be addressed by taking privacy into account when creating any engineering process (i.e., privacy by design) and by appointing privacy liaisons across the organization.

Building and Maintaining a Team
The team responsible for maintaining privacy operations must have the skills and capabilities outlined in the privacy charter. This list of skills will likely be long and will probably have to evolve as technology advances. Competencies outside the

Reinventing the Risk Assessment for Privacy
Risk assessment is a “dynamic and iterative process for identifying and assessing risks to the achievement of objectives”8 across the organization. Those risk factors are considered relative to established risk tolerances. Therefore, a risk assessment is the basis for determination of how to manage risk across the organization. COSO identifies four principles supporting this component:9
1. Specifying suitable objectives
2. Identifying and analyzing risk
3. Assessing fraud risk
4. Identifying and analyzing significant change

Performing a risk assessment that addresses privacy concerns and aligns with the COSO framework requires the development of a methodology applicable to the environment and the unique challenges of privacy risk.

According to NIST, while managing cybersecurity risk is necessary to address privacy risk, it is not sufficient, as privacy risk may arise beyond the scope of cybersecurity concerns.10 For instance, while cybersecurity risk factors are associated with the loss of confidentiality, integrity and availability of information, privacy risk factors are associated with the unintended consequences of data processing. In other words, a privacy risk is the “likelihood that individuals will experience problems resulting from data processing, and the impact should they occur.”11 NIST further defines privacy risk in the NIST Internal Report (IR) 8062, “An Introduction to Privacy Engineering and Risk Management in Federal Systems,”12 Section 3.2, and the Privacy Risk Assessment Methodology (PRAM), which was created as an application of the NIST IR 8062 risk model to help organizations analyze, assess and prioritize privacy risk. It identifies the following four impact factors of privacy risk:13
1. Noncompliance costs such as regulatory fines, litigation costs, etc.
2. Direct business costs such as revenue or performance loss from customer abandonment or avoidance

financial loss consumers would experience.

Similarly, NIST defines some factors organizations may use to assess the likelihood of risk factors, such as customer demographics and information available about privacy problems in similar scenarios.14 However, every organization may consider figure 2 in making this assessment.

All these risk factors should be carefully considered and clearly communicated to executive leadership and the board so they can determine easily if their privacy risk aligns with the risk appetite of the organization.

Documenting Applicable Control Activities
The COSO framework describes control activities as the “actions established through policies and procedures that help ensure that management’s directives to mitigate risks to the achievement of objectives are carried out.”15 Control activities are performed at “all levels of the entity, at various stages
In addition, compliance is not just a legal, compliance or privacy team function. As a preventive control, all organizations should include privacy training for employees who handle PII so they can recognize the rights that apply and direct data subjects to the appropriate channels for requests.

Meeting Effective Communication Requirements for Privacy
The COSO framework identifies “information and communication” as a core component of internal

must consider the quality and effectiveness of communications. The board and executive leadership set the tone and must build a culture that prioritizes clear and direct communication about privacy risk and obligations. In addition, communication with external parties, including regulatory organizations, should be clear and consistent. For instance, the Communicate-P function defined in the NIST Privacy Framework recommends developing and implementing “appropriate activities to provide organizations and individuals with a reliable understanding about how data is processed and the associated privacy risks.”28 As the NIST Privacy Framework describes, this might include establishing formal policies and training to ensure that impacted individuals and organizations are notified in the event of a privacy breach. It may also include developing transparent policies to communicate data processing purposes and implementing mechanisms for obtaining feedback from individuals about data processing risk.

Managing the Compliance of the Privacy Program
The “monitoring activities” component of the COSO framework suggests establishing evaluations to ensure that each of the COSO framework components and principles are present and functioning.29 Business processes may contain ongoing evaluations at all levels in the organization, ensuring consistent application of the framework. Moreover, periodic evaluations may be conducted with varying scope and frequency, depending on the organization’s risk profile, to focus on specific concerns or other management considerations. Findings may be evaluated against standard-setting bodies or regulations, while deficiencies should be communicated to organization leadership.30 The two COSO principles related to this component include conducting ongoing evaluations and evaluating and communicating deficiencies.

Ongoing monitoring (the second line of defense) and independent evaluations (the third line of defense) should be considered in the development and maintenance of any privacy program to evaluate its effectiveness and communicate its deficiencies. For instance, the NIST Privacy Framework Core describes, within the Monitoring and Review category of the Govern-P function, an ongoing review of the organization’s privacy posture to inform management of privacy risk.31 Subcategory GV.MT-P1 describes the reevaluation of privacy risk on an ongoing basis, including key

Within COSO, there are three central control objectives focused on operations, reporting and compliance. These three control objectives may be applied to privacy controls (figure 4).

Operations
The COSO framework defines operational objectives of internal control as pertaining to the effectiveness and efficiency of the entity’s operations. These may include operational and financial performance goals and safeguarding assets against loss.33 When it comes to managing privacy control operation objectives, an organization may consider both the type of PII and its use within the operations of the organization. PII may be involved in marketing processes, employment processes, consumer product fulfillment processes and many others throughout the organization. The applicable privacy controls that align with business operations in those varied areas may differ. However, the central objective of maintaining the privacy of PII throughout the organization’s operations is overarching. Thus, the operations objective informs the selected controls.

Reporting
COSO reporting objectives typically pertain to internal and external financial and nonfinancial reporting,
Compliance
Compliance objectives pertain to an organization’s adherence to laws and regulations.36 When implementing a privacy framework, it is important to consider how it aligns with all applicable laws and regulations and whether it is flexible enough to accommodate future regulatory requirements (figure 5). Although requirements vary by regulation, strong privacy controls applied consistently across an organization help decrease the effort needed to meet new requirements. Many fundamental privacy

Hierarchical Application
For a privacy framework to align with COSO, it must apply to the whole organization—from entity-level controls that set the tone at the top of the organization to controls specific to certain business functions. For example, NIST Framework Core subcategory GV.PO-P1 states, “Organizational privacy values and policies … are established and communicated.”37 This would likely be defined as an entity-level control. In comparison, while the basis of subcategory CT.DP-P2, “Data are processed to limit the identification of individuals (e.g., de-identification privacy techniques, tokenization),” might apply across the organization, execution procedures would need to be tailored to each business function.38 Mapping a framework across an organization is not an easy step. It requires the organization to determine which controls should be applied at the entity level and which should be tailored to specific business processes.
”
4 Cross Border Privacy Rules System, “Policies,
REGULATIONS. Rules and Guidelines,” http://cbprs.org/documents/
5 National Institute of Standards and Technology,
The Benefits of Aligning Privacy With COSO “NIST Privacy Framework: A Tool for Improving
Privacy Through Enterprise Risk Management,”
Without a privacy framework in place, it is nearly USA, 16 January 2020, https://www.nist.gov/
impossible for an organization to keep pace with privacy-framework/privacy-framework
changing data protection regulations, putting the 6 International Organization for Standardization
organization at great risk. Using a framework that (ISO)/International Electrotechnical
aligns with a widely adopted standard such as Commission (IEC), Security Techniques—
COSO provides a number of benefits: Extension to ISO/IEC 27001 and ISO/IEC 27002
• Streamlined efforts—Aligning privacy controls for Privacy Information Management—
with COSO greatly reduces the burden on audit, Requirements and Guidelines, August 2019,
operations and implementation teams, requiring https://www.iso.org/standard/71670.html
fewer audits and streamlining remediation efforts 7 Op cit Committee of Sponsoring Organizations
of the Treadway Commission
• Cost and time savings—Addressing privacy 8 Ibid.
compliance ad hoc is a costly experiment. By using 9 Ibid.
a framework, organizations can apply privacy 10 Op cit National Institute of Standards
controls across regulations, minimizing the number and Technology
of resources needed to manage compliance, 11 Ibid.
reducing compliance costs and saving significant 12 Brooks, S.; M. Garcia; N. Lefkovitz; S. Lightman;
time. In addition, a framework helps reduce the risk E. Nadeau; “An Introduction to Privacy
of fines and penalties for noncompliance through a Engineering and Risk Management in Federal
common structure and standardization. Systems,” National Institute of Standards and
• Sustainable compliance—Implementing a privacy Technology (NIST) Internal Report (IR) 8062,
framework makes it possible for the organization USA, January 2017, https://nvlpubs.nist.gov/
to scale its privacy program with organizational nistpubs/ir/2017/NIST.IR.8062.pdf
change, new technologies and shifting 13 National Institute of Standards and Technology,
regulations. “Risk Assessment Tools,” USA, 28 October
2018, https://www.nist.gov/itl/applied-
While choosing and customizing a framework does cybersecurity/privacy-engineering/collaboration-
require a good amount of effort up front, when space/browse/risk-assessment-tools
implemented properly, it can save an organization 14 Op cit National Institute of Standards and
time, resources and budget for years to come. Technology, January 2020
15 Op cit Committee of Sponsoring Organizations
of the Treadway Commission
Endnotes
16 Ibid.
17 Ibid.
1 Committee of Sponsoring Organizations of the
18 Op cit National Institute of Standards and
Treadway Commission, Internal Control—
Technology, January 2020
Integrated Framework, Executive Summary,
19 Op cit National Institute of Standards and
2013, https://www.coso.org/Pages/ic.aspx
Technology, October 2018