
Project 4 – Privacy Compliance Strategy

Description

For this project, you will leverage your research from Projects #1, #2, and #3 to develop a privacy compliance strategy for your chosen company. The deliverable for this project will be a Privacy Compliance Strategy that includes a legal and regulatory analysis for privacy laws and regulations. The scope for this project will be laws and regulations from the United States (federal and state) and the European Union.

Research 

1. Begin your research by reviewing the privacy concepts and requirements presented in the (ISC)2 SSCP Systems Security Certified Practitioner Official Study Guide (the course textbook).

2. Review your selected company’s Form 10-K to identify privacy-related risks which the company disclosed to investors and shareholders. You will use these and additional privacy-related risks, identified through your readings and research, to construct a privacy compliance profile.

3. Read Chapters 1 and 2 of the NIST Privacy Framework: A Tool for Improving Privacy through Enterprise Risk Management. https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.01162020.pdf

4. Review the Audit and Compliance control family in NIST SP 800-53 (section 3.3).

5. Review one or more reports written by privacy analysts about privacy issues affecting global businesses:

a. 2010 Ponemon Report: How Global Organizations Approach the Challenge of Protecting Personal Data
https://www.ponemon.org/local/upload/file/ATC_DPP%20report_FINAL.pdf

b. 2019 Thomson Reuters GDPR Report: Business’ struggle with data privacy: Regulatory environment continues to evolve rapidly
https://legalsolutions.thomsonreuters.co.uk/blog/wp-content/uploads/sites/14/2019/12/Thomson-Reuters-GDPR-Report.pdf

c. 2021 blog from PrivacyPolicies.com: Global Privacy Laws Explained
https://www.privacypolicies.com/blog/global-privacy-laws-explained/

6. Review existing and proposed privacy legislation for U.S. jurisdictions (states) using the International Association of Privacy Professionals (IAPP) state privacy legislation tracker:
https://iapp.org/resources/article/us-state-privacy-legislation-tracker/

7. Review the privacy guidance for the European Union’s General Data Protection Regulation: https://gdpr.eu/

8. Review the Fact Sheet for the Trans-Atlantic Data Privacy Framework: https://www.whitehouse.gov/briefing-room/statements-releases/2022/03/25/fact-sheet-unitedstates-and-european-commission-announce-trans-atlantic-data-privacy-framework/

9. Find and review additional authoritative sources which discuss (a) specific privacy-related legal or regulatory non-compliance events (lawsuits, fines, etc.) impacting large, global companies and (b) the business and financial impacts arising from compliance failures (violations) for privacy laws and regulations.

Analyze Privacy Compliance Issues, Risks, and Mitigations

1. Identify the five most important privacy issues which your chosen company must address as part of its enterprise risk management program. You should focus on strategic issues, e.g., lack of management support, lack of resources, rapidly changing external politico-legal privacy environment, lawsuits and fines arising from non-compliance, etc. For each issue, identify the legal and regulatory drivers from both the U.S. (federal and state) and the European Union.

2. Identify 10 or more privacy-related legal or regulatory compliance risks arising from your identified privacy issues. For each risk, identify the specific law or regulation that imposes privacy requirements upon your selected company. You may reuse privacy-related risks from your previous projects. Present your risks using the Table 1 template found at the end of this file.

3. For each identified compliance risk, identify one or more security controls (from NIST SP 800-53) which could be implemented to reduce or mitigate the compliance risk. Audit and Compliance Controls should be included in your mitigation profile. Remember that you need one or more controls that will be the audit targets. You may reuse work from your previous projects, but you should make sure that the selected controls actually address mitigations for PRIVACY COMPLIANCE risks. If they do not, you must select controls which do address compliance. Enter this information into Table 2 found at the end of this file.

Write

1. An introduction section which identifies the company being discussed and provides a brief introduction to the company (you may reuse some of your narrative from Project #1 and/or Project #2). Your introduction should include a brief overview of the company’s business operations and include a description of the purpose and contents of this Privacy Compliance Strategy deliverable.

2. A separate analysis section (Privacy Issues Impacting [company]) in which you present 10 or more Privacy Issues which you identified from your reading and research. For each issue, you should present your analysis of why this issue is important for your selected company. You should also discuss the legal and regulatory drivers which make this issue important for your company. What are the non-compliance risks associated with these issues? (Discuss at least 3.)

3. A separate analysis section (Privacy Compliance Risk Profile) in which you present your privacy-related compliance risks. Provide an introductory paragraph that explains the relationship between the previously identified privacy issues and your privacy compliance risk profile. You should discuss the type of information presented in Table #1 Privacy Compliance Risk Profile (use the template at the end of this file – this is a different table than used in previous projects) and what sources were used to obtain this information. Your completed table should have 10 or more entries. Describe the process and documents used to construct the Privacy Compliance Risk Profile. Place Table #1 at the end of this section (remember to delete the sample text).

4. A separate analysis section (Privacy Compliance Controls Profile) in which you present your Privacy Compliance Controls Profile. Provide an introductory paragraph that explains the privacy compliance controls profile, e.g., what information is contained in the table and what sources were used to obtain this information. Describe the process and documents used to construct the Privacy Compliance Controls Profile. Your profile should have 10 or more rows entered into Table #2. Place Table #2 at the end of this section (remember to delete the sample text).

5. A separate section (Privacy Compliance Risk Mitigation Strategy) in which you present a high-level strategy for implementing the risk mitigations (security controls) presented earlier in this deliverable. This section should include a summary of the business problem (reduce privacy-related risks arising from legal and regulatory requirements for privacy protections), the general types of privacy-related risks to be mitigated (focus on the CIA triad and summarize the risks you previously identified), the timeframe for implementing each element of your strategy, and the benefits of implementing an enterprise strategy for reducing privacy-related compliance risks.

6. A separate Recommendations and Conclusions section which provides a summary of the information contained in this deliverable and presents your concluding statements regarding the business need and business benefits which support implementing your Privacy Compliance Risk Mitigation Strategy and the allocation of resources by the company.

Submit Your Work for Grading and Feedback

Before you submit your work, check the rubric (displayed in the Assignment Folder entry) to make sure that you have covered all required content including citations and references.

Submit your work in MS Word format (.docx or .doc file) using the Project #4 Assignment in your assignment folder. (Attach the file.)

Additional Information

1. Your 8 to 10 page deliverable should be professional in appearance with consistent use of fonts, font sizes, colors, margins, etc. You should use headings and sub-headings to organize your paper. Use headings which correspond to the content rows in the rubric – this will make it easier for your instructor to find required content elements and will help you ensure that you have covered all required sections and content in your paper.

2. The stated page length is a recommendation based upon the content requirements of the assignment. All pages submitted will be graded but, for the highest grades, your work must be clear, concise, and accurate. Exceeding the recommended length will not necessarily result in a higher grade. Shorter submissions may not fully meet the content requirements, resulting in a lower grade.

3. The INFA program requires that graduate students follow standard APA style guidance for both formatting and citing/referencing sources. Your file submission must be in MS Word format (.docx). PDF, ODF, and other types of files are not acceptable.

4. You must include a cover page with the course, the assignment title, your name, your instructor’s name, and the due date. Your reference list must be on a separate page at the end of your file. These pages do not count towards the assignment’s minimum page count.

5. You are expected to write grammatically correct English in every assignment that you submit for grading. Do not turn in any work without (a) using spell check, (b) using grammar check, (c) verifying that your punctuation is correct and (d) reviewing your work for correct word usage and correctly structured sentences and paragraphs.

6. You are expected to credit your sources using in-text citations and reference list entries. Both your citations and your reference list entries must follow APA Style guidance. Use of required readings from the course as sources is expected and encouraged. Where used, you must cite and provide references for these readings.

7. When using Security and Privacy controls from NIST SP 800-53, you must use the exact numbering and names (titles) when referring to those controls. This information does not need to be treated as quotations. You may paraphrase or quote from the descriptions of the controls provided that you appropriately mark copied text (if any) and attach a citation for both quoted and paraphrased information.

8. Consult the grading rubric for specific content and formatting requirements for this assignment.

9. All work submitted to the Assignment Folder will be scanned by the Turnitin service. We use this service to help identify areas for improvement in student writing.

Table 1. Privacy Compliance Risk Profile for [company]

| Risk ID | Privacy Risk Title | Description | Risk Category | Impact Level |
|---------|--------------------|-------------|---------------|--------------|
| 001 | Unauthorized disclosure of privacy-related customer information. | Unauthorized disclosure or access to privacy-related customer data could result in non-compliance with [law], [law], [regulation: section]. | People | Medium |
| 002 | | | | |
| 003 | | | | |
| 004 | | | | |
| 005 | | | | |
| 006 | | | | |
| 007 | | | | |
| 008 | | | | |
| 009 | | | | |
| 010 | | | | |

Table 2. Privacy Compliance Controls Profile