Assessments use cases

Privacy Managers or Data Protection Officers often rely on spreadsheets to record and track assessments aimed at identifying data usage risks. However, this approach can lead to errors and is not scalable. Assessments offers a simpler and more efficient solution to this problem, making the entire process more accurate and easier to manage.

This topic describes how assessment templates can be customized to address critical aspects of data management and compliance, including managing Critical Data Elements (CDEs), ensuring BCBS 239 compliance, adhering to NIST frameworks, and effectively managing vendor risks.

Business Continuity Planning (BCP) support

BCP is a plan for keeping critical business functions running, and restoring them, after a disruptive event such as a data breach or a system outage.

You can use Assessments to identify potential data risks and implement safeguards to support BCP. For example, you can customize an assessment template to include the following questions:

  • Does the business process involve the use of personal information (PI)?
  • Does the business process handle a high volume of PI?
  • Is the business process considered high risk?
  • What remediation actions should be taken to mitigate risks associated with the business process?

CDE management

Critical Data Elements (CDEs) are the data elements that are crucial to the success of an organization. Disruptions to CDEs could lead to disruptions to business functions. However, a CDE for one business may not be critical for another.

You can use Assessments to understand how CDEs are identified, prioritized, monitored, and reported across different businesses. For example, you can customize an assessment template to include the following questions:

  • What data is necessary to generate financial statements?
  • What data is necessary for regulatory reporting?
  • What data supports transaction decisions?

BCBS 239 compliance

BCBS 239 is a set of principles from the Basel Committee on Banking Supervision that applies to financial institutions and provides guidance on risk data aggregation and risk reporting. The data in scope includes customer data.

You can use Assessments to determine if your organization complies with BCBS 239. For example, you can customize an assessment template to include the following questions:

  • What critical data is used for managing risks?
  • Which systems or controls are used for handling and reporting this data?

NIST frameworks compliance

The NIST Cybersecurity Framework offers guidance on handling cybersecurity risks, while the NIST Privacy Framework helps organizations address privacy risks. Both frameworks recommend appointing someone to oversee access control policies.

You can use Assessments to determine if your organization complies with the NIST frameworks. For example, you can customize an assessment template to include the following question: Does your organization have a designated owner responsible for data control policies and procedures?

Vendor risk management

Vendor risk management involves understanding, controlling, and reducing risks when working with third-party vendors.

Assessments can be used to examine the onboarding process for new vendors. For example, you can customize an assessment template to include the following questions:

  • Does the onboarding include training on safe data handling?
  • What measures are in place to safeguard sensitive data?
  • What measures are in place for data sharing with vendors?

Additionally, you can use Assessments to identify and record risks associated with data usage across different departments, such as Cybersecurity, Compliance, Risk, Procurement, and third-party management. By doing so, Assessments can help you understand how data is used within various operations. For example, the Procurement department can use Assessments to ensure that third-party vendors align with internal policies when handling customer data.

Tip: Assessments can also be incorporated into your workflows.