© 2018 by Verutus, LLC.  

This website is for educational purposes only and does not render professional services advice and is not a substitute for dedicated professional services. If you have compliance questions, you should consult a cybersecurity or privacy professional to discuss your specific needs. Verutus, LLC (Verutus) disclaims any liability whatsoever for any documentation, information, or other material which is or may become a part of the website. Verutus does not warrant or guarantee that the information will not be offensive to any user. User is hereby put on notice that by accessing and using the website, user assumes the risk that the information and documentation contained in the web site may be offensive and/or may not meet the needs and requirements of the user. The entire risk as to the use of this website is assumed by the user. Verutus reserves the right to refuse service, in accordance with applicable statutory and regulatory parameters.

Verutus, LLC

1002A North Springbrook Rd #229
Newberg, OR 97132

+1-503-850-7997

support@verutus.com


Cybersecurity for Privacy by Design (C4P) is a flexible and scalable model that holistically addresses both cybersecurity and privacy control aspects from the start.


C4P is a strategic approach to dealing with the myriad statutory, regulatory and contractual obligations for both cybersecurity and privacy protections. Understanding the requirements for both cybersecurity and privacy principles involves a simple process of distilling expectations. This process is part of documenting reasonable expectations that are “right-sized” for an organization, since every organization has unique requirements.

Verutus can help design a C4P strategy for your organization to comply with EU GDPR and other data protection requirements.

The approach looks at the following spheres of influence to identify applicable controls: 

  • Statutory Obligations. These are US state, federal and international laws.

  • Regulatory Obligations. These are requirements from regulatory bodies or governmental agencies.

  • Contractual Obligations. These are requirements stipulated in contracts, vendor agreements, etc.

  • Leading Practices. These are applicable requirements that are based on an organization’s specific industry.

EU GDPR Compliance Consulting

All too often, cybersecurity and privacy controls are siloed within the separate cybersecurity and privacy teams. At a minimum, this is poor business practice, since the lack of collaboration is inefficient, but it often leads to broader issues:

  • Lack of situational awareness between the cybersecurity and privacy teams about existing and planned controls.

  • Improper assumptions of statutory, regulatory and contractual obligations.

  • Redundant questionnaires for vendors and project teams.  

Identifying Touch Points Between Cybersecurity & Privacy

Verutus can help develop processes to "bake in" both cybersecurity and privacy principles so that your company can have evidence of cybersecurity and privacy principles being built in by default. This is more than a checklist exercise; it is a holistic approach to building secure processes that will reduce risk across your organization. One of the main factors driving the integration of cybersecurity and privacy is the European Union’s General Data Protection Regulation (EU GDPR).

The EU GDPR has three (3) very specific requirements that demand significant coordination between privacy and cybersecurity teams to accomplish:

  • Article 5 covers the principles relating to processing of personal data;

  • Article 25 covers data protection by design and by default; and

  • Article 35 covers data protection impact assessment.

Privacy by Design (PbD)

Privacy by Design (PbD) requirements come from numerous sources.


In this context, the most important frameworks are:

  • Generally Accepted Privacy Principles (GAPP)

  • Fair Information Practice Principles (FIPPs)

  • Organization for the Advancement of Structured Information Standards (OASIS)

  • International Organization for Standardization (ISO)

  • National Institute of Standards and Technology (NIST)

  • Information Systems Audit and Control Association (ISACA)

  • European Union (EU) General Data Protection Regulation (GDPR)

  • US Government (HIPAA & FTC Act)

Security by Design (SbD)

Security by Design (SbD) requirements come from numerous sources.

In this context, the most important frameworks are:

  • International Organization for Standardization (ISO)

  • National Institute of Standards and Technology (NIST)

  • US Government (HIPAA & FedRAMP)

  • Information Systems Audit and Control Association (ISACA)

  • Cloud Security Alliance (CSA)

  • Center for Internet Security (CIS)

  • Open Web Application Security Project (OWASP)

Contact us so that we can understand your needs and come up with a plan to help you!