Cybersecurity for Privacy by Design (C4P) is a flexible and scalable model that holistically addresses both cybersecurity and privacy control aspects from the start.


C4P is a strategic approach to dealing with the myriad of statutory, regulatory and contractual obligations for both cybersecurity and privacy protections. Understanding the requirements for both cybersecurity and privacy principles involves a simple process of distilling expectations. This process is all part of documenting reasonable expectations that are “right-sized” for an organization, since every organization has unique requirements.

Verutus can help design a C4P strategy for your organization to comply with EU GDPR and other data protection requirements.

The approach looks at the following spheres of influence to identify applicable controls: 

  • Statutory Obligations. These are US state, federal and international laws.

  • Regulatory Obligations. These are requirements from regulatory bodies or governmental agencies.

  • Contractual Obligations. These are requirements that are stipulated in contracts, vendor agreements, etc.

  • Leading Practices. These are applicable requirements that are based on an organization’s specific industry.

EU GDPR Compliance Consulting

All too often, cybersecurity and privacy controls are siloed by the individual cybersecurity and privacy teams. At a minimum this is bad business practice, since the lack of collaboration is inefficient, but it often leads to broader issues:

  • Lack of situational awareness between the cybersecurity and privacy teams about existing and planned controls.

  • Improper assumptions of statutory, regulatory and contractual obligations.

  • Redundant questionnaires for vendors and project teams.

Identifying Touch Points Between Cybersecurity & Privacy

Verutus can help develop processes to "bake in" both cybersecurity and privacy principles so that your company can have evidence of cybersecurity and privacy principles being built in by default. This is more than a checklist exercise: it is a holistic approach to building secure processes that will reduce risk across your organization. One of the main factors driving the integration of cybersecurity and privacy is the European Union’s General Data Protection Regulation (EU GDPR).

The EU GDPR has three (3) very specific requirements that demand significant coordination between privacy and cybersecurity teams to accomplish:

  • Article 5 covers the principles relating to processing of personal data.

  • Article 25 covers data protection by design and by default.

  • Article 35 covers data protection impact assessments.


Cybersecurity for Privacy by Design


Privacy by Design (PbD)

Privacy by Design (PbD) requirements come from numerous sources.


In this context, the most important frameworks are:

  • Generally Accepted Privacy Principles (GAPP)

  • Fair Information Practice Principles (FIPPs)

  • Organization for the Advancement of Structured Information Standards (OASIS)

  • International Organization for Standardization (ISO)

  • National Institute of Standards and Technology (NIST)

  • Information Systems Audit and Control Association (ISACA)

  • European Union (EU) General Data Protection Regulation (GDPR)

  • US Government (HIPAA & FTC Act)

Security by Design (SbD) requirements come from numerous sources.


In this context, the most important frameworks are:

  • International Organization for Standardization (ISO)

  • National Institute of Standards and Technology (NIST)

  • US Government (HIPAA & FedRAMP)

  • Information Systems Audit and Control Association (ISACA)

  • Cloud Security Alliance (CSA)

  • Center for Internet Security (CIS)

  • Open Web Application Security Project (OWASP)

Security by Design (SbD)


Contact us so that we can understand your needs and come up with a plan to help you!