Agenda
• Introduction
• Why role separation?
• From the news…
• Considering the CISO, DPO & Auditor roles
• Combining CISO and DPO
• Q & A
Introduction

Peter Geelen (CyberMinute)
My experience
• 20+ years experience in security
• Enterprise Security & IAM
• Cybersecurity
• Data Protection & Privacy
• Incident management, Disaster Recovery
• Trainer, coach, auditor
Certification
• ISO27001 Master & Lead ISO27002
• ISO27701 Lead Impl. & Lead Auditor
• Certified DPO & Fellow In Privacy
• Lead Incident Mgr & Disaster Recovery
• ISO27032 Sr. Lead Cybersecurity Mgr
• Lead ISO27005 (Risk Mgmt)
Accreditation
• Accredited ISO27001/9001 Lead auditor
• Accredited Security Trainer
More info (LinkedIn): https://ffwd2.me/pgeelen
http://www.cyberminute.com
peter@cyberminute.com
Stefan Mathuvis (QMA)
My experience
• 20 years experience in security
• Quality Management
• Quality Auditor
• Cybersecurity
• Security, Data Protection & Privacy
• Trainer, coach, auditor
Certification
• ISO27001 Lead Auditor
• ISO9001 Lead Auditor
• Lead auditor ESD & GDP Pharma
• Lead auditor GQS
• CDPO
• Master trainer DGQ
Accreditation
• Accredited ISO27001 Lead auditor
• Accredited 9001 Lead auditor
More info (LinkedIn): https://ffwd2.me/stefan
http://www.qma.be
Stefan@qma.be
Why role separation?
We’re used to … lots of CISO, a bit of privacy and audit

What it was… (before GDPR)
In many cases, when companies think “security”, they point to IT to manage it…
• CISO aka “security officer” securing IT operations
• Legal department for damage control
• Business... Eh… do their own thing, little concern for security if everything goes well
• Security = cost, not benefit
• Privacy or “data protection” wasn’t really part of the business driver (except for some sensitive data areas like health…)
Since 2008 (financial crisis)…
Various roles and functions kicked in…
• Security manager, security officer, CSO, CISO, CDO…
• DPO, data protection manager, …
• CPO, Privacy officer, privacy manager, …
• Data security, privacy, data privacy, …
• Internal auditor, external auditor
• GRC, Compliance officer
• Risk manager, risk officer, …
• Legal officer, …
But in reality…
Role separation is not that simple
• There is no exact prescription & guidance on how to do it in YOUR specific situation
• Each role requires specific expertise, knowledge and experience
• The company organization, hierarchy or organigram hinders the required role delegation
• In many cases reorganization is required to support security and data protection implementation…
But in reality…
Organizing security governance is difficult, because
• … people HATE change and
• … people feel threatened (losing their job)
• … management only sees the costs (not the benefits)
• … the organization is “too small”
• … conflicts of interest
• … lack of expertise and experience
• … lack of courage (to speak up, to make the change…)
From the news… last few weeks

GDPR in the news (DPO issues)
Source: https://www.dataguidance.com/news/belgium-belgian-dpa-issues-%E2%82%AC50000-fine-organisation-dpo-appointment-violation
Source: https://www.enforcementtracker.com/

CISO, Risk manager, GRC officer… issues
Source: https://www.fieldfisher.com/en/services/privacy-security-and-information/privacy-security-and-information-law-blog/heads-of-compliance-legal-step-down-as-dpo

Happy CISO?
Source (NL): https://www.security.nl/posting/660081/It-bedrijf+moet+schade+door+ransomware+bij+klant+grotendeels+vergoeden
(June 2020) IT company has to largely compensate customer’s damage from ransomware
Considering CISO, DPO and auditor roles
Untangling security & DP governance

Today’s focus
The Information security & Data protection basics
Getting started with
• Information Security management (aka CISO)
• DPO role in data protection management & GDPR
• Information security audit (both internal and external)
Some definitions (1)
The Information security & Data protection basics
CISO
• Responsible for enterprise information security management
• Focus on company obligations
• Company internal (even with CISO as a service)
DPO
• Data protection officer
• Main tasks & responsibilities defined in GDPR
• Focus on data subject rights
Some definitions (2)
The Information security & Data protection basics
Auditor (*)
• See ISO for definition of tasks and responsibilities
• Compliance control
• Not only “policing”, but also advisory and pushing continuous improvement
• Internal Audit (company)
• External Audit (certification)
(*) Focus on Information Security audit (not financial, …)
GDPR & DPO
Impossible job?

GDPR & DPO designation requirement
Art. 37 (1): Designation of the data protection officer
1. The controller and the processor shall designate a data protection officer in any case where:
a) the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
b) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
c) the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 and personal data relating to criminal convictions and offences referred to in Article 10.
DPO qualification
Art. 37 (5): Designation of the data protection officer
5. The data protection officer shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39.

DPO in hierarchy?
Art. 37 (6)
“6. The data protection officer may be a staff member of the controller or processor, or fulfil the tasks on the basis of a service contract”
DPO tasks
GDPR Art. 39: Tasks of the data protection officer
1. The data protection officer shall have at least the following tasks:
a) to inform and advise the controller or the processor and the employees who carry out processing of their obligations pursuant to this Regulation and to other Union or Member State data protection provisions;
b) to monitor compliance with this Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including
• the assignment of responsibilities,
• awareness-raising and
• training of staff involved in processing operations, and
• the related audits;
c) to provide advice where requested as regards the data protection impact assessment and monitor its performance pursuant to Article 35;
d) to cooperate with the supervisory authority;
e) to act as the contact point for the supervisory authority on issues relating to processing, including the prior consultation referred to in Article 36, and to consult, where appropriate, with regard to any other matter.
2. The data protection officer shall in the performance of his or her tasks have due regard to the risk associated with processing operations, taking into account the nature, scope, context and purposes of processing.
NOT the DPO tasks
What’s NOT the responsibility of the DPO?
• Organizing information security
• Organizing data protection
• Accountability for data breaches
• Risk management & risk assessment
• Implementing security/data protection/privacy by design
• …
The ideal DPO?
What qualifications do you need to do the job?
• Business expertise
  • Know the business and your company
• Legal expertise
  • Legal & regulatory insights
• Compliance
  • Audit & GRC
• Data protection
• Information security
  • Current state of protection, ref. state-of-the-art security techniques
The ideal DPO?
But also needs…
• Incident management, Business continuity, disaster recovery…
• Soft skills
  • Management skills
  • Project management skills
  • Communication
  • Education
  • Authority
  • Behavioral skills (handling the human bad practices …)

The ideal DPO?
Consider
• DPO office
• An expert for each function or task
• External support for certain tasks
• …
DPO attention points
From WP29 guidelines
• If you’re not sure you need a DPO, assign a DPO
• Involvement of DPO in all issues related to data protection
• Necessary resources (see ideal DPO)
• Acting in an independent manner
• Dismissal or penalty for performing DPO tasks
• Conflict of interests
• Data processing by DPO when executing tasks… (!)
Internal or external DPO
Some considerations

Internal DPO
Pros and cons
Advantages
• Knowing the company
• Direct impact
• Connection to management
• Internal multi-discipline team support
• Availability
Disadvantages & risks
• Conflict of interest (being an employee)
• Lack of authority
• Data protection vs information security

External DPO
Pros and cons
Advantages
• Authority as expert
• DPO office (knowledge coverage)
• External view
Disadvantages & risks
• Lack of knowledge of company internals
• Availability
• Accountability
• Data management & transfers (processing contract!)
CISO
Up or down the tree of hierarchy?

Power of hierarchy
What’s in a name?
• SO or ISO?
• CSO or CISO?
• Information security or IT security?
What options do you have in hierarchy?
• Operational Information Security Officer (not “C”)
• Departmental CISO
• C-level security officer (CSO or CISO)
Choice of department
• Security
• Risk
• IT
• Business
• …
Some options (with pros and cons)
Main position level choices
• Strategic
  • C-level
  • Board-level
  • Upper management
• Tactical
  • Department level
• Operational
  • IT security
  • Practical
Some options (with pros and cons)
Traditional approach (from IT)
Source: PECB ISO27002 Lead implementer

Some options (with pros and cons)
Traditional approach (from business)
Source: PECB ISO27002 Lead implementer

Some options (with pros and cons)
Other organizational options
Source: PECB ISO27002 Lead implementer
• GRC team
• Compliance
• Risk
• CSO Office
• Security Office
• Internal Audit
• Operational security (non-IT)
• …
CISO attention points
No strict governance guidelines or rules
• Current drive for Security by design (ref. ISO27001, PCI-DSS, GDPR, ISO27701, …)
• But no GDPR or direct regulatory requirement to have a CISO
• Security vs performance vs budget
• Necessary resources to do the job
• Conflict of interests
• Acting in an independent manner (?)
• Dismissal or penalty for performing CISO tasks (integrity)
• DPO (subject interests) vs CISO (company interests)
Combining CISO and DPO
Always trouble?

WP29/EDPB advisory
Guidelines on DPOs
• Guidelines on Data Protection Officers (‘DPOs’)
https://ec.europa.eu/information_society/newsroom/image/document/2016-51/wp243_en_40855.pdf?wb48617274=CD63BD9A
• WP243 Annex – FAQ
https://ec.europa.eu/information_society/newsroom/image/document/2016-51/wp243_annex_en_40856.pdf
WP29/EDPB advisory
Good practice advice for DP/DC
“Depending on the activities, size and structure of the organisation, it can be good practice for controllers or processors:
• to identify the positions which would be incompatible with the function of DPO
• to draw up internal rules to this effect in order to avoid conflicts of interests
• to include a more general explanation about conflicts of interests
• to declare that their DPO has no conflict of interests with regard to its function as a DPO, as a way of raising awareness of this requirement
• to include safeguards in the internal rules of the organisation and
• to ensure that the vacancy notice for the position of DPO or the service contract is sufficiently precise and detailed in order to avoid a conflict of interests.
In this context, it should also be borne in mind that conflicts of interests may take various forms depending on whether the DPO is recruited internally or externally.”
Attention point
Segregation of duties
Do NOT combine
• DPO
• Management function
You CAN combine (with due diligence)
• DPO
• Security operations

Attention point
Identify conflicts of interest
Segregation of duties vs team/company size
• When IS/DP is handled by a single/small team, a conflict of interest will arise (by default)
• Add policy/process/procedure to maintain due diligence
Important difference (identify tasks!)
• DPO
• Management functions
• Operational security / data protection functions
ISMS audit roles
Audit, advisory & consulting?

What is audit about?
Goals
• Compliance check
• Keeping security in line with the business
• Continuous improvement
Types of audit
• Internal
• External
Why is this important?
Auditor vs implementer (from previous sessions)
• If you know how the audit works, you know better what to implement
  • Both in the right spirit
• Results based,
  • not checklist based
• Growth mindset
  • Not perfect at the first step
  • Better done than perfect
  • Think big, act small…
The auditor view helps to…
• The audit cycle pushes the implementation of PDCA
  • Continuous improvement
  • Step by step
• Have an independent / external view
• Keep the helicopter view, with a good relation between
  • Business
  • IT
  • DPO
  • Legal
Some practical hints
• Include audit considerations from the start
• Involve audit throughout the project
• Internal audit vs external audit
  • External audit
    • mostly end stage (before you restart the cycle)
    • Certification target
  • Internal audit
    • Separate department
    • Why not cross check? (cross-department)
    • External auditor (but still under authority of the data controller)
Some practical hints
• Look at the external auditor as an advisor
  • Not a checklist dummy
  • [NOT a consultant ;) ]
• Watch out for conflicts of interest
  • Auditor -> general advice
  • Advice <> consultancy (specific, targeted advice)
• Guidelines
  • ISO27006 (ISO27001 auditor guidance)
  • ISO17021 (audit the auditor, general)
Auditor – Conflicts of interest
ISO27006 5.2.1
Certification bodies may carry out the following duties without them being considered as consultancy or having a potential conflict of interest:
a) arranging and participating as a lecturer in training courses, provided that, where these courses relate to information security management, related management systems or auditing, certification bodies shall confine themselves to the provision of generic information and advice which is publicly available, i.e. they shall not provide company-specific advice which contravenes the requirements of b) below;
Auditor – Conflicts of interest
ISO27006 5.2.1
b) making available or publishing on request information describing the certification body’s interpretation of the requirements of the certification audit standards (see 9.1.3.6);
c) activities prior to audit, solely aimed at determining readiness for certification audit; however, such activities shall not result in the provision of recommendations or advice that would contravene this clause and the certification body shall be able to confirm that such activities do not contravene these requirements and that they are not used to justify a reduction in the eventual certification audit duration;
d) performing second and third-party audits according to standards or regulations other than those being part of the scope of accreditation;
e) adding value during certification audits and surveillance visits, e.g. by identifying opportunities for improvement, as they become evident during the audit, without recommending specific solutions.
The certification body shall not provide internal information security reviews of the client’s ISMS subject to certification. Furthermore, the certification body shall be independent from the body or bodies (including any individuals) which provide the internal ISMS audit.
Auditor – Conflicts of interest
ISO17021 5.2 Management of impartiality
5.2.1 Conformity assessment activities shall be undertaken impartially. The certification body shall be responsible for the impartiality of its conformity assessment activities and shall not allow commercial, financial or other pressures to compromise impartiality.
5.2.3 The certification body shall have a process to identify, analyse, evaluate, treat, monitor, and document the risks related to conflict of interests arising from provision of certification including any conflicts arising from its relationships on an ongoing basis. Where there are any threats to impartiality, the certification body shall document and demonstrate how it eliminates or minimizes such threats and document any residual risk.

Auditor – Conflicts of interest
ISO17021 5.2 Management of impartiality
5.2.10 In order to ensure that there is no conflict of interests, personnel who have provided management system consultancy, including those acting in a managerial capacity, shall not be used by the certification body to take part in an audit or other certification activities if they have been involved in management system consultancy towards the client. A recognized mitigation of this threat is that personnel shall not be used for a minimum of two years following the end of the consultancy.
Remember the ISO audit lifecycle…
Initial audit
• “Get in control”
• Passing the mark
• Basic maturity (ref. CMMI … level 3)
• Room for growth and maturity
Surveillance audit (1yr) + recertification (3yr)
• “Stay in control”
• Focus on improvement
• Increasing maturity
• Based on metrics and measurement…
References

EDPB (aka WP29) on DPO
Important
• FAQ
  https://ec.europa.eu/information_society/newsroom/image/document/2016-51/wp243_annex_en_40856.pdf
• Guidelines on Data Protection Officers ('DPOs'), wp243rev.01_en
  https://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=612048
• Available language versions
  http://ec.europa.eu/newsroom/just/document.cfm?doc_id=48137
Ramping up…

Relevant PECB Training courses
Check the PECB agenda, select the ISO/IEC 27701 Lead Implementer
https://pecb.com/en/partnerEvent/event_schedule_list
Training Events
For full detailed information about an event click on the ‘View’ button on the right hand side under ‘View full details’.
Note: Before applying for any training courses listed below, please make sure you are registered to PECB

Training Agenda
ISO/IEC 27701 Training Courses
• ISO/IEC 27701 Foundation: 2 Day Course
• ISO/IEC 27701 Lead Implementer: 5 Day Course
Exam and certification fees are included in the training price.
https://pecb.com/en/education-and-certification-for-individuals/iso-27701
www.pecb.com/events
THANK YOU
Q & A
CyberMinute: info@cyberminute.com
Stefan Mathuvis: stefan@qma.be

DORA, ISO/IEC 27005, and the Rise of AI: Securing the Future of CybersecurityDORA, ISO/IEC 27005, and the Rise of AI: Securing the Future of Cybersecurity
DORA, ISO/IEC 27005, and the Rise of AI: Securing the Future of Cybersecurity
 
Securing the Future: ISO/IEC 27001, ISO/IEC 42001, and AI Governance
Securing the Future: ISO/IEC 27001, ISO/IEC 42001, and AI GovernanceSecuring the Future: ISO/IEC 27001, ISO/IEC 42001, and AI Governance
Securing the Future: ISO/IEC 27001, ISO/IEC 42001, and AI Governance
 
ISO/IEC 27032, ISO/IEC 27002, and CMMC Frameworks - Achieving Cybersecurity M...
ISO/IEC 27032, ISO/IEC 27002, and CMMC Frameworks - Achieving Cybersecurity M...ISO/IEC 27032, ISO/IEC 27002, and CMMC Frameworks - Achieving Cybersecurity M...
ISO/IEC 27032, ISO/IEC 27002, and CMMC Frameworks - Achieving Cybersecurity M...
 
ISO/IEC 27001 and ISO/IEC 27035: Building a Resilient Cybersecurity Strategy ...
ISO/IEC 27001 and ISO/IEC 27035: Building a Resilient Cybersecurity Strategy ...ISO/IEC 27001 and ISO/IEC 27035: Building a Resilient Cybersecurity Strategy ...
ISO/IEC 27001 and ISO/IEC 27035: Building a Resilient Cybersecurity Strategy ...
 
ISO/IEC 27001 and ISO/IEC 27005: Managing AI Risks Effectively
ISO/IEC 27001 and ISO/IEC 27005: Managing AI Risks EffectivelyISO/IEC 27001 and ISO/IEC 27005: Managing AI Risks Effectively
ISO/IEC 27001 and ISO/IEC 27005: Managing AI Risks Effectively
 
Aligning ISO/IEC 27032:2023 and ISO/IEC 27701: Strengthening Cybersecurity Re...
Aligning ISO/IEC 27032:2023 and ISO/IEC 27701: Strengthening Cybersecurity Re...Aligning ISO/IEC 27032:2023 and ISO/IEC 27701: Strengthening Cybersecurity Re...
Aligning ISO/IEC 27032:2023 and ISO/IEC 27701: Strengthening Cybersecurity Re...
 
ISO/IEC 27001 and ISO/IEC 27032:2023 - Safeguarding Your Digital Transformation
ISO/IEC 27001 and ISO/IEC 27032:2023 - Safeguarding Your Digital TransformationISO/IEC 27001 and ISO/IEC 27032:2023 - Safeguarding Your Digital Transformation
ISO/IEC 27001 and ISO/IEC 27032:2023 - Safeguarding Your Digital Transformation
 
Managing ISO 31000 Framework in AI Systems - The EU ACT and other regulations
Managing ISO 31000 Framework in AI Systems - The EU ACT and other regulationsManaging ISO 31000 Framework in AI Systems - The EU ACT and other regulations
Managing ISO 31000 Framework in AI Systems - The EU ACT and other regulations
 
Impact of Generative AI in Cybersecurity - How can ISO/IEC 27032 help?
Impact of Generative AI in Cybersecurity - How can ISO/IEC 27032 help?Impact of Generative AI in Cybersecurity - How can ISO/IEC 27032 help?
Impact of Generative AI in Cybersecurity - How can ISO/IEC 27032 help?
 
GDPR and Data Protection: Ensure compliance and minimize the risk of penaltie...
GDPR and Data Protection: Ensure compliance and minimize the risk of penaltie...GDPR and Data Protection: Ensure compliance and minimize the risk of penaltie...
GDPR and Data Protection: Ensure compliance and minimize the risk of penaltie...
 
How Can ISO/IEC 27001 Help Organizations Align With the EU Cybersecurity Regu...
How Can ISO/IEC 27001 Help Organizations Align With the EU Cybersecurity Regu...How Can ISO/IEC 27001 Help Organizations Align With the EU Cybersecurity Regu...
How Can ISO/IEC 27001 Help Organizations Align With the EU Cybersecurity Regu...
 
Student Information Session University KTMC
Student Information Session University KTMC Student Information Session University KTMC
Student Information Session University KTMC
 
Integrating ISO/IEC 27001 and ISO 31000 for Effective Information Security an...
Integrating ISO/IEC 27001 and ISO 31000 for Effective Information Security an...Integrating ISO/IEC 27001 and ISO 31000 for Effective Information Security an...
Integrating ISO/IEC 27001 and ISO 31000 for Effective Information Security an...
 
Student Information Session University CREST ADVISORY AFRICA
Student Information Session University CREST ADVISORY AFRICA Student Information Session University CREST ADVISORY AFRICA
Student Information Session University CREST ADVISORY AFRICA
 
IT Governance and Information Security – How do they map?
IT Governance and Information Security – How do they map?IT Governance and Information Security – How do they map?
IT Governance and Information Security – How do they map?
 
Information Session University Egybyte.pptx
Information Session University Egybyte.pptxInformation Session University Egybyte.pptx
Information Session University Egybyte.pptx
 
Student Information Session University Digital Encode.pptx
Student Information Session University Digital Encode.pptxStudent Information Session University Digital Encode.pptx
Student Information Session University Digital Encode.pptx
 
Cybersecurity trends - What to expect in 2023
Cybersecurity trends - What to expect in 2023Cybersecurity trends - What to expect in 2023
Cybersecurity trends - What to expect in 2023
 
ISO 28000:2022 – Reduce risks and improve the security management system
ISO 28000:2022 – Reduce risks and improve the security management systemISO 28000:2022 – Reduce risks and improve the security management system
ISO 28000:2022 – Reduce risks and improve the security management system
 

Recently uploaded

Activity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdfActivity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdf
ciinovamais
 
Spellings Wk 3 English CAPS CARES Please Practise
Spellings Wk 3 English CAPS CARES Please PractiseSpellings Wk 3 English CAPS CARES Please Practise
Spellings Wk 3 English CAPS CARES Please Practise
AnaAcapella
 
1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi  6.pdf1029-Danh muc Sach Giao Khoa khoi  6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdf
QucHHunhnh
 
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in DelhiRussian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
kauryashika82
 
Seal of Good Local Governance (SGLG) 2024Final.pptx
Seal of Good Local Governance (SGLG) 2024Final.pptxSeal of Good Local Governance (SGLG) 2024Final.pptx
Seal of Good Local Governance (SGLG) 2024Final.pptx
negromaestrong
 

Recently uploaded (20)

SKILL OF INTRODUCING THE LESSON MICRO SKILLS.pptx
SKILL OF INTRODUCING THE LESSON MICRO SKILLS.pptxSKILL OF INTRODUCING THE LESSON MICRO SKILLS.pptx
SKILL OF INTRODUCING THE LESSON MICRO SKILLS.pptx
 
Mehran University Newsletter Vol-X, Issue-I, 2024
Mehran University Newsletter Vol-X, Issue-I, 2024Mehran University Newsletter Vol-X, Issue-I, 2024
Mehran University Newsletter Vol-X, Issue-I, 2024
 
Introduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The BasicsIntroduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The Basics
 
How to Give a Domain for a Field in Odoo 17
How to Give a Domain for a Field in Odoo 17How to Give a Domain for a Field in Odoo 17
How to Give a Domain for a Field in Odoo 17
 
Food safety_Challenges food safety laboratories_.pdf
Food safety_Challenges food safety laboratories_.pdfFood safety_Challenges food safety laboratories_.pdf
Food safety_Challenges food safety laboratories_.pdf
 
UGC NET Paper 1 Mathematical Reasoning & Aptitude.pdf
UGC NET Paper 1 Mathematical Reasoning & Aptitude.pdfUGC NET Paper 1 Mathematical Reasoning & Aptitude.pdf
UGC NET Paper 1 Mathematical Reasoning & Aptitude.pdf
 
Activity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdfActivity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdf
 
ICT role in 21st century education and it's challenges.
ICT role in 21st century education and it's challenges.ICT role in 21st century education and it's challenges.
ICT role in 21st century education and it's challenges.
 
Sociology 101 Demonstration of Learning Exhibit
Sociology 101 Demonstration of Learning ExhibitSociology 101 Demonstration of Learning Exhibit
Sociology 101 Demonstration of Learning Exhibit
 
Spatium Project Simulation student brief
Spatium Project Simulation student briefSpatium Project Simulation student brief
Spatium Project Simulation student brief
 
Spellings Wk 3 English CAPS CARES Please Practise
Spellings Wk 3 English CAPS CARES Please PractiseSpellings Wk 3 English CAPS CARES Please Practise
Spellings Wk 3 English CAPS CARES Please Practise
 
ICT Role in 21st Century Education & its Challenges.pptx
ICT Role in 21st Century Education & its Challenges.pptxICT Role in 21st Century Education & its Challenges.pptx
ICT Role in 21st Century Education & its Challenges.pptx
 
On National Teacher Day, meet the 2024-25 Kenan Fellows
On National Teacher Day, meet the 2024-25 Kenan FellowsOn National Teacher Day, meet the 2024-25 Kenan Fellows
On National Teacher Day, meet the 2024-25 Kenan Fellows
 
Dyslexia AI Workshop for Slideshare.pptx
Dyslexia AI Workshop for Slideshare.pptxDyslexia AI Workshop for Slideshare.pptx
Dyslexia AI Workshop for Slideshare.pptx
 
Application orientated numerical on hev.ppt
Application orientated numerical on hev.pptApplication orientated numerical on hev.ppt
Application orientated numerical on hev.ppt
 
1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi  6.pdf1029-Danh muc Sach Giao Khoa khoi  6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdf
 
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in DelhiRussian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
 
Grant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy ConsultingGrant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy Consulting
 
Accessible Digital Futures project (20/03/2024)
Accessible Digital Futures project (20/03/2024)Accessible Digital Futures project (20/03/2024)
Accessible Digital Futures project (20/03/2024)
 
Seal of Good Local Governance (SGLG) 2024Final.pptx
Seal of Good Local Governance (SGLG) 2024Final.pptxSeal of Good Local Governance (SGLG) 2024Final.pptx
Seal of Good Local Governance (SGLG) 2024Final.pptx
 

Key Data Privacy Roles Explained: Data Protection Officer, Information Security Manager, and Information Security Auditor

2. Agenda
• Introduction
• Why role separation?
• From the news…
• Considering the CISO, DPO & Auditor roles
• Combining CISO and DPO
• Q & A

4. Peter Geelen (CyberMinute)
My experience
• 20+ years experience in security
• Enterprise Security & IAM
• Cybersecurity
• Data Protection & Privacy
• Incident management, Disaster Recovery
• Trainer, coach, auditor
Certification
• ISO27001 Master & Lead ISO27002
• ISO27701 Lead Impl. & Lead Auditor
• Certified DPO & Fellow In Privacy
• Lead Incident Mgr & Disaster Recovery
• ISO27032 Sr. Lead Cybersecurity Mgr
• Lead ISO27005 (Risk Mgmt)
Accreditation
• Accredited ISO27001/9001 Lead auditor
• Accredited Security Trainer
More info (LinkedIn): https://ffwd2.me/pgeelen
http://www.cyberminute.com
peter@cyberminute.com

5. Stefan Mathuvis (QMA)
My experience
• 20 years experience in security
• Quality Management
• Quality Auditor
• Cybersecurity
• Security, Data Protection & Privacy
• Trainer, coach, auditor
Certification
• ISO27001 Lead Auditor
• ISO9001 Lead Auditor
• Lead auditor ESD & GDP Pharma
• Lead auditor GQS
• CDPO
• Master trainer DGQ
Accreditation
• Accredited ISO27001 lead auditor
• Accredited 9001 Lead auditor
More info (LinkedIn): https://ffwd2.me/stefan
http://www.qma.be
Stefan@qma.be

7. What it was… (before GDPR)
We’re used to … lots of CISO, a bit of privacy and audit.
In many cases, when companies think “security”, they point to IT to manage it…
• CISO aka “security officer” securing IT operations
• Legal department for damage control
• Business... Eh… do their own thing, little concern for security if everything goes well
• Security = cost, not benefit
• Privacy or “data protection” wasn’t really part of the business driver (except for some sensitive data areas like health…)

8. Since 2008 (financial crisis)…
Various roles and functions kicked in…
• Security manager, security officer, CSO, CISO, CDO…
• DPO, data protection manager, …
• CPO, privacy officer, privacy manager, …
• Data security, privacy, data privacy, …
• Internal auditor, external auditor
• GRC, compliance officer
• Risk manager, risk officer, …
• Legal officer, …

9. But in reality…
Role separation is not that simple
• There is no exact prescription or guidance on how to do it in YOUR specific situation
• Each role requires specific expertise, knowledge and experience
• The company organization, hierarchy or organigram hinders the required role delegation
• In many cases a reorganization is required to support security and data protection implementation…

10. But in reality…
Organizing security governance is difficult, because
• … people HATE change and
• … people feel threatened (losing their job)
• … management only sees the costs (not the benefits)
• … the organization is “too small”
• … conflicts of interest
• … lack of expertise and experience
• … lack of courage (to speak up, to make the change…)

11. From the news… last few weeks

12. GDPR in the news (DPO issues)
Source: https://www.dataguidance.com/news/belgium-belgian-dpa-issues-%E2%82%AC50000-fine-organisation-dpo-appointment-violation
Source: https://www.enforcementtracker.com/

13. CISO, risk manager, GRC officer… issues
Source: https://www.fieldfisher.com/en/services/privacy-security-and-information/privacy-security-and-information-law-blog/heads-of-compliance-legal-step-down-as-dpo

14. Happy CISO?
Source (NL): https://www.security.nl/posting/660081/It-bedrijf+moet+schade+door+ransomware+bij+klant+grotendeels+vergoeden (jun 2020)
IT company has to largely compensate customer damage from ransomware

15. Considering CISO, DPO and auditor roles
Untangling security & DP governance

16. Today’s focus
The Information security & Data protection basics
Getting started with
• Information Security management (aka CISO)
• DPO role in data protection management & GDPR
• Information security audit (both internal and external)

17. Some definitions (1)
The Information security & Data protection basics
CISO
• Responsible for enterprise information security management
• Focus on company obligations
• Company internal (even with CISO as a service)
DPO
• Data protection officer
• Main tasks & responsibility definition in GDPR
• Focus on data subject rights

18. Some definitions (2)
The Information security & Data protection basics
Auditor (*)
• See ISO for definition of tasks and responsibilities
• Compliance control
• Not only “policing”, but also advisory and pushing continuous improvement
• Internal Audit (company)
• External Audit (certification)
(*) Focus on Information Security audit (not financial, …)

20. GDPR & DPO designation requirement
Art. 37 (1): Designation of the data protection officer
1. The controller and the processor shall designate a data protection officer in any case where:
a) the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
b) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
c) the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 and personal data relating to criminal convictions and offences referred to in Article 10.

21. DPO qualification
Art. 37 (5): Designation of the data protection officer
5. The data protection officer shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39.

22. DPO in hierarchy?
Art 37 (6)
“6. The data protection officer may be a staff member of the controller or processor, or fulfil the tasks on the basis of a service contract”

23. DPO tasks
GDPR Art 39: Tasks of the data protection officer
1. The data protection officer shall have at least the following tasks:
a) to inform and advise the controller or the processor and the employees who carry out processing of their obligations pursuant to this Regulation and to other Union or Member State data protection provisions;
b) to monitor compliance with this Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including
• the assignment of responsibilities,
• awareness-raising and
• training of staff involved in processing operations, and
• the related audits;
c) to provide advice where requested as regards the data protection impact assessment and monitor its performance pursuant to Article 35;
d) to cooperate with the supervisory authority;
e) to act as the contact point for the supervisory authority on issues relating to processing, including the prior consultation referred to in Article 36, and to consult, where appropriate, with regard to any other matter.
2. The data protection officer shall in the performance of his or her tasks have due regard to the risk associated with processing operations, taking into account the nature, scope, context and purposes of processing.

24. NOT the DPO tasks
What’s NOT the responsibility of the DPO?
• Organizing information security
• Organizing data protection
• Accountability for data breaches
• Risk management & risk assessment
• Implementing security/data protection/privacy by design
• …

25. The ideal DPO?
What qualifications you need to do the job
• Business expertise
• Know the business and your company
• Legal expertise
• Legal & regulatory insights
• Compliance
• Audit & GRC
• Data protection
• Information security
• Current state of protection, ref. state-of-the-art security techniques

26. The ideal DPO?
But also needs…
• Incident management, business continuity, disaster recovery…
• Soft skills
• Management skills
• Project management skills
• Communication
• Education
• Authority
• Behavioral skills (handling the human bad practices …)

27. The ideal DPO?
Consider
• DPO office
• An expert for each function or task
• External support for certain tasks
• …

28. DPO attention points
From WP29 guidelines
• If you’re not sure you need a DPO, assign a DPO
• Involvement of the DPO in all issues related to data protection
• Necessary resources (see ideal DPO)
• Acting in an independent manner
• Dismissal or penalty for performing DPO tasks
• Conflict of interests
• Data processing by the DPO when executing tasks… (!)

29. Internal or external DPO
Some considerations

30. Internal DPO
Pros and cons
Advantages
• Knowing the company
• Direct impact
• Connection to management
• Internal multi-discipline team support
• Availability
Disadvantages & risks
• Conflict of interest (being an employee)
• Lack of authority
• Data protection vs information security

31. External DPO
Pros and cons
Advantages
• Authority as expert
• DPO office (knowledge coverage)
• External view
Disadvantages & risks
• Lack of knowledge on company internals
• Availability
• Accountability
• Data management & transfers (processing contract!)

32. CISO
Up or down the tree of hierarchy?

33. Power of hierarchy
What’s in a name?
• SO or ISO?
• CSO or CISO?
• Information security or IT security?
What options do you have in the hierarchy?
• Operational Information Security Officer (not “C”)
• Departmental CISO
• C-level security officer (CSO or CISO)
Choice of department
• Security
• Risk
• IT
• Business
• …

34. Some options (with pros and cons)
Main position level choices
• Strategic
  • C-level
  • Board-level
  • Upper management
• Tactical
  • Department level
• Operational
  • IT security
  • Practical

35. Some options (with pros and cons)
Traditional approach (from IT)
Source: PECB ISO27002 Lead implementer

36. Some options (with pros and cons)
Traditional approach (from business)
Source: PECB ISO27002 Lead implementer

37. Some options (with pros and cons)
Other organizational options
Source: PECB ISO27002 Lead implementer
• GRC team
• Compliance
• Risk
• CSO Office
• Security Office
• Internal Audit
• Operational security (non-IT)
• …

38. CISO attention points
No strict governance guidelines or rules
• Current drive for security by design (ref. ISO27001, PCI-DSS, GDPR, ISO27701, …)
• But no GDPR or direct regulatory requirement to have a CISO
• Security vs performance vs budget
• Necessary resources to do the job
• Conflict of interests
• Acting in an independent manner (?)
• Dismissal or penalty for performing CISO tasks (integrity)
• DPO (subject interests) vs CISO (company interests)

39. Combining CISO and DPO
Always trouble?

40. WP29/EDPB advisory
Guidelines on DPOs
• Guidelines on Data Protection Officers (‘DPOs’) https://ec.europa.eu/information_society/newsroom/image/document/2016-51/wp243_en_40855.pdf?wb48617274=CD63BD9A
• WP243 Annex – FAQ https://ec.europa.eu/information_society/newsroom/image/document/2016-51/wp243_annex_en_40856.pdf

41. WP29/EDPB advisory
Good practice advice for DP/DC
“Depending on the activities, size and structure of the organisation, it can be good practice for controllers or processors:
• to identify the positions which would be incompatible with the function of DPO
• to draw up internal rules to this effect in order to avoid conflicts of interests
• to include a more general explanation about conflicts of interests
• to declare that their DPO has no conflict of interests with regard to its function as a DPO, as a way of raising awareness of this requirement
• to include safeguards in the internal rules of the organisation and
• to ensure that the vacancy notice for the position of DPO or the service contract is sufficiently precise and detailed in order to avoid a conflict of interests. In this context, it should also be borne in mind that conflicts of interests may take various forms depending on whether the DPO is recruited internally or externally.”

42. Attention point
Segregation of duties
Do NOT combine
• DPO
• Management function
You CAN combine (with due diligence)
• DPO
• Security operations

43. Attention point
Identify conflicts of interest
Segregation of duties vs team/company size
• When IS/DP is handled by a single person or a small team, a conflict of interest will arise (by default)
• Add policy/process/procedure to maintain due diligence
Important difference (identify tasks!)
• DPO
• Management functions
• Operational security / data protection functions

44. ISMS audit roles
Audit, advisory & consulting?

45. What is audit about?
Goals
• Compliance check
• Keeping security in line with the business
• Continuous improvement
Types of audit
• Internal
• External

46. Why is this important?
Auditor vs implementer (from previous sessions)
• If you know how the audit works, you know better what to implement
• Both in the right spirit
• Results based, not checklist based
• Growth mindset
• Not perfect at the first step
• Better done than perfect
• Think big, act small…

47. The auditor view helps to…
• The audit cycle pushes the implementation of PDCA
• Continuous improvement
• Step by step
• Have an independent / external view
• Keep the helicopter view, with a good relation between
  • Business
  • IT
  • DPO
  • Legal

48. Some practical hints
• Include audit considerations from the start
• Involve audit throughout the project
• Internal audit vs external audit
• External audit
  • mostly end stage (before you restart the cycle)
  • Certification target
• Internal audit
  • Separate department
  • Why not cross check? (cross-department)
  • External auditor (but still under the authority of the data controller)

49. Some practical hints
• Look at the external auditor as an advisor
  • Not a checklist dummy
  • [NOT a consultant ;) ]
• Watch out for conflicts of interest
  • Auditor -> general advice
  • Advice <> consultancy (specific, targeted advice)
• Guidelines
  • ISO27006 (ISO27001 auditor guidance)
  • ISO17021 (audit the auditor, general)

50. Auditor – Conflicts of interest
ISO27006 5.2.1
Certification bodies may carry out the following duties without them being considered as consultancy or having a potential conflict of interest:
a) arranging and participating as a lecturer in training courses, provided that, where these courses relate to information security management, related management systems or auditing, certification bodies shall confine themselves to the provision of generic information and advice which is publicly available, i.e. they shall not provide company-specific advice which contravenes the requirements of b) below;

51. Auditor – Conflicts of interest
ISO27006 5.2.1
b) making available or publishing on request information describing the certification body’s interpretation of the requirements of the certification audit standards (see 9.1.3.6);
c) activities prior to audit, solely aimed at determining readiness for certification audit; however, such activities shall not result in the provision of recommendations or advice that would contravene this clause and the certification body shall be able to confirm that such activities do not contravene these requirements and that they are not used to justify a reduction in the eventual certification audit duration;
d) performing second and third-party audits according to standards or regulations other than those being part of the scope of accreditation;
e) adding value during certification audits and surveillance visits, e.g. by identifying opportunities for improvement, as they become evident during the audit, without recommending specific solutions.
The certification body shall not provide internal information security reviews of the client’s ISMS subject to certification. Furthermore, the certification body shall be independent from the body or bodies (including any individuals) which provide the internal ISMS audit.

52. Auditor – Conflicts of interest
ISO17021 5.2 Management of impartiality
5.2.1 Conformity assessment activities shall be undertaken impartially. The certification body shall be responsible for the impartiality of its conformity assessment activities and shall not allow commercial, financial or other pressures to compromise impartiality.
5.2.3 The certification body shall have a process to identify, analyse, evaluate, treat, monitor, and document the risks related to conflict of interests arising from provision of certification including any conflicts arising from its relationships on an ongoing basis. Where there are any threats to impartiality, the certification body shall document and demonstrate how it eliminates or minimizes such threats and document any residual risk.

53. Auditor – Conflicts of interest
ISO17021 5.2 Management of impartiality
5.2.10 In order to ensure that there is no conflict of interests, personnel who have provided management system consultancy, including those acting in a managerial capacity, shall not be used by the certification body to take part in an audit or other certification activities if they have been involved in management system consultancy towards the client. A recognized mitigation of this threat is that personnel shall not be used for a minimum of two years following the end of the consultancy.

54. Remember the ISO audit lifecycle…
Initial audit
• “Get in control”
• Passing the mark
• Basic maturity (ref. CMMI … level 3)
• Room for growth and maturity
Surveillance audit (1 yr) + recertification (3 yr)
• “Stay in control”
• Focus on improvement
• Increasing maturity
• Based on metrics and measurement…

56. EDPB (aka WP29) on DPO
Important
• FAQ
  • https://ec.europa.eu/information_society/newsroom/image/document/2016-51/wp243_annex_en_40856.pdf
• Guidelines on Data Protection Officers ('DPOs'), wp243rev.01_en
  • https://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=612048
• Available language versions
  • http://ec.europa.eu/newsroom/just/document.cfm?doc_id=48137

57. Relevant PECB Training courses
Ramping up…

58. PECB Training Agenda
Check the PECB agenda, select the ISO/IEC 27701 Lead Implementer
https://pecb.com/en/partnerEvent/event_schedule_list
Training Events
For full detailed information about an event click on the ‘View’ button on the right hand side under ‘View full details’.
Note: Before applying for any training courses listed below, please make sure you are registered to PECB

59. ISO/IEC 27701 Training Courses
• ISO/IEC 27701 Foundation 2-Day Course
• ISO/IEC 27701 Lead Implementer 5-Day Course
Exam and certification fees are included in the training price.
https://pecb.com/en/education-and-certification-for-individuals/iso-27701
www.pecb.com/events