TECH: Mapping controls in data privacy/information security

Trust, but verify.” That’s a Russian proverb that has been used in various business facets. The phrase is self-explanatory. One can trust but one should also take further steps to verify truths.
In the information and data privacy space, the phrase has gained prominence. If company XYZ claims that after one-year, particular datasets will be wiped away from their web servers, we can trust it will happen.
Controls define required outcomes. They come in various forms. They can be implemented through procedures, mechanisms, systems, policies, and any other measure designed to reduce risks.
For example, a company stops their admin staff from processing customer bank details or having access to it. That is a form of implementing controls. Companies use controls to avoid risky outcomes or meet desires.
The best form of mapping controls in data privacy is to first define the control objectives. Without understanding the desired outcomes mapping controls becomes a futile exercise. An example of a control objective might be to sanction certain personnel within an organisation from having access to personal information or compliance with regulations and other legal obligations.
By teasing out these control objectives the company can decipher the resources required whether an IT system needs consistent monitoring or what to do when there is an interruption to business activity.
Organisations should find control frameworks that fits their operations. After choosing the control framework that works for the organisation, there needs to be a risk assessment to have a full picture of the risks that controls will address.
Usually, in a data privacy mapping assessment, a privacy professional can find out the existing risks within an organisation and which will lead to the next phase of control implementation. One of the most important aspects of designing a control framework is designing the controls.
The privacy or information security manager with other stakeholders in charge of business functions must design the activities that should occur when the controls are implemented. Sometimes, there might be a need to create mock scenarios to test the validity of the controls before they are launched. Designing controls will require some of these elements: auditing structures and changing cumbersome procedures.
Then we move to the control implementation phase. If the controls designed are not implemented, then what is the need of designing a control? One of the reasons for mapping controls is to see the end and know where the company would be after certain procedures, changed procedures or new business records are implemented.
Any change in any business will impact the business and therefore needs great care so that the business activities don’t come to a halt. If a bank’s critical function is affected because of new controls implemented, then that is a failed control implementation. Therefore, the privacy professional must consider business as usual activities while control implementation takes place. Now, what happens after the controls have been implemented? Most stakeholders often think that after controls have been implemented, they can put their legs up and relax.
But the game of information security needs constant monitoring. There needs to be monitoring of controls. In the absence of monitoring, there won’t be ways to find out if the controls are operated in the “organisational agreed manner”.
After monitoring, the organisation must assess their controls. There needs to be security review, internal and external audit and carry out surveys to find out how the controls are doing.
Mapping controls play an important part in fostering information security and data protection in any organisation. As such, privacy professionals and information security personnel must map controls to fit the structures and business missions of their company.