Basic Structure for 29190

Information technology – Security techniques –

Privacy capability assessment model*

Introduction

The aim of this document is to provide organizations with high-level guidance about how to assess the level of their ability (capability) to manage and achieve privacy-related outcomes and, potentially, compliance with privacy and data protection legislation and relevant good practice. The document focuses on an approach to assessing the efficiency of the privacy-related processes used by organizations.

One challenge in formulating such guidance is that the issue of privacy management is a multi-faceted one:

● the decision support information useful to a senior executive in formulating and executing privacy strategy is different from the decision support useful to operational and line-of-business staff – even though their various activities may all ultimately be directed towards the same goal;

● there are likely to be multiple “privacy stakeholders” (that is, parties who have an interest in the way the organization in question manages privacy); those stakeholders may impose very different requirements – for example, driven by legal and regulatory compliance requirements, but also by an inter-related group of “good practice” factors such as policy, code-of-conduct, business risk, audit, personal privacy, reputational and/or financial imperatives.

This broader, good practice context is important because it is perfectly possible for an organization to meet its legal/regulatory compliance obligations and still suffer significant damage if it fails to address the requirements of the other stakeholders. An assessment of the organization's capabilities in this area, then, will have to meet two principal sets of criteria:

  1. It must provide the organization with information which is useful to the appropriate level or levels of management;
  2. It should cater for the fact that “capability” needs to be assessed in many different domains (legal compliance, risk management, reputation and so on).

This document is aimed at those individuals responsible for directing, managing and operating an organization's privacy management capabilities, or those responsible for advising that stakeholder group. As indicated above, that implies that the capability model will consider multiple kinds of privacy stakeholder requirement, and will result in guidance to multiple levels of readership, from enterprise strategists to operational and line-of-business managers.

However, this document is not intended as a comprehensive manual for each identified set of stakeholder requirements. The Capability Assessment Model, then, should be seen as a first step in a longer process. That first step should be aimed at producing a “snapshot” (assessment) of the organisation's current capabilities in the area of privacy.

(Ed: Note regarding rationale of title change, to be removed before publication):

There are many ways in which an organization might choose to make use of such a snapshot in guiding its future decisions and actions. As indicated in the Introduction above, the Capability Assessment Model might be a prelude to the definition of formal assessment criteria, assessment programmes, assessment services, audit etc., and thence also to equivalent models for Management, as opposed to Assessment.

Placeholder for potential edit and insertion later:

In other words, 29190 as a whole has the potential to guide organisations towards the production of several different kinds of output:

● an over-all “score” against a simple capability assessment such as the six-level model above;

● a set of metrics indicating assessment against key performance indicators in areas such as those listed under (6.2) and in section 7;

● the detailed outputs from audit and management disciplines in specific areas of privacy and data management (for instance, assessment against data protection criteria, data custody best practice, and so on).

1 Scope

This International Standard provides organizations with high-level guidance about how to assess their capability to achieve privacy-related outcomes.

In particular, it:

● specifies a set of capability levels for privacy capability assessment

● specifies key functional areas against which privacy capability should be assessed (legal compliance, stakeholder expectations, risk to the organization)

● provides guidance on how to map the levels of assessment onto an enterprise privacy capability model

2 Normative references

The following referenced documents are indispensable for the application of this document.

ISO/IEC 29100 – Information technology – Security techniques – Privacy Framework [1]

ISO/IEC 29101 – Information technology – Security techniques – Privacy Reference Architecture [2]

ISO 15504-1:2004 – Information Technology – Process Assessment – Concepts and vocabulary

ISO 15504-3:2003 – Information Technology – Process Assessment – Guidance on performing an assessment

ISO 15504-4:2004 – Information Technology – Process Assessment – Guidance on use for process improvement and process capability determination

The following are non-normative but have been heavily used in producing this draft:

ITSM Portal:

30th August 2011

accessed 30th August 2011

3 Terms and definitions

For the purposes of this document, the terms and definitions given in ISO/IEC apply.

S-Curve – [Ed: definition to follow if the term remains in the text]

[Ed: Additional new terms and definitions may be introduced as the drafts develop.]

4 Symbols and abbreviated terms

KPA Key Process Area (Ed: not sure we should use this – and have not in the revised draft – as it is used in the maturity model and therefore may be subject to copyright)

[Ed: To be populated as the drafts develop]

5 Privacy capability assessment models

ISO/IEC 15504 offers a reference model consisting of process attributes that further consist of generic practices. The information collected during assessments is placed against this model in order to determine a relative capability. [Figure 1 description taken largely from the Wikipedia ref]

Figure 1: Generic Reference Model

Privacy capability assessment assumes a cycle of continuous improvement, as shown in the following figure. The resulting privacy capability assessment lifecycle applies the generic model from ISO/IEC 15504.

Figure 2: Lifecycle of Privacy Capability Assessment

6 Requirements for process assessment for privacy capability

6.1 Introduction

In the current global environment, there is a tendency towards collection, use, disclosure and retention of more and more personal information, for purposes ranging from national security and law enforcement to support for business operations. As is evident from the almost daily notification of privacy breaches, much more work is required on the part of organizations to adequately protect the personal information that they are collecting, using, disclosing and retaining, as required by relevant legislation and regulation. One way to develop and refine an organization’s processes is to begin with an assessment of their existing capabilities in this area. Performing a process assessment in the privacy domain typically involves the following activities:

  • Define a process assessment model
  • Identify organizational privacy contexts and target capability
  • Identify the privacy-related processes supporting the privacy contexts
  • Prepare criteria for information collection from the targeted processes
  • Collect and analyse information from privacy-related processes
  • Rate the current process’s capability
  • Determine sub-optimal processes
  • Proposals for changing processes
  • Modify processes

An optional additional subsequent action is to map the capability determination to a scale taken from an authoritative maturity model, to assist in goal setting, comparative analysis, and continual improvement strategies.

Each of these activities is detailed below.

6.2 Define process assessment model

A process assessment is a disciplined evaluation of an organizational unit’s processes against a process assessment model. A process assessment aims to determine how well the processes in current practice are performing relative to their goals, and to locate areas of weakness.

A capability assessment model [such as is defined by ISO 15504] is a structured collection of elements that describe the characteristics of effective processes. In the form documented by ISO 15504, the model allows an organization to rate its processes on the following capability scale: [the actual chart comes from ITSM]

With profiling, the model can be used to assess how mature an organization is with respect to, for instance, protecting personal information as required by relevant legislation and regulation. A maturity model can also be used as a benchmark for comparing different organizations where there is something that can be used as a basis for comparison. For the purposes of this document, the basis for comparison would be the organizations’ processes for handling personal information in a manner compliant with legislation, regulation and relevant good practice.

This capability model provides a layered framework offering a progression towards the discipline needed to engage in continuous improvement. It is important to note that an organization develops the ability to assess the impact of a new practice, technology or tool on its business activities. Hence it is not simply a matter of adopting these; rather it is a matter of determining how innovative efforts influence existing practices.

This empowers projects, teams, and organizations by giving them the foundation to support reasoned choice.

6.3 Identify the organizational privacy contexts and target capability

This activity identifies a cluster of related activities which, when performed collectively, achieve a set of privacy-related outcomes considered important. These contexts offer a focus for applying the target capability states that must exist for that context to have been implemented in an effective and lasting way. The extent to which the contexts have been accomplished is an indicator of how much capability the organization has established at that maturity level. The contexts signify the scope, boundaries and intent of each privacy-related process.

There are numerous approaches to assembling these contexts and it is outside the scope of this standard to prescribe a single approach. However, to help readers better understand this requirement, two examples of possible approaches are shown below:

A context approach:

  • conceptual framework
  • legal context
  • implementation readiness
  • process readiness
  • regulatory and compliance criteria
  • adoption culture/behaviour

A business function approach:

  • Inventory. The organization's understanding of its processing of personal information, including its accounting of the processes, systems, databases, and third parties involved with processing personal information.
  • Policy. The corporate and business unit policies over privacy and the use (from collection to destruction) and protection of personal information.
  • Governance. The roles and responsibilities for managing the use and protection of personal information at the corporate and business unit levels.
  • Risk Management. An approach for managing privacy risk and business compliance across the organization, addressing the use of technologies, and dealing with the trans-border and multi-jurisdictional challenges.
  • Procedures & Controls. Procedures and controls to actively enforce policy and other compliance obligations, and monitoring of those procedures and controls to ensure they remain intact and effective.
  • Information Security. Managing the confidentiality, integrity, and availability of personal information and the related information technology used to collect, use, transfer, retain, and destroy the information.
  • Third Party Management. Third party risk management processes that account for privacy, including performing due diligence during the selection process, putting controls in place—both contractually and for the secure transfer of the information—and building a solid basis of confidence that the third parties using the personal information can protect it and govern its use.
  • Compliance. The company's program to manage compliance with policy, regulations, and other obligations around the use and protection of personal information.
  • Incident Management. The process, documented in a comprehensive plan, which provides an effective and orderly response to incidents and potential incidents involving personal information.
  • Training & Awareness. General and tailored training related to the organization’s use and protection of personal information, supported by an ongoing awareness program and related guidance.

Apply the contexts against a target maturity

Table: Target Capability Level (one row per context from the business function approach above; the columns are the six capability levels)

Context                | Incomplete | Performed | Managed | Established | Predictable | Optimising
-----------------------+------------+-----------+---------+-------------+-------------+-----------
Inventory              |            |           |         |             |             |
Policy                 |            |           |         |             |             |
Governance             |            |           |         |             |             |
Risk Management        |            |           |         |             |             |
Procedures & Controls  |            |           |         |             |             |
Information Security   |            |           |         |             |             |
3rd Party Management   |            |           |         |             |             |
Compliance             |            |           |         |             |             |
Incident Management    |            |           |         |             |             |
Training & Awareness   |            |           |         |             |             |

6.4 Identify the privacy-related processes supporting the contexts

The key processes supporting the contexts in 6.3 encapsulate the infrastructure, processes and procedures that are designed to contribute to the implementation and institutionalization of the privacy-related operational goals.

An example of the privacy-related processes that could be applied are the privacy principles enshrined in a jurisdiction’s legislation [or phases in the data processing lifecycle such as those discussed in ISO 29101]:

  • Consent
  • Collection
  • Transfer
  • Use
  • Storage
  • Accountability
  • Audit
  • Archival
  • Disposal.

6.5 Prepare criteria for information collection from the targeted processes

A list of questions etc etc etc (check AFNOR comment FR4 in N8750 Attachment 1 to determine if it is applicable here). Text to be provided

6.6 Collect and analyse information from privacy-related processes

ISO 15504-2:2003 provides an approach for this through the use of process attributes, defining nine process attributes:

  • Process Performance
  • Performance Management
  • Work Product Management
  • Process Definition
  • Process Deployment
  • Process Measurement
  • Process Control
  • Process Innovation
  • Process Optimization

Each of the above process attributes consists of generic practices which are manifested as practice indicators XXXXX TO DO … find these XXXXX

6.6 Rate the current process’s capability

ISO 15504-3:2004 provides a four-point rating scale:

  • Not achieved (0% - 15%)
  • Partially achieved (>15% - 50%)
  • Largely achieved (>50% - 85%)
  • Fully achieved (>85% - 100%).

The rating is based upon information collected against the practice indicators, which demonstrate fulfillment of the process attributes. XXXX as above Find these process indicators XXXX
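As an added illustration (not the draft's own text or any tooling of the standard) of how the four-point rating scale above and the target-capability table in 6.3 fit together, the Python below maps achievement percentages onto the N/P/L/F ratings, derives a capability level for each context from its nine attribute ratings, and reports the gap to the context's target level. The grouping of the nine attributes into levels and the level-derivation rule (attributes at level n at least Largely achieved, all lower levels' attributes Fully achieved) are taken from ISO/IEC 15504-2 and are not reproduced in this draft, so they are assumptions here; the sample profile is constructed.

```python
from typing import Dict, List
# Added example, not the draft's. Levels are the 6.3 table headings; the
# attribute grouping and level rule follow ISO/IEC 15504-2 (assumed here).
LEVELS = ["Incomplete", "Performed", "Managed", "Established",
          "Predictable", "Optimising"]
ATTRIBUTES_BY_LEVEL: Dict[int, List[str]] = {
    1: ["Process Performance"],
    2: ["Performance Management", "Work Product Management"],
    3: ["Process Definition", "Process Deployment"],
    4: ["Process Measurement", "Process Control"],
    5: ["Process Innovation", "Process Optimization"],
}

def rate(percent: float) -> str:
    """Map an achievement percentage onto the 15504-3 four-point scale."""
    if not 0 <= percent <= 100:
        raise ValueError(f"achievement must be 0..100, got {percent}")
    if percent <= 15:
        return "N"  # Not achieved (0 - 15%)
    if percent <= 50:
        return "P"  # Partially achieved (>15% - 50%)
    if percent <= 85:
        return "L"  # Largely achieved (>50% - 85%)
    return "F"      # Fully achieved (>85% - 100%)

def capability_level(achievement: Dict[str, float]) -> int:
    """Derive a level 0..5. Rule assumed from ISO/IEC 15504-2: level n needs
    its attributes L or F and all lower levels' attributes F; a missing
    attribute counts as 0% achievement."""
    level = 0
    for n in range(1, 6):
        ratings = [rate(achievement.get(a, 0.0)) for a in ATTRIBUTES_BY_LEVEL[n]]
        if any(r not in ("L", "F") for r in ratings):
            break  # level n not reached
        level = n
        if any(r != "F" for r in ratings):
            break  # level n reached, but climbing further needs all F
    return level

def gap_report(profile: Dict[str, Dict[str, float]],
               target: Dict[str, int]) -> Dict[str, dict]:
    """Compare each 6.3 context's current level with its target level."""
    report = {}
    for ctx, achievement in profile.items():
        cur, tgt = capability_level(achievement), target[ctx]
        report[ctx] = {"current": LEVELS[cur], "target": LEVELS[tgt],
                       "gap": max(tgt - cur, 0)}
    return report

# Constructed sample (not from the draft): two contexts from the 6.3 list.
SAMPLE_PROFILE = {
    "Inventory": {"Process Performance": 95, "Performance Management": 70,
                  "Work Product Management": 60, "Process Definition": 40},
    "Incident Management": {"Process Performance": 50},
}
SAMPLE_TARGET = {"Inventory": 3, "Incident Management": 2}
```

Calling gap_report(SAMPLE_PROFILE, SAMPLE_TARGET) places Inventory at Managed against a target of Established, and Incident Management at Incomplete (a Partially achieved Process Performance attribute does not reach Performed) against a target of Managed.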

6.7 Determine sub-optimal processes

Text to be provided

6.8 Proposals for changing processes to achieve target capability

Text to be provided

6.9 Modify processes to achieve target capability

Text to be provided

7 Assessment

Placeholder:

A suggested framework for these outputs is as follows (cf. AFNOR comment FR4, in N8750 Attachment 1 – find this..):

  1. Assessment of the level of privacy maturity which is appropriate to the organisation, given its purpose, function, risk assessment etc.

The aim would be to create a short questionnaire (10-15 questions, aimed at senior stakeholders) which produces this “target” score for the organisation.

  2. Assessment of the actual, current levels of maturity for each key process area in the organisation

For each such key process area, the current maturity level would be summarised in a paragraph explaining why one of the six defined levels has been assigned.

  3. Advice on how to improve key process area maturity levels to bring them from the “actual/observed” to the “target” level

These recommendations and advice would be likely to depend on (or refer to) the kinds of other standard/asset referred to in Section 1 Scope, Sub-section 1.2 Intended Audience – namely, Capability Assessment Criteria, Programmes, Services and a possible Capability Management Model.

8 Determining Capability Levels

Placeholder…

“S-curves” and maturity models

“S-curves”

For instance the section could include reference to the outputs from the PRIME project by John Borking and others, citing the work of Richard Nolan, Watts Humphreys and Everett Rogers in describing the application of an “S-curve” model to the analysis of innovation adoption. This work reflected French sociologist Gabriel Tarde's much earlier (Les lois de l'imitation - 1890) observation that cultural diffusion of innovation often follows an s-shaped curve. This is relevant because in many aspects privacy management is still a nascent set of disciplines, some of which are gaining adoption at different rates from others.

Useful reference material here.

9 Integrating Privacy Capability Assessment into organizational operations

Text to be provided

10 Bibliography

This section consists of an annotated list of relevant non-normative documents – including other standards documents applicable to the specific topic of privacy, and a pointer to appropriate Glossary/Terminology material.

Annex A: Relationships to other privacy assurance approaches

[Editor's note, to be removed before publishing: this section should reflect two separate pieces of work:

(i) a conceptual analysis of how privacy capability assessment relates to any subsequent privacy management disciplines such as self-assessment, audit, codes of practice, regulatory and legislative requirements, governance and so on;

(ii) the results of a high-level survey of current programmes in this area... recognizing that this data will be ephemeral and therefore included strictly as interim guidance and not for normative purposes.

Amongst these may be some or all of the following:

5.1 Self-assessment tools

5.2 Audit

5.3 Industry and/or professional codes of practice (for instance, from highly regulated industries such as financial services, defence etc., or from bodies such as ISACA and/or IAPP)

5.4 “Management” equivalents of the “Assessment” documents (defining frameworks, processes and criteria which enable the organisation to act on the results of the Assessment).]

[1] To be published

[2] To be published