Privacy Audits

Chief Privacy Officers and others concerned with privacy in an organization worry about what they don't know. It's not the data you know about that will get you in trouble; it's the data you don't know you have. In Chapter 16, we'll discuss resource mapping and specifically talk about how to create inventories of the data in your organization. Having these data maps is the first step to being able to perform privacy audits. Here are some of the privacy-related questions you might ask about the identity data in your organization:

  • What kinds of identity data are you collecting?

  • How is this identity data collected?

  • Why was the identity data collected?

  • Were special conditions on its use established at any time?

  • Who is the data owner?

  • Who is the custodian?

  • Who uses the data, why, and how do they usually access it (e.g., remotely, via the Web, from home)?

  • Where is it stored?

  • Is any of the data stored on devices that are routinely transported off-site, such as a laptop or PDA?

  • Are there backups? If so, you need to answer these same questions about the backups, since a backup is an unprotected copy until you know where it lives and who can read it.

  • Are there access logs for the data?

  • Where are the logs stored?

  • Are the logs protected?

  • What other security measures (firewalls, intrusion detection systems, and so on) are used to protect the data?

Conducting privacy audits and collecting all of this information may seem like a lot of work, but ask yourself what it means if you don't know the answers to these questions: you cannot protect, or account for, data you cannot locate. There's good news and bad news. The good news is that data maps are useful for more than just privacy, so you can balance the cost and effort against other benefits. The bad news is that it's hard to get anyone very excited about data. Applications are the stars of the IT world. In Chapter 16, we'll cover a strategy for moving your organization toward a better understanding of what data it owns and toward answering the preceding list of questions.