Building a Privacy Focus Area Using COBIT and the NIST Privacy Framework

Ookeditse N Kamau, MBA, CEH, CDPSE, CIA, CISA, CRMA, ISO 27001 Practitioner
Date Published: 23 September 2020

As ICT professionals, we are inundated with a multitude of frameworks, but it is the nature of specialization in the field that prompts the need for them.

It is always convenient to draw similarities between these frameworks to allow for seamless implementation of the different regulations within a sector. As privacy concerns become increasingly prominent in many countries, understanding the specific processes or controls that are required to meet the privacy requirements of legislation and regulations is key. COBIT is an overarching framework, as it takes a holistic approach to the governance and management of information and technology; as such, it is easier to integrate with other frameworks.

One of the major changes introduced by COBIT 2019 is that the framework is open-ended, thus affording organizations using it the ability to create an unlimited number of focus areas that can address their particular needs.

To build an effective privacy focus area, one can combine the COBIT framework with the NIST Privacy Framework so that both deliver maximum value. The NIST Privacy Framework, as a specialized framework, can be used to build a comprehensive focus area on top of COBIT. The two frameworks have three notable similarities:

  1. The two frameworks advocate for a risk-based approach to address specific needs of an organization.
  2. The frameworks provide models that organizations can use to practically define processes required to build a privacy-controlled environment.
  3. The frameworks emphasize the need for performance evaluation of defined privacy processes.

The NIST framework is composed of three parts that can be mapped to COBIT as follows:

Step 1

The Core, a set of privacy protection activities, consists of Functions, Categories and Subcategories, while the COBIT framework has a core model that consists of 40 governance and management objectives. The comparison of the two is shown below:

NIST            COBIT
Functions
Categories      Governance and management objectives
Subcategories   Management practices

As a generic framework, the domains in the COBIT framework address key areas in the governance and management of information and technology, while the NIST Functions are specific to addressing privacy needs. To implement the two seamlessly, the Categories defined within the NIST framework can be used to guide the selection of the governance and management objectives relevant to the organization's needs. That is, the 29 Categories will be mapped to the 40 governance and management objectives. Below is an example that shows the mapping of the NIST Identify-P Function to governance and management objectives.

Mapping of the NIST Identify-P Function to COBIT governance and management objectives:

NIST Category: Inventory and Mapping (ID.IM-P)
NIST Objective: Data processing by systems, products, or services is understood and informs the management of privacy risk.
COBIT Governance/Management Objective: APO09 Managed Service Agreements
COBIT Description: Align I&T-enabled products and services and service levels with enterprise needs and expectations, including identification, specification, design, publishing, agreement and monitoring of I&T products and services, service levels and performance indicators.

NIST Category: Business Environment (ID.BE-P)
NIST Objective: The organization's mission, objectives, stakeholders, and activities are understood and prioritized; this information is used to inform privacy roles, responsibilities, and risk management decisions.
COBIT Governance/Management Objective: EDM02 Ensured Benefits Delivery
COBIT Description: Optimize the value to the business from business process investments, I&T services and I&T assets.

NIST Category: Risk Assessment (ID.RA-P)
NIST Objective: The organization understands the privacy risks to individuals and how such privacy risks may create follow-on impacts on organizational operations, including mission, functions, other risk management priorities (e.g., compliance, financial), reputation, workforce, and culture.
COBIT Governance/Management Objective: APO12 Managed Risk
COBIT Description: Continually identify, assess and reduce I&T-related risk within tolerance levels set by enterprise executive management.

NIST Category: Data Processing Ecosystem Risk Management (ID.DE-P)
NIST Objective: The organization's priorities, constraints, risk tolerances, and assumptions are established and used to support risk decisions associated with managing privacy risk and third parties within the data processing ecosystem. The organization has established and implemented the processes to identify, assess, and manage privacy risks within the data processing ecosystem.
COBIT Governance/Management Objective: APO10 Managed Vendors
COBIT Description: Manage I&T-related products and services provided by all types of vendors to meet enterprise requirements. This includes the search for and selection of vendors, management of relationships, management of contracts, and reviewing and monitoring of vendor performance and vendor ecosystems (including upstream supply chain) for effectiveness and compliance.

To make the selection of COBIT governance and management objectives easier, one can refer to the ISACA guide Implementing a Privacy Protection Program Using COBIT 5 Enablers with ISACA Privacy Principles. The guide clearly outlines the privacy goals of each governance and management objective, eliminating any language barriers between the NIST Privacy Framework and COBIT.

Step 2
The second component of the NIST framework is Profiles, which are a selection of specific Functions, Categories and Subcategories.

For the selection to be meaningful, the NIST framework advises that a risk-based approach should be used. The Profiles component can be likened to the COBIT focus area.

A focus area, as defined in the COBIT 2019 framework, is a certain governance topic, domain or issue that can be addressed by a collection of governance and management objectives and their components. In selecting the governance and management objectives to build a focus area, COBIT brings more practical guidance by assessing organizational needs through 11 design factors. These factors influence the selection of the management objectives that address the organization's privacy needs.

The 11 design factors are Enterprise Strategy, Enterprise Goals, Risk Profile, I&T-related Issues, Threat Landscape, Compliance Requirements, Role of IT, Sourcing Model for IT, IT Implementation Methods, Technology Adoption Strategy and Enterprise Size.

After mapping the two core models as described in Step 1 above, only the governance and management objectives that meet the privacy requirements of the organization will be implemented; this set is referred to as the target profile.

Step 3
The third part, called Implementation Tiers in the NIST framework, measures whether an organization has sufficient processes to effectively manage privacy risks. The tiers can therefore be likened to the COBIT focus area maturity levels, which measure the performance of focus areas on a scale of 1 to 5 (the maturity levels being 0 - Incomplete, 1 - Initial, 2 - Managed, 3 - Defined, 4 - Quantitative and 5 - Optimizing).

The organization can thus measure its maturity level to ensure the level attained meets its compliance requirements.

Conclusion
For organizations that have already implemented COBIT and are required to implement privacy controls to manage privacy risks, building a privacy focus area using the two frameworks can provide a stable starting point.
