Security, Privacy & Risk
Ensure appropriate and necessary privacy standards, security standards, and data regulations requirements are met to achieve optimal balance between maximizing data assets usage versus managing risks related to data availability and utilization.
SPR-01: Create and publish data security policies and protected data practices based on the principle of least privilege and data minimization
SPR-02: Create and implement a 24×7 Data Security Incident Response Program
SPR-03: Develop and implement an Automatic Data Labelling and associated Digital Right Management programs
SPR-04: Develop and implement an Enterprise Data Loss Prevention Program
SPR-05: Adopt a Zero-Trust based enterprise approach to control access to data, application, and services
SPR-06: Ensure endpoint compliance with management and protection tools to limit the likelihood of data loss due to compromised or loss/stolen devices
SPR-07: Develop and implement a comprehensive Enterprise Data Access and Usage Audit program
SPR-08: Create and formalize a data privacy program structure, including committees and roles with assigned responsibilities.
SPR-09: Create and publish data privacy related policies, notices, procedures, guidelines, and resources based on the principle of least privilege and data minimization
SPR-10: Create and maintain technology resources, processes and procedures to respond to individual data subject requests
SPR-11: Define a Data Risk Advisory Board and appoint members
SPR-12: Create and maintain a data-oriented risk register reviewed periodically by the Data Risk Advisory Board
IN THE WORKS
Endpoint Security Compliance
Based on USG recommendations, the Institute is implementing controls in support of its endpoint management and protection program.