Security, Privacy & Risk

Ensure that appropriate and necessary privacy standards, security standards, and data regulation requirements are met, to achieve an optimal balance between maximizing the use of data assets and managing the risks related to data availability and utilization.


SPR-01: Create and publish data security policies and protected data practices based on the principle of least privilege and data minimization

SPR-02: Create and implement a 24×7 Data Security Incident Response Program

SPR-03: Develop and implement Automatic Data Labelling and associated Digital Rights Management programs

SPR-04: Develop and implement an Enterprise Data Loss Prevention Program

SPR-05: Adopt a Zero-Trust based enterprise approach to control access to data, applications, and services

SPR-06: Ensure endpoint compliance with management and protection tools to limit the likelihood of data loss due to compromised or lost/stolen devices

SPR-07: Develop and implement a comprehensive Enterprise Data Access and Usage Audit program

SPR-08: Create and formalize a data privacy program structure, including committees and roles with assigned responsibilities

SPR-09: Create and publish data privacy related policies, notices, procedures, guidelines, and resources based on the principle of least privilege and data minimization

SPR-10: Create and maintain technology resources, processes and procedures to respond to individual data subject requests

SPR-11: Define a Data Risk Advisory Board and appoint members

SPR-12: Create and maintain a data-oriented risk register reviewed periodically by the Data Risk Advisory Board

Endpoint Security Compliance

Based on USG recommendations, the Institute is implementing controls in support of its endpoint management and protection program.