BS ISO IEC 29190 pdf download

admin

Information technology — Security techniques — Privacy capability assessment model
1 Scope
This International Standard provides organizations with high-level guidance about how to assess their capability to manage privacy-related processes. In particular, it
— specifies steps in assessing processes to determine privacy capability,
— specifies a set of levels for privacy capability assessment,
— provides guidance on the key process areas against which privacy capability can be assessed,
— provides guidance for those implementing process assessment, and
— provides guidance on how to integrate the privacy capability assessment into organizations' operations.
4 Methodology
4.1 Introduction
In the current global environment, there is a tendency towards collection, use, disclosure and retention of more and more personally identifiable information (PII), for purposes ranging from support for business operations to national security and law enforcement. As is evident from the regular notification of privacy breaches, much more work is required on the part of organizations to adequately protect the PII that they are collecting, using, disclosing and retaining, as required by relevant national regulatory laws.

One way to develop and refine an organization's processes is to begin with an assessment of its existing capabilities in this area. Performing a process assessment in the privacy domain typically involves the following activities:
— Define a privacy capability assessment model (see 4.2);
— Define a capability scale (see 4.3);
— Rate the process's current capability vs. target capability (see 4.4);
— Determine sub-optimal processes (see 4.5);
— Identify proposals for changing processes (see 4.6);
— Modify processes (see 4.7);
— Identify the privacy activities and target capability (see 5.1);
— Identify the privacy-related processes (see 5.4);
— Prepare criteria for information collection (see 5.5);
— Collect and analyse information from privacy-related processes (see 5.6).

An optional additional subsequent action is to map the capability determination (i.e. the target capability level) to a scale taken from a process assessment model to assist in goal setting, comparative analysis (i.e. to measure current capability and use it as a baseline for assessing an incremental process improvement target), and continual improvement strategies (i.e. to develop a context or business function improvement strategy to use in planning for a process improvement project).
This International Standard as a whole guides organizations towards the production of several different kinds of output:
— an overall "score" against a simple capability assessment such as the example of the six-level model described in 4.3;
— a set of metrics indicating assessment against key performance indicators in areas such as those described in the second example in 5.1;
— the detailed outputs from audit and management disciplines in specific areas of privacy management (for example, assessment against data protection criteria and data custody best practice).

4.2 Define a privacy capability assessment model
ISO/IEC 3300x is a suite of International Standards that has been developed by the ISO/IEC JTC 1/SC 7 Software and system engineering committee. It provides information on the concepts of process assessment and its use in process improvement and process capability determination. ISO/IEC 29190 uses the concepts of ISO/IEC 3300x for the assessment of privacy capability.

For the purposes of this International Standard, a process assessment model is related to one or more process reference models. It forms the basis for the collection of evidence and the rating of a process quality characteristic. The relationships within the process assessment model are shown in Figure 1. The information collected during assessments should be referenced against this model in order to determine a relative capability.

A capability assessment model can also be used as a benchmark for comparing different organizations where there is something that can be used as a basis for comparison. For the purposes of this International Standard, the basis for comparison should be the organizations' processes for handling PII in a manner compliant with national regulatory laws and relevant good practice.