Introduction - Kantara Initiative

Information technology – Security techniques –
Privacy capability assessment model*
Introduction
The aim of this document is to provide organizations with high-level guidance
about how to assess the level of their ability (capability) to manage and achieve
privacy-related outcomes and potentially compliance with privacy and data
protection legislation and relevant good practice. The document will focus on an
approach to assessing the efficiency of privacy-related processes used by
organizations.
One challenge in formulating such guidance is that the issue of privacy
management is a multi-faceted one:
● the decision support information useful to a senior executive in
formulating and executing privacy strategy is different from the decision
support useful to operational and line-of-business staff – even though their
various activities may all ultimately be directed towards the same goal;
● there are likely to be multiple “privacy stakeholders” (that is, parties who
have an interest in the way the organization in question manages privacy);
those stakeholders may impose very different requirements – for example,
driven by legal and regulatory compliance requirements, but also by an
inter-related group of “good practice” factors such as policy, code-of-conduct,
business risk, audit, personal privacy, reputational and/or
financial imperatives.
This broader, good practice context is important because it is perfectly possible
for an organization to meet its legal/regulatory compliance obligations and still
suffer significant damage if it fails to address the requirements of the other
stakeholders. An assessment of the organization's capabilities in this area, then,
will have to meet two principal sets of criteria:
1. It must provide the organization with information which is useful to the
appropriate level or levels of management;
2. It should cater for the fact that “capability” needs to be assessed in many
different domains (legal compliance, risk management, reputation and so
on).
This document is aimed at those individuals responsible for directing, managing
and operating an organization's privacy management capabilities, or those
responsible for advising that stakeholder group. As indicated above, that implies
that the capability model will consider multiple kinds of privacy stakeholder
requirement, and will result in guidance to multiple levels of readership, from
enterprise strategists to operational and line-of-business managers.
However, this document is not intended as a comprehensive manual for each
identified set of stakeholder requirements. The Capability Assessment Model,
then, should be seen as a first step in a longer process. That first step should be
aimed at producing a “snapshot” (assessment) of the organisation's current
capabilities in the area of privacy.
(Ed: Note regarding rationale of title change, to be removed before
publication):
There are many ways in which an organization might choose to make use of such
a snapshot in guiding its future decisions and actions. As indicated in the
Introduction above, the Capability Assessment Model might be a prelude to the
definition of formal assessment criteria, assessment programmes, assessment
services, audit etc and thence also to equivalent models for Management, as
opposed to Assessment.
Placeholder for potential edit and insertion later:
In other words, 29190 as a whole has the potential to guide organisations towards
the production of several different kinds of output:
● an over-all “score” against a simple capability assessment such as the six-level
model above;
● a set of metrics indicating assessment against key performance indicators in
areas such as those listed under (6.2) and in section 7;
● the detailed outputs from audit and management disciplines in specific areas
of privacy and data management (for instance, assessment against data
protection criteria, data custody best practice, and so on).
1 Scope
This International Standard provides organizations with high-level guidance about how to
assess their capability to achieve privacy-related outcomes.
In particular, it:
● specifies a set of capability levels for privacy capability assessment
● specifies key functional areas against which privacy capability should be assessed
(legal compliance, stakeholder expectations, risk to the organization)
● provides guidance on how to map the levels of assessment onto an enterprise
privacy capability model
2 Normative references
The following referenced documents are indispensable for the application
of this document.
ISO/IEC 29100 – Information technology – Security techniques – Privacy
Framework (to be published)
ISO/IEC 29101 – Information technology – Security techniques – Privacy
Reference Architecture (to be published)
ISO 15504-1:2004 – Information Technology – Process Assessment – Concepts
and vocabulary
ISO 15504-3:2003 – Information Technology – Process Assessment – Guidance
on performing an assessment
ISO 15504-4:2004 – Information Technology – Process Assessment – Guidance
on use for process improvement and process capability determination
The following are non-normative but have been heavily used in producing this
draft:
ITSM Portal:
http://www.itsmportal.com/columns/why-perform-process-assessments (accessed
30th August 2011)
http://en.wikipedia.org/wiki/ISO/IEC_15504 (accessed 30th August 2011)
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/IEC
apply.
S-Curve – [Ed: definition to follow if the term remains in the text]
[Ed: Additional new terms and definitions may be introduced as the drafts
develop].
4 Symbols and abbreviated terms
KPA Key Process Area (Ed: not sure we should use this – and have not in the
revised draft - as it is used in the maturity model and therefore may be subject to
copyright)
[Ed: To be populated as the drafts develop]
5 Privacy capability assessment models
ISO/IEC 15504 offers a reference model consisting of process attributes that further
consist of generic practices. The information collected during assessments is placed
against this model in order to determine a relative capability. [Figure 1 description taken
largely from the Wikipedia ref]
Figure 1: Generic Reference Model
Privacy capability assessment assumes a cycle of continuous improvement, as shown in
the following figure. The resulting privacy capability assessment lifecycle applies the
generic model from ISO/IEC 15504.
Figure 2: Lifecycle of Privacy Capability Assessment
6 Requirements for process assessment for privacy capability
6.1 Introduction
In the current global environment, there is a tendency towards collection, use,
disclosure and retention of more and more personal information, for purposes
ranging from national security and law enforcement to support for business
operations. As is evident from the almost daily notification of privacy breaches,
much more work is required on the part of organizations to adequately protect the
personal information that they are collecting, using, disclosing and retaining, as
required by relevant legislation and regulation. One way to develop and refine an
organization’s processes is to begin with an assessment of its existing
capabilities in this area. Performing a process assessment in the privacy domain
typically involves the following activities:
● Define a process assessment model
● Identify organizational privacy contexts and target capability
● Identify the privacy-related processes supporting the privacy contexts
● Prepare criteria for information collection from the targeted processes
● Collect and analyse information from privacy-related processes
● Rate the current process’s capability
● Determine sub-optimal processes
● Proposals for changing processes
● Modify processes
An optional additional subsequent action is to map the capability determination to
a scale taken from an authoritative maturity model to assist in goal setting,
comparative analysis, and continual improvement strategies.
Each of these activities is detailed below.
6.2 Define Process assessment model
A process assessment is a disciplined evaluation of an organizational unit’s
processes against a process assessment model. A process assessment aims to
determine how well the processes in current practice are performing relative
to their goals, and to locate areas of weakness.
A capability assessment model [such as is defined by ISO 15540] is a structured
collection of elements that describe the characteristics of effective processes. In
the form documented by ISO 15540, the model allows an organization to rate its
processes on the following capability scale: [the actual chart comes from ITSM]
With profiling, the model can be used to assess how mature an organization is
with respect to, for instance, protecting personal information as required by
relevant legislation and regulation. A maturity model can also be used as a
benchmark for comparing different organizations where there is something that
can be used as a basis for comparison. For the purposes of this document, the
basis for comparison would be the organizations’ processes for handling personal
information in a manner compliant with legislation, regulation and relevant good
practice.
This capability model provides a layered framework that leads progressively to
the discipline needed for continuous improvement. It is important to note
that, in doing so, an organization develops the ability to assess the impact of a new practice,
technology or tool on its business activities. Hence it is not simply a matter of adopting
these; rather it is a matter of determining how innovative efforts influence existing
practices.
This empowers projects, teams, and organizations by giving them the foundation
to support reasoned choice.
6.3 Identify the organizational privacy contexts and target capability
This activity identifies a cluster of related activities which, when performed
collectively, achieve a set of privacy-related outcomes considered important.
These contexts offer a focus to apply target capability states that must exist for
that context to have been implemented in an effective and lasting way. The extent
to which the contexts have been accomplished is an indicator of how much
capability the organization has established at that maturity level. The contexts
signify the scope, boundaries and intent of each privacy-related process.
There are numerous approaches to assembling these contexts and it is outside of
the scope of this standard to prescribe a single approach. However, to help
readers better understand this requirement, two examples of possible
approaches are shown below:
A context approach:
● conceptual framework
● legal context
● implementation readiness
● process readiness
● regulatory and compliance criteria
● adoption culture/behaviour
A business function approach:
● Inventory. The organization's understanding of its processing of personal
information, including its accounting of the processes, systems, databases,
and third parties involved with processing personal information.
● Policy. The corporate and business unit policies over privacy and the use
(from collection to destruction) and protection of personal information.
● Governance. The roles and responsibilities for managing the use and
protection of personal information at the corporate and business unit
levels.
● Risk Management. An approach for managing privacy risk and business
compliance across the organization, addressing the use of technologies,
and dealing with the trans-border and multi-jurisdictional challenges.
● Procedures & Controls. Procedures and controls to actively enforce
policy and other compliance obligations, and monitoring of those
procedures and controls to ensure they remain intact and effective.
● Information Security. Managing the confidentiality, integrity, and
availability of personal information and the related information technology
used to collect, use, transfer, retain, and destroy the information.
● Third Party Management. Third party risk management processes that
account for privacy, including performing due diligence during the
selection process, putting controls in place (both contractually and for the
secure transfer of the information) and building a solid basis of
confidence that the third parties using the personal information can protect
it and govern its use.
● Compliance. The company's program to manage compliance with policy,
regulations, and other obligations around the use and protection of
personal information.
● Incident Management. The process, documented in a comprehensive
plan, which provides an effective and orderly response to incidents and
potential incidents involving personal information.
● Training & Awareness. General and tailored training related to the
organization’s use and protection of personal information, supported by an
ongoing awareness program and related guidance.
Apply the contexts against a target maturity
Target Capability Level (one column per level; cells to be filled in during assessment)
| Business function      | Incomplete | Performed | Managed | Established | Predictable | Optimising |
|------------------------|------------|-----------|---------|-------------|-------------|------------|
| Inventory              |            |           |         |             |             |            |
| Policy                 |            |           |         |             |             |            |
| Governance             |            |           |         |             |             |            |
| Risk Management        |            |           |         |             |             |            |
| Procedures & Controls  |            |           |         |             |             |            |
| Information Security   |            |           |         |             |             |            |
| 3rd Party Management   |            |           |         |             |             |            |
| Compliance             |            |           |         |             |             |            |
| Incident Management    |            |           |         |             |             |            |
| Training & Awareness   |            |           |         |             |             |            |
6.4 Identify the privacy-related processes supporting the contexts
The key processes supporting the contexts in 6.3 encapsulate the infrastructure,
processes and procedures that are designed to contribute to the implementation
and institutionalization of the privacy-related operational goals.
An example of the privacy-related processes that could be applied are the privacy
principles enshrined in a jurisdiction’s legislation [or phases in the data processing
lifecycle such as discussed in ISO 29101]:
● Consent
● Collection
● Transfer
● Use
● Storage
● Accountability
● Audit
● Archival
● Disposal.
6.5 Prepare criteria for information collection from the targeted processes
A list of questions etc etc etc (check AFNOR comment FR4 in N8750 Attachment
1 to determine if it is applicable here). Text to be provided
6.6 Collect and analyse information from privacy-related processes
ISO 15504-2:2003 provides an approach for this through the use of process
attributes, defining nine process attributes:
● Process Performance
● Performance Management
● Work Product Management
● Process Definition
● Process Deployment
● Process Measurement
● Process Control
● Process Innovation
● Process Optimization
Each of the above process attributes consists of generic practices which are
manifested as practice indicators XXXXX TO DO … find these XXXXX
6.6 Rate the current process’s capability
ISO 15504-3:2004 provides a four-point rating scale:
● Not achieved (0 - 15%)
● Partially achieved (>15% - 50%)
● Largely achieved (>50% - 85%)
● Fully achieved (>85% - 100%).
The rating is based upon information collected against the practice indicators,
which demonstrate fulfillment of the process attributes. XXXX as above Find
these process indicators XXXX
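The rating scale above, the nine process attributes of 6.6, the six capability levels of the 6.3 target matrix and the sub-optimal process determination of 6.7 fit together as one small calculation. The following is an added example, not text or code from the 29190 draft or from ISO: it applies the N/P/L/F scale to per-attribute achievement percentages, derives a capability level per process, and lists processes below their target. The grouping of attributes into levels and the rule for deriving a level (lower levels Fully achieved, the level itself Largely or Fully achieved) are taken from ISO/IEC 15504-2, which this page cites but does not reproduce; the process scores and targets are constructed.

```python
LEVELS = ["Incomplete", "Performed", "Managed",
          "Established", "Predictable", "Optimising"]
# The nine 6.6 attributes grouped by capability level (per ISO/IEC 15504-2, not stated on this page).
ATTRIBUTES_BY_LEVEL = {
    1: ["Process Performance"],
    2: ["Performance Management", "Work Product Management"],
    3: ["Process Definition", "Process Deployment"],
    4: ["Process Measurement", "Process Control"],
    5: ["Process Innovation", "Process Optimization"],
}

def rate(percent):
    """Map an achievement percentage to the four-point scale of 6.6 (N/P/L/F)."""
    if not 0 <= percent <= 100:
        raise ValueError("achievement must be between 0 and 100")
    for upper, rating in ((15, "N"), (50, "P"), (85, "L")):  # upper bounds are inclusive
        if percent <= upper:
            return rating
    return "F"   # Fully achieved (>85% - 100%)

def capability_level(scores):
    """scores: attribute -> achievement %; unassessed attributes count as 0.
    Level N needs all lower-level attributes Fully achieved and level-N ones Largely/Fully."""
    level = 0
    for n in range(1, 6):
        ratings = [rate(scores.get(a, 0)) for a in ATTRIBUTES_BY_LEVEL[n]]
        if all(r == "F" for r in ratings):
            level = n        # fully achieved: the next level stays reachable
            continue
        if all(r in ("L", "F") for r in ratings):
            level = n        # largely achieved: this level, but climb no further
        break
    return level

def gap_analysis(assessment, targets):
    """{process: (actual, target)} for processes below their 6.3 target level (input to 6.7)."""
    gaps = {}
    for process, scores in assessment.items():
        actual = capability_level(scores)
        target = LEVELS.index(targets[process])
        if actual < target:
            gaps[process] = (LEVELS[actual], LEVELS[target])
    return gaps

SAMPLE_ASSESSMENT = {   # constructed scores for three of the 6.4 processes
    "Collection": {"Process Performance": 100, "Performance Management": 90,
                   "Work Product Management": 88, "Process Definition": 86, "Process Deployment": 90},
    "Consent": {"Process Performance": 95, "Performance Management": 90,
                "Work Product Management": 70, "Process Definition": 60},
    "Disposal": {"Process Performance": 40},
}
SAMPLE_TARGETS = {"Collection": "Established", "Consent": "Established", "Disposal": "Performed"}
```

Calling gap_analysis(SAMPLE_ASSESSMENT, SAMPLE_TARGETS) reports Consent at Managed against a target of Established and Disposal at Incomplete against Performed, while Collection meets its target.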
6.7 Determine sub-optimal processes
Text to be provided
6.8 Proposals for changing processes to achieve target capability
Text to be provided
6.9 Modify processes to achieve target capability
Text to be provided
7 Assessment
Placeholder:
A suggested framework for these outputs is as follows (cf. AFNOR comment
FR4, in N8750 Attachment 1 – find this..):
1. Assessment of the level of privacy maturity which is appropriate to the
organisation, given its purpose, function, risk assessment etc.
   ● The aim would be to create a short (10-15 questions, aimed at senior
   stakeholders) which creates this “target” score for the organisation.
2. Assessment of the actual, current levels of maturity for each key process
area in the organisation
   ● For each such key process area, the current maturity level would be
   summarised in a paragraph explaining why one of the six defined
   levels has been assigned
3. Advice on how to improve key process area maturity levels to bring them
from the “actual/observed” to the “target” level
   ● These recommendations and advice would be likely to depend on (or
   refer to) the kinds of other standard/asset referred to in Section 1
   Scope, Sub-section 1.2 Intended Audience – namely, Capability
   Assessment Criteria, Programmes, Services and a possible Capability
   Management Model.
8 Determining Capability Levels
Placeholder…
“S-curves” and maturity models
“S-curves”
For instance the section could include reference to the outputs from the PRIME project
by John Borking and others, citing the work of Richard Nolan, Watts Humphreys and
Everett Rogers in describing the application of an “S-curve” model to the analysis of
innovation adoption. This work reflected French sociologist Gabriel Tarde's much earlier
(Les lois de l'imitation - 1890) observation that cultural diffusion of innovation often
follows an s-shaped curve. This is relevant because in many aspects privacy management
is still a nascent set of disciplines, some of which are gaining adoption at different rates
from others.
Useful reference material here..
http://www.prise.oeaw.ac.at/docs/conf_docs/29/sitzungssaal/BorkingORGANIZATIONAL_ADOPTION-20080429.pdf
9 Integrating Privacy Capability Assessment into organizational operations
Text to be provided
10 Bibliography
This section consists of an annotated list of relevant non-normative documents –
including other standards documents applicable to the specific topic of privacy,
and a pointer to appropriate Glossary/Terminology material.
Annex A: Relationships to other privacy assurance approaches
[Editor's note, to be removed before publishing: This section should reflect two
separate pieces of work:
(i) a conceptual analysis of how privacy capability assessment relates to any
subsequent privacy management disciplines such as self-assessment, audit,
codes of practice, regulatory and legislative requirements, governance and
so on;
(ii) the results of a high-level survey of current programmes in this area...
recognizing that this data will be ephemeral and therefore included strictly
as interim guidance and not for normative purposes.
Amongst these may be some or all of the following:
5.1 Self-assessment tools
5.2 Audit
5.3 Industry and/or professional codes of practice (for instance, from
highly regulated industries such as financial services, defence etc.,
or from bodies such as ISACA and/or IAPP)
5.4 “Management” equivalents of the “Assessment” documents (defining
frameworks, processes and criteria which enable the organisation to act
on the results of the Assessment).]