42 - Business first
"The Answer to the Ultimate Question of Life, the Universe, and Everything is 42"
The Hitchhiker's Guide to the Galaxy
Douglas Adams
For technologists, everything begins and ends with deploying technology.
For the bureaucrats, everything is a process, a form, or "call somebody else".
For the legislators, all in all, it is about how you comply with the law.
They all have one answer to every question, and it always sums up to one number - 42.
This is a wake-up call for all of us: it all begins with the business!
Here we share our thoughts on how to start with the business, and only then move on to the technologies and processes.
What is your business? What do you do for a living? What really matters?
Identify the processes and activities necessary to deliver your products and services.
Identify the resources necessary to deliver these processes and services.
Analyze the data flow within these processes: do you collect, store or process sensitive business data, intellectual property or personally identifiable information (PII)?
Identify your "Crown Jewels".
Think for a minute: what would the impact be if this data were damaged (leaked, modified or made unavailable)?
Should this sort of data and/or processing comply with any rules, regulations, standards, contracts etc.?
If PII is involved, follow the Records of Processing Activities process.
What is the risk that something bad will happen?
Assess the likelihood of disruption to the activities and resources that deliver your products and services, based on a review of the controls designed to "protect" key resources.
Identify the potential causes or sources of disruption (commonly called threats).
Select controls to limit the likelihood or impact of disruption to processes, activities and resources (with an understanding of the potential risk treatment costs).
If PII is involved, consider performing a Data Privacy Impact Analysis.
If PII data is transferred out of your territory, consider performing a Data Transfer Risk Analysis.
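The steps above, from inventorying processes, resources and data flows through impact, likelihood, control selection and the PII follow-ups, as one added worked example in Python (this is not code from the original page). The processes, threats, the 1..5 likelihood and impact scales, the crown-jewel threshold of 4 and the risk appetite of 10 are all constructed sample values for illustration.

```python
"""Minimal risk register for the 'business first' walkthrough (added example)."""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum


class DataClass(Enum):
    PUBLIC = "public"
    BUSINESS_SENSITIVE = "business-sensitive"
    IP = "intellectual property"
    PII = "PII"


@dataclass
class Process:
    """A business process, the resources that deliver it, and the data flowing through it."""
    name: str
    resources: list[str]                 # systems, people, suppliers needed to deliver it
    data: set[DataClass]                 # what the data flow analysis found
    impact: dict[str, int]               # 1..5 if leaked / modified / made unavailable
    pii_leaves_territory: bool = False   # triggers a transfer risk analysis when PII is present
    obligations: list[str] = field(default_factory=list)  # rules, standards, contracts


@dataclass
class Threat:
    """A potential source of disruption, with likelihood judged after reviewing existing controls."""
    process: str
    source: str
    likelihood: int                      # 1..5
    affects: tuple[str, ...]             # subset of confidentiality / integrity / availability


def risk_score(process: Process, threat: Threat) -> int:
    """Likelihood times the worst-case impact across the properties the threat affects."""
    impact = max(process.impact[prop] for prop in threat.affects)
    return threat.likelihood * impact


def crown_jewels(processes: list[Process], threshold: int = 4) -> list[str]:
    """Processes whose damage in any one dimension would be severe (impact >= threshold)."""
    return [p.name for p in processes if max(p.impact.values()) >= threshold]


def privacy_actions(process: Process) -> list[str]:
    """Follow-up work the page prescribes once PII is in scope."""
    actions: list[str] = []
    if DataClass.PII in process.data:
        actions.append("Records of Processing Activities")
        actions.append("Data Privacy Impact Analysis")
        if process.pii_leaves_territory:
            actions.append("Data Transfer Risk Analysis")
    return actions


def risk_register(processes: list[Process], threats: list[Threat]) -> list[tuple[str, str, int]]:
    """(process, threat source, score) rows, highest risk first; ties keep input order."""
    by_name = {p.name: p for p in processes}
    rows = [(t.process, t.source, risk_score(by_name[t.process], t)) for t in threats]
    return sorted(rows, key=lambda row: row[2], reverse=True)


def treatment_priority(register: list[tuple[str, str, int]], risk_appetite: int = 10):
    """Rows above the appetite need a control (or another treatment decision) and a cost estimate."""
    return [row for row in register if row[2] > risk_appetite]


# Constructed sample inventory: three processes and four threats.
SAMPLE_PROCESSES = [
    Process("Online ordering", ["web shop", "payment provider"],
            {DataClass.PII, DataClass.BUSINESS_SENSITIVE},
            {"confidentiality": 4, "integrity": 4, "availability": 5},
            pii_leaves_territory=True,
            obligations=["data protection law", "payment provider contract"]),
    Process("Marketing newsletter", ["mailing tool"], {DataClass.PII},
            {"confidentiality": 3, "integrity": 2, "availability": 1}),
    Process("Product design archive", ["file share", "design team"], {DataClass.IP},
            {"confidentiality": 5, "integrity": 4, "availability": 2}),
]

SAMPLE_THREATS = [
    Threat("Online ordering", "ransomware on the web shop", 3, ("availability", "integrity")),
    Threat("Online ordering", "credential stuffing against customer accounts", 4, ("confidentiality",)),
    Threat("Marketing newsletter", "mailing list exported by an insider", 2, ("confidentiality",)),
    Threat("Product design archive", "misconfigured file share exposed internally", 3, ("confidentiality",)),
]


if __name__ == "__main__":
    print("Crown jewels:", crown_jewels(SAMPLE_PROCESSES))
    for p in SAMPLE_PROCESSES:
        print(f"{p.name}: privacy actions -> {privacy_actions(p) or 'none'}")
    register = risk_register(SAMPLE_PROCESSES, SAMPLE_THREATS)
    for process, source, score in register:
        flag = " TREAT" if (process, source, score) in treatment_priority(register) else ""
        print(f"{score:>3}  {process:<24} {source}{flag}")
```

The register is deliberately qualitative: the scores only rank risks so that the control-selection step can be argued against treatment cost, and the PII flags make the Records of Processing, impact analysis and transfer analysis decisions explicit in the inventory rather than leaving them to memory.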
Get ready
Analyze all the practical steps you need to take in order to reduce the risk.
Go
Go and get them. You are ready for the next step in the journey: Practical Privacy Engineering.