Mobile App Privacy Compliance Considerations

Mobile App Privacy Compliance Checklist Douglas S Knehr Copyright

Click on the above link for a condensed view of my deep research and expertise in Mobile App Privacy Compliance Considerations covering the following areas:

Mobile application categories
Hacking Defense Strategies (20+ things you can do to prevent hacking)

General Considerations
Security by Design Considerations
Consider traditional and non-traditional PI
Know the Business Rationale
Maintain Technical and Legal Control
Info collected automatically
Comply with Industry-specific Laws
Commission Privacy Reviews or Audits
Requested information

Industry regs

Copyright

Douglas S. Knehr Esq., MBA, CIPM, CIPP, CISSP (Training)

Doug@DougKnehr.com

609-635-2226


Privacy Management Program

CIPM Privacy Management Program Copyright Doug Knehr

Click on the above link for a condensed view (not all links opened) of my deep research and expertise in creating complete privacy programs for corporations covering the following areas:

Defining your organization’s privacy vision and privacy mission statement

The privacy team must be properly funded and resourced to reach across an entire organization
Every member of the organization is required to do his or her share to protect personal information
Identify Data necessary to develop and define a privacy strategy
Leverage key functions of organization to support privacy program activities
Creating a process for interfacing with an organization
Develop a data governance strategy for PI
Privacy workshop for your stakeholders
Structuring the privacy function to determine privacy governance for the organization and align it with the privacy strategy
Establish professional competency levels

Implementation roadmap providing structure and checklists that prompt the privacy professional for the details needed to make privacy-relevant decisions for the organization
Developing organizational privacy policies and standards or guidelines
Conduct a gap analysis of the privacy program
Review and monitor the program
Communicate the framework
Sample privacy policy framework template

Performance metrics provide quantifiable output that is measurable and meaningful, answers specific questions, and is clearly defined
Metrics must add value and provide data tracking to improve business objectives and goals

The metric lifecycle (5 steps)

Privacy operational lifecycle
1. Assess
2. Protect
3. Sustain
4. Respond
Several frameworks that allow measurement and alignment of these activities

Cyber Attack Compliance

CyberAttack Compliance Copyright Douglas Knehr 6096352226

Click on the above link for a condensed view (not all links opened) of my deep research and expertise in cyber attack compliance.

Topics covered:

Determine and evaluate the company’s entire security chain.

If even a single link is weak, the company could be vulnerable to attack.
Create a written compliance plan to monitor the highest risks for a potential cyber attack. This should include:
Prepare Legally Required Disclosures
CCO must coordinate with the CIO and CPO on cyber attack issues
Implement an Enterprise-wide Data Management Program
Review Employee Policies
Invest in Computer Security and Protection Measures
Adopt a Cyber Incident Response Plan and Employee Reporting Mechanisms
Adopt Procedures to Preserve Evidence
Obtain Support of Senior Management
Maintain Relationships with Law Enforcement Agencies
Develop Cyber Incident Response Plans
Laws to enforce Civil and Criminal Remedies for Cyber Attacks
Other Actions to Deter or Mitigate Cyber Attacks
Cyber Liability Insurance Coverage

Identity and Access Management

5 Identity and Access Management Copyright Doug Knehr

Click on the above link for a condensed view (not all links opened) of my deep research and expertise in Identity and Access Management covering the following areas:

Physical and logical access to assets
Access control systems should consider three abstractions
PACS (physical access control systems)
Identification and authentication of people and devices
Identification methods
User identification guidelines
Identity management implementation
Identity as a service
Integrate third-party identity services
Implement and manage authorization mechanisms
Prevent or mitigate access control attacks
Identity and access provisioning lifecycle

Copyright

Douglas Knehr

Doug at DougKnehr dot com

Communications and Network Security

4 Communications and Network Security Copyright Doug Knehr

Click on the above link for a condensed view (not all links opened) of my deep research and expertise in security engineering covering the following areas:

Secure network architecture and design
IP networking
OSI and TCP/IP

Directory services

Domain Name System (DNS)
Lightweight Directory Access Protocol (LDAP)
Network Basic Input/Output System (NetBIOS)
Network Information Service (NIS)
NIS+
Common Internet File System (CIFS)/Server Message Block (SMB)
Network File System (NFS)
Simple Mail Transfer Protocol (SMTP) and Extended Simple Mail Transfer Protocol (ESMTP)
File Transfer Protocol (FTP)
Transfer modes
Anonymous FTP
Trivial File Transfer Protocol (TFTP)
Hypertext Transfer Protocol (HTTP)
HTTP proxies: anonymizing proxies
Open proxy servers
Content filtering
HTTP tunneling
Implications of multi-layer protocols

Converged Protocols

Defining IP convergence
Implementation
VoIP
Wireless
Wireless security issues: open system authentication
Cryptography used to maintain communications security

Securing Network Components
Secure communication channels
Network attacks

Security and Risk Management

1 Security & Risk Mgmnt Copyright Doug Knehr

Click on the above link for a condensed view (not all links opened) of my deep research and expertise in Security and Risk Management covering the following areas:

1. Security and Risk Management

Critical Areas
Compliance
Data Breaches
Conducting a Business Impact Analysis (BIA)
Implementation
Continuous improvement
Threat Modeling
Determining potential attacks
Performing a Reduction Analysis
Technologies and processes used to remediate threats
Integrating security risk considerations into acquisitions strategy and practice
Third-Party assessments
Minimum security requirements
Service-Level requirements
Appropriate levels of awareness, training, and education within an organization
Periodic reviews for content relevancy
Security Principles
Security & Risk Governance
Industry best practices (e.g., NIST, ITIL, ISO 27000, COSO, and COBIT).
Mechanisms for the board of directors and management to have the proper oversight to manage the risk to the enterprise to an acceptable level.
Purpose of governance
Board of directors should:
Be informed about information security
Set direction to drive policy and strategy
Provide resources to security efforts
Assign management responsibilities
Set priorities
Support changes required
Define cultural values related to risk assessment
Obtain assurance from internal or external auditors
Insist that security investments are made measurable and reported on for program effectiveness.

Security Mgmnt
Interrelationship of Security & Risk Mgmnt
Common Business Issues Affecting Security Risk mgmnt
Governance Committees – A governance committee is responsible for recruiting and maintaining the governance board for an organization.

Security Roles and Responsibilities
Security Activities
How it’s done
Budget
Implementing Metrics
“Security Council”
Planning
Review and Audit the Security Program
Establish Control Frameworks for Governance
Compliance
Global Legal and Regulatory Issues
Develop and Implement Security Policy
Laws
Business Continuity (BC) & Disaster Recovery (DR) Requirements
Personnel security
Risk Mgmnt Concept
Risk Assessment Process (NIST – National Institute of Standards and Technology)
Security & Audit Frameworks
Identify threats and vulnerabilities
Risk assessment analysis
Risk Mitigation
Risk Acceptance
Counter Measures
Type of controls
Access Control Types
Control assessment/ monitoring measurement
Tangible and intangible Asset Valuation
Continuous Improvement
Risk Mgmnt Frameworks
Create an inventory of risks and countermeasures
Threat Modeling
Enables informed decision-making on application security risk
Procedure to identify objectives and vulnerabilities and then define countermeasures to the threats
Procedure
Determining Potential attacks and reduction analysis
Technologies and processes to reduce threats
Acquisitions Strategy
Security Education Training & Awareness
Formal Training
Creating security awareness course
Creating culture of awareness
Job Training
Performance Metrics

COPYRIGHT Douglas S. Knehr Esq., MBA, CIPM, CIPP, CISSP (in Training)

Doug at DougKnehr dot com

Welcome. International Data Protection = Information Security + Data Privacy + Governance

Please do stay in touch with me.

DOUGLAS SCOTT KNEHR, CISSP, FIP, CIPM, CIPP/US, JD, MBA

Email: please reach me through LinkedIn

US Citizen

CERTIFICATIONS: INFORMATION SECURITY & DATA PRIVACY

CISSP – Certified Information Systems Security Professional 2015

FIP – Fellow of Information Privacy 2017

CIPM – Certified Information Privacy Manager 2014

CIPP/US – Certified Information Privacy Professional 2014

FORMAL EDUCATION

JD – Juris Doctor – Stetson College of Law, FL, 1999

MBA – Master of Business Administration (Finance) – Rutgers Graduate School of Management, NJ, 1994

BS – Bachelor of Science in Business Economics – Rutgers University Cook College, NJ, 1992

Strengths: Information Security/Cyber Security, Data Privacy, Data Protection, Litigation. I am an SME in the GRC aspects of cross-border Information Security and Data Privacy. I am a full member CISSP (Cyber Security), FIP (Fellow of Information Privacy), CIPM (Certified Information Privacy Manager), and CIPP/US (Certified Information Privacy Professional).

In-House Consulting: I have consulted for the United States SIFMUs (Systemically Important Financial Market Utilities to the United States), guiding CISO, CPO and GC departments. I have also consulted for a 27,000+ person international organization with a 23-country footprint, building out a second Data Protection department.

I have operationalized information security as CISO and created governance for a $193 billion financial conglomerate with 6 major entities.

Cyber Security Tooling & Monitoring: Knowing how to implement cyber security monitoring tools lawfully in an international environment requires a global understanding of data protection.

GDPR and GRC: Possessing deep cyber security, information security and data privacy expertise, I am a GRC, GDPR and data protection guru. I’ve built and worked on multiple data protection programs affecting more than 30,000 employees across 23 countries.

I welcome your call: please reach me on 609-635-2226 or email info@corporate-dpo.com

Case Law – USA

Class Action Pleadings:

SPOKEO, INC., PETITIONER v. THOMAS ROBINS (May 16, 2016)

Spokeo Supreme Court Decision – 2016 – Douglas S Knehr Esq MBA CISSP CIPM CIPP

The case was remanded to the lower court. The lower court had incorrectly focused only on the particularization of the injury and failed to determine whether the alleged procedural violations entail a degree of risk sufficient to meet the concreteness requirement (the injury must be “de facto”, that is, it must actually exist).

Class action plaintiffs must prove standing by asserting:

  1. Injury in fact
  2. Fairly traceable to challenged conduct
  3. Likely to receive favorable judicial decision

Injury in fact requires a plaintiff to show that he or she suffered “an invasion of a legally protected interest” that is “concrete and particularized” and “actual or imminent, not conjectural or hypothetical”. While particularization considers the effect on the plaintiff in a personal and individual manner, concreteness is quite different from particularization and requires an injury to be “de facto,” that is, to actually exist. A “concrete” injury need not be a “tangible” injury. A statutory violation alone is not enough: Article III standing requires a concrete injury even in the context of a statutory violation. The violation of a procedural right granted by statute can, however, be sufficient in some circumstances to constitute injury in fact. The Supreme Court also noted that its decision does not rule out that a risk of real harm may be enough to satisfy concreteness.

In short, Courts will now look closely at both concreteness and particularization. How this plays out relative to cyber security breaches remains to be seen.