Navigating Privacy – Insight on Professional Certifications
2024-01-04 18:07:24 Author: blogs.sap.com

(Jana Subramanian serves as Head of Cybersecurity, APJ Strategic Customer Engagements and is a Fellow of Information Privacy (FIP), awarded by the International Association of Privacy Professionals (IAPP). In this role, Jana supports strategic customer engagements on cybersecurity, data privacy, multi-cloud security integration architecture, contractual assurance, audit, and compliance.)

Introduction

In today’s cloud-driven world, reliable cloud computing underpins almost everything an organization does. Keeping it safe rests on two essential pillars: cybersecurity and data privacy. Although the two are closely inter-linked, they play distinct roles in safeguarding digital assets in the cloud and the foundation of everything we do in the digital realm. Through my own journey within this domain I have come to appreciate the nuanced differences between these areas. Each pillar has characteristics of its own that are crucial for the security and privacy of a cloud environment.

This blog delves into the distinctions and the synergy between cybersecurity and data privacy. With the escalating demand for specialized knowledge in the data privacy field, I will also attempt to shed some light on the highly valued data privacy certifications offered by IAPP and ISACA. These certifications lay out a clear path for learning and specializing in the data privacy domain, and an established pathway for cybersecurity professionals who want to transition into it.

Distinguishing Cybersecurity and Data Privacy

The following table illustrates the key differences between cybersecurity and privacy.

Feature: Cybersecurity / Privacy

1 FOCUS
  • Cybersecurity: Protecting systems and data from unauthorized access, modification, or destruction.
  • Privacy: Protecting individuals' control and rights over their personal data or sensitive personal data.
2 GOAL
  • Cybersecurity: Confidentiality, Integrity, and Availability (CIA).
  • Privacy: Transparency, Choice, Control, Accountability, Data Minimization, Purpose Limitation, and Data Integrity & Accuracy.
3 METHODS
  • Cybersecurity: Firewalls, intrusion detection/prevention systems (IDS/IPS), DDoS protection, encryption, malware scanning, patching, among others.
  • Privacy: Consent management, access control, data minimization, personal data breach notification, de-identification (anonymization, pseudonymization), data subject rights (e.g., deletion, rectification).
4 TYPE OF THREATS
  • Cybersecurity: Hackers, malware, phishing, intrusion (logical and physical), data breaches.
  • Privacy: Unauthorized data collection, misuse of personal data, automated profiling, surveillance.
5 IMPACT
  • Cybersecurity: Financial losses, operational disruptions, reputational damage, loss of intellectual property, regulatory fines.
  • Privacy: Loss of trust and credibility, discrimination, identity theft, loss of autonomy, hefty regulatory fines, potential harm to the safety of the individuals impacted.


Figure 1: Cybersecurity Vs Privacy

Protecting Personal Data – Technical and Organization Measures

Most privacy regulations around the globe, including the GDPR and China's PIPL, require two types of measures to safeguard personal data: technical and organizational measures. These are mandatory elements for compliance and play a critical role in protecting individuals’ privacy rights.

What are Technical and Organizational Measures:

Technical measures are the tools and technologies used to protect personal data from unauthorized access, disclosure, alteration, and destruction. Their value lies in building a robust defence against cyber threats and data breaches, using technology to secure data at every stage of processing. Some technical measures may be embedded within the cloud applications themselves.

Organizational measures, on the other hand, encompass the internal policies, procedures, and practices that govern how an organization handles personal data. These are less about technology and more about the management, culture, and governance of data processing. Organizational measures are crucial for embedding data protection into the fabric of an organization, ensuring that every member understands and contributes to the safeguarding of personal data.

You may refer to the Technical and Organizational Measures for SAP cloud services, which form part of the contractual assurance SAP gives in its role as a “data processor” for SAP Cloud Services.

The following table provides illustrative examples of technical and organizational measures.

Examples of Technical Measures
  • Data Encryption: Encrypting data to protect its confidentiality at rest and in transit.
  • Access Control: Restricting data access to authorized personnel only, using mechanisms such as passwords, MFA and biometric authentication.
  • Firewalls and Antivirus Software: Using these to protect against external threats and malware.
  • Intrusion Detection and Prevention Systems: Monitoring systems for suspicious activities that could indicate a breach.
  • Data Anonymization and Pseudonymization: Processing data in a way that it can no longer be attributed to a specific data subject without additional information.
  • Secure Data Storage Solutions: Storing data in secure environments to prevent unauthorized access and data loss.
  • Regular Security Audits: Conducting periodic reviews and audits to ensure security measures are effective.
  • Data Backup and Recovery Systems: Implementing systems to recover data in case of a loss or breach.
  • Systems Security Measures: Securing the network, applications and databases against cyber-attacks and unauthorized access, including protection against DDoS attacks, web attacks, etc.

Examples of Organizational Measures
  • Data Protection Policies: Developing and implementing internal policies and procedures for handling personal data.
  • Data Protection Officer (DPO): Appointing a DPO responsible for overseeing data protection strategies and compliance with privacy laws.
  • Employee Awareness Training: Conducting regular training sessions for employees on data protection laws and handling personal data securely.
  • Supply-Chain Management: Ensuring that third-party service providers who handle personal data comply with privacy laws.
  • Privacy Impact Assessments (PIA): Regularly assessing the impact of processing activities on personal data privacy.
  • Incident Response Plan: Having a plan in place for responding to personal data breaches, including notification procedures.
  • Data Minimization: Ensuring that only the data necessary for a specific purpose is collected and processed, and seeking consent prior to collecting personal data from the data subjects.
  • Record Keeping: Maintaining detailed records of data processing activities as required by privacy regulations.
  • Compliance Review and Auditing: Regularly reviewing practices to ensure ongoing compliance with privacy regulations.
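The pseudonymization row above is the one measure in the table that is a concrete technique rather than a control category, and the point it makes (re-attribution must require additional information held separately) is easy to get wrong in practice. The example below is added here and is not code from the original post or from SAP; the records, key and e-mail addresses are constructed. It replaces a direct identifier with a keyed HMAC token, keeps the key and the token-to-identifier lookup as the separately stored "additional information", and contrasts that with an unkeyed hash, which an attacker with a list of plausible identifiers can reverse by simple guessing.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample records (fictitious people); "email" is the direct identifier.
SAMPLE_RECORDS: List[Dict[str, str]] = [
    {"email": "alice@example.com", "country": "DE", "purchase": "laptop"},
    {"email": "bob@example.com", "country": "SG", "purchase": "phone"},
    {"email": "Alice@Example.com", "country": "DE", "purchase": "headset"},
]

# Fixed key so the example is reproducible. In production use generate_key()
# and keep the key in a KMS/HSM, separate from the pseudonymized data set.
DEMO_KEY = b"constructed-demo-key-do-not-use-in-production"


def generate_key() -> bytes:
    """256-bit random key; the 'additional information' that allows re-attribution."""
    return secrets.token_bytes(32)


def pseudonym(identifier: str, key: bytes) -> str:
    """Keyed HMAC-SHA256 token for a direct identifier.

    Normalizing case/whitespace keeps one person linked to one token.
    Without the key, the token cannot be mapped back to the identifier and
    cannot be tested against guessed identifiers.
    """
    canonical = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()[:32]  # 128 bits is ample


def unkeyed_hash(identifier: str) -> str:
    """The common mistake: a plain hash of the identifier, no secret involved."""
    canonical = identifier.strip().lower().encode("utf-8")
    return hashlib.sha256(canonical).hexdigest()[:32]


def pseudonymize(records: List[Dict[str, str]], key: bytes) -> Tuple[List[Dict[str, str]], Dict[str, str]]:
    """Return (processed data set, lookup table).

    The processed data set keeps analytic value (same subject -> same token)
    but carries no direct identifier. The lookup table is the re-identification
    material and must be stored and access-controlled separately.
    """
    lookup: Dict[str, str] = {}
    processed: List[Dict[str, str]] = []
    for rec in records:
        token = pseudonym(rec["email"], key)
        lookup[token] = rec["email"].strip().lower()
        new_rec = {k: v for k, v in rec.items() if k != "email"}
        new_rec["subject_id"] = token
        processed.append(new_rec)
    return processed, lookup


def reidentify(token: str, lookup: Dict[str, str]) -> Optional[str]:
    """Re-attribution is only possible for whoever holds the lookup table."""
    return lookup.get(token)


def is_pseudonymized(records: List[Dict[str, str]]) -> bool:
    """Check that no record still carries the direct identifier."""
    return all("email" not in r and "subject_id" in r for r in records)


def dictionary_attack(token: str, candidates: List[str], tokenizer: Callable[[str], str]) -> Optional[str]:
    """Attacker model: try each plausible identifier with the tokenizer they believe was used."""
    for candidate in candidates:
        if hmac.compare_digest(tokenizer(candidate), token):
            return candidate
    return None


if __name__ == "__main__":
    data, table = pseudonymize(SAMPLE_RECORDS, DEMO_KEY)
    for row in data:
        print(row)
    guesses = ["alice@example.com", "bob@example.com", "carol@example.com"]
    print("unkeyed hash recovered:", dictionary_attack(unkeyed_hash("bob@example.com"), guesses, unkeyed_hash))
    print("keyed token recovered without key:", dictionary_attack(data[1]["subject_id"], guesses, unkeyed_hash))
```

Erasure requests follow from the same split: deleting a subject's lookup entry (or, for a whole data set, destroying the key) removes the controller's ability to re-attribute, while the remaining tokens stay usable for aggregate analysis.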

Global Privacy Certifications for aspiring Privacy professionals

The International Association of Privacy Professionals (IAPP) and ISACA offer different certifications in the field of privacy, each with its own focus and benefits.

The International Association of Privacy Professionals (IAPP): This is the largest and most extensive worldwide community focused on information privacy. The IAPP offers privacy certifications that help professionals enhance their skills and grow their careers. These certifications provide essential knowledge and tools for handling privacy risks and safeguarding data in organizations. As the technology and regulatory landscape constantly evolves, the certifications are updated, providing structured learning and testing of skills. The table below provides high-level details and links for anyone interested in pursuing privacy skills and certifications.

S.No Certification Description
1 Certified Information Privacy Professional (CIPP)
  • This is probably the first professional certification offered in information privacy and focuses on understanding the laws, regulations, and standards of privacy in various jurisdictions or disciplines. It has concentrations for Asia (CIPP/A), Canada (CIPP/C), Europe (CIPP/E), U.S. government (CIPP/G), and the U.S. private sector (CIPP/US).
  • I would recommend starting with the Certified Information Privacy Professional/Europe (CIPP/E) certification if you’re entering the field of privacy. The CIPP/E provides a strong foundational understanding of the General Data Protection Regulation (GDPR), which is crucial since many other privacy regulations are based on or influenced by the GDPR. By mastering the principles and application of the GDPR through the CIPP/E, you gain a solid grasp of key privacy concepts that apply to a wide range of other data protection laws and regulations globally. This approach is particularly beneficial for developing a comprehensive understanding of privacy laws and practices in an international context.
  • Also, it is important to note that the CIPP/A covers only the Singapore, Hong Kong and India regulations, and it is uncertain whether the content and tests have been updated for the newer regulations.
2 Certified Information Privacy Manager (CIPM)
  • This is the only certification in privacy program management, providing skills on how to manage privacy in an organization.
3 Certified Information Privacy Technologist (CIPT)
  • For professionals in IT, security, or engineering, this certification focuses on managing and building privacy requirements and controls into technology. You will have an opportunity to learn all aspects of Privacy Enhancing Technologies (PET). I found this exam really tough and challenging.
4 Artificial Intelligence Governance Professional (AIGP)
  • This is a new certification recently introduced by the IAPP. It covers the principles of AI governance, teaching how to develop, integrate, and deploy AI systems in a manner that is trustworthy and compliant with emerging laws and policies. The curriculum includes an overview of AI technology, a survey of current laws, and strategies for risk management, among other relevant topics.

To earn credentials from the International Association of Privacy Professionals (IAPP), you need to become a professional member of the IAPP and register for each exam individually. Preparing for these exams requires a comprehensive understanding of privacy regulations and case studies. Many of the exam questions are scenario-based: they require an in-depth understanding of privacy, the ability to analyze a specific case study, and the ability to interpret regulations in the context of that scenario. This involves not only knowing facts but also understanding how privacy principles apply in real-world situations. The reference materials and books are available from the IAPP once you become a member. Earning a CIPP credential may take between 3 and 6 months depending on your effort, prior knowledge and practical experience, among other factors.

ISACA (Information Systems Audit and Control Association): ISACA’s Certified Data Privacy Solutions Engineer (CDPSE) certification tackles the critical technical skills gap in data privacy. It equips candidates to assess, build, and implement comprehensive privacy measures, minimizing risk and enhancing efficiency while navigating the complex landscape of modern data protection. The certification focuses on privacy governance, privacy architecture and the data life cycle, and is more tuned towards technical skills.

While the decision between the IAPP’s Certified Information Privacy Professional (CIPP) and ISACA’s Certified Data Privacy Solutions Engineer (CDPSE) depends on your professional focus and career aspirations, I would think that the CIPP is more suitable for privacy lawyers, privacy policy professionals, data protection officers, privacy managers and consultants, whereas ISACA’s CDPSE may suit technical professionals, privacy implementers, and those in risk assessment and management. It is possible to obtain the Fellow of Information Privacy (FIP) designation from the IAPP if one passes the CIPP as well as the CIPM or CIPT and has demonstrated experience in the data privacy domain.

Conclusion

The evolution of privacy regulations around the globe and cutting-edge privacy-enhancing technologies calls for continuous learning. This is especially true with the rise of AI and Machine Learning in data privacy, presenting exciting opportunities, threats, and challenges. Recognizing the intertwined nature of cybersecurity and data privacy, professionals in both fields can benefit from expanding their horizons. Cybersecurity experts can leverage their technical expertise to excel in privacy engineering, while privacy professionals can gain strategic insights from security best practices. Even legal professionals, navigating the legal landscape of this dynamic domain, will find foundational knowledge of cybersecurity and privacy-enhancing technologies increasingly valuable.

If you are aspiring to be a data privacy professional, I wish you happy learning in 2024 with these certifications.


Source: https://blogs.sap.com/2024/01/04/navigating-privacy-insight-on-professional-certifications/