Privacy Impact Assessment
Information Technology (IT) is now an integral part of service delivery in all aspects of today's networked e-business and e-government economy. The Information Management and IT functions have come under increased scrutiny by senior managers and external auditors. Almost all aspects of delivering services in a networked environment are made more complex by a plethora of interdependent legal and regulatory requirements related to security and privacy. Our clients need to identify and articulate the policies that underpin business processes supported by the IT architecture.
The International Security Trust Privacy Alliance (ISTPA) produced a Privacy Framework that bridges the gap between the legal, regulatory and privacy principles and the IT architects who need to design and build the supporting IT infrastructure. The ISTPA Framework defines seven security services and three capabilities intended to support the implementation of fair information practices that are generally accepted within the international privacy community and defined in international legislation and regulations.
Intertek EWA-Canada has recognized the need to have a common approach that ensures privacy and security issues are identified and considered at every stage in the life cycle of systems and data. Intertek EWA-Canada is involved with both the International Systems Security Engineering Association (ISSEA) and the International Security Trust & Privacy Alliance (ISTPA) and, through these organizations, has agreed to collaborate in the development of an initial series of high-level foundation documents. These foundation documents form the basis for our approach not just to PIAs but to security reviews in general.
Our approach provides a security engineering perspective on the "privacy services and capabilities" and demonstrates:
- how the systems security engineering base practices defined by the SSE-CMM can be used to develop, deliver and operate a system to comply with all relevant policies; and
- how the resulting system architecture can be assessed to provide assurance that both security and privacy requirements have been met.