Privacy Audits: The Subject of “Controls”

When one considers the subject of privacy audits, the first impulse is to ask about the purpose and scope of the audit,  followed by a question as to what privacy controls are in play. While purpose and scope can be more readily defined, privacy controls are not a topic one sees addressed very much and I was pleasantly surprised to see that the National Institute of Standards and Technology (“NIST”) recently did so. How did they make out?

The short answer is: I’m not sure. I cannot help but think that there was some confusion as to the difference between “controls” and “objectives”.

Usually, “controls” can be considered as “means” and “objectives” as “ends” as in “means to an end”. For example, an organization asserts that it complies with applicable privacy laws. To determine whether this assertion is true, an auditor will tell you that an objective (sometimes referred to as a “control objective”) is a specific “target” used to evaluate the effectiveness of one or more controls. Privacy controls include the administrative, technical, and physical safeguards employed within organizations to protect personal information. If the organization meets the target(s) based on the controls or criteria, one can have a reasonable assurance that the risk of an error or omission related to that assertion is low or that an error can detected by controls on a timely basis.

In contrast, a deficiency exists when the design or operation of a control prevents an organization, in the normal course of business, from meeting its assertion-related targets. Minimize your deficiencies and, if you’ll allow the use of an idiom, one runs a “pretty tight ship”. Perhaps not the most elegant of explanations but I suspect I’ve already outraged auditors with this attempt to explain audit controls as simply as possible.

What NIST has done, in Appendix J of Security and Privacy Controls for Federal Information Systems and Organizations (Rev 4)  is to attempt to “provide a structured set of privacy controls, based on international standards and best practices, that help organizations enforce privacy requirements deriving from federal legislation, policies, regulations, directives, standards, and guidance”.

While the concepts in these “privacy controls” are intended for public sector institutions there are some useful ideas that should be considered for private sector organizations. However, they are “best practices” and could be considered more as policy statements. There are eight “families” of controls and much of the list will be familiar to anyone who has had to implement a privacy program in Canada.

As you go through the NIST Appendix containing the privacy controls, one might reasonably characterize them as objectives as opposed to controls. For example, the NIST document describes one control involving contractors: The organization “includes privacy requirements in contracts and other acquisition-related documents.” The presence of a set of standard contractual provisions to be included in contracts, whether “as is” or customized, would seem more like a control than a requirement to include such language in contracts – something that strikes me as more of an objective. An “objective” might be to obtain consent for the processing of personal information. A “control” would be a consent form signed by the subject individual filed and/or logged. Interestingly, when one looks at the security controls described in Appendix H, one finds more granular, operational requirements with different verbs and more specific requirements.

I suppose this could be a difference of opinion as to terminology but one can easily find organizations that can have NIST-like “controls” but fail to adequately protect personal information because they have not been translated into operational practices. How many private sector organizations out there have a privacy policy and little else? A lot more than there should be.

I asked a privacy colleague, John Wunderlich, for his thoughts on the subject of privacy audits and he responded with what I consider a rather precise and pithy comment: “if one has built a privacy program ‘properly’ using control objectives AND with processes in place to ensure that controls are in place and operating properly, then the reports/metrics/assurances flowing from such a program would provide the material basis for an audit to verify the same.”

In terms of accountability and moving beyond the NIST document, a privacy audit should provide the assurance that measures are in place to protect personal information – recognizing at all times that it is a risk-based exercise – rather than simply indicate that a “privacy program” is in place.