ISACA：2023年度隐私实践研究报告

EivacyEivacy3Abstract4ExecutiveSummaryndings4SurveyMethodology6PrivacyStaffing9/SkillGaps10PrivacyBudgets10PrivacyProgramTrends12/PrivacyTeamInteractionWithOtherAreasrdsofDirectorsPrivacyInvolvement13/MonitoringPrivacyPrograms14PrivacyAwarenessTraining16PrivacyFrameworks,LawsandRegulations16PrivacyBreachesandFailures18PrivacybyDesign19TheFutureofPrivacy20Conclusion21Acknowledgmentsbyisehiseysurveyfindingssomewhatorsignificantlyunderstaffedthanlegal/areimpactedbystaffshortages.eredthemostimportantfactorindlegalcomplianceprivacyprofessionals.Privacyteamsinteractmostfrequentlywithritylegalcomplianceandriskmanagementteams.practiceprivacybydesignaremore•Haveadequatelystaffedprivacyteams•BelievethattheirboardofdirectorsappropriatelyoritizesenterpriseprivacyentedprivacypoliciesproceduresandstandardscycontrolsoverallthanarelegallyFeeltheirprivacybudgetisappropriatelyfundedyytoapproximatelyISACAInformationSecurityManager(CISM®)orCertifiedDataiaSurveyMonkeyAtotalfrespondentscompletedthesurveytheirresponsesareincludedintheresults.ThemostcommonlyheldcertificationistheCISMcertification:Seventy-fivepercentofrespondentsholdtheCISMcertificationpercentholdtheCertifiedInformationSystemsAuditor®(CISA®)certificationtythreepercentofrespondentsareinamanagementppositionspercentareindividualcontributorsand10percenttionsFigureshowsadditionalinformationaboutsurveyrespondents.TopindustriesTopindustriesNumberofemployeesatorganizationPrivacystaffrolesincludelegal/compliancepractitioner,technicalITstaff,riskprofessionalorsecurityprofessionalFigure2showsthepercentageofstaffineachoftheseroles.PrivacypractitionerscanusuallybeclassifiedintoonealLegalcomplianceprivacyprofessionalshaveknowledgeoftheprivacylawsandregulationsthatapplytoanenterprisebutmaynothaveextensivetechnicalexpertise;technicalprivacyprofessionalshavethetechnicalexpertisetoapplycontrolsthathelppreserveprivacyandachievecompliance.Whatpercentageofyourstaffareinthefollowingroles?sentofrespondentsindicatethatlegalmsaresomewhatorsignificantlysreportthatesomewhatorsignificantlyalprivacyteamsthaninlegal/complianceteamsisconsistentwithningithasimprovedfromlastyearigurenext12months.erprisesaretakingstepstoaddressunderstaffing.Twenty-sevenpercentofrespondentssaythattheirenterpriseshaveopenlegal/compliancepercentindicatetheyhaveOftenfillingprivacypositionscanbetimeconsuming(igures4and5).rUnderstaffingofPrivacyRolesrivacyPositionsOnaverage,howlongdoesittaketofilllegal/complianceprivacypositionswithaqualifiedcandidate?Onaverage,howlongdoesittaketofilltechnicalprivacypositionswithaqualifiedcandidate?1%1%Althoughsomesurveyrespondentsreportthatthetimetofillopenprivacypositionsdecreasedinthepastyear,mostreportthattheamountoftimetofillrolesincreasedorstayedthesame.Forlegal/complianceroles,14percentofrespondentssaythatthetimetofillpositionssomewhatorsignificantlydecreased,19percentreportthatitsignificantlyorsomewhatincreasedand31percentsaythatitstayedthesame.Timetofilltechnicalprivacypositionsissimilar,with16percentsayingthatitsomewhatorsignificantlydecreased,23percentsayingthatitsignificantlyorsomewhatincreasedand30percentindicatingitstayedthesame.fiedrespondentlifiedforthepositionstowhichlcomplianceandtechnicalusedtoevaluateifaifiedFIGURE6:ImportanceofFactorsDetermininganApplicant’sQualificationsHowimportantareeachofthefollowingfactorsindeterminingifaprivacycandidateisqualified?4%differenttypesoftechnologiesandorapplicationsasthefindingthatexperienceisthemostimportantfactorgprivacypositioncandidatesigureperiencergeskillgapThedentifiedskillgapisunderstanding•Businessinsight(39percent)IToperationsknowledgeandskills(38percent)•Softskills,suchascommunication,flexibilityand•Networkingand/orotherinfrastructureknowledgekillspercent•Businessethics(18percent)lsGapWhich,ifany,ofthefollowinghasyourorganizationundertakentohelpdecreasethisprivacyskillsgap?Selectallthatapply.taffwhoareinterestedyrolesctdeconsultantstoattesttoactualskillmasterycredentialstoattesttoactualubjectmatterexpertiserelianceonartificialenceorautomationgapetsftoimproveeinthenextmonthstedecreaseinthelpnizationalobjectivesobstacletoformingtssaynivacyprogramrivacyofficerChiefinformationofficerrivacyofficerChiefinformationofficercerutiveofficerralcounselchieflegalofficerChiefcomplianceofficerectorsacyPrivacyWhoisprimarilyaccountableforprivacyinyourorganization?Which,ifany,ofthefollowingareobstaclesfacedbyanorganizationinitsabilitytoformaprivacyprogram?Selectallthatapply.cescesndresponsibilitiessupportLackofvisibilityandinfluencewithineorganizationkassociatedtechnologiesroadmapexistPrivacyTeamInteractionnalsworkcloselywithsTheseteamscallprivacyprofessionalsmeetwithlegalcomplianceprivacyprofessionalsTwenty-eightpercentofrespondentssaythattheirtechnicalprivacyprofessionalsandlegal/complianceprivacyprofessionalsmeetquarterly,25percentsaythattheseprofessionalsmeetonceortwiceayearand17percentreportthattheymeetmonthly.Another17percentofrespondentsreportthattheirtechnicalandlegal/complianceprivacyprofessionalsmeetwhennewprivacylawsandregulationsgointoeffect.stPrivacyteamsalsointeractregularlywithIToperationsanddevelopmentprocurement,internalaudit,humanresources,sales/marketing/customerrelations,finance,product/businessdevelopmentandpublicandmediarelations.FIGURE10:FrequencyofMeetingsBetweenTechnicalandLegal/CompliancePrivacyProfessionalsHowoftendotechnicalprivacyprofessionalsmeetwithlegal/complianceprofessionalstounderstandlegalandregulatoryrequirements?MonitoringPrivacyProgramsMonitoringPrivacyProgramsBoardsofDirectors’PrivacyInvolvementrsfremanyconcernsassociatedwithhavinganprivacyapproachTheglobalidlyOrganizationswhoseprimaryfocusisachievingcompliancemayfindthemselvesstrugglingtocatchup.Apurelycompliance-drivenviewofaprivacyprogrammaysignalthatprivacyteamsmayalwaysfeelastepbehindcomplianceandunabletoworkbesttoprotectdatasubjects’privacy.Itiscrucialthatenterprisesmonitortheirprivacyprograms.Regularmonitoringhelpsenterprisesidentifyluatewhattheyaredoingwellandareasforimprovement.Asenterprisesincreaseprivacy-programmonitoring,theycanseehowtheirprivacyprogramsevolve.Figure12showsthecommonwaysofmonitoringtheeffectivenessofprivacyprograms.Thirtypercentofrespondententerprisesevaluatethenumberofprivacyincidentsasametrictoindicatetheeffectivenessoftheirprivacyprograms.Thismetricshouldbecombinedwithanothermonitoringmechanism;anorganizationthatlookssolelyatthenumberofprivacyincidentswillnotknowaboutitsprivacyprogramweaknessesuntilanincidenthappens,atwhichpointthereputationaldamageandlossoftrustmaybeirreversible.Significantfinescanalsoresultfromprivacyincidents,soitisbesttouseforward-lookingmetricstoevaluatetheeffectivenessofaprivacyprogramtoavoidthesehighpenalties.Doyouthinkyourboardofdirectorsviewsyourenterprise’sprivacyprogramas:rogramEffectivenessHowdoesyourorganizationmonitortheeffectivenessofitsprivacyprogram?Selectallthatapply.%%visesningWhendoesyourorganizationprovideprivacytraining?Selectallthatapply.Toevaluateifemployeesarebenefittingfromprivacyawarenesstraining,enterprisesshouldmonitortheirtrainingprograms.Figure14showsthemetricsthatdententerprisesusetoevaluateprivacytrainingprogrameffectiveness.sycomplaintsreceiveduseitisreactiveectiveuntilahocompleteganythingfromiterhavelearnedfromgMostrespondentsbelievethatprivacytrainingprogramsbenefittheirenterprise.Twenty-sixpercentofrespondentssaythatprivacytrainingandawarenessprogramshaveastrongpositiveimpact,and47percentsaytheyhavesomepositiveimpact.ntofrespondententerprisesprivacyawarenesstrainingisseparatefromsecurityawarenesstraining,while31percentofrespondententerprisesdonotseparateprivacyawarenesstrainingfromsecurityawarenesstraining.Althoughprivacyandsecuritytrainingcanbecombinedinawaythatteachesbothtopics,aconcernisthatprivacy-specifictopicsarenotcoveredthoroughlyincombinedtraining.Itisimpossibletohaveprivacywithoutsecurity,butsecuritydoesnotnecessarilyguaranteeprivacy.acyAwarenessTrainingEffectivenessWhatmetricsdoesyourorganizationtracktoevaluatetheprivacytrainingprogram’seffectiveness?Selectallthatapply.Eighty-twopercentofrespondentsuseaframeworkorlaw/regulationtomanageprivacyintheirenterprises.For73percentofrespondents,itismandatorytoaddressprivacywithdocumentedprivacypolicies,standardsandprocedures.Thetop-threeframeworksandregulationsmostcommonlyusedtomanageUSNationalInstituteofStandardsandTechnologycontrols:36percenteGiventhemyriadprivacylawsandregulationsineffect,someenterprisesstruggletoidentifyandunderstandtheirprivacyobligations.Twenty-threepercentofISACAsurveyrespondentssaythatitisdifficultorverydifficulttoidentifyandunderstandtheirprivacyobligations.Thisfindingemphasizeshowimportantitisfortechnicalprivacyprofessionalstomeetwithlegal/complianceprivacyprofessionalsonaregularbasis,asmanytechnicalprivacyexpertsdonothavethelegalbackgroundtounderstandthespecificprovisionsoflawsandregulations.Aprevioussectioninthisreportrevealedthatprivacybudgetsappeartobemoreadequatelyfundedthisyearthanlastyear,andunderstaffingseemstobeimproving.Partofthereasonforthismaybethatenterprisesfeltthestrainontheirprivacyteamsandincreasedprivacybudgetsandstaffsizesaccordingly.Thisstrainmaybecausedpartiallybyanincreaseindata-subjectrequests.Thirty-fourpercentofrespondentssaythatthenumberofdata-subjectrequestshassomewhatorsignificantlyincreased.Protectingdataandachievingcompliancewithprivacylawsandregulationscanbechallenging,but45percentofrespondentsarecompletelyorveryconfidentintheirprivacyteam’sabilitytoensuredataprivacyandachievecompliancewithnewprivacylawsandregulations.Someofthisconfidencemaycomefromanunderstandingofcommonprivacyfailures.Figure15showstheseprivacyfailures.Only11percentofrespondentsreportthattheirenterpriseexperiencedamaterialprivacybreachinthepast12months,whichisslightlyhigherthanlastyear(10percent).Sixty-fourpercentofrespondentsreportthattheirenterprisedidnothaveaprivacybreach,17percentdonotknowandninepercentpreferrednottoanswer.Althoughthepercentageofrespondentswhodonotknowmayseemhigh,itispossiblethattheyknowasecurityincidentoccurredbutareunsureifpersonalinformationwascompromised.Dwelltime(thetimebetweenabreachandwhenanenterprisediscoversthebreach)mayhavealsoinfluencedwhysomanyrespondentsdonotknowifaprivacybreachoccurred.Figure16showsthenumberofenterprisesexperiencingmoreorfewerbreachesthanlastyear.Inyouropinion,whichofthefollowingarethemostcommonprivacyfailuresinanorganization?Selectallthatapply.Isyourorganizationexperiencinganincreaseordecreaseinmaterialprivacybreachesascomparedtoayearago?17showshowoftenrespondententerprisespracticeprivacybydesign.Thirtypercentofrespondentsindicatethattheirenterprisesalwayspracticeprivacybydesign,and30percentofrespondentssaythattheirenterprisesfrequentlypracticeprivacybydesign.Someinterestingtrendsemergewhencomparingtheenterprisesthatalwayspracticeprivacybydesigntothetotalnumberofrespondententerprises.Thosethatlwayspracticeprivacybydesign•Aremorelikelytoseparateprivacytrainingfromsecuritytraining(65percentvs.57percenttotal)whatconfidentinAremorelikelytorelyonartificialintelligence(AI)orautomation(25percentvs.20percenttotal)iventhatnotpracticingprivacybydesignisviewedasacommonprivacyfailure(igure15),itissurprisingthatmoreenterprisesdonotalwayspracticeit.Thereasonmaybethatenterprisesthatalwayspracticeprivacyorelikelytohaveresourcesthatenablethemtodoso(igure18).ThemedianprivacystaffsizeamongenterprisesthatalwayspracticeprivacyHowoftendoesyourenterprisepracticeprivacybydesign? ISACAEightStrategiestoHelpOrganizationsImplementPrivacybyDesignandDefaultOctoberhttpswwwisacaorgwhyisacaaboutus/newsroom/press-releases/2021/eight-strategies-to-help-organizations-implement-privacy-by-design-and-defaultfortotalrespondents.Forty-fourpercentofrespondententerprisesthatalwayspracticeprivacybydesignfeelthattheirprivacydepartmentisadequatelystaffed,comparedto34percentoftotalrespondents.Italsoappearsthattheboardsofdirectorsofenterprisesthatalwayspracticeprivacybydesignbetterprioritizeprivacy;76percentoftheseenterprisesfeelthattheirboardproperlyprioritizesprivacy,comparedtojust55percentoftotalrespondents.Respondentsfromenterprisesthatalwayspracticeprivacybydesignaresignificantlymorelikelytobecompletelyorsomewhatconfidentintheirteam’sabilitytoensuredataprivacyandachievecompliancewithnewprivacylawsandregulations.Seventy-sixpercentoftheserespondentsfeelcompletelyorsomewhatconfidentinthisability,comparedto35percentoftotalrespondents.hosewhoalwayspracticeprivacybydesignarelesslikelytohaveboardsthatviewprivacyprogramsasrelycompliancedrivenpercentvspercentkeytenetofprivacybydesignisthatbeproactiveandnotreactiveandpurelycompliancedrivenprogramsareoftenreactive,itmakessensethatenterprisesthatalwayspracticeprivacybydesigndonotoperatereactively.thatprivacyisimportant,andtheworkofprivacyprofessionalsiscrucialtoanenterprise’ssuccess.Giventhevariousrequirementsprivacyteamsmustmeetandthegrowingnumberofinternationalprivacylawsandregulations,itmakessensethatthedemandforprivacyprofessionalsisexpectedtogrowinthenextyearSixtytwopercentofrespondentssaythedemandforlegal/complianceroleswillincreaseinthenextyear,and69percentsaythedemandfortechnicalprivacypositionswillincrease.Howlikelyisitthatyourorganizationwillexperienceamaterialprivacybreachnextyear?EcytissWhatareyourorga