PCHG-02

Do you have policy and procedure, currently implemented, guiding how privacy risks are mitigated until they can be resolved?

Explanation

This question is asking whether your organization has formal, documented policies and procedures that specifically address how to handle privacy risks when they are identified but before they can be fully resolved. Privacy risks are potential threats to personal data that could lead to unauthorized access, disclosure, alteration, or destruction of that data.

The question is being asked in a security assessment because privacy risk management is a critical component of an organization's overall security posture. When privacy risks are identified, organizations need a systematic approach to mitigate them while permanent solutions are being developed. Without such procedures, organizations might leave identified privacy risks unaddressed for extended periods, increasing the likelihood of privacy breaches.

To best answer this question, you should:

1. Describe your formal policy that addresses privacy risk mitigation
2. Outline the specific procedures used to mitigate privacy risks temporarily
3. Explain how these mitigations are monitored until permanent resolutions are implemented
4. Mention any roles responsible for overseeing this process
5. Reference any frameworks or standards your policy aligns with (such as the NIST Privacy Framework, GDPR requirements, etc.)

If your organization doesn't have such policies and procedures, it would be honest to acknowledge this gap and describe any plans to develop them.

Guidance

Policy and procedure should include specific steps to take in the process of mitigating privacy risks.

Example Responses

Example Response 1

Yes, our organization has implemented a comprehensive Privacy Risk Mitigation Policy and associated procedures. When privacy risks are identified through our risk assessment process, our Privacy Incident Response Team follows our documented Privacy Risk Mitigation Procedure. This procedure includes: 1) immediate containment actions to limit exposure (such as restricting access to affected systems or data); 2) implementation of compensating controls while permanent solutions are developed; 3) weekly review of all privacy risks under mitigation by our Privacy Officer; 4) required documentation of mitigation plans with timelines for permanent resolution; and 5) executive reporting for any high-risk issues that remain in mitigation status for more than 30 days. Our approach aligns with the NIST Privacy Framework and includes specific guidance for different categories of privacy risks (e.g., data minimization issues, consent management problems, or access control weaknesses). All mitigations are tracked in our GRC platform until permanent resolution is achieved.

Example Response 2

Yes, we have implemented our Privacy Risk Management Policy, which includes specific procedures for mitigating identified privacy risks. Our policy follows a risk-based approach where each identified privacy risk is assigned a risk level (Critical, High, Medium, Low) that determines the required mitigation timeframe and interim controls. For example, Critical risks require same-day mitigation measures and daily monitoring until resolved. Our Privacy Risk Mitigation Procedure outlines a standard set of temporary controls that can be applied based on risk type, such as enhanced logging, additional approval workflows, or temporary data access restrictions. Our Privacy Steering Committee meets bi-weekly to review all risks under mitigation, and our CISO must approve any mitigation plan lasting longer than 60 days. We maintain a Privacy Risk Register that tracks all identified risks, applied mitigations, and progress toward permanent resolution. This approach is integrated with our broader Enterprise Risk Management framework and is audited annually for effectiveness.

Example Response 3

No, we currently do not have a formal policy and procedure specifically addressing how privacy risks are mitigated until they can be resolved. While we do have a general Incident Response Plan that covers security incidents, it does not contain specific guidance for privacy risk mitigation. When privacy issues are identified, they are handled on a case-by-case basis by our IT team in consultation with legal counsel. We recognize this as a gap in our privacy program and are developing a formal Privacy Risk Management Policy that will include specific mitigation procedures. We expect to have this policy implemented within the next quarter, along with staff training on the new procedures. In the interim, we are using industry best practices as guidance when privacy risks are identified, but we acknowledge the need for a more structured approach.

Context

Tab: Privacy
Category: Privacy Change Management

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC-backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain points. They were confusing, hard to delegate and arrived like London buses - 3 at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Neil Cameron
Founder, ResponseHub