On May 14, Sarbari Gupta presented “Chasing the Privacy Risk Monster Within Your Organization” at The North America CACS 2019 Conference in Anaheim, California. Her presentation comprised part of the IT Governance, Compliance & COBIT track.

In her presentation, Sarbari suggested that an effective privacy risk assessment (PRA) methodology can help organizations that handle personally identifiable information (PII) identify the greatest privacy risks and ways to mitigate them. She  proposed a two-level approach. The first, organizational-level PRA, which focuses on NIST SP 800-53 Rev4 Appendix J privacy controls. The second, a system-level PRA for each information system, which addresses system-level privacy controls and the Privacy Impact Assessment for each system. At each level, the goal is to apply a SP 800-30 Rev1 style risk assessment approach by identifying applicable threats, gaps/weaknesses (vulnerabilities), likelihoods of occurrence and impacts.

Attendees gleaned a better understanding of the criticality of performing risk assessments and gained insights on how to conduct privacy risk assessments at the organizational level; perform privacy risk assessments at the information system level; and mitigate privacy risks within their organization through more effective and timely risk identification.

Sarbari’s presentation slides can be viewed here.