Oversight and Governance
OG-WRL-008
Privacy Compliance
Responsible for developing and overseeing an organization’s privacy compliance program and staff, including establishing and managing privacy-related governance, policy, and incident response needs.
- T0898: Establish an internal privacy audit program
- T1014: Determine if security incidents require legal action
- T1020: Determine the operational and safety impacts of cybersecurity lapses
- T1054: Scope analysis reports to various audiences that accounts for data sharing classification restrictions
- T1058: Advise senior management on risk levels and security posture
- T1059: Perform cost/benefit analyses of cybersecurity programs, policies, processes, systems, and elements
- T1060: Advise senior management on organizational cybersecurity efforts
- T1084: Identify anomalous network activity
- T1092: Conduct functional and connectivity testing
- T1096: Perform privacy impact assessments (PIAs)
- T1118: Identify vulnerabilities
- T1119: Recommend vulnerability remediation strategies
- T1145: Develop strategic plans
- T1146: Maintain strategic plans
- T1189: Determine if contracts comply with funding, legal, and program requirements
- T1224: Determine impact of noncompliance on organizational risk levels
- T1225: Determine impact of noncompliance on effectiveness of the enterprise's cybersecurity program
- T1279: Prepare audit reports
- T1334: Produce cybersecurity instructional materials
- T1335: Promote cybersecurity awareness to management
- T1336: Verify the inclusion of sound cybersecurity principles in the organization's vision and goals
- T1476: Promote awareness of cybersecurity policy and strategy among management
- T1489: Correlate incident data
- T1492: Integrate laws and regulations into policy
- T1549: Evaluate the impact of legal, regulatory, policy, standard, or procedural changes
- T1853: Determine if new and existing services comply with privacy and data security obligations
- T1854: Develop and maintain privacy and confidentiality consent forms
- T1855: Develop and maintain privacy and confidentiality authorization forms
- T1856: Integrate civil rights and civil liberties in organizational programs, policies, and procedures
- T1857: Integrate privacy considerations in organizational programs, policies, and procedures
- T1858: Serve as liaison to regulatory and accrediting bodies
- T1859: Register databases with local privacy and data protection authorities
- T1860: Promote privacy awareness to management
- T1861: Establish organizational Privacy Oversight Committee
- T1862: Establish cybersecurity risk assessment processes
- T1863: Develop information sharing strategic plans
- T1864: Develop organizational information infrastructure
- T1865: Implement organizational information infrastructure
- T1866: Develop self-disclosure policies and procedures
- T1867: Oversee consumer information access rights
- T1868: Serve as information privacy liaison to technology system users
- T1869: Serve as liaison to information systems department
- T1870: Create privacy training materials
- T1871: Prepare privacy awareness communications
- T1872: Deliver privacy awareness orientations
- T1873: Deliver privacy awareness trainings
- T1874: Manage organizational participation in public privacy and cybersecurity events
- T1875: Prepare privacy program status reports
- T1876: Respond to press and other public data security inquiries
- T1877: Develop organizational privacy program
- T1878: Apply sanctions for failure to comply with privacy policies
- T1879: Develop sanctions for failure to comply with privacy policies
- T1880: Resolve allegations of noncompliance with privacy policies and notice of information practices
- T1881: Develop a risk management and compliance framework for privacy
- T1882: Determine if projects comply with organizational privacy and data security policies
- T1883: Develop organizational privacy policies and procedures
- T1884: Establish complaint processes
- T1885: Establish mechanisms to track access to protected health information
- T1886: Maintain the organizational policy program
- T1887: Conduct privacy impact assessments
- T1888: Conduct privacy compliance monitoring
- T1889: Align cybersecurity and privacy practices in system information security plans
- T1890: Determine if protected information releases comply with organizational policies and procedures
- T1891: Administer requests for release or disclosure of protected information
- T1892: Develop vendor review procedures
- T1893: Develop vendor auditing procedures
- T1894: Determine if partner and business agreements address privacy requirements and responsibilities
- T1895: Provide legal advice for business partner contracts
- T1896: Mitigate Personal Identifiable Information (PII) breaches
- T1897: Administer action on organizational privacy complaints
- T1898: Determine if the organization's privacy program complies with federal and state privacy laws and regulations
- T1899: Identify organizational privacy compliance gaps
- T1900: Correct organizational privacy compliance gaps
- T1901: Manage privacy breaches
- T1902: Implement and maintain organizational privacy policies and procedures
- T1903: Develop and maintain privacy and confidentiality information notices
- T1905: Monitor advancements in information privacy technologies
- T1907: Establish organizational risk management strategies
- K0498: Knowledge of operational planning processes
- K0644: Knowledge of cybersecurity operation policies and procedures
- K0645: Knowledge of standard operating procedures (SOPs)
- K0659: Knowledge of information privacy technologies
- K0674: Knowledge of computer networking protocols
- K0675: Knowledge of risk management processes
- K0676: Knowledge of cybersecurity laws and regulations
- K0677: Knowledge of cybersecurity policies and procedures
- K0678: Knowledge of privacy laws and regulations
- K0679: Knowledge of privacy policies and procedures
- K0680: Knowledge of cybersecurity principles and practices
- K0681: Knowledge of privacy principles and practices
- K0682: Knowledge of cybersecurity threats
- K0683: Knowledge of cybersecurity vulnerabilities
- K0684: Knowledge of cybersecurity threat characteristics
- K0687: Knowledge of business operations standards and best practices
- K0718: Knowledge of network communications principles and practices
- K0748: Knowledge of Privacy Impact Assessment (PIA) principles and practices
- K0751: Knowledge of system threats
- K0752: Knowledge of system vulnerabilities
- K0773: Knowledge of telecommunications principles and practices
- K0792: Knowledge of network configurations
- K0881: Knowledge of learning assessment tools and techniques
- K0885: Knowledge of instructional design principles and practices
- K0886: Knowledge of instructional design models and frameworks
- K0892: Knowledge of cyber defense laws and regulations
- K0915: Knowledge of network architecture principles and practices
- K0925: Knowledge of wireless communication tools and techniques
- K0926: Knowledge of signal jamming tools and techniques
- K0962: Knowledge of targeting laws and regulations
- K0963: Knowledge of exploitation laws and regulations
- K0973: Knowledge of system persistence tools and techniques
- K0983: Knowledge of computer networking principles and practices
- K0990: Knowledge of cyber operations principles and practices
- K1014: Knowledge of network security principles and practices
- K1030: Knowledge of operational planning tools and techniques
- K1070: Knowledge of privacy disclosure statement laws and regulations
- K1111: Knowledge of application security design principles and practices
- K1120: Knowledge of Confidentiality, Integrity, Availability, Authenticity, and Non-repudiation (CIAAN) principles and practices
- K1138: Knowledge of cybersecurity standards and best practices
- K1160: Knowledge of federal and state accreditation standards
- K1183: Knowledge of organizational cybersecurity policies and procedures
- K1192: Knowledge of organizational privacy policies and procedures
- K1194: Knowledge of Personally Identifiable Information (PII) attributes
- K1198: Knowledge of privacy and data security regulators
- K1200: Knowledge of privacy technologies
- K1212: Knowledge of security controls
- K1240: Knowledge of privacy laws and regulations
- S0395: Skill in developing instructional materials
- S0406: Skill in developing policy plans
- S0407: Skill in developing standard operating procedures (SOPs)
- S0408: Skill in maintaining standard operating procedures (SOPs)
- S0447: Skill in aligning privacy and cybersecurity objectives
- S0450: Skill in authoring privacy disclosure statements
- S0537: Skill in designing wireless communications systems
- S0540: Skill in identifying network threats
- S0601: Skill in developing curricula
- S0602: Skill in teaching training programs
- S0610: Skill in communicating effectively
- S0687: Skill in performing administrative planning activities
- S0791: Skill in presenting to an audience
- S0796: Skill in creating privacy policies
- S0797: Skill in negotiating vendor agreements
- S0798: Skill in evaluating vendor privacy practices
- S0818: Skill in building internal and external stakeholder relationships
- S0821: Skill in collaborating with internal and external stakeholders
- S0850: Skill in performing cost/benefit analysis
- S0858: Skill in performing economic analysis
- S0878: Skill in performing risk analysis
Source: Workforce Framework for Cybersecurity (NICE Framework) (NIST SP 800-181 Rev 1) (Version: 1.0.0)