Attention: CISA Learning is now available! If you are an EXTERNAL (non-CISA) user access the new system using this url: CISA Learning. The Federal Virtual Training Environment (FedVTE) has been permanently decommissioned and replaced by CISA Learning. Please reference the CISA Learning page for the latest information. Please note: CISA Users (staff and contractors) should access CISA Learning through the internal site. You should have received an email on December 4, 2024, titled “CISA Learning is LIVE!” with more information.

OG-WRL-008

Privacy Compliance

Responsible for developing and overseeing an organization’s privacy compliance program and staff, including establishing and managing privacy-related governance, policy, and incident response needs.

Task statements

T0898: Establish an internal privacy audit program
T1014: Determine if security incidents require legal action
T1020: Determine the operational and safety impacts of cybersecurity lapses
T1054: Scope analysis reports to various audiences that accounts for data sharing classification restrictions
T1058: Advise senior management on risk levels and security posture
T1059: Perform cost/benefit analyses of cybersecurity programs, policies, processes, systems, and elements
T1060: Advise senior management on organizational cybersecurity efforts
T1084: Identify anomalous network activity
T1092: Conduct functional and connectivity testing
T1096: Perform privacy impact assessments (PIAs)
T1118: Identify vulnerabilities
T1119: Recommend vulnerability remediation strategies
T1145: Develop strategic plans
T1146: Maintain strategic plans
T1189: Determine if contracts comply with funding, legal, and program requirements
T1224: Determine impact of noncompliance on organizational risk levels
T1225: Determine impact of noncompliance on effectiveness of the enterprise's cybersecurity program
T1279: Prepare audit reports
T1334: Produce cybersecurity instructional materials
T1335: Promote cybersecurity awareness to management
T1336: Verify the inclusion of sound cybersecurity principles in the organization's vision and goals
T1476: Promote awareness of cybersecurity policy and strategy among management
T1489: Correlate incident data
T1492: Integrate laws and regulations into policy
T1549: Evaluate the impact of legal, regulatory, policy, standard, or procedural changes
T1853: Determine if new and existing services comply with privacy and data security obligations
T1854: Develop and maintain privacy and confidentiality consent forms
T1855: Develop and maintain privacy and confidentiality authorization forms
T1856: Integrate civil rights and civil liberties in organizational programs, policies, and procedures
T1857: Integrate privacy considerations in organizational programs, policies, and procedures
T1858: Serve as liaison to regulatory and accrediting bodies
T1859: Register databases with local privacy and data protection authorities
T1860: Promote privacy awareness to management
T1861: Establish organizational Privacy Oversight Committee
T1862: Establish cybersecurity risk assessment processes
T1863: Develop information sharing strategic plans
T1864: Develop organizational information infrastructure
T1865: Implement organizational information infrastructure
T1866: Develop self-disclosure policies and procedures
T1867: Oversee consumer information access rights
T1868: Serve as information privacy liaison to technology system users
T1869: Serve as liaison to information systems department
T1870: Create privacy training materials
T1871: Prepare privacy awareness communications
T1872: Deliver privacy awareness orientations
T1873: Deliver privacy awareness trainings
T1874: Manage organizational participation in public privacy and cybersecurity events
T1875: Prepare privacy program status reports
T1876: Respond to press and other public data security inquiries
T1877: Develop organizational privacy program
T1878: Apply sanctions for failure to comply with privacy policies
T1879: Develop sanctions for failure to comply with privacy policies
T1880: Resolve allegations of noncompliance with privacy policies and notice of information practices
T1881: Develop a risk management and compliance framework for privacy
T1882: Determine if projects comply with organizational privacy and data security policies
T1883: Develop organizational privacy policies and procedures
T1884: Establish complaint processes
T1885: Establish mechanisms to track access to protected health information
T1886: Maintain the organizational policy program
T1887: Conduct privacy impact assessments
T1888: Conduct privacy compliance monitoring
T1889: Align cybersecurity and privacy practices in system information security plans
T1890: Determine if protected information releases comply with organizational policies and procedures
T1891: Administer requests for release or disclosure of protected information
T1892: Develop vendor review procedures
T1893: Develop vendor auditing procedures
T1894: Determine if partner and business agreements address privacy requirements and responsibilities
T1895: Provide legal advice for business partner contracts
T1896: Mitigate Personal Identifiable Information (PII) breaches
T1897: Administer action on organizational privacy complaints
T1898: Determine if the organization's privacy program complies with federal and state privacy laws and regulations
T1899: Identify organizational privacy compliance gaps
T1900: Correct organizational privacy compliance gaps
T1901: Manage privacy breaches
T1902: Implement and maintain organizational privacy policies and procedures
T1903: Develop and maintain privacy and confidentiality information notices
T1905: Monitor advancements in information privacy technologies
T1907: Establish organizational risk management strategies

Knowledge statements

K0498: Knowledge of operational planning processes
K0644: Knowledge of cybersecurity operation policies and procedures
K0645: Knowledge of standard operating procedures (SOPs)
K0659: Knowledge of information privacy technologies
K0674: Knowledge of computer networking protocols
K0675: Knowledge of risk management processes
K0676: Knowledge of cybersecurity laws and regulations
K0677: Knowledge of cybersecurity policies and procedures
K0678: Knowledge of privacy laws and regulations
K0679: Knowledge of privacy policies and procedures
K0680: Knowledge of cybersecurity principles and practices
K0681: Knowledge of privacy principles and practices
K0682: Knowledge of cybersecurity threats
K0683: Knowledge of cybersecurity vulnerabilities
K0684: Knowledge of cybersecurity threat characteristics
K0687: Knowledge of business operations standards and best practices
K0718: Knowledge of network communications principles and practices
K0748: Knowledge of Privacy Impact Assessment (PIA) principles and practices
K0751: Knowledge of system threats
K0752: Knowledge of system vulnerabilities
K0773: Knowledge of telecommunications principles and practices
K0792: Knowledge of network configurations
K0881: Knowledge of learning assessment tools and techniques
K0885: Knowledge of instructional design principles and practices
K0886: Knowledge of instructional design models and frameworks
K0892: Knowledge of cyber defense laws and regulations
K0915: Knowledge of network architecture principles and practices
K0925: Knowledge of wireless communication tools and techniques
K0926: Knowledge of signal jamming tools and techniques
K0962: Knowledge of targeting laws and regulations
K0963: Knowledge of exploitation laws and regulations
K0973: Knowledge of system persistence tools and techniques
K0983: Knowledge of computer networking principles and practices
K0990: Knowledge of cyber operations principles and practices
K1014: Knowledge of network security principles and practices
K1030: Knowledge of operational planning tools and techniques
K1070: Knowledge of privacy disclosure statement laws and regulations
K1111: Knowledge of application security design principles and practices
K1120: Knowledge of Confidentiality, Integrity, Availability, Authenticity, and Non-repudiation (CIAAN) principles and practices
K1138: Knowledge of cybersecurity standards and best practices
K1160: Knowledge of federal and state accreditation standards
K1183: Knowledge of organizational cybersecurity policies and procedures
K1192: Knowledge of organizational privacy policies and procedures
K1194: Knowledge of Personally Identifiable Information (PII) attributes
K1198: Knowledge of privacy and data security regulators
K1200: Knowledge of privacy technologies
K1212: Knowledge of security controls
K1240: Knowledge of privacy laws and regulations

Skill statements

S0395: Skill in developing instructional materials
S0406: Skill in developing policy plans
S0407: Skill in developing standard operating procedures (SOPs)
S0408: Skill in maintaining standard operating procedures (SOPs)
S0447: Skill in aligning privacy and cybersecurity objectives
S0450: Skill in authoring privacy disclosure statements
S0537: Skill in designing wireless communications systems
S0540: Skill in identifying network threats
S0601: Skill in developing curricula
S0602: Skill in teaching training programs
S0610: Skill in communicating effectively
S0687: Skill in performing administrative planning activities
S0791: Skill in presenting to an audience
S0796: Skill in creating privacy policies
S0797: Skill in negotiating vendor agreements
S0798: Skill in evaluating vendor privacy practices
S0818: Skill in building internal and external stakeholder relationships
S0821: Skill in collaborating with internal and external stakeholders
S0850: Skill in performing cost/benefit analysis
S0858: Skill in performing economic analysis
S0878: Skill in performing risk analysis

Source: Workforce Framework for Cybersecurity (NICE Framework) (NIST SP 800-181 Rev 1) (Version: 1.0.0)