Spring2026_Part4.docx.pdf
Project 4 – Privacy Compliance Strategy
Description
For this project, you will leverage your research from Projects #1, #2, and #3 to develop a privacy
compliance strategy for your chosen company. The deliverable for this project will be a Privacy
Compliance Strategy that includes a legal and regulatory analysis for privacy laws and regulations. The
scope for this project will be laws and regulations from the United States (federal and state) and the
European Union.
Research
1. Begin your research by reviewing the privacy concepts and requirements presented in the (ISC)2
SSCP Systems Security Certified Practitioner Official Study Guide (the course textbook).
2. Review your selected company’s Form 10-K to identify privacy-related risks which the company
disclosed to investors and shareholders. You will use these and additional privacy-related risks,
identified through your readings and research, to construct a privacy compliance profile.
3. Read Chapters 1 and 2 of the NIST Privacy Framework: A tool for improving privacy through
enterprise risk management. https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.01162020.pdf
4. Review the Audit and Compliance control family in NIST SP 800-53 (section 3.3).
5. Review one or more reports written by privacy analysts about privacy issues affecting global
businesses:
a. 2010 Ponemon Report: How Global Organizations Approach the Challenge of Protecting
Personal Data
https://www.ponemon.org/local/upload/file/ATC_DPP%20report_FINAL.pdf
b. 2019 Thomson Reuters GDPR Report Business’ struggle with data privacy: Regulatory
environment continues to evolve rapidly
https://legalsolutions.thomsonreuters.co.uk/blog/wp-content/uploads/sites/14/2019/1
2/Thomson-Reuters-GDPR-Report.pdf
c. 2021 blog from PrivacyPolicies.com Global Privacy Laws Explained
https://www.privacypolicies.com/blog/global-privacy-laws-explained/
6. Review existing and proposed privacy legislation for U.S. jurisdictions (states): Association of
Privacy Professionals (IAPP)
https://iapp.org/resources/article/us-state-privacy-legislation-tracker/
7. Review the privacy guidance for the European Union’s General Data Protection Regulation
https://gdpr.eu/
8. Review the Fact Sheet for the Trans-Atlantic Data Privacy Framework
https://www.whitehouse.gov/briefing-room/statements-releases/2022/03/25/fact-sheet-united-
states-and-european-commission-announce-trans-atlantic-data-privacy-framework/
9. Find and review additional authoritative sources which discuss (a) specific privacy-related legal
or regulatory non-compliance events (lawsuits, fines, etc.) impacting large, global companies and
(b) the business and financial impacts arising from compliance failures (violations) for privacy
laws and regulations.
Analyze Privacy Compliance Issues, Risks, and Mitigations
1. Identify the five most important privacy issues which your chosen company must address as part
of its enterprise risk management program. You should focus on strategic issues, e.g., lack of
management support, lack of resources, a rapidly changing external politico-legal privacy
environment, lawsuits and fines arising from non-compliance, etc. For each issue, identify the
legal and regulatory drivers from both the U.S. (federal and state) and the European Union.
2. Identify 10 or more privacy-related legal or regulatory compliance risks arising from your
identified privacy issues. For each risk, identify the specific law or regulation that imposes
privacy requirements upon your selected company. You may reuse privacy-related risks from
your previous projects. Present your risks using the Table 1 template found at the end of this file.
3. For each identified compliance risk, identify one or more security controls (from NIST SP 800-53)
which could be implemented to reduce or mitigate the compliance risk. Audit and Compliance
controls should be included in your mitigation profile. Remember that you need one or more
controls that will be the audit targets. You may reuse work from your previous projects, but you
should make sure that the selected controls actually address mitigations for PRIVACY
COMPLIANCE risks. If they do not, you must select controls which do address compliance. Enter
this information into Table 2 found at the end of this file.
Write
1. An introduction section which identifies the company being discussed and provides a brief
introduction to the company (you may reuse some of your narrative from Project #1 and/or
Project #2). Your introduction should include a brief overview of the company’s business
operations and include a description of the purpose and contents of this Privacy Compliance
Strategy deliverable.
2. A separate analysis section (Privacy Issues Impacting [company]) in which you present 10 or
more Privacy Issues which you identified from your reading and research. For each issue, you
should present your analysis of why this issue is important for your selected company. You
should also discuss the legal and regulatory drivers which make this issue important for your
company. What are the non-compliance risks associated with these issues? (Discuss at least 3.)
3. A separate analysis section (Privacy Compliance Risk Profile) in which you present your
privacy-related compliance risks. Provide an introductory paragraph that explains the
relationship between the previously identified privacy issues and your privacy compliance risk
profile. You should discuss the type of information presented in Table #1 Privacy Compliance Risk
Profile (use the template at the end of this file – this is a different table than the one used in previous
projects) and what sources were used to obtain this information. Your completed table should
have 10 or more entries. Describe the process and documents used to construct the Privacy
Compliance Risk Profile. Place Table #1 at the end of this section (remember to delete the
sample text).
4. A separate analysis section (Privacy Compliance Controls Profile) in which you present your
Privacy Compliance Controls Profile. Provide an introductory paragraph that explains the privacy
compliance controls profile, e.g., what information is contained in the table and what sources
were used to obtain this information. Describe the process and documents used to construct the
Privacy Compliance Controls Profile. Your profile should have 10 or more rows entered into Table
#2. Place Table #2 at the end of this section (remember to delete the sample text).
5. A separate section (Privacy Compliance Risk Mitigation Strategy) in which you present a
high-level strategy for implementing the risk mitigations (security controls) presented earlier in
this deliverable. This section should include a summary of the business problem (reduce
privacy-related risks arising from legal and regulatory requirements for privacy protections), the
general types of privacy-related risks to be mitigated (focus on the CIA triad and summarize the
risks you previously identified), the timeframe for implementing each element of your strategy,
and the benefits of implementing an enterprise strategy for reducing privacy-related compliance
risks.
6. A separate Recommendations and Conclusions section which provides a summary of the
information contained in this deliverable and presents your concluding statements regarding the
business need and business benefits which support implementing your Privacy Compliance Risk
Mitigation Strategy and the allocation of resources by the company.
Submit Your Work for Grading and Feedback
Before you submit your work, check the rubric (displayed in the Assignment Folder entry) to make sure
that you have covered all required content including citations and references.
Submit your work in MS Word format (.docx or .doc file) using the Project #4 Assignment in your
assignment folder. (Attach the file.)
Additional Information
1. Your 8 to 10 page deliverable should be professional in appearance with consistent use of fonts,
font sizes, colors, margins, etc. You should use headings and sub-headings to organize your
paper. Use headings which correspond to the content rows in the rubric – this will make it easier
for your instructor to find required content elements and will help you ensure that you have
covered all required sections and content in your paper.
2. The stated page length is a recommendation based upon the content requirements of the
assignment. All pages submitted will be graded but, for the highest grades, your work must be
clear, concise, and accurate. Exceeding the recommended length will not necessarily result in a
higher grade. Shorter submissions may not fully meet the content requirements, resulting in a
lower grade.
3. The INFA program requires that graduate students follow standard APA style guidance for both
formatting and citing/reference sources. Your file submission must be in MS Word format
(.docx). PDF, ODF, and other types of files are not acceptable.
4. You must include a cover page with the course, the assignment title, your name, your
instructor’s name, and the due date. Your reference list must be on a separate page at the end of
your file. These pages do not count towards the assignment’s minimum page count.
5. You are expected to write grammatically correct English in every assignment that you submit for
grading. Do not turn in any work without (a) using spell check, (b) using grammar check, (c)
verifying that your punctuation is correct and (d) reviewing your work for correct word usage
and correctly structured sentences and paragraphs.
6. You are expected to credit your sources using in-text citations and reference list entries. Both
your citations and your reference list entries must follow APA Style guidance. Use of required
readings from the course as sources is expected and encouraged. Where used, you must cite and
provide references for these readings.
7. When using Security and Privacy controls from NIST SP 800-53, you must use the exact
numbering and names (titles) when referring to those controls. This information does not need
to be treated as quotations. You may paraphrase or quote from the descriptions of the controls
provided that you appropriately mark copied text (if any) and attach a citation for both quoted
and paraphrased information.
8. Consult the grading rubric for specific content and formatting requirements for this assignment.
9. All work submitted to the Assignment Folder will be scanned by the Turn It In service. We use
this service to help identify areas for improvement in student writing.
Table 1. Privacy Compliance Risk Profile for [company]
Columns: Risk ID; Privacy Risk Title; Description; Risk Category; Impact Level
Row 001 (sample text):
  Privacy Risk Title: Unauthorized disclosure of privacy-related customer information.
  Description: Unauthorized disclosure or access to privacy-related customer data could result in non-compliance with [law], [law], [regulation: section].
  Risk Category: People
  Impact Level: Medium
Rows 002 through 010: empty rows to be completed.
Table 2. Privacy Compliance Controls Profile
Columns: Risk ID; Risk Title; Compliance Risk Mitigation Strategy; Security Controls
Row 001 (sample text):
  Risk Title: Unauthorized disclosure of privacy-related customer information.
  Compliance Risk Mitigation Strategy: Implementation of role-based access controls will reduce the compliance-related risk arising from failure to control access to privacy-related customer information. Compliance will be improved by (a) auditing access and access permissions to ensure that least privilege is implemented and enforced and (b) review of audit records and external sources to detect unauthorized disclosures of privacy-related information.
  Security Controls: AC-3 (7) Access Enforcement | Role-Based Access Control; AC-3 (11) Access Enforcement | Restrict Access to Specific Information Types; AU-2 Event Logging; AU-6 Audit Record Review, Analysis, and Reporting; AU-13 Monitoring for Information Disclosure
Rows 002 through 010: empty rows to be completed.