Rebecca Herold & Associates, LLC

Your trusted source for effective information security,
privacy and compliance tools, education and consulting.
The Privacy Professor

Privacy Impact Assessments

A high-level privacy impact assessment (PIA) identifies the issues that should be addressed and helps prioritize them. It is based upon information I collect from the key stakeholders who answer a PIA survey, follow-up questions, a review of the privacy policies posted on your websites, and research into publicized incidents at other companies in your industry.

Comprehensive Privacy Impact Assessment

A comprehensive privacy impact assessment (PIA) is based upon empirical research into the current state of privacy within the company, facilitated information-gathering activities, stakeholder interviews, and communication of industry standard practices. Together these provide the in-depth knowledge required to identify and measure the risks related to obtaining, handling, and maintaining the personally identifiable information (PII) of employees, consumers, and customers/partners.

The objective of a comprehensive PIA is to identify risks and impacts to business processes, and their related technology, associated with employee and consumer information privacy, data protection compliance, and customer expectations.

Privacy Policy Privacy Impact Assessment

For more information, contact me.

Defined Scope Privacy Impact Assessment

For more information, contact me.

Other Services

Corporate Privacy Governance Plan and Information Security Governance Plan Creation

All organizations that collect, store, process or otherwise handle PII need to have a comprehensive privacy governance plan and information security governance plan to ensure PII is appropriately used and protected.

PII Identification and Inventory

It is important to know what personally identifiable information (PII) exists within the organization. You cannot protect PII if you do not know what PII you have or where it is located! To do this you must first define PII, then determine where it is collected and stored, assign responsibility for it, and determine the risks to it. This is most efficiently accomplished by examining each application and system in turn.
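As an added illustration (not part of the original page, and not the consulting methodology described on it), the following Python script applies the steps above to a constructed set of systems: it defines PII by value pattern and column name, records where each element was found, attaches the responsible owner, and assigns a simple risk score so the entries can be prioritized. Every system name, owner, record, pattern weight and risk threshold here is invented for the example; a real inventory would draw its definition of PII from the organization's policy and applicable law.

```python
import re
from dataclasses import dataclass

# Constructed sample data (hypothetical systems, owners and records; not real data).
# Each "system" stands in for one application or data store in the organization.
SAMPLE_SYSTEMS = {
    "hr_payroll": {
        "owner": "HR Director",
        "records": [
            {"employee_id": "E1001", "name": "Pat Example", "ssn": "123-45-6789",
             "email": "pat@example.com", "salary": "55000"},
        ],
    },
    "web_marketing": {
        "owner": "Marketing Manager",
        "records": [
            {"email": "lead@example.org", "phone": "(515) 555-0142", "campaign": "spring"},
            {"email": "other@example.net", "phone": "515-555-0199", "campaign": "spring"},
        ],
    },
    "orders": {
        "owner": "E-commerce Lead",
        "records": [
            # First card number has a valid shape but fails the Luhn check (not a real PAN).
            {"order_id": "7", "card_number": "1234567890123456", "email": "buyer@example.com"},
            {"order_id": "8", "card_number": "4111111111111111", "email": "x@example.com"},
        ],
    },
    "build_server": {
        "owner": "Platform Team",
        "records": [{"job_id": "42", "status": "green", "duration_s": "311"}],
    },
}

# Step 1: define PII. Each element has a value pattern and an assumed sensitivity
# weight (higher = greater harm if exposed). Weights are illustrative only.
PII_PATTERNS = {
    "ssn": (re.compile(r"^\d{3}-\d{2}-\d{4}$"), 10),
    "credit_card": (re.compile(r"^\d{13,19}$"), 9),  # confirmed by the Luhn check below
    "email": (re.compile(r"^[^@\s]+@[^@\s]+\.[A-Za-z]{2,}$"), 3),
    "phone": (re.compile(r"^\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}$"), 3),
}
# Column names that indicate PII even when the value has no recognizable shape.
NAME_HINTS = {"name": 2, "full_name": 2, "dob": 6, "date_of_birth": 6, "address": 4}


def luhn_ok(number: str) -> bool:
    """Luhn checksum, used to avoid flagging every long digit string as a card number."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify(field: str, value: str):
    """Return (pii_type, weight) for one field/value pair, or None if it is not PII."""
    for pii_type, (pattern, weight) in PII_PATTERNS.items():
        if pattern.match(value):
            if pii_type == "credit_card" and not luhn_ok(value):
                continue  # right shape, wrong checksum: keep looking, do not flag
            return pii_type, weight
    key = field.lower()
    if key in NAME_HINTS:
        return key, NAME_HINTS[key]
    return None


@dataclass
class InventoryEntry:
    system: str        # step 2: where the PII is stored
    field: str
    pii_type: str
    owner: str         # step 3: who is responsible for it
    record_count: int
    risk_score: int    # step 4: illustrative risk = weight x number of records


def risk_level(score: int) -> str:
    """Bucket a score into a label for prioritization (thresholds are assumptions)."""
    return "high" if score >= 10 else "medium" if score >= 5 else "low"


def build_inventory(systems: dict) -> list:
    """Walk each system (application or data store) and return the PII found in it."""
    entries = []
    for system, info in systems.items():
        found = {}  # field name -> (pii_type, weight); one hit per field is enough
        for record in info["records"]:
            for field, value in record.items():
                if field not in found:
                    hit = classify(field, str(value))
                    if hit:
                        found[field] = hit
        count = len(info["records"])
        for field, (pii_type, weight) in found.items():
            entries.append(InventoryEntry(system, field, pii_type, info["owner"],
                                          count, weight * count))
    return entries


if __name__ == "__main__":
    for e in sorted(build_inventory(SAMPLE_SYSTEMS), key=lambda e: -e.risk_score):
        print(f"{risk_level(e.risk_score):6} {e.system:14} {e.field:12} "
              f"{e.pii_type:12} owner={e.owner}")
```

Systems where nothing matches (the build server above) produce no entries, which is itself useful output: it documents that the system was examined and found to hold no PII. Pattern matching on sample records is a starting point, not a substitute for talking to the application owners, since a field named `notes` can hold anything.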

Create Information Security and Privacy Policies

Organizations need to have information security and privacy policies and procedures for their personnel to follow, based on the enterprise risk, gap determination and international privacy leading practices, such as the Organization for Economic Cooperation and Development (OECD) privacy principles paired with the ISO/IEC 27001 security standard.

Create Procedures to Support Information Security and Privacy Policies

Procedures must exist to support each policy for each area for which the policy applies. Procedures must be detailed and specific to the areas that must follow them.

Vendor / Business Partner Security and Privacy Program Review

Organizations must perform due diligence activities to ensure business partners, to whom they entrust PII, have appropriate security programs and activities in place. My business partner security and privacy program review uses a methodology based upon ISO/IEC 27002 and the OECD privacy principles.

Create Information Security and Privacy Incident Response Plans

At least 45 privacy breach notification laws exist in the U.S. Organizations must be able to resolve incidents as quickly as possible by following established incident response procedures, then analyze each incident to determine whether privacy breach notices are necessary, and finally implement changes to prevent recurrences of the same type of incident.

Create Privacy Program and Information Security Maintenance Plan

Your organization must continuously ensure compliance with the corporate privacy policies as well as applicable laws and contractual requirements. This can be accomplished by following a well-thought-out privacy program maintenance plan.

Create Information Security and Privacy Awareness and Training Strategy

Organizations need to have a formally documented information security and privacy awareness and training program to make education efforts effective, as well as to demonstrate compliance with the multiple laws and regulations that require training and awareness.

Virtual Privacy Officer / Virtual Information Security Officer

All organizations face unanticipated information security, privacy and compliance issues on an ongoing basis, beyond the specific projects described above. To address these issues it helps to have an experienced and trusted source to meet with, do research, and provide opinions and recommendations.

Many organizations also do not have personnel dedicated to addressing the vast and growing information security, privacy and compliance issues that all businesses must be concerned with. I will provide regular updates and recommendations for an organization based not only upon general information security and privacy issues, requirements and concerns, but also upon my client's specific industry and risks. I also offer the option of providing monthly or quarterly calls to discuss with business leaders their information security, privacy and compliance issues, and let them know the types of actions that they can take to address them.

Create Standards To Support Information Security and Privacy Policies

Standards must exist to support each policy for each area to which the policy applies. Standards must be detailed and apply to every area that uses the specific technology each standard covers.

Create Guidelines To Support Information Security and Privacy Policies

Guidelines are extremely useful in supporting each policy, procedure and standard for each area where they apply.

Provide On-site Presentations

I can come on-site to speak with your executives, help desk personnel, another target group, or your general employee base. The cost depends upon the topic and whether I use some of my existing training or need to create customized training based upon your learning goals. When you let me know the specific topic you have in mind, the amount of time for the event, the location(s) and the number of people anticipated, I can give you the cost for an event.

For more information about services, contact me.