Security Industry Association Privacy Framework
The Security Industry Association (SIA) is committed to protecting
privacy when a security solution requires the collection,
protection or storage of personally identifiable information (PII).
Originally released in 2010 and updated in 2014, the SIA Privacy
Framework outlines a core set of principles and best practices the
industry is working to implement in the deployment of electronic
security technologies protecting people and assets.
Purpose
This SIA Privacy Framework has three intended purposes:
• To identify a set of privacy principles to serve as a guide for
manufacturers, integrators and distributors of electronic
security technologies (both physical and logical), including
but not limited to access control devices, biometrics, CCTV,
video analysis, IP-based technology and RFID;[1]
• To inform policymakers about how the security industry
protects privacy when collecting, securing and storing PII;
• To help educate end users on the implementation of privacy
protections.
SIA Privacy Principles:
1. Mitigation by Design. Privacy-enhancing solutions are ideally incorporated during the design phase of electronic
security products, services or systems to the maximum extent possible—without increasing the risk of
compromising the security provided by the products, services or systems.
2. Assessment. Privacy impact assessments help to provide integrators, system owners and managers a methodology
to analyze how personally identifiable information is collected, stored, protected, shared and managed—
as well as the length of time it is retained and how it is disposed of.
3. Legal Compliance. An assessment of applicable legal or regulatory requirements, including, but not limited to,
the Sarbanes-Oxley Act, Gramm-Leach-Bliley Act, Health Insurance Portability and Accountability Act (HIPAA)
and the HITECH Act, is performed to help monitor compliance with these legal requirements.
4. Use Limitation. Work to ensure access to PII captured by a physical or online security system is limited to
authorized individuals for authorized purposes.
5. Database Safeguards. The database where any PII is collected and stored is protected, including both physical
and logical security of the database.
6. Secure Communications. Data transmitted between systems or components is protected from unauthorized
disclosure, commensurate with risk.
7. Transparency. Individuals whose PII may be collected are notified of the reason for collection and how the data
may be used.
8. Breach Notification and Response. End users adopt a privacy-breach notification plan that includes:
a. means of determining whether notification is required to individuals with PII in the database
b. responsive action if a privacy breach does occur
c. a mitigation procedure to address potential harm from unauthorized disclosure
9. Data Retention Policy. End users establish a policy on the retention and disposal of PII—a policy that may include:
a. for video, a policy establishing a time period for retaining (storing) video for both non-incident and incident video
b. for a physical access control system (PACS), a policy that dictates when PII is destroyed after an individual
is no longer authorized access
c. for online, deletion of PII once that PII is determined to be no longer relevant
d. a procedure to ensure that deleted PII is not recoverable
10. Accountability. Collaboration between service providers and end users of electronic security systems helps
ensure compliance with best practices for privacy protections.

[1] Note: This document does not constitute legal advice and is only a guide.
securityindustry.org
Example Steps to Implement the Framework through a Privacy Impact Assessment (PIA)[2]
Step One
Work to identify information—including PII—that is collected and stored by the physical or online security system,
including areas within the system where such data might be stored. Such information could include name, date
of birth, mailing address, telephone number, social security number, e-mail address, zip code, certificate/license
number, vehicle identifier including license plate, device identifiers and serial numbers, biometric identifiers,
photographic facial images or any other unique identifying numbers or characteristics.
Step Two
Follow the Fair Information Practice Principles (FIPPs) in determining how the information collected by the system
may be used and protected.
• Purpose Specification: Examine why the information is collected so that the system is collecting information
that is relevant to achieving the security purpose.
• Data Minimization: Limit collection of information to what is determined necessary to achieve the system’s
security goals.
• Notice and Awareness: Determine when and how individuals affected by the security system may be notified of
the information collection and its purpose.
• Data Security: Examine the potential for both internal and external threats to unauthorized disclosure of PII. Use
encryption, mutual authentication and other logical security measures to help protect against potential threats.
Step Three
Determine the controls that are in place, or may be needed, to help minimize risks to collected PII, consistent with the
security purpose—and to identify and address points of potential weakness in the collection, sharing and storage of PII.
Step Four
Examine how long and for what reasons collected PII may be retained. Maintain information for the minimum amount of time
determined to be necessary, consistent with the security purpose, in order to mitigate the risk of unauthorized disclosure.
Step Five
Determine how and when collected PII may be removed from the system and destroyed to help eliminate potential
risks from improperly disposed of PII.
[2] This template is only a guide. It could be modified or expanded depending on the requirements of a specific application. Ideally, a PIA
is performed before a system is deployed but the process can also be used to evaluate existing systems, or when an existing system is
being considered for upgrade.
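As an added illustration that is not part of SIA's document, the following Python checker applies the Principle 9 retention categories (video, PACS, online) to constructed sample records and reports which PII must be destroyed, which is the result Steps One, Four and Five of the PIA template ask for. The field names, retention periods and sample records are assumptions; the framework leaves the actual periods to the end user.

```python
"""Added example (not SIA's code): a retention-policy checker that applies the
page's Principle 9 categories (video, PACS, online) to constructed sample
records and lists which PII must be destroyed, the output Steps Four and Five
of the PIA template call for. Field names, retention periods and records
are assumptions; the page leaves the actual periods to the end user."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# PII element types named in Step One of the page, used to tag inventory fields.
PII_FIELDS = {
    "name", "date_of_birth", "mailing_address", "telephone_number",
    "social_security_number", "email_address", "zip_code",
    "license_number", "license_plate", "device_serial",
    "biometric_identifier", "facial_image",
}

# Assumed retention windows (Principle 9a and 9b leave the numbers to the owner).
POLICY = {
    "video_non_incident": timedelta(days=30),
    "video_incident": timedelta(days=365),
    "pacs_after_deauthorization": timedelta(days=90),
}


@dataclass
class Record:
    record_id: str
    category: str                 # "video", "pacs" or "online" (Principle 9a-c)
    fields: Tuple[str, ...]       # data elements held in the record
    created: date
    incident: bool = False        # video only: part of a security incident?
    deauthorized: Optional[date] = None  # PACS only: date access was revoked
    relevant: bool = True         # online only: still needed for the purpose?


def pii_fields(record: Record) -> List[str]:
    """Step One: which of the record's elements are PII."""
    return sorted(set(record.fields) & PII_FIELDS)


def pii_inventory(records: List[Record]) -> Dict[str, List[str]]:
    """Step One: PII element types held per system category."""
    inventory: Dict[str, set] = {}
    for r in records:
        inventory.setdefault(r.category, set()).update(pii_fields(r))
    return {cat: sorted(fields) for cat, fields in inventory.items()}


def retention_deadline(record: Record) -> Optional[date]:
    """Step Four: last date the record may be kept, or None while it must be
    retained (access still authorized, data still relevant)."""
    if record.category == "video":          # 9a: incident vs non-incident video
        key = "video_incident" if record.incident else "video_non_incident"
        return record.created + POLICY[key]
    if record.category == "pacs":           # 9b: destroy after access is revoked
        if record.deauthorized is None:
            return None
        return record.deauthorized + POLICY["pacs_after_deauthorization"]
    if record.category == "online":         # 9c: delete once no longer relevant
        return None if record.relevant else date.min
    raise ValueError(f"unknown category {record.category!r}")


def records_due_for_destruction(records: List[Record], today: date) -> List[Tuple[str, List[str]]]:
    """Step Five: records whose PII is past retention and must be destroyed.
    Records holding no PII are skipped; making the destruction unrecoverable
    (Principle 9d) is a separate procedure not modelled here."""
    due = []
    for r in records:
        deadline = retention_deadline(r)
        if deadline is not None and today > deadline and pii_fields(r):
            due.append((r.record_id, pii_fields(r)))
    return due


# Constructed sample records for a review dated 2024-06-01.
TODAY = date(2024, 6, 1)
SAMPLE_RECORDS = [
    Record("cam7-clip-001", "video", ("facial_image", "license_plate"), date(2024, 4, 1)),
    Record("cam7-clip-002", "video", ("facial_image",), date(2024, 4, 1), incident=True),
    Record("badge-1042", "pacs", ("name", "facial_image", "biometric_identifier"),
           date(2022, 1, 10), deauthorized=date(2024, 1, 15)),
    Record("badge-2201", "pacs", ("name", "email_address"), date(2023, 5, 5)),
    Record("portal-user-77", "online", ("email_address", "telephone_number"),
           date(2023, 2, 2), relevant=False),
    Record("portal-user-78", "online", ("email_address",), date(2023, 2, 2)),
    Record("sensor-log-9", "online", ("temperature",), date(2020, 1, 1), relevant=False),
]

if __name__ == "__main__":
    print("PII inventory:", pii_inventory(SAMPLE_RECORDS))
    for record_id, fields in records_due_for_destruction(SAMPLE_RECORDS, TODAY):
        print(f"destroy {record_id}: {fields}")
```

Run as a script it lists the non-incident clip, the de-authorized badge holder and the no-longer-relevant portal account as due for destruction, while the incident clip, the active badge and the sensor log (which holds no PII) are kept.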