One of the more significant changes brought about by the proposed Consumer Privacy Protection Act is the introduction of an exception to consent based on an organization’s legitimate interest.
Take each of your business objectives and plans. Now, figure out what might result from a technology-related failure (noting that ‘technology’ extends beyond the IT function). Then, what are you going to do about it?
This is a new world and we need to re-examine traditional techniques for addressing technology risk. Before assessing and testing controls, challenge management on whether they believe effective security is in place and why. An internal audit team can help with this.