Data Privacy

This whitepaper outlines a practical, privacy-by-design approach for safeguarding sensitive information across every device and entry point—identity, endpoints, servers, infrastructure, collaboration, mobility, and third parties—without sacrificing productivity.

Version 1.0 · Audience: IT / Security / Compliance · Classification: Public
Principles: Minimize collection, separate duties and keys, encrypt at rest and in transit, verify with evidence, and expire access quickly. Build controls users can live with.

1) Identity, Access & Directory

Identity is the new perimeter. Govern the full lifecycle and reduce standing privilege.

  • MFA everywhere; phishing-resistant methods preferred (FIDO2/WebAuthn).
  • Conditional access by risk, geo, device health, and user role.
  • JIT/JEA admin with approvals; short-lived credentials and break-glass with hardware tokens.
  • Automated provisioning/deprovisioning (HRIS → IdP) with SCIM/Graph.
  • PAM for privileged sessions; session recording where lawful and disclosed.
  • Strong passwordless or passkeys; disable legacy auth (IMAP/POP/NTLM) where possible.

2) Workstations & Laptops

Harden endpoints to protect data at the point of creation and access.

  • Full-disk encryption (BitLocker/FileVault) with escrowed recovery keys; pre-boot auth.
  • Remove local admin; just-in-time elevation with audit trails.
  • Application allow-listing; exploit protection; host firewall baselines.
  • Patch SLAs and automated update rings; rapid vulnerability remediation.
  • EDR with privacy-conscious telemetry retention and role-based views.
  • Screen lock, idle timeouts, privacy filters for shared/field work.
  • Data-at-rest: encrypt user profiles and key app data folders; protect hibernation files.
  • Data-in-use: harden clipboard, print, and screenshot policies for regulated apps.

3) Servers (On-prem & IaaS)

  • Disk/volume encryption; secrets in KMS/HSM; rotate service creds.
  • Prod vs non-prod segmentation; east-west filtering; admin via jump hosts.
  • Baseline configs (CIS), golden images, drift detection, immutable infra where feasible.
  • Log minimal necessary fields; tamper-evident storage; time-sync with secure NTP.

4) Network Devices: Firewalls, Routers, Switches

  • Mgmt plane: TLS/SSH only, IP allowlists, MFA; disable telnet/HTTP/SNMPv1.
  • Versioned backups; signed configs; out-of-band management.
  • VLANs/micro-segmentation; ACLs default-deny; DHCP/DNS guard; storm control.
  • NetFlow/IPFIX to analytics; DoS rate-limits; automatic config compliance.
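The "automatic config compliance" bullet above can be made concrete with a small checker. The following is an added example, not part of the whitepaper: it scans a constructed IOS-style configuration excerpt for the management-plane weaknesses the list names (telnet, plaintext HTTP, SNMPv1/v2c community strings, missing IP allowlists on vty lines). The config text and the finding strings are assumptions for illustration.

```python
# Constructed IOS-style config excerpt for illustration (not from a real device).
SAMPLE_CONFIG = """\
hostname edge-rtr-1
ip http server
ip http secure-server
snmp-server community public RO
line vty 0 4
 transport input telnet ssh
 login local
line vty 5 15
 access-class 10 in
 transport input ssh
 login local
"""


def parse_vty_blocks(config: str):
    """Return {'line vty 0 4': [indented sub-commands, ...], ...}."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line vty"):
            current = raw.strip()
            blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = None  # any other top-level line ends the block
    return blocks


def check_mgmt_plane(config: str):
    """Return a list of human-readable findings; empty list means compliant."""
    findings = []
    top = [l.strip() for l in config.splitlines() if not l.startswith(" ")]
    if "ip http server" in top:
        findings.append("plaintext HTTP management enabled (ip http server)")
    if any(l.startswith("snmp-server community") for l in top):
        findings.append("SNMPv1/v2c community string configured")
    if "ip ssh version 2" not in top:
        findings.append("SSH not pinned to version 2 (ip ssh version 2 missing)")
    for name, cmds in parse_vty_blocks(config).items():
        transport = [c for c in cmds if c.startswith("transport input")]
        if any(w in c.split() for c in transport for w in ("telnet", "all")):
            findings.append(f"{name}: telnet permitted on transport input")
        if not any(c.startswith("access-class") for c in cmds):
            findings.append(f"{name}: no access-class (IP allowlist) applied")
    return findings
```

Run it against each versioned config backup so drift away from the TLS/SSH-only, allowlisted baseline surfaces before the next change window.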

5) Wireless & Guest

  • 802.1X/EAP-TLS with certificate identity; separate corp/BYOD/guest SSIDs.
  • Client isolation; WIDS/WIPS; disable open auth; rotate keys.
  • Guest portal with rate limits; DNS and content filtering.
  • Coverage planning & privacy zoning for cameras/meeting spaces.

6) Email & Messaging

  • Inbound: anti-phish, DMARC/DKIM/SPF, BEC defenses, sandboxing.
  • Outbound: DLP policies; label-triggered encryption (TLS/S/MIME/portal).
  • Safe links/attachments; legal hold; retention by policy.
  • External sharing boundaries; watermarking; recording governance.

7) DNS, Web Filtering & Proxies

  • DoH/DoT resolvers with domain risk scoring and block lists.
  • Block newly registered/DGA domains; isolate risky browsing.
  • TLS inspection with privacy guardrails and user notice where lawful.
  • DNS logging with PII minimization and documented retention.

8) Zero-Trust Access & Modern VPN

  • Per-app micro-tunnels; device posture checks; short-lived tokens.
  • MFA + device cert binding; split tunnel with DNSSEC/DoH.
  • Granular logging; session recording for admin flows (with notice).
  • Auto-quarantine on posture failure; self-remediation prompts.

9) Mobile & BYOD

  • MDM/MAM: Android work profile; iOS user enrollment; app-level policies.
  • Prevent copy/paste to unmanaged apps; block unsanctioned cloud saves.
  • Per-app VPN; jailbreak/root detection; remote wipe of work data only.
  • Minimal telemetry with clear user notices and consent where required.

10) IoT, OT, Printers & Cameras

  • Dedicated VLANs; egress allow-lists; deny lateral movement.
  • Rotate credentials; sign/verify firmware; disable cloud backdoors.
  • Mute mics/cameras by policy; privacy masking where applicable.
  • Inventory & SBOM where feasible; retire end-of-support gear.

11) Voice & Collaboration

  • SRTP/TLS; role-based access to recordings; retention schedules.
  • Meeting classification, lobbies, watermarking, external controls.
  • PII-aware transcripts; redact sensitive content when possible.
  • Contact center PCI pause/resume; DLP for omnichannel.

12) Databases & Storage (NAS/SAN/Object)

  • Transparent encryption; key separation of duties; column masking.
  • RBAC/ABAC; no shared admin creds; rotate service accounts.
  • Snapshot/backup encryption; immutability (WORM) for archives.
  • Query & activity logging with periodic access reviews.

13) Web Apps, APIs & Reverse Proxies

  • WAF, bot management, rate limiting, geo controls; mTLS where apt.
  • Cookie flags, CSRF defenses, session hardening; no secrets in code.
  • Collect minimum necessary data with clear consent & notices.
  • API gateways with OAuth2/OIDC, scopes, throttling, auditing.

14) Backups, DR & Recovery

  • Immutable backups in separate trust zone; distinct credentials.
  • Regular restore tests; documented RTO/RPO; evidence capture.
  • PII minimization in logs/backups; selective restores to reduce scope.
  • Forensic chain-of-custody and hash verification where needed.

15) Vendors & Third-Party Access

  • DPA/BAA where applicable; data mapping & transfer impact assessment.
  • SSO + MFA; scoped API keys; IP allowlists; short token TTL; event hooks.
  • Evidence of controls (SOC 2/ISO); continuous vendor risk monitoring.
  • Automated offboarding revokes accounts, keys, and tunnels immediately.

16) Logging, Monitoring & SIEM

  • Data minimization and tokenization/redaction for PII in logs.
  • UEBA to detect anomalies; tuned alerts; duty segregation for analysts.
  • Retention aligned to policy with immutable tiers and legal hold.
  • Runbooks for privacy incidents: contain → notify → eradicate → learn.
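The first bullet of this section (tokenization/redaction of PII before logs reach the SIEM) is shown below as an added example that is not part of the whitepaper. It pseudonymizes e-mail addresses with a keyed HMAC so analysts can still correlate a user's events without seeing the identity, and truncates IPv4 addresses to the /24. The sample log lines and the key are constructed for illustration; in practice the key lives in the KMS/HSM named in section 3.

```python
import hashlib
import hmac
import re

# Constructed sample log lines (not from any real system).
SAMPLE_LOGS = [
    "2024-05-01T10:02:11Z login ok user=alice@example.com src=203.0.113.7",
    "2024-05-01T10:02:15Z login fail user=bob@example.com src=198.51.100.23",
    "2024-05-01T10:03:40Z login ok user=alice@example.com src=203.0.113.7",
]

# Hypothetical pseudonymization key for this example only; a real deployment
# fetches it from a KMS/HSM and rotates it on the retention schedule.
TOKEN_KEY = b"example-key-do-not-use"

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def tokenize(value: str, key: bytes = TOKEN_KEY) -> str:
    """Keyed, deterministic pseudonym: same input -> same token, so events can
    still be correlated, but the token cannot be reversed without the key."""
    digest = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
    return "tok_" + digest[:16]


def redact_ipv4(value: str) -> str:
    """Truncate to the /24 network: enough for coarse triage, no longer an
    individual identifier."""
    octets = value.split(".")
    return ".".join(octets[:3]) + ".0"


def minimize_line(line: str) -> str:
    """Apply tokenization to e-mail addresses, then truncation to IPv4 addresses."""
    line = EMAIL_RE.sub(lambda m: tokenize(m.group(0)), line)
    line = IPV4_RE.sub(lambda m: redact_ipv4(m.group(0)), line)
    return line


def minimize_logs(lines):
    """Minimize a batch of log lines before forwarding them to the SIEM."""
    return [minimize_line(l) for l in lines]
```

Because the pseudonym is keyed, the analyst tier can query on the token while only the key custodians (a separate duty) can map it back for a lawful request.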
