Compliance by Design (CbD)
Dale Skivington
Executive Director, Global Compliance and Privacy
Building an Effective & Sustainable Compliance Program
Global Compliance and Data Privacy
Dell today
“Technology has always been about enabling human potential.”
-Michael Dell
Next generation computing solutions and intelligent data management
[Diagram: "What we do best": Create, Manage, Deliver; offerings shown: End-user computing; Services, Security, Cloud]
Compliance by Design (CbD) Overview
• Based on Privacy by Design, the governance model is about organizations taking responsibility & holding themselves accountable for meeting key expectations such as protecting the privacy of personal information.
• At Dell we plan to use this model across the compliance portfolio to provide effective governance & controls to ensure we meet these responsibilities.
• Our plan is to provide the framework to strategically move the needle to the highest maturity level for each component of the program.
Program pillars: Governance + Consulting + Compliance + Training & Communications
Executive Compliance Council
Members: CECO, VP Legal, SVP HR, GC, CFO, CAO, VP Audit, VP Security, and two Rotational ELT members
Tom Sweet *CAO
Rich Rothberg *VP Legal
Global Risk and Compliance Steering Committee: coordinates Dell’s Risk Management Process, working closely with ELT Exec Teams
Related councils: Global Risk & Compliance Council (GRCC); Regional Risk & Compliance Council; ELT Risk & Compliance Council
CECO Organizational Structure
Mike McLaughlin, Chief Ethics & Compliance Officer (CECO)
Functions reporting to the CECO: Global Compliance and Privacy Program; Strategic Programs Office; Investigations & Operations; Knowledge Assurance
Mottos shown on the chart: Listen, Investigate, Fix and Learn; Influence and Inspire; Design and Build; Set Standards, Policies & Processes; Protect, Manage & Dispose of Dell Information
Global Compliance & Data Privacy Staff
Global Team aligned to meet the compliance & privacy challenges worldwide for our developing businesses.
• Dale Skivington, Chief Privacy Officer & Global Operations Compliance Manager
• Brian O’Connor, Compliance Manager
• Ashlen Cherry, Compliance Manager
• Ruth Cullinane, Compliance Manager
• Stuart Muir, Compliance Manager
Regional DP Counsel:
• Nina Barakzai, EMEA
• Sooji Seo, APJ
• Lisa Zolidis, Americas
• Barbara Silverberg, Canada
• Victoria Battaglia, Latin America
Business Unit Data Management Stewards - Roles and Responsibilities
Overview
• Lead Business Unit Data Management Stewards are responsible for driving the coordination and implementation of Data Privacy and Knowledge Assurance (information governance/information lifecycle management) initiatives within their business unit or function. Their role is to extend the reach of the Data Privacy and Knowledge Assurance functions and to help build a cross-company network for effective awareness building, integrating data protection and knowledge assurance best practices into daily business operations.
Key Responsibilities
• Identify and confirm business unit (BU)/function privacy and data management priorities and gain the BU/function leader's alignment with the proposed priorities.
• Serve as the BU/function contact to identify resources in the BU/function to drive the development and implementation of agreed strategic initiatives (including the formation of an incident response plan/team for personal and commercial data incidents) to address the targeted priorities.
• Serve on a (to be named) Council as a representative of the Data Steward's respective BU/function to provide an enterprise-wide forum for privacy and data management issues that may inform the Privacy and Knowledge Assurance programs.
• Engage in the above activities with the ultimate goal of driving accountability in the business for privacy and data management.
Data Protection and Management Council (DPMC) Structure
DPMC Permanent Members
• Data Management Stewards: Commercial, Dell Financial Services, Domain Solutions, eDell, Finance, HR, IT, Legal, Marketing, Services, Software, Strategy, Supply Chain Ops
• Chief Ethics & Compliance Officer
• Chief Security Officer
• Corporate Communications
• Chief Information Security Officer
• Regional Business Reps
• Global Audit & Transformation (GAT)
• Legal Reps
• Business Controls Management Rep
DPMC Chairs
• Deborah Butler, Esq., Director, Knowledge Assurance
• Dale Skivington, Esq., Chief Privacy Officer
Compliance Assessment Framework
Level 1, Ad Hoc: processes not documented; in a state of dynamic change; tending to be driven in an ad hoc, uncontrolled, or reactive manner.
Level 2, Initial: repeatable, possibly with consistent results; lacks rigorous process discipline; minimal documentation; processes executed regularly but infrequently, & difficult to standardize.
Level 3, Formal: defined & documented standard procedures; subject to some degree of improvement over time; consistency across the organization.
Level 4, Validated: steps taken to formally approve & validate the effectiveness of the processes; formal processes subject to the approval of senior management, or subject to independent assessment or audit.
Level 5, Monitored: processes monitored using formal measures & procedures; changes made to maintain effectiveness over time; may involve in-process monitoring or frequent assessment or audit.
Framework Components
POLICY Written management expectations for complying with specific laws, business conduct rules, or standards of behavior.
GOVERNANCE Awareness of program goals, operational oversight, & accountability for effectiveness exercised by organization’s governing authority & management at all applicable levels.
RISK MANAGEMENT Based on current business activities & planned initiatives, proactively identifying & assessing inherent risk as well as implementing activities, policies & controls in response.
PROCEDURES & CONTROLS Preventative & detective activities designed to support policy. If effective, mitigate identified risks (includes assessment of operating effectiveness).
THIRD PARTY MANAGEMENT Oversight of sales partners, vendors, & other 3rd parties.
COMPLIANCE & MONITORING Proactively detecting anomalies requiring further review & monitoring adherence to policy.
INCIDENT MANAGEMENT Process for receiving & investigating suspected policy violations.
TRAINING & AWARENESS Process for communicating policy & guidance to those with a need-to-know.
Privacy Maturity Model
Levels: 1 Ad hoc | 2 Initial | 3 Formal | 4 Validated | 5 Monitored
Policy: 1 None written | 2 Limited distribution & understanding | 3 Formal but may be inconsistent | 4 Globally consistent & enforceable | 5 Regularly reviewed & updated
Governance: 1 None established | 2 Discrete, informal, & limited | 3 Corporate oversight & exec level | 4 Management involvement at all levels | 5 Scorecard reporting
Risk management: 1 Incomplete & inconsistent | 2 Risk assessment, not management | 3 Risk assessment & management | 4 Cross-functional, executive validation | 5 Component of ERM
Procedures & controls: 1 None written | 2 Limited coverage | 3 Consistent & global | 4 Subject to self-assessment & audit | 5 Exception reporting & resolution
3rd party management: 1 No standards | 2 Some standards, may be inconsistent | 3 Consistent, cross-functional coordination | 4 Proactive monitoring & self-assessment | 5 Independent external audits
Compliance & monitoring: 1 None established | 2 Informal & limited | 3 Audit-driven, remedial actions endorsed | 4 Analytics technology; cross-functional | 5 Accountability-driven, extends beyond enterprise
Incident management: 1 Ad hoc & inconsistent | 2 Some consistency, little analysis | 3 Root cause analysis, global standards | 4 Issue-tracking technology in place | 5 Effectiveness & efficiency metrics
Training & awareness: 1 None | 2 General, infrequent, single media | 3 Custom-tailored, recurring, multi-media | 4 Role-specific awareness; 3rd parties | 5 Ongoing awareness
Anti-Corruption Maturity Model
Levels: 1 Ad hoc | 2 Initial | 3 Formal | 4 Validated | 5 Monitored
Policy: 1 None written | 2 Limited distribution & understanding | 3 Formal but may be inconsistent | 4 Globally consistent & enforceable | 5 Regularly reviewed & updated
Governance: 1 None established | 2 Discrete, informal & limited | 3 Corporate oversight & exec level | 4 Management involvement at all levels | 5 Scorecard reporting
Risk management: 1 Incomplete & inconsistent | 2 Risk assessment, not management | 3 Risk assessment & management | 4 Cross-functional, executive validation | 5 Component of ERM
Procedures & controls: 1 None written | 2 Limited coverage | 3 Consistent & global | 4 Subject to self-assessment & audit | 5 Exception reporting & resolution
3rd party management: 1 No standards | 2 Some standards, inconsistent and incomplete | 3 Consistent, cross-functional coordination | 4 Proactive monitoring & self-assessment | 5 Independent external audits
Compliance & monitoring: 1 None established | 2 Informal & limited | 3 Audit-driven, remedial actions endorsed | 4 Analytics technology; cross-functional | 5 Accountability-driven, extends beyond enterprise
Incident management: 1 Ad hoc & inconsistent | 2 Some consistency, minimal analysis | 3 Root cause analysis, global standards | 4 Robust reporting, clearly defined roles | 5 Effectiveness & efficiency metrics
Training & awareness: 1 None provided | 2 General, infrequent, single media | 3 Custom-tailored, recurring, multi-media | 4 Role-specific awareness; third parties | 5 Effectiveness metrics
Dell CbD Program – 2012 Program Deliverables
Policy
• Propose & support a streamlined system for adopting new and revising existing Global Corporate Policies
• Identify any gaps in existing Global Corporate policies & address them by proposing new policy or revising and/or deleting existing policy
• Develop or enhance supporting standards and guidelines including: anti-bribery, gifts, social media, cloud, online behavioral marketing, email and telemarketing, data classification
• Provide enhanced online notices including all relevant fair information practices
Governance
• Establish Global Compliance Forum to provide strategic alignment and integration of compliance activities across the enterprise
• Realign Global Compliance resources to cover both geography and BUs
• Develop Privacy & KA compliance infrastructure with designated business sponsors
Risk Management
• Develop compliance scorecards for each BU/function
• Assist in the development & monitoring of applicable CSAs
• Enhance incident response & investigation protocols
Training and Awareness
• Review annual training strategy and revise as appropriate; provide specialized training for key risk areas
• Provide website and self-service tools such as FAQs
• Develop public affairs and external communications strategy
3rd Party Management
• Provide playbook and governance of 3rd party contractors including MSAs and IPSAs
• Develop protocols for onboarding and periodic assessment of third parties
• Support audit of 3rd parties
Compliance and Monitoring
• Review metrics and assess trends from case management tool
• Assist in annual GAT planning and execution of relevant audits
• External review of high risk areas
Procedure and Controls
• Wherever possible commercialize guidelines and protocols
• Ensure complaint and investigation process is operational
[Timeline chart: FY12 Q1 through Q4 (Feb through Jan); phases DEFINE, PLAN, DEVELOP and LAUNCH, each with an exit gate; status legend: On target / Off target but not at risk]
Cloud Computing Risk Framework - Example
Lifecycle phases: Concept, Define, Plan, Deliver, Monitor
Core Team Deliverables and Status
• Establish CSCC: Complete
• Establish framework for risk assessments: Complete
• Review, assess, manage risks for FY12 offerings: Complete
• Review, assess, manage risks for FY13 offerings: Ongoing
• Talking points regarding Patriot Act: Complete
• Assess key vendors supporting cloud offerings: Ongoing
Project Objective / Moving the Needle
• Establish and maintain framework for assessing risk early in the lifecycle of a new offering, addressing those risks, and documenting controls
Accomplishments & Status
• Cross-functional Cloud Compliance Security Council (CSCC) established as the group responsible for governance over cloud offerings.
• Offerings reviewed through risk assessment framework.
• Patriot Act questions: talking points developed.
Next Steps
• Support expansion of cloud offerings in Europe.
• Monitor developments in EU DP law.
• Identify additional data management champions in the lines of business.
• Enhance incident response processes.
Key Issues & Risks
• International data transfer, incl. proposed changes to EU DP law
• Risk assessments
• Security and incident response
• Availability of info to third parties
• Vendor management
• Sensitive information
• Managing contractual obligations
• Data subject access rights
• Record retention/disposition
Cloud Security and Compliance Council
• Cross-functional body to provide oversight and guidance on Legal, Compliance and Security matters
• Ensure Legal, Compliance and Security issues are considered in product roadmap development
• Establish and enforce applicable controls
• Evaluate third parties
• Provide input to audits
• Provide training and awareness
Cloud Security and Compliance Council
[Diagram: regional councils (NA CSCC, EMEA CSCC, APJ CSCC) provide FEEDBACK to and AUGMENT a Standard Framework. Shared elements: Leverage Documentation, Data Security and Compliance Artifacts; Common Goals and Objectives; Controlled/Consistent Communication; Regional Product Launch Support. Participants: Products, Delivery, Secure Works, Advisory, Legal, Executive Sponsors.]
Positioned to drive this consistent strategy across clouds and across regions.