Compliance by Design (CbD) Dale Skivington Executive Director, Global Compliance and Privacy Building an Effective & Sustainable Compliance Program

Post on 13-Jul-2020

Page 1: Compliance by Design (CbD) · • Software • Strategy • Supply Chain Ops Chief Ethics & Compliance Officer Chief Security Officer Corporate Communications Information Security

Compliance by Design (CbD)

Dale Skivington

Executive Director, Global Compliance and Privacy

Building an Effective & Sustainable Compliance Program

Page 2:

Global Compliance and Data Privacy

Dell today

“Technology has always been about enabling human potential.”

-Michael Dell

What we do best: Create, Manage, Deliver

• Next generation computing solutions and intelligent data management
• Services, Security, Cloud
• End-user computing

Page 3:

Compliance by Design (CbD) Overview

• Based on Privacy by Design, the governance model is about organizations taking responsibility & holding themselves accountable for meeting key expectations such as protecting the privacy of personal information.

• At Dell we plan to use this model across the compliance portfolio to provide effective governance & controls to ensure we meet these responsibilities.

• Our plan is to provide the framework to strategically move the needle to the highest maturity level for each component of the program.

Governance + Consulting + Compliance + Training & Communications

Page 4:

Executive Compliance Council

Members: CECO, VP Legal, SVP HR, GC, CFO, CAO, VP Audit, VP Security, and two Rotational ELT seats

*Tom Sweet (CAO), Rich Rothberg (VP Legal)

Global Risk and Compliance Steering Committee: coordinates Dell’s Risk Management Process, working closely with ELT Exec Teams

Councils: Global Risk & Compliance Council (GRCC); Regional Risk & Compliance Council; ELT Risk & Compliance Council

Page 5:

CECO Organizational Structure

Mike McLaughlin, Chief Ethics & Compliance Officer (CECO)

Functions under the CECO: Global Compliance and Privacy Program; Strategic Programs Office; Investigations & Operations; Knowledge Assurance

Functional charters shown on the slide: Listen, Investigate, Fix and Learn; Influence and Inspire; Design and Build; Set Standards, Policies & Processes; Protect, Manage & Dispose of Dell Information

Page 6:

Global Compliance & Data Privacy Staff

Global team aligned to meet the compliance & privacy challenges worldwide for our developing businesses

Dale Skivington, Chief Privacy Officer & Global Operations Compliance Manager

Compliance Managers: Brian O’Connor, Ashlen Cherry, Ruth Cullinane, Stuart Muir

Regional Data Protection (DP) Counsel:

• Nina Barakzai, EMEA
• Sooji Seo, APJ
• Lisa Zolidis, Americas
• Barbara Silverberg, Canada
• Victoria Battaglia, Latin America

Page 7:

Business Unit Data Management Stewards - Roles and Responsibilities

Overview

• Lead Business Unit Data Management Stewards are responsible for driving the coordination and implementation of Data Privacy and Knowledge Assurance (information governance/information lifecycle management) initiatives within their business unit or function. Their role is to extend the reach of the Data Privacy and Knowledge Assurance functions and to help build a cross-company network for effective awareness building and for integrating data protection and knowledge assurance best practices into daily business operations.

Key Responsibilities

• Identify and confirm business unit (BU)/function privacy and data management priorities and gain the BU/function leader's alignment with the proposed priorities.

• Serve as the BU/function contact to identify resources in the BU/function to drive the development and implementation of agreed strategic initiatives (including the formation of an incident response plan/team for personal and commercial data incidents) to address the targeted priorities.

• Serve on a (to be named) Council as a representative of the Data Steward's respective BU/function, providing an enterprise-wide forum for privacy and data management issues that may inform the Privacy and Knowledge Assurance programs.

• Engage in the above activities with the ultimate goal of driving accountability in the business for privacy and data management.

Page 8:

Data Protection and Management Council (DPMC) Structure

DPMC Permanent Members

Data Management Stewards: Commercial; Dell Financial Services; Domain Solutions; eDell; Finance; HR; IT; Legal; Marketing; Services; Software; Strategy; Supply Chain Ops

Other permanent members: Chief Ethics & Compliance Officer; Chief Security Officer; Corporate Communications; Chief Information Security Officer; Regional Business Reps; Global Audit & Transformation (GAT); Legal Reps; Business Controls Management Rep

DPMC Chairs: Deborah Butler, Esq., Director, Knowledge Assurance; Dale Skivington, Esq., Chief Privacy Officer

Page 9:

Compliance Assessment Framework

Level 1, Ad Hoc: processes not documented; in a state of dynamic change; tending to be driven in an ad hoc, uncontrolled, or reactive manner.

Level 2, Initial: repeatable, possibly with consistent results; lacks rigorous process discipline; minimal documentation; processes executed regularly but infrequently, and difficult to standardize.

Level 3, Formal: defined & documented standard procedures; subject to some degree of improvement over time; consistency across the organization.

Level 4, Validated: steps taken to formally approve & validate the effectiveness of the processes; formal processes are subject to the approval of senior management, or are subject to independent assessment or audit.

Level 5, Monitored: processes monitored using formal measures & procedures; changes made to maintain effectiveness over time; may involve in-process monitoring or frequent assessment or audit.

Page 10:

Framework Components

POLICY Written management expectations for complying with specific laws, business conduct rules, or standards of behavior.

GOVERNANCE Awareness of program goals, operational oversight, & accountability for effectiveness exercised by organization’s governing authority & management at all applicable levels.

RISK MANAGEMENT Based on current business activities & planned initiatives, proactively identifying & assessing inherent risk as well as implementing activities, policies & controls in response.

PROCEDURES & CONTROLS Preventative & detective activities designed to support policy. If effective, mitigate identified risks (includes assessment of operating effectiveness).

THIRD PARTY MANAGEMENT Oversight of sales partners, vendors, & other 3rd parties.

COMPLIANCE & MONITORING Proactively detecting anomalies requiring further review & monitoring adherence to policy.

INCIDENT MANAGEMENT Process for receiving & investigating suspected policy violations.

TRAINING & AWARENESS Process for communicating policy & guidance to those with a need-to-know.


Page 11:

Privacy Maturity Model (levels: 1 Ad hoc, 2 Initial, 3 Formal, 4 Validated, 5 Monitored)

Policy: (1) None written; (2) Limited distribution & understanding; (3) Formal but may be inconsistent; (4) Globally consistent & enforceable; (5) Regularly reviewed & updated

Governance: (1) None established; (2) Discrete, informal, & limited; (3) Corporate oversight & exec level; (4) Management involvement at all levels; (5) Scorecard reporting

Risk management: (1) Incomplete & inconsistent; (2) Risk assessment, not management; (3) Risk assessment & management; (4) Cross-functional, executive validation; (5) Component of ERM

Procedures & controls: (1) None written; (2) Limited coverage; (3) Consistent & global; (4) Subject to self-assessment & audit; (5) Exception reporting & resolution

3rd party management: (1) No standards; (2) Some standards, may be inconsistent; (3) Consistent, cross-functional coordination; (4) Proactive monitoring & self-assessment; (5) Independent external audits

Compliance & monitoring: (1) None established; (2) Informal & limited; (3) Audit-driven, remedial actions endorsed; (4) Analytics technology; cross-functional; (5) Accountability-driven, extends beyond enterprise

Incident management: (1) Ad hoc & inconsistent; (2) Some consistency, little analysis; (3) Root cause analysis, global standards; (4) Issue tracking technology in place; (5) Effectiveness & efficiency metrics

Training & awareness: (1) None; (2) General, infrequent, single media; (3) Custom-tailored, recurring, multi-media; (4) Role-specific awareness; 3rd parties; (5) Ongoing awareness

Page 12:

Anti-Corruption Maturity Model (levels: 1 Ad hoc, 2 Initial, 3 Formal, 4 Validated, 5 Monitored)

Policy: (1) None written; (2) Limited distribution & understanding; (3) Formal but may be inconsistent; (4) Globally consistent & enforceable; (5) Regularly reviewed & updated

Governance: (1) None established; (2) Discrete, informal & limited; (3) Corporate oversight & exec level; (4) Management involvement at all levels; (5) Scorecard reporting

Risk management: (1) Incomplete & inconsistent; (2) Risk assessment, not management; (3) Risk assessment & management; (4) Cross-functional, executive validation; (5) Component of ERM

Procedures & controls: (1) None written; (2) Limited coverage; (3) Consistent & global; (4) Subject to self-assessment & audit; (5) Exception reporting & resolution

3rd party management: (1) No standards; (2) Some standards, inconsistent and incomplete; (3) Consistent, cross-functional coordination; (4) Proactive monitoring & self-assessment; (5) Independent external audits

Compliance & monitoring: (1) None established; (2) Informal & limited; (3) Audit-driven, remedial actions endorsed; (4) Analytics technology; cross-functional; (5) Accountability-driven, extends beyond enterprise

Incident management: (1) Ad hoc & inconsistent; (2) Some consistency, minimal analysis; (3) Root cause analysis, global standards; (4) Robust reporting, clearly defined roles; (5) Effectiveness & efficiency metrics

Training & awareness: (1) None provided; (2) General, infrequent, single media; (3) Custom-tailored, recurring, multi-media; (4) Role-specific awareness; third parties; (5) Effectiveness metrics

Page 13:

Dell CbD Program – 2012 Program Deliverables

Policy

• Propose & support a streamlined system for adopting new and revising existing Global Corporate Policies
• Identify any gaps in existing Global Corporate policies & address them by proposing, revising and/or deleting existing policy
• Develop or enhance supporting standards and guidelines including: anti-bribery, gifts, social media, cloud, online behavioral marketing, email and telemarketing, data classification
• Provide enhanced online notices including all relevant fair information practices

Governance

• Establish Global Compliance Forum to provide strategic alignment and integration of compliance activities across the enterprise
• Realign Global Compliance resources to cover both geography and BUs
• Develop Privacy & KA compliance infrastructure with designated business sponsors

Risk Management

• Develop compliance scorecards for each BU/function
• Assist in the development & monitoring of applicable CSAs
• Enhance incident response & investigation protocols

Page 14:

Dell CbD Program – 2012 Program Deliverables (continued)

Training and Awareness

• Review annual training strategy and revise as appropriate; provide specialized training for key risk areas
• Provide website and self-service tools such as FAQs
• Develop public affairs and external communications strategy

3rd Party Management

• Provide playbook and governance of 3rd party contractors including MSAs and IPSAs
• Develop protocols for onboarding and periodic assessment of third parties
• Support audit of 3rd parties

Compliance and Monitoring

• Review metrics and assess trends from case management tool
• Assist in annual GAT planning and execution of relevant audits
• External review of high risk areas

Procedure and Controls

• Wherever possible commercialize guidelines and protocols
• Ensure complaint and investigation process is operational

Page 15:

Cloud Computing Risk Framework - Example

[Timeline chart: FY12 Q1 through Q4 (Feb to Jan); phases Define, Plan, Develop, Launch, each with an exit gate; status legend: On target / Off target but not at risk. Lifecycle stages shown: Concept, Define, Plan, Deliver, Monitor.]

Core Team Deliverables and Status

• Establish CSCC: Complete
• Establish framework for risk assessments: Complete
• Review, assess, manage risks for FY12 offerings: Complete
• Review, assess, manage risks for FY13 offerings: Ongoing
• Talking points regarding Patriot Act: Complete
• Assess key vendors supporting cloud offerings: Ongoing

Project Objective / Moving the Needle

• Establish and maintain framework for assessing risk early in lifecycle of new offering, addressing those risks, and documenting controls

Accomplishments & Status

• Cross-functional Cloud Compliance Security Council (CSCC) established as group responsible for governance over cloud offerings.
• Offerings reviewed through risk assessment framework.
• Patriot Act questions: talking points developed.

Next Steps

• Support expansion of cloud offerings in Europe.
• Monitor developments in EU DP law.
• Identify additional data management champions in the lines of business.
• Enhance incident response processes.

Key Issues & Risks

• International data transfer, incl. proposed changes to EU DP law
• Risk assessments
• Security and incident response
• Availability of info to third parties
• Vendor management
• Sensitive information
• Managing contractual obligations
• Data subject access rights
• Record retention/disposition

Page 16:

Cloud Security and Compliance Council

• Cross-functional body to provide oversight and guidance on Legal, Compliance and Security matters
• Ensure Legal, Compliance and Security issues are considered in product roadmap development
• Establish and enforce applicable controls
• Evaluate third parties
• Provide input to audits
• Provide training and awareness

Page 17:

Cloud Security and Compliance Council

[Diagram: regional councils (NA CSCC, EMEA CSCC, APJ CSCC) provide feedback to and augment a Standard Framework.]

Shared across regions:

• Leverage Documentation, Data Security and Compliance Artifacts
• Common Goals and Objectives
• Controlled/Consistent Communication
• Regional Product Launch Support

Participants: Products, Delivery, Secure Works, Advisory, Legal, Executive Sponsors

Positioned to drive this consistent strategy across clouds and across regions.