finding your privacy pulse: how to use kris to measure ... · focusing on key risk indicators in...
TRANSCRIPT
| Franchesca Sanabria, Principal National Privacy Practice| Eric Dieterich, GM of Advisors & National Privacy Practice Lead| IIA Miami Chapter Conference| January 25, 2019
Finding your Privacy Pulse:How to Use KRIs to MeasureYour Privacy Risk
Focal Point Data Risk
Our Integrated Risk Management Portfolio
2
Technology Risk ConsultingSolve pressing IT and businesschallenges with expert consultingservices, with a focus on cybersecurity, data privacy, and advanceddata management.
Cyber Workforce DevelopmentBuild your cyber security workforcedevelopment program, evolving yoursecurity capabilities throughprescriptive learning programs andlab-intensive courses.
Technology IntegrationDelivers system implementationsand managed services forthe leading Identity Governanceand Access Management (IAM)and eGRC systems.
Audit and ComplianceOffers assessments, co-sourcing,and managed support to solveinternal audit and compliancechallenges, including SOX,HIPAA, and GDPR.
CoreServiceAreas
CYBERSECURITY
IDENTITYGOVERNANCE
CYBER WORKFORCEDEVELOPMENT
DATAPRIVACY
TECHNOLOGYINTEGRATION
DATAANALYTICS
INTERNALAND IT AUDIT
Our Holistic Approach
3
What are KRIs?• Key Risk Indicators (KRIs) can be used across an organizational to measure how risky an
activity is.1. Leading Indicators: Emerging risk trends for events that might happen in the future and
need to be addressed.• An increased amount of personal information being collected due to change in operations.• An increase in social engineering and phishing attacks.
2. Current Indicators: Where you currently sit with your risk exposure.• The number of staff that have yet to completed a new privacy regulation training.• The number of systems without encryption of data-at rest.
3. Lagging Indicators: Events that took place in the past that have the possibility of takingplace again.
• A breach of personal information.• A natural disaster impacting continuity of operations.
4
Attributes of a KRI
• Thresholds can be based on industry tolerance or internal acceptance• Senior Management should be aware / approve thresholds• Should coincide with risk appetite of the organization
5
AttributesQuantifiable Numbers, percentagesPredictable Show early warning signsAuditable Measure the status of risk and controlComparable Tracks trends over a period timeThresholds A pre-defined level that will trigger an action
Case Study: Wimbledon Investments• Wimbledon has established an Executive Management Risk Committee and framework as part
of their Enterprise Risk Management (ERM) program to assess risks.• Wimbledon used analytical data to identify and monitor their major risks.• KRIs have been most helpful for the company when they are used to manage uncontrollable
risks.• Success Story:
• Wimbledon has a concentration of mortgage borrowers employed by China’s miningindustry.
• They recognized that the health of mining companies was necessary for continuedemployment of borrowers.
• So a KRI they needed to consider was how can we predict when mining companies willexperience a downturn?
• In response Wimbledon's ERM began monitoring China’s economy including theemployment rate of mining companies, factors that could contribute to or affect theorganization’s investments.
6
The Difference between a KRI and KPI
Indicator Metric What does it measure? What is its purpose? Who is theaudience?
Key Risk Indicator(KRI)
Quantify risk
A snapshot of an organization’scurrent risk posture and riskmitigation techniques
Non-operational and focuses on riskidentification
Helps organizations understand therisks involved and the likelihood ofnot having a positive result
ExecutiveManagement andthe Board
Key PerformanceIndicator (KPI)
Measure performance (i.e., howeffectively something is operating)
Measures how well individuals,business units, projects areperforming according to their goals
Provide metrics for operationalperformance
Operations andMiddleManagement
7
The Challenges of Understanding Privacy Risks• Complex ecosystem of data sharing models, internally and externally.• Limited awareness of what data is most important to the organization and the
life cycle of the data (i.e., defining you crown jewels)• Legacy storage terms and uses of data conflicting with privacy-by-design
concepts (i.e., minimum necessary).• Potential alignment with a broad range of regulatory and industry standards.• Shared responsibilities for privacy across the enterprise, no single point of
ownership.
8
Benefits of Measuring Privacy RisksIn response to growing challenges, many organizations have begunfocusing on key risk indicators in addition to compliance assessments.• Enables and enhances continuous risk monitoring/reporting• Aids in decision making• Identifies privacy risks that may inhibit an organization’s ability to achieve
specific objectives• Enhances the risk management posture of the organization
9
What is a Privacy KRI?
What would causethis event to
happen?
RiskEvent
What would theconsequences be
if it occurs?
What are we doingto prevent it?
What plans are inplace to minimize
the damage?
Causes Consequences
• Privacy KRIs measure control effectiveness across a defined privacy riskframework.
• The goal of privacy KRIs are to identify actionable and measurable metrics forkey controls supporting an organization’s privacy program.
• Privacy KRIs also help an organization better understand their risk appetite.
KRIs measure both thecause and the consequences
of a possible risk:
How to Build the Privacy KRI Framework
11
4. Define privacy risks3. Identify existing privacyprocesses and practices
5. Define privacy controls
1. Identify Privacy andregulatory requirements of
the organization6. Define KRIs
2. Review the dataclassification and privacy
policy
Key Contributors
LegalPrivacyAudit
Information SecurityComplianceMarketing
Human Resources
Privacy KRIs - ExamplesPrivacy Domain Risk Control KRI
Third Party RiskManagement
Unauthorizedaccess that resultswhen a third party
exceeds ormisuses access
Third parties security due diligence isperformed over third parties upon
onboarding and throughout the duration ofthe relationship
% of vendors withaccess control
issues identified as“high risk”
Privacy Policiesand Frameworks
The act of notfollowing policies,
standards orprocedures
Exceptions to the Privacy Policies arereviewed and approved through a formal risk
acceptance process and revisitedperiodically
# of approvedexceptions to the
policy not revisitedwithin a definedperiod of time
Privacy-by-Design
New types of datacollected onwebsite notunderstood
Privacy Impact Assessments (PIA) areperformed during the design of new featureson website, including adding/modifying data
collected from customers
% of PIAs with amoderate or above
risk ranking
12
Privacy KRIs - Examples
13
Key privacy areas for which KRIs can be defined:• Privacy Notice• Consent Management• Privacy Complaints• Data Retention
How to Monitor the KRI Program• Track and report on KRIs• Leverage tools and dashboard reporting• Establish risk mitigation plans to address KRI limits• Reassess KRI inventory on a regular basis
14
Eric DieterichGM of Advisors & NationalPrivacy Practice [email protected]
Franchesca SanabriaPrincipal, National [email protected]