S - 1 Privacy

Upload: shayna-reuben

Post on 14-Dec-2015


Page 1: S - 1 Privacy. S - 2 Panel on Privacy Moderator: Robert Parker, UWCISA - The AICPA-CICA Privacy Maturity Model Presenters: Michelle Chibba, Office of

S - 1

Privacy


S - 2

Panel on Privacy

Moderator: Robert Parker, UWCISA - The AICPA-CICA Privacy Maturity Model

Presenters:

Michelle Chibba, Office of the Privacy Commissioner of Ontario – Privacy, Regulatory Compliance, Enforcement

Christine Ravago, Ernst & Young, Washington – Assisting Clients Become Privacy Compliant, the Use of GAPP to Address Privacy Requirements

Nicholas Cheung, CICA – GAPP, The AICPA-CICA Privacy Task Force, The Future, Tools and Products

Jan McMullen, TD Bank Group, Technology Risk Management and Information Security – Privacy, Regulatory Compliance, etc.


S - 3

4:00 – 6:00 pm

Panel on Privacy

Moderator: Robert Parker, UWCISA

Presenters: Michelle Chibba, Office of the Privacy Commissioner of Ontario

Christine Ravago, Ernst & Young, Washington

Nicholas Cheung, CICA

Jan McMullen, TD Bank Group

Today’s Program

This is Friday Afternoon!

BAR


S - 4

Jan McMullen, TD Bank Group, Technology Risk Management and Information Security – Privacy, Regulatory Compliance, etc.

Christine Ravago, Ernst & Young, Washington – Assisting Clients Become Privacy Compliant, the Use of GAPP to Address Privacy Requirements

Nicholas Cheung, CICA – GAPP, The AICPA-CICA Privacy Task Force, The Future, Tools and Products

Robert Parker, UWCISA - The AICPA-CICA Privacy Maturity Model

Michelle Chibba, Office of the Privacy Commissioner of Ontario – Privacy, Regulatory Compliance, Enforcement


S - 5

Generally Accepted Privacy Principles (GAPP): Established Privacy Standard Providing a Global Benchmark

Capability Maturity Model (CMM): Recognized Model For Assessing The Maturity (Status) of Projects & Processes

GAPP and CMM together form the Privacy Maturity Model

Privacy Maturity Model components:

Privacy Maturity Model Maturity Benchmarks

Privacy Maturity Model User Guide

CMM Based Privacy Maturity Matrix

Data Collection Form

Data Analysis Form

Internal/External Reporting Examples


S - 6

Generally Accepted Privacy Principles (GAPP): Established Privacy Standard Providing a Global Benchmark

AICPA – CICA Generally Accepted Privacy Principles

Privacy Definition

Privacy encompasses the rights and obligations of individuals and organizations with respect to the collection, use, disclosure and retention of personal information.


S - 7

The 10 Principles

• Management
• Notice
• Choice and Consent
• Collection
• Use and Retention
• Access
• Disclosure
• Security
• Quality
• Monitoring and Enforcement

AICPA-CICA Generally Accepted Privacy Principles


S - 8

Generally Accepted Privacy Principles

Privacy Criteria

Illustrative Controls and Procedures

Privacy Principle

Additional Considerations

Need for Customization

1 - Policies & Communications


S - 9

Generally Accepted Privacy Principles

Privacy Criteria

Illustrative Controls and Procedures

Additional Considerations

Need for Customization

2 - Procedures & Controls


S - 10

Generally Accepted Privacy Principles

Illustrative Controls & Procedures may Provide Extensive Guidance


S - 11

Generally Accepted Privacy Principles

Additional Considerations Explore & Explain Concepts & Rationale


S - 12

Capability Maturity Model (CMM)

Recognized Model For Assessing The Maturity (Status) of Projects &

Processes

The Capability Maturity Model (CMM) is a service mark owned by Carnegie Mellon University (CMU).

The model is based on data collected from organizations that contracted with the U.S. Department of Defense, which funded the research; that work became the foundation from which CMU created the Software Engineering Institute.

The Capability Maturity Model was piloted in 1988 and has been in use for almost 20 years. It has been adopted by many organizations as a means of assessing compliance and performance.


S - 13

Levels of the Capability Maturity Model

Not including Level 0 (doing nothing), there are five levels defined along the continuum of the CMM. It is anticipated that the predictability, effectiveness, and control of an organization's privacy processes will improve as the organization moves up these five levels.

Level 1 - Initial

It is characteristic of processes at this level that they are typically undocumented and in a state of change, tending to be driven in an ad hoc, uncontrolled and reactive manner by users or events. This provides a chaotic or unstable environment for the processes.

Level 2 - Repeatable

It is characteristic of processes at this level that some processes are repeatable, possibly with consistent results. Process discipline is unlikely to be rigorous, but where it exists it may help to ensure that existing processes are maintained during times of stress.

Capability Maturity Model


S - 14

Level 3 - Defined

It is characteristic of processes at this level that there are sets of defined and documented standard processes established and subject to some degree of improvement over time. These standard processes are in place (i.e., they are the AS-IS processes) and used to establish consistency of process performance across the organization.

Level 4 - Managed

It is characteristic of processes at this level that, using process metrics, management can effectively control the business process. In particular, management can identify ways to adjust and adapt the process to particular projects without measurable losses of quality or deviations from specifications. Process Capability is established from this level.

Level 5 - Optimized

It is characteristic of processes at this level that the focus is on continually improving process performance through both incremental and innovative technological changes/improvements.

Capability Maturity Model


S - 15

Capability Maturity Model

At maturity level 5, products, and the processes designed to operate and maintain them, are concerned with addressing changes and improvements.

Graphically The Privacy Maturity Model would look like this:

It is not essential to be a maturity level 5 to have an appropriate privacy program


S - 16

Capability Maturity Model (CMM)

CMM is a service mark owned by Carnegie Mellon University (CMU).

CMM is based on data collected from organizations that contracted with the U.S. Department of Defense

CMM resulted in creation of the Software Engineering Institute (SEI) by CMU

CMM has 6 levels of maturity; 0=Nothing, 1=Ad Hoc, 2=Repeatable, 3=Defined, 4=Managed and 5=Optimized

An entity does not have to be at level 5 to achieve an acceptable level of performance


S - 17

Generally Accepted Privacy Principles (GAPP): Established Privacy Standard Providing a Global Benchmark

Capability Maturity Model (CMM): Recognized Model For Assessing The Maturity (Status) of Projects & Processes

GAPP and CMM together form the Privacy Maturity Model

Let’s Look At The Privacy Maturity Model


S - 18

Privacy Maturity Model

Combines the concepts of the Capability Maturity Model with the standards that comprise Generally Accepted Privacy Principles

Provides an effective tool to assess an organization’s privacy initiatives

Allows comparisons amongst business units, geographical organizations or enterprise wide

Allows time series analysis of progress

Provides an effective “snap-shot” of an entity’s privacy initiatives


S - 19

Generally Accepted Privacy Principles (GAPP): Established Privacy Standard Providing a Global Benchmark

Capability Maturity Model (CMM): Recognized Model For Assessing The Maturity (Status) of Projects & Processes

GAPP and CMM together form the Privacy Maturity Model

Privacy Maturity Model components:

Privacy Maturity Model Maturity Benchmarks

Privacy Maturity Model Implementation Guide

CMM Based Privacy Maturity Matrix

Data Collection Form

Data Analysis Form

Internal/External Reporting Examples

Privacy Maturity Model

The Privacy Maturity Model consists of a series of matrices that provide information of the expected evidence, documents or performance at each of the maturity levels 1 to 5

The matrices are aligned with, and contain information on, the privacy principles and criteria

The privacy maturity requirements are addressed at the criteria level


S - 20

Privacy Maturity Model

Matrix columns: Privacy Principle; Privacy Criteria; Expected Privacy Attributes for Each Maturity Level

Matrix rows span the Privacy Maturity Levels


S - 21

Privacy Maturity Model

An entity may determine that their Privacy Policies cover notice, choice and consent, collection, use, retention and disposal

They may also cover security

However, they may determine that they do not address quality (accurate, timely, relevant, etc)

Nor do their Privacy Policies address monitoring and enforcement

This scenario would probably warrant a rating of slightly less than 3.0

Columns shown: PMM Attributes; Findings


S - 22

Privacy Maturity Model User Guide


S - 23

Privacy Maturity User Guide

Using the PMM Data Analysis form, assess and document information for each of the 73 criteria

Inputs: Corporate Privacy Policies (CPP); Generally Accepted Privacy Principles (GAPP)

PMM Data Analysis Form

PMM Data Reporting Form

Outputs: Management Reports (Internal); Independent Reports (External); Remediation Plans


S - 24

Privacy Maturity Data Collection Form

Columns: Privacy Principle; Privacy Criteria; Findings and Observations; Privacy Maturity Level; Preliminary Assessment; Attribute Link (Optional)


S - 25

Using The Privacy Maturity Model

Review Enterprise GAPP

Add Additional Requirements (CPP)

Develop Interview Guides

Conduct Interviews

Enterprise Specific GAPP (GAPP plus Corporate Privacy Policies)

Documented Current State

Privacy Maturity Model:

Form A – Complete Comments Column

Form B – Complete Assessment Column

Form B – Complete Recommendation Column


S - 26

Maturity Reporting By Principle

[Chart: Maturity Level (0 to 5) plotted for each principle: Management; Notice; Choice & Consent; Collection; Use, Retention & Disposal; Access; Disclosure to 3rd Parties; Security for Privacy; Quality; Monitoring & Enforcement. A line marks the Entity’s Expected Maturity Level.]


S - 27

Maturity Reporting By Criteria

[Chart for the Notice principle: Maturity Level (0 to 5) plotted for each criterion: Privacy Policies; Communication to Individuals; Provision of Notice; Entities & Activities; Clear & Conspicuous. Axis label: Criteria Assessment. Lines mark the Entity’s Expected Maturity Level and the Entity’s Actual Maturity Level.]


S - 28

Maturity Reporting By Principle By Time Period

[Chart: Maturity Level (0 to 5) plotted for each principle (Management; Notice; Choice & Consent; Collection; Use, Retention & Disposal; Access; Disclosure to 3rd Parties; Security for Privacy; Quality; Monitoring & Enforcement), with separate bars for 2009 and 2010 and a line marking the Entity’s Expected Maturity Level.]
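As an added illustration (not from the slides and not the AICPA-CICA tool itself), a small Python model of Data Collection Form rows and the roll-up behind the reporting slides: criteria-level ratings aggregated per principle, gaps against the expected level, and the change between two assessment periods. The arithmetic mean as the aggregation, the expected level of 3, the Quality criterion name and every rating are assumptions made for the example.

```python
from collections import defaultdict
from statistics import mean

# Constructed sample rows of the PMM Data Collection Form:
# (privacy principle, privacy criterion, assessed maturity level 0-5).
# Notice criteria names come from the slides; the Quality criterion name
# and every rating are constructed for this example.
ASSESSMENT_2009 = [
    ("Notice", "Privacy Policies", 2.8),  # the S-21 scenario: slightly below 3.0
    ("Notice", "Communication to Individuals", 2),
    ("Notice", "Provision of Notice", 3),
    ("Notice", "Entities & Activities", 2),
    ("Notice", "Clear & Conspicuous", 3),
    ("Quality", "Accuracy and Completeness", 1),
]
ASSESSMENT_2010 = [
    ("Notice", "Privacy Policies", 3),
    ("Notice", "Communication to Individuals", 3),
    ("Notice", "Provision of Notice", 3),
    ("Notice", "Entities & Activities", 3),
    ("Notice", "Clear & Conspicuous", 4),
    ("Quality", "Accuracy and Completeness", 2),
]
EXPECTED_LEVEL = 3  # assumed: the "Entity's Expected Maturity Level" line on the charts


def principle_levels(rows):
    """Roll criteria-level ratings up to one level per principle.
    The PMM rates at the criteria level and reports by principle; the
    arithmetic mean used here is an assumed aggregation, not the PMM's own."""
    by_principle = defaultdict(list)
    for principle, _criterion, level in rows:
        if not 0 <= level <= 5:
            raise ValueError(f"{principle}: level {level} is outside the CMM range 0-5")
        by_principle[principle].append(level)
    return {p: round(mean(levels), 2) for p, levels in by_principle.items()}


def gaps(rows, expected=EXPECTED_LEVEL):
    """Principles below the expected level and their shortfall (remediation targets)."""
    return {p: round(expected - lvl, 2)
            for p, lvl in principle_levels(rows).items() if lvl < expected}


def progress(before, after):
    """Change per principle between two assessment periods (the S-28 time series)."""
    b, a = principle_levels(before), principle_levels(after)
    return {p: round(a[p] - b[p], 2) for p in b if p in a}
```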


S - 29

Privacy Maturity Model

An effective means of assessing an entity’s privacy program using:

GAPP - A recognized privacy standard based on international requirements

PMM – Based on CMM – a recognized project/program assessment technique

A useful tool for management, auditors and advisors and privacy professionals

PMM is a tool that will be integrated with the AICPA-CICA Privacy Assessment Tool to provide greater flexibility and ease of use

PMM is a tool that is, and will continue to be, supported and maintained by the AICPA – CICA professional organizations with over half a million members

Provides insightful information in an easy to understand format

Provides information for a meaningful path to privacy compliance and sustainability

PMM is based on GAPP and appropriate for use by US and Canadian as well as multinational entities with international privacy requirements


S - 30

We Would Appreciate Your Comments


S - 31


Thank You

Enjoy the Bar

If you are interested in using the Privacy Maturity Model we would welcome your comments

Nicholas Cheung

[email protected]

(416) 204-3251 Eastern Time Zone

Robert Parker

[email protected]

(250) 658-0250 Pacific Time Zone

Nancy Cohen

[email protected]

(201) 938-3298 Eastern Time Zone