Information Asset Management
GARP®, Privacy, and Security: Perfect Together!
Today’s Presenters
Galina Datskovsky, Ph.D. CRM
President, ARMA International
SVP Information Governance Solutions, Autonomy, an HP Company
Sandy Hughes, CIPP, CCEP
Past Chairman, International Association of Privacy Professionals
Global Information Governance and Privacy Executive, The Procter and Gamble Company
Today’s Session Objectives
• Gain an understanding of the Generally Accepted Recordkeeping Principles (GARP®)
• Discover the considerations brought forth when managing information as an asset, particularly as more companies make the leap into the cloud
• Discuss the ways the two professions can collaborate in the future to ensure a holistic approach to managing information
Generally Accepted Recordkeeping Principles®
Understand the intent of the GARP® maturity model, its various levels, and how it is applied.
Understand the inputs required to measure the maturity level of an organization.
What is GARP®?
Generally Accepted Recordkeeping Principles®
To achieve recognition at the regulator, business, and association levels, ARMA International developed the Generally Accepted Recordkeeping Principles (GARP®) so that organizations can adhere to, and measure themselves against, objective records and information governance standards.
What is GARP®?
A – accountability
T – transparency
I – integrity
P – protection
C – compliance
A – availability
R – retention
D – disposition
Similar Models Used by CPOs (examples)
AICPA/CICA Privacy Maturity Model Principles:
• Management/Accountability
• Notice
• Choice and Consent
• Collection
• Use, Retention and Disposal
• Access
• Disclosure to Third Parties
• Security for Privacy
• Quality
• Monitoring and Enforcement
FSG Elements of Effective Compliance (CEB/CELC has Maturity Models)
Elements:
• Responsibility & Oversight
• Standards, Procedures & Systems
• Awareness, Training & Communication
• Monitoring & Auditing
• Reporting & Response
• Risk Assessment
• Culture
Principles Underlying GARP®
Principle of Accountability
A senior executive (or person of comparable authority) oversees the recordkeeping program and delegates program responsibility to appropriate individuals. The organization adopts policies and procedures to guide personnel, and ensure the program can be audited.
Principle of Transparency
The processes and activities of an organization’s recordkeeping program are documented in a manner that is open and verifiable and is available to all personnel and appropriate interested parties.
Principle of Integrity
A recordkeeping program shall be constructed so the records and information generated or managed by or for the organization have a reasonable and suitable guarantee of authenticity and reliability.
Principle of Protection
A recordkeeping program shall be constructed to ensure a reasonable level of protection to records and information that are private, confidential, privileged, secret, or essential to business continuity.
Principle of Compliance
The recordkeeping program shall be constructed to comply with applicable laws and other binding authorities, as well as the organization’s policies.
Principle of Availability
An organization shall maintain records in a manner that ensures timely, efficient, and accurate retrieval of needed information.
Principle of Retention
An organization shall maintain its records and information for an appropriate time, taking into account legal, regulatory, fiscal, operational, and historical requirements.
Principle of Disposition
An organization shall provide secure and appropriate disposition for records that are no longer required to be maintained by applicable laws and the organization’s policies.
Maturity by GARP® Principle
• Implies certain rules of behavior
• Dictates certain controls
• Carries oversight requirements
• Carries recordkeeping requirements
• Carries audit implications
• Carries continuous improvement implications
GARP® – Compliance – Principle and Maturity Level Definitions
GARP® – Accountability – Principle and Maturity Level Definitions
GARP® Maturity Model
• A qualitative and quantitative measurement
– By principle
– Overall or average across all principles
• Rating of an organization’s overall information governance
• Systematic process guiding the evaluation of an organization’s maturity with respect to information governance activities.
GARP® Maturity Model
• Five levels
• A level lower than 5 may be acceptable because of:
– The organization's risk tolerance
– How the organization measures against peers or competitors
ARMA International Resources
White Papers:
– How the Information Governance Reference Model (IGRM) Complements ARMA International’s Generally Accepted Recordkeeping Principles (GARP®)
– The Information Governance Maturity Model: A Foundation for Responding to Litigation
Online Courses:
– Introduction to the GARP® Principles
– GARP® and Legally Defensible Information Governance
– Applying GARP® to Organizational Excellence
These and more resources are available at:
http://www.arma.org/GARP
Laws & Regulations Cover all Aspects (And it’s just going to get worse)
Existing: GLBA, HIPAA, PIPEDA, EU Directive/e-Privacy Directive, etc.
External - Tightening Control / Complex global landscape (2011)
• High-profile data breaches (Epsilon, Sony, Honda Canada, iPhone location recording), resulting in closer regulatory scrutiny, class action suits, and large fines.
• US privacy and breach legislation: 6 bills in Congress, multiple states with Online Behavioral Advertising (OBA) bills, 48 states with data breach laws
• New Privacy laws in Mexico, Canada (anti-SPAM), India, South Korea, Peru
• Pending Privacy Laws in Philippines, Ukraine, Turkey, Pakistan, South Africa and Morocco
• OBA self regulatory implementation in US, EU, Australia
• Anti-Cookie Law in EU / Do Not Track in US
• Breach laws outside the US, including heavy fines and possible imprisonment
• EU Data Directive update – tough!
Real-World Examples
How GARP®, Privacy, and Security Can Be Perfect Together!
www.privacyassociation.org www.arma.org
Professional Collaboration Opportunities?
Similarities: newsfeeds, monthly publications, global/regional conferences, webinars, certifications & training, online stores, LinkedIn, Twitter, Facebook
Additional Features:
– IAPP: book publications, global ‘affiliates’: Privacy After Hours, KnowledgeNet Lunch & Learns
– ARMA: local conferences, local chapters, bi-monthly ‘Information Management’ publication
Collaboration Opportunities – audience, fill in the blanks: Research? Best Practices?
QUESTIONS?