#privacysummit
PRIVACY AND INFORMATION GOVERNANCE:
Completing the Compliance Circle
Diane K. Carlisle, IGP, CRM
ARMA International
TODAY’S LEARNING OBJECTIVES
After today’s session, participants will be able to:
• Define the relationship between RIM & IG
• Describe the importance of IG to compliance
• Identify opportunities to collaborate in your own organization
• Identify tools that RIM & Privacy can share in unified information governance
• Identify 2-3 “next steps” to complete the circle
ABOUT ARMA INTERNATIONAL
• Not-for-profit professional association
• Leaders in information governance
• Premiered first IGP certification in 2013
• Worldwide membership: 27,000+
• Education and resources
– Live & online education
– Technology news & trends
– Standards, best practices
– Books, newsletters, magazine
– Web seminars
THE COMPLIANCE CIRCLE
INFORMATION: ASSET? LIABILITY?
• Basis for sound business decisions
• Enables compliance with regulations, litigation obligations
• Evidence for claims made in court
BENEFITS OF GOOD IG
• Ensure integrity of information
• Ensure availability of information for decisions
• Efficient and effective processes
• Compliance with laws and regulations
• Legally defensible recordkeeping practices
• Reduced risk
• Reduced costs
RIM – THE HEART OF IG
A RIM program defines the rules and controls that allow a company to manage records and information from creation/receipt until no longer needed:
• Legal/regulatory compliance
• Retention policy/process
• Risk assessment
• Litigation/e-discovery
• Taxonomies / indexing
• Email management
GENERALLY ACCEPTED RECORDKEEPING PRINCIPLES
• Framework for information governance
• Introduced in 2009
• Carefully vetted “best practices”
• Derived from international & national standards
• Industry independent
• Recognized by standards organizations and legal counsel
THE PRINCIPLES
• Accountability
• Transparency
• Integrity
• Protection
• Compliance
• Availability
• Retention
• Disposition
www.arma.org/principles
KEY CHARACTERISTICS
Taken together, they provide the framework for effective IG.
• Objective
• Reasonable
• Reality-based
• Scalable
• Standards-based
STANDARDS ARE CRUCIAL
• Objective foundation for judging an IG program
• Represent best thinking & practices
• Standards evolve toward greater consistency
• They provide a body of guidance applicable to many
WHAT THE PRINCIPLES ADD
• Better control over increasing volumes of ESI & regulations
• Promote risk-based, cost-effective solutions that are scalable
• Objective foundation for comparison & use
CONTEXT IS CRUCIAL
• Application varies from organization to organization
– Mission
– Compliance requirements
– Laws and regulations
– Jurisdictions
– Constituency
– Operations and workflows
– Litigation profile
– Speed of technology adoption
IG REQUIRES COLLABORATION
• Key Stakeholders
– Business units
– Legal
– IT
– Regulatory / Compliance
– Privacy officers
• IG professionals integrate these various perspectives & needs into unified solutions
ALIGNING OUR INTERESTS
• Business units
– Quick retrieval during workflow, decisions
– Accuracy and integrity of information
– Maximize profits
• Legal
– Legally defensible processes
– Quick retrieval during discovery phases
• IT
– Efficient technology use
– Reduce costs
• Regulatory / Compliance
– Compliance with laws & regulations
• Privacy officers
– Compliance with privacy requirements
– Ability to respond effectively to privacy breaches
• RIM
– Compliance with laws & regulations
– Reduce risk through effective policy implementation
BAD PRACTICES, BAD RESULTS
• Evidence comes from the records & information
• BP rig explosion and oil spill litigation
– $4.5 Billion to government
– $7.8 Billion to businesses
– Engineer charged for deleting 200 text messages
– Claims against Halliburton – $20 Billion
– Emails are the “smoking gun”
– Contractors – who is at fault?
MEASURING INFORMATION GOVERNANCE
WHY IG METRICS ARE IMPORTANT
• Transform strategy into action
– Specific & quantifiable goals
– Monitor progress toward goals
• Document improvements and “good faith efforts”
• Demonstrate impact of program
• Support compliance/litigation efforts
INFORMATION GOVERNANCE MATURITY MODEL
• 1st generation assessment tool
• Defines characteristics of IG at different levels
• Use to identify gaps between current state and desirable state
• Quantitative & qualitative measures
• Systematic process
– Evaluate program & assess risks
– Plan program improvements
THE MATURITY MODEL
Maturity Level | Status
1 | Sub-Standard (RED)
2 | In Development (ORANGE)
3 | Essential (AMBER)
4 | Proactive (BLUE)
5 | Transformational (GREEN)
• No need to stair step through levels
• Level may vary across principles
• Level 3 – minimum acceptable
• Less than 5 may be acceptable:
– Risk tolerance
– Level of regulation
USING THE MATURITY MODEL
• Target the optimum level for your organization for each principle
– Different levels for different principles is ok
• Determine maturity of existing practices
– DIY based on maturity model, or
– Information Governance Assessment product
• Rank gaps between current and optimum levels
• Define corrective actions & implement work plan
Practical Applications: Privacy
PRIVACY CONSIDERATIONS
• Striking the balance
– Trust vs. business intelligence
• Opt in vs. Opt out
• Data protection
• Data breach prevention
– 46 states have notification laws
– Cost per record: $194
– Cost per organization: $5.5M
KEY FACTORS IN DATA BREACHES
Protections – Cost Reduction
• CISO appointment
• Strong security posture
• Established incident response plan
• Use of consultants to guide response actions
Primary root causes of a breach
• Malicious or criminal attack (37%); especially true for Germany, Australia, Japan
• Human error (35%); especially in Brazil
• System glitch (29%); especially in India
Ponemon Institute Cost of Data Breach study, 2013
IMPACT ON COSTS
IG AND PRIVACY COMPLIANCE
ITEM | Principle | IG Tools
Security at the C-level | Accountability | Enterprise IG Program
Quick response process | Transparency; Compliance; Availability | Defined policies; Data map; Metadata index
Get outside help | Accountability | Proactive discussions
Identify confidential info | Transparency; Availability; Protection | Data map; Business process analysis
Data loss prevention measures | Accountability; Protection | Defined policies; Employee training; Technology
Integrate protection practices into business process | Protection | Work process analysis; Technology application; Passwords; encryption
Measured response process | See above | Risk assessment
Third-party providers | Accountability | SLAs – negotiated
ALIGNING OUR TOOLS
IAPP 10 Steps | ARMA Principle | Existing tools
Roadmap of laws/regulations | Compliance | Records Retention Schedule
Perform risk assessment | Protection | Information risk assessments
Privacy by Design Tools | |
Privacy Impact Assessments | | ARMA IGA
Audit prep plan / program | Throughout | ARMA IGA
Test your incident response | Protection | Disaster Recovery Plans in both RIM and IT
ID root cause; corrective actions; document impact | |
Apply lessons from other areas | |
Written plan for known issues | |
Monitoring / trending | Throughout | Emphasis on continuing improvement & benchmarking
ALIGNING OUR TOOLS
AICPA Privacy Principles | ARMA Principle | Existing tools
Management | Accountability | Senior leader; documented policies; defined roles; training programs re: information responsibility; compliance audits
Notice | Transparency | Consistent systems that contribute to effective notice; clearly defined policies/procedures
Choice & Consent | -- | Consistent systems that enable implementation of consumer choice
Collection | Transparency, Availability |
Use, retention, disposal | Retention, Disposition |
Access | |
Disclosure to 3rd parties | |
Security for privacy | |
Quality | Integrity | Metadata management
Monitoring / enforcement | Throughout | Continuing improvement plans, benchmarking
ALIGNING OUR TOOLS
AICPA Privacy Principles | ARMA Principle | Existing IG tools
Access | Availability | Defined security levels for access to information; metadata & indexing to facilitate access
Disclosure to 3rd parties | Availability | Defined processes for disclosure, approvals, access to electronic systems
Security for privacy | Protection | Defined schemes for security; implementation with IT support; protection is both physical & virtual
Quality | Integrity | Metadata management; random checks for appropriate indexing
Monitoring / enforcement | Throughout | Audits, continuing improvement plans, benchmarking
NEXT STEPS
• Identify key stakeholders in your organization, by name
• Conduct an overall IG assessment
– AICPA maturity model
– ARMA maturity model and assessment product
• Build a coalition with stakeholders to determine best course for your organization
• Learn more
– www.arma.org/principles
– www.privacyassociation.org
CLOSING THOUGHTS
• Unified information governance relies on an effective collaborative team
– Power in numbers
– Comprehensive identification of issues & solutions
• Harmonize principles, models, standards for your organization
• Exploit existing IG tools
– Mitigates costs
– Maximizes resource usage
– Facilitates adoption of new processes
QUESTIONS?
Diane Carlisle, CRM
Executive Director of Content
ARMA International
For more information:
www.arma.org