Presentation is loading. Please wait.

Presentation is loading. Please wait.

S - 1 Privacy. S - 2 Panel on Privacy Moderator: Robert Parker, UWCISA - The AICPA-CICA Privacy Maturity Model Presenters: Michelle Chibba, Office of.

Similar presentations


Presentation on theme: "S - 1 Privacy. S - 2 Panel on Privacy Moderator: Robert Parker, UWCISA - The AICPA-CICA Privacy Maturity Model Presenters: Michelle Chibba, Office of."— Presentation transcript:

1 S - 1 Privacy

2 S - 2 Panel on Privacy Moderator: Robert Parker, UWCISA - The AICPA-CICA Privacy Maturity Model Presenters: Michelle Chibba, Office of the Privacy Commissioner of Ontario – Privacy, Regulatory Compliance, Enforcement Christine Ravago Ernst & Young, Washington – Assisting Clients Become Privacy Compliant, the Use of GAPP to Address Privacy Requirements. Nicholas Cheung, CICA – GAPP, The AICPA-CICA Privacy Task Force, The Future, Tools and Products Jan McMullen, TD Bank Group, Technology Risk Management and Information Security – Privacy, Regulatory Compliance, etc

3 S - 3 4:00 – 6:00 pm Panel on Privacy Moderator: Robert Parker, UWCISA Presenters: Michelle Chibba, Office of the Privacy Commissioner of Ontario Christine Ravago, Ernst & Young, Washington Nicholas Cheung, CICA Jan McMullen, TD Bank Group Today’s Program This is Friday Afternoon! BAR

4 S - 4 Jan McMullen, TD Bank Group, Technology Risk Management and Information Security – Privacy, Regulatory Compliance, etc Christine Ravago Ernst & Young, Washington – Assisting Clients Become Privacy Compliant, the Use of GAPP to Address Privacy Requirements. Nicholas Cheung, CICA – GAPP, The AICPA-CICA Privacy Task Force, The Future, Tools and Products Robert Parker, UWCISA - The AICPA-CICA Privacy Maturity Model Michelle Chibba, Office of the Privacy Commissioner of Ontario – Privacy, Regulatory Compliance, Enforcement

5 S - 5 Generally Accepted Privacy Principles GAPP Capability Maturity Model CMM Established Privacy Standard Providing a Global Benchmark Recognized Model For Assessing The Maturity (Status) of Projects & Processes Privacy Maturity Model Privacy Maturity Model Maturity Benchmarks Privacy Maturity Model User Guide CMM Based Privacy Maturity Matrix Data Collection Form Data Analysis Form Internal/External Reporting Examples Privacy Maturity Model

6 S - 6 Generally Accepted Privacy Principles GAPP Established Privacy Standard Providing a Global Benchmark AICPA – CICA Generally Accepted Privacy Principles Privacy Definition Privacy encompasses the rights and obligations of individuals and organizations with respect to the collection, use, disclosure and retention of personal information.

7 The 10 Principles Management Notice Choice and Consent Collection Use and Retention Access Disclosure Security Quality Monitoring and enforcement AICPA-CICA Generally Accepted Privacy Principles

8 S - 8 Generally Accepted Privacy Principles Privacy Criteria Illustrative Controls and Procedures Privacy Principle Additional Considerations Need for Customization 1 - Policies & Communications

9 S - 9 Generally Accepted Privacy Principles Privacy Criteria Illustrative Controls and Procedures Additional Considerations Need for Customization 2 - Procedures & Controls

10 S - 10 Generally Accepted Privacy Principles Illustrative Controls & Procedures may Provide Extensive Guidance

11 S - 11 Generally Accepted Privacy Principles Additional Considerations Explore & Explain Concepts & Rationale

12 S - 12 Capability Maturity Model CMM Recognized Model For Assessing The Maturity (Status) of Projects & Processes The Capability Maturity Model (CMM) is a service mark owned by Carnegie Mellon University (CMU). The model is based on data collected from organizations that contracted with the U.S. Department of Defense, who funded the research, and they became the foundation from which CMU created the Software Engineering Institute. The Capability Maturity Model was piloted in 1988 and has been in use for almost 20 years. It has been adopted by many organizations as a means of assessing compliance and performance.

13 S - 13 Levels of the Capability Maturity Model Not including Level 0; doing nothing, there are five levels defined along the continuum of the CMM. It is anticipated that the predictability, effectiveness, and control of an organization's privacy processes will improve as the organization moves up these five levels. Level 1 - Initial It is characteristic of processes at this level that they are typically undocumented and in a state of change, tending to be driven in an ad hoc, uncontrolled and reactive manner by users or events. This provides a chaotic or unstable environment for the processes. Level 2 - Repeatable It is characteristic of processes at this level that some processes are repeatable, possibly with consistent results. Process discipline is unlikely to be rigorous, but where it exists it may help to ensure that existing processes are maintained during times of stress. Capability Maturity Model

14 S - 14 Level 3 - Defined It is characteristic of processes at this level that there are sets of defined and documented standard processes established and subject to some degree of improvement over time. These standard processes are in place (i.e., they are the AS-IS processes) and used to establish consistency of process performance across the organization. Level 4 - Managed It is characteristic of processes at this level that, using process metrics, management can effectively control the business process. In particular, management can identify ways to adjust and adapt the process to particular projects without measurable losses of quality or deviations from specifications. Process Capability is established from this level. Level 5 - Optimized It is a characteristic of processes at this level that the focus is on continually improving process performance through both incremental and innovative technological changes/improvements. Capability Maturity Model

15 S - 15 Capability Maturity Model At maturity level 5, products, and the prcesses designed to operate and maintain them, are concerned with addressing changes and improvements Graphically The Privacy Maturity Model would look like this: It is not essential to be a maturity level 5 to have an appropriate privacy program

16 S - 16 Capability Maturity Model (CMM) CMM is a service mark owned by Carnegie Mellon University (CMU). CMM is based on data collected from organizations that contracted with the U.S. Department of Defense CMM resulted in creation of the Software Engineering Institute (SEI) by CMU CMM has 6 levels of maturity; 0=Nothing, 1=Ad Hoc, 2=Repeatable, 3=Defined, 4=Managed and 5=Optimized An entity does not have to be at level 5 to achieve an acceptable level of performance

17 S - 17 Generally Accepted Privacy Principles GAPP Capability Maturity Model CMM Established Privacy Standard Providing a Global Benchmark Recognized Model For Assessing The Maturity (Status) of Projects & Processes Privacy Maturity Model Let’s Look At The Privacy Maturity Model

18 S - 18 Privacy Maturity Model Combines the concepts of the Capability Maturity Model with the standards that comprise Generally Accepted Privacy Principles Provides an effective tool to assess an organization’s privacy initiatives Allows comparisons amongst business units, geographical organizations or enterprise wide Allows time series analysis of progress Provides an effective “snap-shot” of an entity’s privacy initiatives

19 S - 19 Privacy Maturity Model The Privacy Maturity Model consists of a series of matrices that provide information of the expected evidence, documents or performance at each of the maturity levels 1 to 5 The matrices are aligned with, and contain information on, the privacy principles and criteria The privacy maturity requirements are addressed at the criteria level

20 S - 20 Privacy Maturity Model Privacy Principle Privacy CriteriaExpected Privacy Attributes for Each Maturity Level Privacy Maturity Levels

21 S - 21 Privacy Maturity Model An entity may determine that their Privacy Policies cover notice, choice and consent, collection, use, retention and disposal They may also cover security However, they may determine that they do not address quality (accurate, timely, relevant, etc) Nor do their Privacy Policies address monitoring and enforcement This scenario would probably warrant a rating of slightly less that 3.0 PMM AttributesFindings

22 S - 22 Privacy Maturity Model User Guide Privacy Maturity User Guide

23 S - 23 Privacy Maturity User Guide Using the PMM Data Analysis form, assess and document information for each of the 73 criteria Data Reporting Form PMM Corporate Privacy Policies CPP Generally Accepted Privacy Principles GAPP Data Analysis Form PMM Management Reports Internal Independent Reports External Remediation Plans

24 S - 24 Privacy Principle Privacy Criteria Findings and Observations Privacy Maturity Level Preliminary Assessment Attribute Link (Optional) Privacy Maturity Data Collection Form

25 S - 25 Review Enterprise GAPP Add Additional Requirements CPP Develop Interview Guides Conduct Interviews Enterprise Specific GAPP Documented Current State Form A Complete Comments Column GAPP Corporate Privacy Policies Privacy Maturity Model Form B Complete Assessment Column Form B Complete Recommendation Column Using The Privacy Maturity Model c

26 S - 26 Maturity Reporting By Principle Maturity Level Management Notice Choice & Consent Collection Use, Retention & Disposal Access Disclosure to 3 rd Parties Security for Privacy Quality Monitoring & Enforcement Entity’s Expected Maturity Level

27 S - 27 Maturity Reporting By Criteria Maturity Level Privacy Policies Communication to Individuals Provision of Notice Entities & Activities Clear & Conspicuous Criteria Assessment Entity’s Expected Maturity Level Entity’s Actual Maturity Level Notice

28 S - 28 Maturity Reporting By Principle By Time Period Maturity Level Management Notice Choice & Consent Collection Use, Retention & Disposal Access Disclosure to 3 rd Parties Security for Privacy Quality Monitoring & Enforcement Entity’s Expected Maturity Level

29 S - 29 Privacy Maturity Model An effective means of assessing an entity’s privacy program using: GAPP - A recognized privacy standard based on international requirements PMM – Based on CMM – a recognized project/program assessment technique A useful tool for management, auditors and advisors and privacy professionals PMM is a tool that will be integrated with the AICPA-CICA Privacy Assessment Tool to provide greater flexibility and ease of use PMM is a tool that is, and will continue to be, supported and maintained by the AICPA – CICA professional organizations with over half a million members Provides insightful information in a easy to understand format Provides information for a meaningful path to privacy compliance and sustainability PMM is based of GAPP and appropriate for use by US and Canadian as well as multinational entities with international privacy requirements

30 S - 30 We Would Appreciate Your Comments

31 S - 31 v Thank You Enjoy the Bar If you are interested in using the Privacy Maturity Model we would welcome your comments Nicholas Cheung (416) Eastern Time Zone Robert Parker (250) Pacific Time Zone Nancy Cohen (201) Eastern Time Zone


Download ppt "S - 1 Privacy. S - 2 Panel on Privacy Moderator: Robert Parker, UWCISA - The AICPA-CICA Privacy Maturity Model Presenters: Michelle Chibba, Office of."

Similar presentations


Ads by Google