Presentation is loading. Please wait.

Presentation is loading. Please wait.

Data Minimization Framework

Published byAusten Booker Modified over 6 years ago

Similar presentations

Presentation on theme: "Data Minimization Framework"— Presentation transcript:

1 Data Minimization Framework
1. Create and Maintain an Accurate Data Inventory. Information governance starts with knowing your data. An accurate, up-to-date datamap identifies what information you have, where it exists, media types, applications, third-party access, reference value and sensitive elements. 2. Use Industry-Specific Retention Standards. Generic record naming and retention standards are of little value. Adopt standards that are specific to your industry and incorporate valid business needs unique to your organization. 3. Tag Records to Relevant Sensitive Elements. The sensitivity of data is a critical factor in determining retention decisions. It’s not only a good idea, it’s often the law. 4. Address Obsolete and Redundant Information. Information that is retained longer than valid regulatory requirements or business needs should be systematically disposed of through an appropriate and defensible process. 5. Target Sensitive Data Immediately at Risk. Review the data inventory for unauthorized movement, access, storage, retention and disclosure of sensitive employee, customer and corporate data. Get rid of all records as soon as they are eligible! 6. Prioritize . 90% of discovery and review costs go toward . is a prime target for cyber criminals. Prioritize appropriate deletion in your data minimization strategy. 8 .

2 Human Risk Framework 1. Conduct an Enterprise-Wide Risk Assessment Annually. You can’t address risks you don’t know exist. Evaluate existing safeguards and practices of key subject matter experts, department mangers as well as employees. 2. Establish Clear Guidelines. Review and update existing policies and establish clear guidelines that are easy for employees to understand and comply with. 3. Evaluate Policy Awareness Levels and Training. Policies are only effective if employees are aware of and comply with them, and the company can demonstrate they are consistently enforced. 4. Communicate Policy Expectations Consistently. Establish a set frequency for communicating policies and guidelines to increase awareness and improve policy effectiveness and defensibility. 5. Track Compliance Verification. Require employees to certify their awareness and compliance with policies and guidelines. This establishes an audit trail and evidence of diligence. 6. Address Risky Employee Practices. Identify employee behaviors that put sensitive information at risk and are out of compliance with policies. 7 .

3 Information Governance Framework
1. Create and Maintain an Accurate Data Inventory. Information governance starts with knowing your data. An accurate, up-to-date datamap identifies what information you have, where it exists, media types, applications, third-party access, reference value and sensitive elements. 2. Tag Records to Relevant Sensitive Elements. Appropriate security needs are determined by the sensitive content each record type contains and is a critical factor in determining retention and disposal decisions. 3. Use Industry-Specific Retention Standards. Generic record naming and retention standards are of little value. Adopt standards that are specific to your industry and incorporate valid business needs unique to your organization. 4. Address Obsolete and Redundant Information. Information that has been retained longer than valid regulatory or business needs should be systematically disposed of through an appropriate and defensible process. 5. Communicate Policies and Security Guidelines Consistently. People forget. When they forget, they don’t comply. Routinely communicate program expectations and diligently track compliance verification. 6. Demand Strict Compliance with Retention Rules and Policy. Retention rules aren’t minimum standards – they are absolute standards. Program adherence – including disposal consistency – provides a strong defense. 7. Keep Your Program Up-To-Date. Review and update your program annually and send out appropriate communications to improve employee awareness and compliance. 6 .

4 Vendor Diligence Framework
1. Assess Every Vendor - Not Just Your Largest. Every third party, including law firms and small companies, with access to your systems or data poses a threat. Their data breach is your data breach. 2. Use Relevant Standards. Evaluate your vendors’ current security practices against recognized standards. 3. Segment Vendors By Risk. Identify high-risk and (presumed) low-risk vendors to balance effective evaluation with process efficiency. 4. Eliminate Manual Processes. Manual diligence processes are resource-intensive and error-prone. The right technology eliminates bandwidth restrictions and provides consistent, documented evidence of your controls. 5. Consider Both the Letter and Spirit of Regulations. Vendor diligence standards must be comprehensive and consider existing technical controls as well as compliance with applicable regulations. 6. Make It Easy for Vendors to Respond. The right technology, process and question sets enable accurate, timely responses from your vendors. You’ll identify issues faster so you can stop problems before they happen. 7. Assess Law Firms Against the ACC Model Controls. Law firms have some of your most sensitive information. The ACC Model Controls provide a recognized starting point for evaluating your law firms’ cybersecurity practices. 8. Conduct Annual Assessments. The cyber threat landscape is continually changing and relationships with vendors evolve. Every vendor should complete a vendor risk profile at least annually. 6 .

5 PROFESSIONAL SERVICES. PERFECTLY DELIVERED.
About Jordan Lawrence For over a decade, Jordan Lawrence has served as an ACC Alliance Partner providing services that enable members around the world to effectively and defensibly meet legal obligations, mitigate risks and reduce the costs of information compliance and control. Senior executives and corporate counsel depend on our specialty risk-assessment services to address critical areas of risk and to stay in compliance with international and domestic regulations. Third-Party Diligence for Cybersecurity Risks Data Minimization for , ESI and Paper Records Data Inventory Development for Information Privacy and Litigation Readiness Records Retention Standards and Defensible Deployment Human Factors of Cybersecurity Risks Our innovative service delivery model provides predictability, accuracy and speed for every client. Our industry benchmarking and world-class best practices are relied upon and proven defensible in the most vital areas of corporate risk. PROFESSIONAL SERVICES. PERFECTLY DELIVERED.

6 (636)

Download ppt "Data Minimization Framework"

Similar presentations

What is GARP®? GARP® is an Acronym for Generally Accepted Recordkeeping Principles ARMA understands that records must be.

What is GARP®? GARP® is an Acronym for Generally Accepted Recordkeeping Principles ARMA understands that records must be.
© 2008 Cisco Systems, Inc. All rights reserved.Cisco Confidential 14854_10_2008_c1 1 Holistic Approach to Information Security Greg Carter, Cisco Security.

© 2008 Cisco Systems, Inc. All rights reserved.Cisco Confidential 14854_10_2008_c1 1 Holistic Approach to Information Security Greg Carter, Cisco Security.
Clean-up Days!.

Clean-up Days!.
WHY CHOOSE CEO-PE?  We employ International Association of Privacy Professionals (IAPP) Certified and Health Insurance Portability & Accountability Act.

WHY CHOOSE CEO-PE?  We employ International Association of Privacy Professionals (IAPP) Certified and Health Insurance Portability & Accountability Act.
Developing a Records & Information Retention & Disposition Program:

Developing a Records & Information Retention & Disposition Program:
1 E-Discovery Changes to Federal Rules of Civil Procedure Concerning Discovery of Electronically Stored Information (ESI) Effective Date: 12/01/2006 October,

1 E-Discovery Changes to Federal Rules of Civil Procedure Concerning Discovery of Electronically Stored Information (ESI) Effective Date: 12/01/2006 October,
Managing Records in SharePoint Step 1: Develop Retention Rules that Work.

Managing Records in SharePoint Step 1: Develop Retention Rules that Work.
SAFA- IFAC Regional SMP Forum

SAFA- IFAC Regional SMP Forum
Control environment and control activities. Day II Session III and IV.

Control environment and control activities. Day II Session III and IV.
Why Information Governance….instead of Records & Information Management? Angela Fares, RHIA, CRM, CISA, CGEIT, CRISC, CISM 817.352.4929 or

Why Information Governance….instead of Records & Information Management? Angela Fares, RHIA, CRM, CISA, CGEIT, CRISC, CISM or
Information Assurance and Information Sharing IMKS Public Sector Forum 7 February 2011 Clare Cowling, Senior Information Governance Adviser Transport for.

Information Assurance and Information Sharing IMKS Public Sector Forum 7 February 2011 Clare Cowling, Senior Information Governance Adviser Transport for.
LAW SEMINARS INTERNATIONAL New Developments in Internet Marketing & Selling November 13 & 14, 2006 San Francisco, California Moderator : Maureen A. Young.

LAW SEMINARS INTERNATIONAL New Developments in Internet Marketing & Selling November 13 & 14, 2006 San Francisco, California Moderator : Maureen A. Young.
Your cybersecurity breach will happen! Here’s what to do to mitigate your risk Thursday, 25 September 2014.

Your cybersecurity breach will happen! Here’s what to do to mitigate your risk Thursday, 25 September 2014.
Presenting The Broker-Dealer Certification Tool The Compliance Department Inc. Broker Dealer Compliance Consultants Compliance SCORE Powered by Keane BRMS.

Presenting The Broker-Dealer Certification Tool The Compliance Department Inc. Broker Dealer Compliance Consultants Compliance SCORE Powered by Keane BRMS.
Electronic Records Management: What Management Needs to Know May 2009.

Electronic Records Management: What Management Needs to Know May 2009.
What Keeps You Awake at Night Compliance Corporate Governance Critical Infrastructure Are there regulatory risks? Do employees respect and adhere to internal.

What Keeps You Awake at Night Compliance Corporate Governance Critical Infrastructure Are there regulatory risks? Do employees respect and adhere to internal.
STORAGE MANAGEMENT/ EXECUTIVE: Managing a Compliant Infrastructure Processes and Procedures Mike Casey Principal Analyst Contoural Inc.

STORAGE MANAGEMENT/ EXECUTIVE: Managing a Compliant Infrastructure Processes and Procedures Mike Casey Principal Analyst Contoural Inc.
Compliance Management Platform ™. Compliance Management Platform Compliance is the New Marketing – Position yourself to thrive in the new regulatory and.

Compliance Management Platform ™. Compliance Management Platform Compliance is the New Marketing – Position yourself to thrive in the new regulatory and.
Chapter 8 8-1 © 2009 Pearson Education, Inc. Publishing as Prentice Hall.

Chapter © 2009 Pearson Education, Inc. Publishing as Prentice Hall.
ISO17799 Maturity. Confidentiality Confidentiality relates to the protection of sensitive data from unauthorized use and distribution. Examples include:

ISO17799 Maturity. Confidentiality Confidentiality relates to the protection of sensitive data from unauthorized use and distribution. Examples include:

Similar presentations

Ads by Google