S - 1 Privacy. S - 2 Panel on Privacy Moderator: Robert Parker, UWCISA - The AICPA-CICA Privacy Maturity Model Presenters: Michelle Chibba, Office of.

Presentation transcript:

S - 1 Privacy

S - 2 Panel on Privacy
Moderator: Robert Parker, UWCISA – The AICPA-CICA Privacy Maturity Model
Presenters:
- Michelle Chibba, Office of the Privacy Commissioner of Ontario – Privacy, Regulatory Compliance, Enforcement
- Christine Ravago, Ernst & Young, Washington – Assisting Clients Become Privacy Compliant, the Use of GAPP to Address Privacy Requirements
- Nicholas Cheung, CICA – GAPP, The AICPA-CICA Privacy Task Force, The Future, Tools and Products
- Jan McMullen, TD Bank Group, Technology Risk Management and Information Security – Privacy, Regulatory Compliance, etc.

S - 3 Today's Program: 4:00 – 6:00 pm, Panel on Privacy
Moderator: Robert Parker, UWCISA
Presenters: Michelle Chibba, Office of the Privacy Commissioner of Ontario; Christine Ravago, Ernst & Young, Washington; Nicholas Cheung, CICA; Jan McMullen, TD Bank Group
This is Friday afternoon! (Bar to follow.)

S - 4 Speaking order
- Jan McMullen, TD Bank Group, Technology Risk Management and Information Security – Privacy, Regulatory Compliance, etc.
- Christine Ravago, Ernst & Young, Washington – Assisting Clients Become Privacy Compliant, the Use of GAPP to Address Privacy Requirements
- Nicholas Cheung, CICA – GAPP, The AICPA-CICA Privacy Task Force, The Future, Tools and Products
- Robert Parker, UWCISA – The AICPA-CICA Privacy Maturity Model
- Michelle Chibba, Office of the Privacy Commissioner of Ontario – Privacy, Regulatory Compliance, Enforcement

S - 5 How the Privacy Maturity Model is built
Generally Accepted Privacy Principles (GAPP): an established privacy standard providing a global benchmark.
Capability Maturity Model (CMM): a recognized model for assessing the maturity (status) of projects and processes.
Privacy Maturity Model (PMM): combines the two. Its components are the maturity benchmarks, the Privacy Maturity Model User Guide, the CMM-based Privacy Maturity Matrix, the Data Collection Form, the Data Analysis Form, and internal/external reporting examples.

S - 6 Generally Accepted Privacy Principles (GAPP): an established privacy standard providing a global benchmark.
AICPA – CICA Generally Accepted Privacy Principles
Privacy Definition: Privacy encompasses the rights and obligations of individuals and organizations with respect to the collection, use, disclosure and retention of personal information.

S - 7 AICPA-CICA Generally Accepted Privacy Principles: The 10 Principles
1. Management
2. Notice
3. Choice and Consent
4. Collection
5. Use and Retention
6. Access
7. Disclosure
8. Security
9. Quality
10. Monitoring and Enforcement

S - 8 Generally Accepted Privacy Principles: structure of each principle
Each Privacy Principle is broken down into Privacy Criteria. For each criterion GAPP supplies Illustrative Controls and Procedures and Additional Considerations, and notes the need for customization to the entity. The criteria fall into two groups; the first is:
1 - Policies & Communications

S - 9 Generally Accepted Privacy Principles: structure of each principle (continued)
The second group of criteria, with the same layout of Privacy Criteria, Illustrative Controls and Procedures, Additional Considerations and need for customization, is:
2 - Procedures & Controls

S - 10 Generally Accepted Privacy Principles: the Illustrative Controls & Procedures may provide extensive guidance.

S - 11 Generally Accepted Privacy Principles: the Additional Considerations explore and explain concepts and rationale.

S - 12 Capability Maturity Model (CMM): a recognized model for assessing the maturity (status) of projects and processes.
The Capability Maturity Model (CMM) is a service mark owned by Carnegie Mellon University (CMU). It was developed at CMU's Software Engineering Institute (SEI), a research centre funded by the U.S. Department of Defense, from data collected on organizations that contracted with the DoD. The Capability Maturity Model was piloted in 1988 and has been in use for almost 20 years. It has been adopted by many organizations as a means of assessing compliance and performance.

S - 13 Levels of the Capability Maturity Model
Not counting Level 0 (doing nothing), the CMM defines five levels along a continuum. The predictability, effectiveness and control of an organization's privacy processes are expected to improve as the organization moves up these five levels.
Level 1 - Initial: processes at this level are typically undocumented and in a state of change, driven in an ad hoc, uncontrolled and reactive manner by users or events. This makes for a chaotic or unstable process environment.
Level 2 - Repeatable: some processes are repeatable, possibly with consistent results. Process discipline is unlikely to be rigorous, but where it exists it may help to ensure that existing processes are maintained during times of stress.

S - 14 Capability Maturity Model (continued)
Level 3 - Defined: sets of defined and documented standard processes are established and are subject to some degree of improvement over time. These standard processes are in place (i.e., they are the AS-IS processes) and are used to establish consistency of process performance across the organization.
Level 4 - Managed: using process metrics, management can effectively control the business process. In particular, management can identify ways to adjust and adapt the process to particular projects without measurable losses of quality or deviations from specifications. Process capability is established from this level.
Level 5 - Optimized: the focus is on continually improving process performance through both incremental and innovative technological changes and improvements.

S - 15 Capability Maturity Model
At maturity level 5, products, and the processes designed to operate and maintain them, are concerned with addressing changes and improvements.
Graphically, the Privacy Maturity Model would look like this: [graphic of the five ascending maturity levels, not reproduced in the transcript]
It is not essential to be at maturity level 5 to have an appropriate privacy program.

S - 16 Capability Maturity Model (CMM)
- CMM is a service mark owned by Carnegie Mellon University (CMU)
- CMM is based on data collected from organizations that contracted with the U.S. Department of Defense
- CMM was developed at the Software Engineering Institute (SEI), which CMU operates with DoD funding
- CMM has 6 levels of maturity: 0 = Nothing, 1 = Ad Hoc, 2 = Repeatable, 3 = Defined, 4 = Managed and 5 = Optimized
- An entity does not have to be at level 5 to achieve an acceptable level of performance

S - 17 Let's look at the Privacy Maturity Model, which combines GAPP (an established privacy standard providing a global benchmark) with CMM (a recognized model for assessing the maturity (status) of projects and processes).

S - 18 Privacy Maturity Model
- Combines the concepts of the Capability Maturity Model with the standards that comprise Generally Accepted Privacy Principles
- Provides an effective tool to assess an organization's privacy initiatives
- Allows comparisons amongst business units, geographical organizations or enterprise-wide
- Allows time series analysis of progress
- Provides an effective "snap-shot" of an entity's privacy initiatives

S - 19 Privacy Maturity Model
- The Privacy Maturity Model consists of a series of matrices that set out the expected evidence, documents or performance at each of the maturity levels 1 to 5
- The matrices are aligned with, and contain information on, the privacy principles and criteria
- The privacy maturity requirements are addressed at the criteria level

S - 20 Privacy Maturity Model: layout of the matrix
Rows: each Privacy Principle, broken down into its Privacy Criteria.
Columns: the Privacy Maturity Levels (1 to 5), giving the expected privacy attributes for each maturity level.

S - 21 Privacy Maturity Model: worked example (PMM attributes versus findings)
An entity may determine that its Privacy Policies cover notice, choice and consent, collection, use, retention and disposal. They may also cover security. However, it may determine that the policies do not address quality (accurate, timely, relevant, etc.), nor do they address monitoring and enforcement. This scenario would probably warrant a rating of slightly less than 3.0.

S - 22 Privacy Maturity Model User Guide

S - 23 Privacy Maturity User Guide
Using the PMM Data Analysis Form, assess and document information for each of the 73 criteria.
Inputs: Generally Accepted Privacy Principles (GAPP) and the entity's Corporate Privacy Policies (CPP) feed the PMM Data Reporting Form and the PMM Data Analysis Form.
Outputs: Management Reports (internal), Independent Reports (external) and Remediation Plans.

S - 24 Privacy Maturity Data Collection Form: columns
- Privacy Principle
- Privacy Criteria
- Findings and Observations
- Privacy Maturity Level (Preliminary Assessment)
- Attribute Link (optional)

S - 25 Using the Privacy Maturity Model: steps
1. Review the enterprise's GAPP and add any additional requirements from the Corporate Privacy Policies (CPP), giving an enterprise-specific GAPP.
2. Develop interview guides and conduct interviews to produce a documented current state.
3. Form A: complete the Comments column, drawing on GAPP and the Corporate Privacy Policies.
4. Form B: complete the Assessment column against the Privacy Maturity Model.
5. Form B: complete the Recommendation column.

S - 26 Maturity Reporting By Principle
[Chart: maturity level (vertical axis) for each of the ten principles: Management, Notice, Choice & Consent, Collection, Use, Retention & Disposal, Access, Disclosure to 3rd Parties, Security for Privacy, Quality, Monitoring & Enforcement; a horizontal line marks the Entity's Expected Maturity Level.]

S - 27 Maturity Reporting By Criteria (Notice)
[Chart: criteria assessment for the Notice principle, showing the maturity level of each criterion: Privacy Policies, Communication to Individuals, Provision of Notice, Entities & Activities, Clear & Conspicuous; lines mark the Entity's Expected Maturity Level and the Entity's Actual Maturity Level.]

S - 28 Maturity Reporting By Principle By Time Period
[Chart: as on S - 26, with the maturity level of each principle (Management, Notice, Choice & Consent, Collection, Use, Retention & Disposal, Access, Disclosure to 3rd Parties, Security for Privacy, Quality, Monitoring & Enforcement) plotted for successive time periods against the Entity's Expected Maturity Level.]
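The procedure on S - 23 to S - 28 (record a finding and a level for every criterion, roll the levels up by principle, compare with the entity's expected level, and track the result over time) and the "slightly less than 3.0" scenario on S - 21 can be made concrete in a small script. The following is an added example, not tooling from the AICPA-CICA Privacy Maturity Model or from the presenters. The ten principle names follow GAPP; the criteria names, ratings and expected levels are constructed for illustration (the real model has 73 criteria), and the partial-credit rule in policy_coverage_level() is an assumption made here, not the PMM's published scoring method.

```python
"""Illustrative maturity roll-up for a GAPP-based privacy assessment.

Added example, not the AICPA-CICA Privacy Maturity Model's own tooling.
Criteria, ratings and expected levels below are constructed; the
partial-credit rule in policy_coverage_level() is an assumption.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from statistics import mean

# The ten GAPP principles, in the order the PMM reports them.
PRINCIPLES = (
    "Management", "Notice", "Choice and Consent", "Collection",
    "Use, Retention and Disposal", "Access", "Disclosure to Third Parties",
    "Security for Privacy", "Quality", "Monitoring and Enforcement",
)

# CMM levels as the PMM uses them (0 is "nothing", 1..5 are the CMM levels).
LEVELS = {0: "Nothing", 1: "Ad Hoc", 2: "Repeatable", 3: "Defined",
          4: "Managed", 5: "Optimized"}


@dataclass(frozen=True)
class Finding:
    """One row of the Data Collection Form: a criterion, its assessed
    maturity level (fractional values record partial attainment) and the
    assessor's observation."""
    principle: str
    criterion: str
    level: float
    observation: str = ""

    def __post_init__(self) -> None:
        if self.principle not in PRINCIPLES:
            raise ValueError(f"unknown GAPP principle: {self.principle!r}")
        if not 0 <= self.level <= 5:
            raise ValueError(f"maturity level out of range: {self.level}")


def policy_coverage_level(covered: set[str], required: tuple[str, ...]) -> float:
    """Assumed partial-credit rule for the S - 21 scenario: full level 3 only
    when the policies address every required topic, otherwise level 2 plus
    the fraction of required topics that are covered."""
    hit = sum(1 for topic in required if topic in covered)
    return 3.0 if hit == len(required) else round(2 + hit / len(required), 2)


def rollup_by_principle(findings: list[Finding]) -> dict[str, float]:
    """Average the criterion levels within each principle (S - 26 view)."""
    by_principle: dict[str, list[float]] = defaultdict(list)
    for f in findings:
        by_principle[f.principle].append(f.level)
    return {p: round(mean(v), 2) for p, v in by_principle.items()}


def gap_report(findings: list[Finding], expected: dict[str, int]) -> list[tuple[str, float, int, float]]:
    """Actual versus the entity's expected level, in principle order."""
    actual = rollup_by_principle(findings)
    return [(p, actual.get(p, 0.0), expected[p], round(actual.get(p, 0.0) - expected[p], 2))
            for p in PRINCIPLES if p in expected]


def weakest_criteria(findings: list[Finding], n: int = 3) -> list[tuple[str, str, float]]:
    """Lowest-rated criteria: the first candidates for the remediation plan."""
    return [(f.principle, f.criterion, f.level)
            for f in sorted(findings, key=lambda f: f.level)[:n]]


def progress(previous: list[Finding], current: list[Finding]) -> dict[str, float]:
    """Change per principle between two assessment periods (S - 28 view)."""
    before, after = rollup_by_principle(previous), rollup_by_principle(current)
    return {p: round(after.get(p, 0.0) - before.get(p, 0.0), 2)
            for p in PRINCIPLES if p in before or p in after}


# Constructed sample: the Privacy Policies criterion from S - 21, where the
# policies cover six of eight topics and so score just under 3.0.
POLICY_TOPICS = ("notice", "choice and consent", "collection", "use",
                 "retention and disposal", "security", "quality",
                 "monitoring and enforcement")
POLICY_RATING = policy_coverage_level(
    {"notice", "choice and consent", "collection", "use",
     "retention and disposal", "security"}, POLICY_TOPICS)

# Constructed ratings for two assessment periods (criterion names are
# illustrative, not the full GAPP list).
PREVIOUS = [
    Finding("Management", "Privacy Policies", 2.0),
    Finding("Management", "Communication to Internal Personnel", 2.0),
    Finding("Management", "Responsibility and Accountability", 3.0),
    Finding("Notice", "Provision of Notice", 3.0),
    Finding("Notice", "Clear and Conspicuous", 3.0),
    Finding("Quality", "Accuracy and Completeness", 1.0),
    Finding("Monitoring and Enforcement", "Compliance Review", 1.0),
]
CURRENT = [
    Finding("Management", "Privacy Policies", POLICY_RATING, "quality and monitoring not addressed"),
    Finding("Management", "Communication to Internal Personnel", 3.0),
    Finding("Management", "Responsibility and Accountability", 3.5),
    Finding("Notice", "Provision of Notice", 3.0),
    Finding("Notice", "Clear and Conspicuous", 4.0),
    Finding("Quality", "Accuracy and Completeness", 1.0),
    Finding("Monitoring and Enforcement", "Compliance Review", 2.0),
]
EXPECTED = {"Management": 3, "Notice": 3, "Quality": 3, "Monitoring and Enforcement": 3}

if __name__ == "__main__":
    for principle, actual, target, gap in gap_report(CURRENT, EXPECTED):
        print(f"{principle:28} actual {actual:4.2f}  expected {target}  gap {gap:+.2f}")
    print("progress since last period:", progress(PREVIOUS, CURRENT))
    print("remediation priorities:", weakest_criteria(CURRENT, 2))
```

The roll-up uses a plain average so that a single weak criterion still pulls its principle below the expected line on the S - 26 chart; an assessor who wants the weakest criterion to dominate can swap mean() for min() in rollup_by_principle(), which is why weakest_criteria() is reported alongside the averages.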

S - 29 Privacy Maturity Model
An effective means of assessing an entity's privacy program using:
- GAPP – a recognized privacy standard based on international requirements
- PMM – based on CMM, a recognized project/program assessment technique
A useful tool for management, auditors, advisors and privacy professionals.
- PMM is a tool that will be integrated with the AICPA-CICA Privacy Assessment Tool to provide greater flexibility and ease of use
- PMM is, and will continue to be, supported and maintained by the AICPA – CICA professional organizations with over half a million members
- Provides insightful information in an easy to understand format
- Provides information for a meaningful path to privacy compliance and sustainability
- PMM is based on GAPP and is appropriate for use by US and Canadian as well as multinational entities with international privacy requirements

S - 30 We Would Appreciate Your Comments

S - 31 Thank You. Enjoy the Bar.
If you are interested in using the Privacy Maturity Model we would welcome your comments:
- Nicholas Cheung (416) Eastern Time Zone
- Robert Parker (250) Pacific Time Zone
- Nancy Cohen (201) Eastern Time Zone