
1 S - 1 Privacy

2 Panel on Privacy
Moderator: Robert Parker, UWCISA – The AICPA-CICA Privacy Maturity Model
Presenters:
- Michelle Chibba, Office of the Privacy Commissioner of Ontario – Privacy, Regulatory Compliance, Enforcement
- Christine Ravago, Ernst & Young, Washington – Assisting Clients to Become Privacy Compliant; the Use of GAPP to Address Privacy Requirements
- Nicholas Cheung, CICA – GAPP, the AICPA-CICA Privacy Task Force, the Future, Tools and Products
- Jan McMullen, TD Bank Group, Technology Risk Management and Information Security – Privacy, Regulatory Compliance, etc.

3 Today's Program
4:00 – 6:00 pm: Panel on Privacy
Moderator: Robert Parker, UWCISA
Presenters: Michelle Chibba, Office of the Privacy Commissioner of Ontario; Christine Ravago, Ernst & Young, Washington; Nicholas Cheung, CICA; Jan McMullen, TD Bank Group
This is Friday Afternoon! Bar

4 Presenters and topics:
- Jan McMullen, TD Bank Group, Technology Risk Management and Information Security – Privacy, Regulatory Compliance, etc.
- Christine Ravago, Ernst & Young, Washington – Assisting Clients to Become Privacy Compliant; the Use of GAPP to Address Privacy Requirements
- Nicholas Cheung, CICA – GAPP, the AICPA-CICA Privacy Task Force, the Future, Tools and Products
- Robert Parker, UWCISA – The AICPA-CICA Privacy Maturity Model
- Michelle Chibba, Office of the Privacy Commissioner of Ontario – Privacy, Regulatory Compliance, Enforcement

5 Privacy Maturity Model (overview diagram)
Generally Accepted Privacy Principles (GAPP): Established Privacy Standard Providing a Global Benchmark
Capability Maturity Model (CMM): Recognized Model for Assessing the Maturity (Status) of Projects & Processes
GAPP + CMM = Privacy Maturity Model
Privacy Maturity Model components:
- Maturity Benchmarks
- Privacy Maturity Model User Guide
- CMM-Based Privacy Maturity Matrix
- Data Collection Form
- Data Analysis Form
- Internal/External Reporting Examples

6 Generally Accepted Privacy Principles (GAPP): Established Privacy Standard Providing a Global Benchmark
AICPA – CICA Generally Accepted Privacy Principles
Privacy definition: Privacy encompasses the rights and obligations of individuals and organizations with respect to the collection, use, disclosure and retention of personal information.

7 AICPA-CICA Generally Accepted Privacy Principles: The 10 Principles
1. Management
2. Notice
3. Choice and Consent
4. Collection
5. Use and Retention
6. Access
7. Disclosure
8. Security
9. Quality
10. Monitoring and Enforcement

8 Generally Accepted Privacy Principles – structure of each principle: Privacy Principle; Privacy Criteria; Illustrative Controls and Procedures; Additional Considerations; Need for Customization
Criteria group 1 - Policies & Communications

9 Generally Accepted Privacy Principles – structure of each principle: Privacy Criteria; Illustrative Controls and Procedures; Additional Considerations; Need for Customization
Criteria group 2 - Procedures & Controls

10 Generally Accepted Privacy Principles: Illustrative Controls & Procedures may provide extensive guidance

11 Generally Accepted Privacy Principles: Additional Considerations explore and explain concepts and rationale

12 Capability Maturity Model (CMM): Recognized Model for Assessing the Maturity (Status) of Projects & Processes
The Capability Maturity Model (CMM) is a service mark owned by Carnegie Mellon University (CMU). The model is based on data collected from organizations that contracted with the U.S. Department of Defense, which funded the research; these data became the foundation from which CMU created the Software Engineering Institute. The Capability Maturity Model was piloted in 1988 and has been in use for almost 20 years. It has been adopted by many organizations as a means of assessing compliance and performance.

13 Levels of the Capability Maturity Model
Not including Level 0 (doing nothing), there are five levels defined along the continuum of the CMM. It is anticipated that the predictability, effectiveness, and control of an organization's privacy processes will improve as the organization moves up these five levels.
Level 1 - Initial: Processes at this level are typically undocumented and in a state of change, tending to be driven in an ad hoc, uncontrolled and reactive manner by users or events. This provides a chaotic or unstable environment for the processes.
Level 2 - Repeatable: Some processes at this level are repeatable, possibly with consistent results. Process discipline is unlikely to be rigorous, but where it exists it may help to ensure that existing processes are maintained during times of stress.

14 Capability Maturity Model (continued)
Level 3 - Defined: Sets of defined and documented standard processes are established and subject to some degree of improvement over time. These standard processes are in place (i.e., they are the AS-IS processes) and are used to establish consistency of process performance across the organization.
Level 4 - Managed: Using process metrics, management can effectively control the business process. In particular, management can identify ways to adjust and adapt the process to particular projects without measurable losses of quality or deviations from specifications. Process capability is established from this level.
Level 5 - Optimized: The focus is on continually improving process performance through both incremental and innovative technological changes/improvements.

15 Capability Maturity Model
At maturity level 5, products, and the processes designed to operate and maintain them, are concerned with addressing changes and improvements.
Graphically, the Privacy Maturity Model would look like this: [graph not included in the transcript]
It is not essential to be at maturity level 5 to have an appropriate privacy program.

16 Capability Maturity Model (CMM)
- CMM is a service mark owned by Carnegie Mellon University (CMU)
- CMM is based on data collected from organizations that contracted with the U.S. Department of Defense
- CMM resulted in the creation of the Software Engineering Institute (SEI) by CMU
- CMM has 6 levels of maturity: 0 = Nothing, 1 = Ad Hoc, 2 = Repeatable, 3 = Defined, 4 = Managed and 5 = Optimized
- An entity does not have to be at level 5 to achieve an acceptable level of performance

17 Let's Look at the Privacy Maturity Model
Generally Accepted Privacy Principles (GAPP): Established Privacy Standard Providing a Global Benchmark
Capability Maturity Model (CMM): Recognized Model for Assessing the Maturity (Status) of Projects & Processes
GAPP + CMM = Privacy Maturity Model

18 Privacy Maturity Model
- Combines the concepts of the Capability Maturity Model with the standards that comprise Generally Accepted Privacy Principles
- Provides an effective tool to assess an organization's privacy initiatives
- Allows comparisons amongst business units, geographical organizations or enterprise wide
- Allows time series analysis of progress
- Provides an effective "snap-shot" of an entity's privacy initiatives

19 Privacy Maturity Model
- The Privacy Maturity Model consists of a series of matrices that provide information on the expected evidence, documents or performance at each of the maturity levels 1 to 5
- The matrices are aligned with, and contain information on, the privacy principles and criteria
- The privacy maturity requirements are addressed at the criteria level

20 Privacy Maturity Model – matrix layout
Columns: Privacy Principle | Privacy Criteria | Expected Privacy Attributes for Each Maturity Level (Privacy Maturity Levels 1 to 5)

21 Privacy Maturity Model – worked example (columns: PMM Attributes | Findings)
An entity may determine that their Privacy Policies cover notice, choice and consent, collection, use, retention and disposal. They may also cover security. However, they may determine that they do not address quality (accurate, timely, relevant, etc.), nor do their Privacy Policies address monitoring and enforcement. This scenario would probably warrant a rating of slightly less than 3.0.

22 Privacy Maturity Model User Guide

23 Privacy Maturity User Guide
Using the PMM Data Analysis form, assess and document information for each of the 73 criteria.
Diagram elements: Generally Accepted Privacy Principles (GAPP); Corporate Privacy Policies (CPP); PMM Data Analysis Form; PMM Data Reporting Form; Management Reports (Internal); Independent Reports (External); Remediation Plans

24 Privacy Maturity Data Collection Form
Columns: Privacy Principle | Privacy Criteria | Findings and Observations | Privacy Maturity Level Preliminary Assessment | Attribute Link (Optional)

25 Using The Privacy Maturity Model (process diagram)
Inputs: GAPP; Corporate Privacy Policies; Privacy Maturity Model
Steps: Review Enterprise GAPP; Add Additional Requirements (CPP); Develop Interview Guides; Conduct Interviews
Artifacts: Enterprise Specific GAPP; Documented Current State
Forms: Form A – Complete Comments Column; Form B – Complete Assessment Column; Form B – Complete Recommendation Column

26 Maturity Reporting By Principle
[Bar chart: vertical axis Maturity Level 0 to 5; horizontal axis the principles Management, Notice, Choice & Consent, Collection, Use, Retention & Disposal, Access, Disclosure to 3rd Parties, Security for Privacy, Quality, Monitoring & Enforcement; reference line marking the Entity's Expected Maturity Level]

27 Maturity Reporting By Criteria (Notice principle)
[Bar chart: vertical axis Maturity Level 0 to 5; horizontal axis the Notice criteria Privacy Policies, Communication to Individuals, Provision of Notice, Entities & Activities, Clear & Conspicuous; Criteria Assessment bars plotted against the Entity's Expected Maturity Level and the Entity's Actual Maturity Level]

28 Maturity Reporting By Principle By Time Period
[Bar chart: vertical axis Maturity Level 0 to 5; horizontal axis the principles Management, Notice, Choice & Consent, Collection, Use, Retention & Disposal, Access, Disclosure to 3rd Parties, Security for Privacy, Quality, Monitoring & Enforcement; paired bars for 2009 and 2010; reference line marking the Entity's Expected Maturity Level]

29 Privacy Maturity Model
- An effective means of assessing an entity's privacy program using: GAPP, a recognized privacy standard based on international requirements; and PMM, based on CMM, a recognized project/program assessment technique
- A useful tool for management, auditors, advisors and privacy professionals
- PMM is a tool that will be integrated with the AICPA-CICA Privacy Assessment Tool to provide greater flexibility and ease of use
- PMM is a tool that is, and will continue to be, supported and maintained by the AICPA – CICA professional organizations with over half a million members
- Provides insightful information in an easy to understand format
- Provides information for a meaningful path to privacy compliance and sustainability
- PMM is based on GAPP and appropriate for use by US and Canadian as well as multinational entities with international privacy requirements

30 We Would Appreciate Your Comments

31 Thank You – Enjoy the Bar
If you are interested in using the Privacy Maturity Model we would welcome your comments.
Nicholas Cheung, nicholas.cheung@cica.ca, (416) 204-3251, Eastern Time Zone
Robert Parker, robertgparker@shaw.ca, (250) 658-0250, Pacific Time Zone
Nancy Cohen, ncohen@aicpa.org, (201) 938-3298, Eastern Time Zone
