S-1 Panel on Privacy

Moderator: Robert Parker, UWCISA – The AICPA-CICA Privacy Maturity Model

Presenters:
• Michelle Chibba, Office of the Privacy Commissioner of Ontario – Privacy, Regulatory Compliance, Enforcement
• Christine Ravago, Ernst & Young, Washington – Assisting Clients to Become Privacy Compliant; the Use of GAPP to Address Privacy Requirements
• Nicholas Cheung, CICA – GAPP, the AICPA-CICA Privacy Task Force, the Future, Tools and Products
• Jan McMullen, TD Bank Group, Technology Risk Management and Information Security – Privacy, Regulatory Compliance, etc.

S-2 Today's Program

This is Friday afternoon! Panel on Privacy, 4:00 – 6:00 pm.
Moderator: Robert Parker, UWCISA
Presenters: Michelle Chibba, Office of the Privacy Commissioner of Ontario; Christine Ravago, Ernst & Young, Washington; Nicholas Cheung, CICA; Jan McMullen, TD Bank Group

S-4 Privacy Maturity Model

The Privacy Maturity Model (PMM) combines two components:
• GAPP (Generally Accepted Privacy Principles): an established privacy standard providing a global benchmark
• CMM (Capability Maturity Model): a recognized model for assessing the maturity (status) of projects and processes

S-5 Privacy Maturity Model: Maturity Benchmarks

The PMM package consists of:
• Privacy Maturity Model User Guide
• CMM-based Privacy Maturity Matrix
• Data Collection Form
• Data Analysis Form
• Internal/External Reporting Examples

Generally Accepted Privacy Principles (GAPP), AICPA – CICA: an established privacy standard providing a global benchmark.

Privacy definition: privacy encompasses the rights and obligations of individuals and organizations with respect to the collection, use, disclosure and retention of personal information.

S-6 The 10 Principles (AICPA-CICA Generally Accepted Privacy Principles)
• Management
• Notice
• Choice and Consent
• Collection
• Use and Retention
• Access
• Disclosure
• Security
• Quality
• Monitoring and Enforcement

S-7 to S-10 Structure of a GAPP principle

Each privacy principle is supported by privacy criteria in two groups:
• Privacy Criteria 1 – Policies & Communications
• Privacy Criteria 2 – Procedures & Controls

Each criterion carries:
• Additional Considerations, which explore and explain the concepts and rationale, and cover the need for customization to the entity
• Illustrative Controls and Procedures, which may provide extensive guidance on how the criterion can be met

S-11 Capability Maturity Model (CMM)

The CMM is a recognized model for assessing the maturity (status) of projects and processes. "Capability Maturity Model" is a service mark owned by Carnegie Mellon University (CMU). The model is based on data collected from organizations that contracted with the U.S. Department of Defense, which funded the research, and was developed at CMU's Software Engineering Institute (SEI). The CMM was piloted in 1988 and has been in use for almost 20 years. It has been adopted by many organizations as a means of assessing compliance and performance.

S-12 Levels of the Capability Maturity Model

Not including Level 0 (doing nothing), there are five levels defined along the continuum of the CMM. It is anticipated that the predictability, effectiveness and control of an organization's privacy processes will improve as the organization moves up these five levels.

Level 1 – Initial. Processes at this level are typically undocumented and in a state of change, tending to be driven in an ad hoc, uncontrolled and reactive manner by users or events. This provides a chaotic or unstable environment for the processes.

Level 2 – Repeatable. Some processes are repeatable, possibly with consistent results. Process discipline is unlikely to be rigorous, but where it exists it may help to ensure that existing processes are maintained during times of stress.

S-13 Capability Maturity Model (continued)

Level 3 – Defined. Sets of defined and documented standard processes are established and subject to some degree of improvement over time. These standard processes are in place (i.e., they are the AS-IS processes) and are used to establish consistency of process performance across the organization.

Level 4 – Managed. Using process metrics, management can effectively control the business process. In particular, management can identify ways to adjust and adapt the process to particular projects without measurable losses of quality or deviations from specifications. Process capability is established from this level.

Level 5 – Optimized. The focus is on continually improving process performance through both incremental and innovative technological changes and improvements.

S-14 Capability Maturity Model (continued)

At maturity level 5, products, and the processes designed to operate and maintain them, are concerned with addressing changes and improvements.

[Graphic: the Privacy Maturity Model drawn as the five CMM levels, Level 1 through Level 5.]

It is not essential to be at maturity level 5 to have an appropriate privacy program.

S-15 Capability Maturity Model (CMM): summary
• CMM is a service mark owned by Carnegie Mellon University (CMU)
• CMM is based on data collected from organizations that contracted with the U.S. Department of Defense
• CMM was developed at CMU's Software Engineering Institute (SEI)
• CMM has six levels of maturity: 0 = Nothing, 1 = Ad Hoc, 2 = Repeatable, 3 = Defined, 4 = Managed and 5 = Optimized
• An entity does not have to be at level 5 to achieve an acceptable level of performance

S-16 Privacy Maturity Model

Let's look at the Privacy Maturity Model, which brings GAPP and the CMM together.

S-17 Privacy Maturity Model

The Privacy Maturity Model:
• Combines the concepts of the Capability Maturity Model with the standards that comprise Generally Accepted Privacy Principles
• Provides an effective tool to assess an organization's privacy initiatives
• Allows comparisons amongst business units, geographical organizations or enterprise-wide
• Allows time-series analysis of progress
• Provides an effective "snapshot" of an entity's privacy initiatives

S-18 Privacy Maturity Model

The Privacy Maturity Model consists of a series of matrices that provide information on the expected evidence, documents or performance at each of the maturity levels 1 to 5. The matrices are aligned with, and contain information on, the privacy principles and criteria. The privacy maturity requirements are addressed at the criteria level.

S-19 Privacy Maturity Model: matrix layout

[Graphic: matrix with rows for each Privacy Principle and its Privacy Criteria, and columns for Privacy Maturity Levels 1 to 5.]

S-20 Expected Privacy Attributes for Each Maturity Level

Each cell of the matrix lists the PMM attributes expected at that level; the assessor records findings against them. Example: an entity may determine that its Privacy Policies cover notice, choice and consent, collection, use, retention and disposal, and also security. However, it may determine that the policies do not address quality (accurate, timely, relevant, etc.), nor monitoring and enforcement. This scenario would probably warrant a rating of slightly less than 3.0.

S-21 Privacy Maturity Model User Guide

S-22 Privacy Maturity User Guide: PMM Data Analysis Form

Using the PMM Data Analysis Form, assess and document information for each of the 73 GAPP criteria. Inputs are GAPP (Generally Accepted Privacy Principles) and the entity's Corporate Privacy Policies (CPP); results flow to the PMM Data Reporting Form.

S-23 Reporting and the Data Collection Form

Reporting:
• Internal: Management Reports, Remediation Plans
• External: Independent Reports

Privacy Maturity Data Collection Form columns: Privacy Principle, Privacy Criteria, Privacy Maturity Level, Preliminary Assessment, Attribute Link (Optional).

S-24 Using the Privacy Maturity Model

1. Review Enterprise GAPP.
2. Add additional requirements from the Corporate Privacy Policies (CPP) to produce an enterprise-specific GAPP.
3. Develop interview guides.
4. Conduct interviews.
5. Document the current state and complete the Comments column of Form A.
6. Record findings and observations.

S-25
7. Complete the Assessment column of Form B.
8. Complete the Recommendation column of Form B.

S-26 Maturity Reporting by Principle

[Chart: bar chart of the entity's actual maturity level (0 to 5) for each principle: Management; Notice; Choice & Consent; Collection; Use, Retention & Disposal; Access; Disclosure to 3rd Parties; Security for Privacy; Quality; Monitoring & Enforcement, with a line for the entity's expected maturity level.]

S-27 Maturity Reporting by Criteria (Notice)

[Chart: bar chart of actual maturity level (0 to 5) for each Notice criterion: Privacy Policies; Communication to Individuals; Provision of Notice; Entities & Activities; Clear & Conspicuous, with a line for the entity's expected maturity level.]

S-28 Maturity Reporting by Principle, by Time Period

[Chart: the by-principle bar chart of S-26 repeated for 2009 and 2010, with a line for the entity's expected maturity level.]

Privacy Maturity Model: summary

An effective means of assessing an entity's privacy program using:
• GAPP, a recognized privacy standard based on international requirements
• PMM, based on CMM, a recognized project/program assessment technique

• A useful tool for management, auditors and advisors, and privacy professionals
• PMM will be integrated with the AICPA-CICA Privacy Assessment Tool to provide greater flexibility and ease of use
• PMM is, and will continue to be, supported and maintained by the AICPA – CICA professional organizations, with over half a million members
• Provides insightful information in an easy-to-understand format
• Provides information for a meaningful path to privacy compliance and sustainability
• PMM is based on GAPP and appropriate for use by U.S. and Canadian as well as multinational entities with international privacy requirements

S-29 We Would Appreciate Your Comments

S-30 Thank You. Enjoy the Bar.

If you are interested in using the Privacy Maturity Model we would welcome your comments:
• Robert Parker, robertgparker@shaw.ca, (250) 658-0250 (Pacific Time Zone)
• Nicholas Cheung, nicholas.cheung@cica.ca, (416) 204-3251 (Eastern Time Zone)
• Nancy Cohen, ncohen@aicpa.org, (201) 938-3298 (Eastern Time Zone)
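The reporting described on slides S-23 to S-28 (criteria-level assessments from Form B rolled up into by-principle, by-criteria and by-time-period reports against an expected maturity level) can be reproduced with a small script. The following is an added example, not AICPA-CICA material and not the PMM tool itself. The slides do not state how criteria ratings roll up to a principle, so averaging the criteria ratings is an assumption here; the ratings and expected levels are constructed sample data, and only three of the ten principles are modelled. Criteria names for Notice are those on slide S-27; the criteria under Quality and Monitoring & Enforcement are placeholders.

```python
"""Roll-up of Privacy Maturity Model (PMM) criteria ratings into the
by-principle, by-criteria and by-period reports shown on the slides.

Added illustration, not AICPA-CICA code. Assumptions: a principle's
maturity is the mean of its criteria ratings (the slides give no roll-up
rule), ratings use the CMM scale 0..5, and all data below is constructed.
"""
from collections import defaultdict
from statistics import mean

# CMM levels from slide S-15.
LEVELS = {0: "Nothing", 1: "Ad Hoc", 2: "Repeatable",
          3: "Defined", 4: "Managed", 5: "Optimized"}

# Constructed Form B "Assessment" column: (principle, criterion, rating).
ASSESSMENT_2009 = [
    ("Notice", "Privacy Policies", 3),
    ("Notice", "Communication to Individuals", 3),
    ("Notice", "Provision of Notice", 2),
    ("Notice", "Entities & Activities", 2),
    ("Notice", "Clear & Conspicuous", 2),
    ("Quality", "Accuracy and Completeness (placeholder)", 1),
    ("Quality", "Relevance (placeholder)", 0),
    ("Monitoring & Enforcement", "Complaint Process (placeholder)", 1),
    ("Monitoring & Enforcement", "Ongoing Monitoring (placeholder)", 0),
]
ASSESSMENT_2010 = [
    ("Notice", "Privacy Policies", 3),
    ("Notice", "Communication to Individuals", 3),
    ("Notice", "Provision of Notice", 3),
    ("Notice", "Entities & Activities", 3),
    ("Notice", "Clear & Conspicuous", 2),
    ("Quality", "Accuracy and Completeness (placeholder)", 2),
    ("Quality", "Relevance (placeholder)", 2),
    ("Monitoring & Enforcement", "Complaint Process (placeholder)", 2),
    ("Monitoring & Enforcement", "Ongoing Monitoring (placeholder)", 1),
]

# Constructed "entity's expected maturity level" per principle (the line on
# the S-26 chart). An entity need not target level 5 everywhere (slide S-14).
EXPECTED = {"Notice": 3, "Quality": 3, "Monitoring & Enforcement": 2}


def validate(assessment):
    """Reject ratings outside the six-level CMM scale before any roll-up."""
    for principle, criterion, rating in assessment:
        if not isinstance(rating, int) or not 0 <= rating <= 5:
            raise ValueError(f"{principle}/{criterion}: rating {rating!r} "
                             "is outside the CMM scale 0-5")


def by_principle(assessment):
    """S-26 report: mean criteria rating per principle (assumed roll-up)."""
    validate(assessment)
    groups = defaultdict(list)
    for principle, _, rating in assessment:
        groups[principle].append(rating)
    return {p: round(mean(r), 2) for p, r in groups.items()}


def by_criteria(assessment, principle):
    """S-27 report: rating of each criterion under one principle."""
    validate(assessment)
    return {c: r for p, c, r in assessment if p == principle}


def gaps(assessment, expected):
    """Principles whose actual level is below the expected level, with the
    shortfall; this is the input to a remediation plan (slide S-23)."""
    actual = by_principle(assessment)
    return {p: round(expected[p] - actual.get(p, 0.0), 2)
            for p in expected if actual.get(p, 0.0) < expected[p]}


def by_period(periods):
    """S-28 report: {principle: {period_label: level}} for time-series review."""
    out = defaultdict(dict)
    for label, assessment in periods.items():
        for principle, level in by_principle(assessment).items():
            out[principle][label] = level
    return dict(out)


def level_name(score):
    """Name of the CMM level a fractional score has reached (floored)."""
    return LEVELS[int(score)]


if __name__ == "__main__":
    for label, data in (("2009", ASSESSMENT_2009), ("2010", ASSESSMENT_2010)):
        print(label, by_principle(data), "gaps:", gaps(data, EXPECTED))
    print(by_period({"2009": ASSESSMENT_2009, "2010": ASSESSMENT_2010}))
```

With the constructed data, Notice rolls up to 2.4 in 2009 and 2.8 in 2010, still short of the expected level 3 in both years, which is the kind of gap the by-period chart on S-28 is meant to make visible. Validation runs before every roll-up so that a mistyped rating on a data collection form fails loudly rather than silently distorting a principle's average.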