Panel on Privacy
Moderator: Robert Parker, UWCISA – The AICPA-CICA Privacy Maturity Model
Presenters:
• Michelle Chibba, Office of the Privacy Commissioner of Ontario – Privacy, Regulatory Compliance, Enforcement
• Christine Ravago, Ernst & Young, Washington – Assisting Clients to Become Privacy Compliant; the Use of GAPP to Address Privacy Requirements
• Nicholas Cheung, CICA – GAPP, the AICPA-CICA Privacy Task Force, the Future, Tools and Products
• Jan McMullen, TD Bank Group, Technology Risk Management and Information Security – Privacy, Regulatory Compliance, etc.
Today’s Program (this is Friday afternoon, and the bar awaits!)
• Michelle Chibba, Office of the Privacy Commissioner of Ontario – Privacy, Regulatory Compliance, Enforcement
• Christine Ravago, Ernst & Young, Washington – Assisting Clients to Become Privacy Compliant; the Use of GAPP to Address Privacy Requirements
• Nicholas Cheung, CICA – GAPP, the AICPA-CICA Privacy Task Force, the Future, Tools and Products
• Jan McMullen, TD Bank Group, Technology Risk Management and Information Security – Privacy, Regulatory Compliance, etc.
• Robert Parker, UWCISA – The AICPA-CICA Privacy Maturity Model
Privacy Maturity Model: Components
• GAPP – Generally Accepted Privacy Principles: an established privacy standard providing a global benchmark
• CMM – Capability Maturity Model: a recognized model for assessing the maturity (status) of projects and processes
• Privacy Maturity Model (GAPP combined with CMM): maturity benchmarks; the Privacy Maturity Model User Guide; a CMM-based Privacy Maturity Matrix; a Data Collection Form; a Data Analysis Form; internal and external reporting examples
GAPP – AICPA-CICA Generally Accepted Privacy Principles
An established privacy standard providing a global benchmark.
Privacy definition:
• Privacy encompasses the rights and obligations of individuals and organizations with respect to the collection, use, disclosure and retention of personal information.
The 10 Principles of the AICPA-CICA Generally Accepted Privacy Principles
• Management
• Notice
• Choice and Consent
• Collection
• Use, Retention and Disposal
• Access
• Disclosure to Third Parties
• Security for Privacy
• Quality
• Monitoring and Enforcement
Generally Accepted Privacy Principles: Structure
Each privacy principle is supported by privacy criteria, illustrative controls and procedures, and additional considerations (including the need for customization). The criteria under each principle fall into two groups:
• 1 – Policies & Communications
• 2 – Procedures & Controls
Generally Accepted Privacy Principles: Illustrative Controls & Procedures
• The illustrative controls and procedures may provide extensive guidance.
Generally Accepted Privacy Principles: Additional Considerations
• The additional considerations explore and explain the concepts and rationale behind each criterion.
CMM – Capability Maturity Model
A recognized model for assessing the maturity (status) of projects and processes.
• The Capability Maturity Model (CMM) is a service mark owned by Carnegie Mellon University (CMU).
• The model was developed at CMU’s Software Engineering Institute and is based on data collected from organizations that contracted with the U.S. Department of Defense, which funded the research.
• The Capability Maturity Model was piloted in 1988 and has been in use for almost 20 years. It has been adopted by many organizations as a means of assessing compliance and performance.
Capability Maturity Model: Levels
Not counting Level 0 (doing nothing), there are five levels defined along the CMM continuum. The predictability, effectiveness and control of an organization’s privacy processes are expected to improve as the organization moves up these five levels.
• Level 1 – Initial: processes at this level are typically undocumented and in a state of change, driven in an ad hoc, uncontrolled and reactive manner by users or events. This provides a chaotic or unstable environment for the processes.
• Level 2 – Repeatable: some processes are repeatable, possibly with consistent results. Process discipline is unlikely to be rigorous, but where it exists it may help to ensure that existing processes are maintained during times of stress.
• Level 3 – Defined: sets of defined and documented standard processes are established and subject to some degree of improvement over time. These standard processes are in place (i.e., they are the AS-IS processes) and are used to establish consistency of process performance across the organization.
• Level 4 – Managed: using process metrics, management can effectively control the business process. In particular, management can identify ways to adjust and adapt the process to particular projects without measurable losses of quality or deviations from specifications. Process capability is established from this level.
• Level 5 – Optimized: the focus is on continually improving process performance through both incremental and innovative technological changes and improvements. At maturity level 5, products, and the processes designed to operate and maintain them, are concerned with addressing changes and improvements.
[Figure: the Privacy Maturity Model levels shown graphically]
It is not essential to be at maturity level 5 to have an appropriate privacy program.
Capability Maturity Model (CMM): Summary
• CMM is a service mark owned by Carnegie Mellon University (CMU).
• CMM is based on data collected from organizations that contracted with the U.S. Department of Defense.
• CMM was developed at CMU’s Software Engineering Institute (SEI).
• CMM has 6 levels of maturity: 0 = Nothing, 1 = Initial (ad hoc), 2 = Repeatable, 3 = Defined, 4 = Managed and 5 = Optimized.
• An entity does not have to be at level 5 to achieve an acceptable level of performance.
Let’s Look at the Privacy Maturity Model
• GAPP – Generally Accepted Privacy Principles: an established privacy standard providing a global benchmark
• CMM – Capability Maturity Model: a recognized model for assessing the maturity (status) of projects and processes
• Privacy Maturity Model: the combination of the two
Privacy Maturity Model
• Combines the concepts of the Capability Maturity Model with the standards that comprise Generally Accepted Privacy Principles
• Provides an effective tool to assess an organization’s privacy initiatives
• Allows comparisons amongst business units, geographical organizations or enterprise-wide
• Allows time-series analysis of progress
• Provides an effective “snapshot” of an entity’s privacy initiatives
Privacy Maturity Model: Matrices
• The Privacy Maturity Model consists of a series of matrices that provide information on the expected evidence, documents or performance at each of the maturity levels 1 to 5
• The matrices are aligned with, and contain information on, the privacy principles and criteria
• The privacy maturity requirements are addressed at the criteria level
Privacy Maturity Model: Matrix Layout
• Rows: each privacy principle and its privacy criteria
• Columns: the privacy maturity levels (1 to 5)
• Cells: the expected privacy attributes for that criterion at each maturity level
Privacy Maturity Model: Findings Against PMM Attributes
• An entity may determine that its Privacy Policies cover notice, choice and consent, collection, use, retention and disposal
• They may also cover security
• However, the entity may determine that its policies do not address quality (accurate, timely, relevant, etc.)
• Nor do its Privacy Policies address monitoring and enforcement
• This scenario would probably warrant a rating of slightly less than 3.0
Privacy Maturity Model User Guide
Privacy Maturity User Guide: Assessment Flow
• Inputs: Generally Accepted Privacy Principles (GAPP) and the entity’s Corporate Privacy Policies (CPP)
• Assessment: using the PMM Data Reporting Form and Data Analysis Form, assess and document information for each of the 73 criteria
• Internal outputs: management reports and remediation plans
• External outputs: independent reports
Privacy Maturity Data Collection Form (columns)
• Privacy Principle
• Privacy Criteria
• Findings and Observations
• Privacy Maturity Level – Preliminary Assessment
• Attribute Link (optional)
Using the Privacy Maturity Model
1. Start from GAPP and the entity’s Corporate Privacy Policies (CPP).
2. Review the enterprise against GAPP and add any additional enterprise-specific requirements, producing an enterprise-specific GAPP.
3. Develop interview guides and conduct interviews.
4. Form A: complete the Comments column to document the current state.
5. Apply the Privacy Maturity Model.
6. Form B: complete the Assessment column.
7. Form B: complete the Recommendation column.
[Chart: Maturity Reporting by Principle – one bar per principle (Management; Notice; Choice & Consent; Collection; Use, Retention & Disposal; Access; Disclosure to 3rd Parties; Security for Privacy; Quality; Monitoring & Enforcement) plotted against the entity’s expected maturity level, on a 0 to 5 maturity scale]
[Chart: Maturity Reporting by Criteria for the Notice principle – criteria assessed: Privacy Policies, Communication to Individuals, Provision of Notice, Entities & Activities, Clear & Conspicuous; the entity’s actual maturity level plotted against its expected maturity level, on a 0 to 5 maturity scale]
[Chart: Maturity Reporting by Principle by Time Period – 2009 and 2010 bars per principle (Management; Notice; Choice & Consent; Collection; Use, Retention & Disposal; Access; Disclosure to 3rd Parties; Security for Privacy; Quality; Monitoring & Enforcement) plotted against the entity’s expected maturity level, on a 0 to 5 maturity scale]
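The three reports above (by principle, by criterion, and by time period) are all roll-ups of the same criterion-level ratings recorded on the Data Analysis Form. The following Python is an added example, not part of this deck and not the AICPA-CICA PMM tooling: it takes criterion ratings on the 0 to 5 CMM scale, derives principle-level scores, lists the criteria that fall short of the entity’s expected level, and computes the change between two assessment periods. It assumes that a principle’s score is the unweighted mean of its criteria ratings (consistent with the “slightly less than 3.0” reading on the Findings slide); the criteria names under Notice follow the chart above, while all levels, targets and the other principles’ criteria are constructed sample data.

```python
"""Illustrative PMM roll-up: criterion ratings -> principle scores, gaps, period deltas.
Added example; not the AICPA-CICA Privacy Maturity Model tool itself."""
from dataclasses import dataclass
from statistics import mean

# CMM scale as used on the deck's summary slide (Level 0 = doing nothing).
LEVEL_NAMES = {0: "Nothing", 1: "Initial (ad hoc)", 2: "Repeatable",
               3: "Defined", 4: "Managed", 5: "Optimized"}


@dataclass(frozen=True)
class CriterionRating:
    principle: str
    criterion: str
    level: int  # assessed maturity level from the Data Analysis Form, 0..5

    def __post_init__(self):
        # A rating outside the CMM scale is a data-entry error, not a low score.
        if self.level not in LEVEL_NAMES:
            raise ValueError(f"{self.principle}/{self.criterion}: level {self.level} not in 0..5")


def maturity_by_principle(ratings):
    """Principle score = unweighted mean of its criteria ratings (assumption, see lead-in)."""
    by_principle = {}
    for r in ratings:
        by_principle.setdefault(r.principle, []).append(r.level)
    return {p: round(mean(levels), 2) for p, levels in by_principle.items()}


def overall_maturity(ratings):
    """Entity-wide score across every rated criterion."""
    return round(mean(r.level for r in ratings), 2)


def gaps_against_target(ratings, target_by_principle):
    """Criteria rated below the entity's expected level for their principle.
    Principles with no expected level are reported separately rather than silently skipped,
    so a missing target cannot masquerade as a clean result."""
    gaps, untargeted = [], set()
    for r in ratings:
        target = target_by_principle.get(r.principle)
        if target is None:
            untargeted.add(r.principle)
        elif r.level < target:
            gaps.append((r.principle, r.criterion, r.level, target))
    return gaps, untargeted


def period_delta(current, prior):
    """Change in each principle's score between two assessments (the time-series view).
    A principle first rated in the current period is measured from 0 (nothing in place)."""
    cur, prev = maturity_by_principle(current), maturity_by_principle(prior)
    return {p: round(cur[p] - prev.get(p, 0.0), 2) for p in cur}


# Constructed sample data (not a real assessment). Notice criteria names follow the chart.
EXPECTED = {"Notice": 3, "Security for Privacy": 4, "Quality": 3}
RATINGS_2010 = [
    CriterionRating("Notice", "Privacy Policies", 3),
    CriterionRating("Notice", "Communication to Individuals", 3),
    CriterionRating("Notice", "Provision of Notice", 2),
    CriterionRating("Notice", "Entities & Activities", 3),
    CriterionRating("Notice", "Clear & Conspicuous", 2),
    CriterionRating("Security for Privacy", "Information Security Program", 4),
    CriterionRating("Security for Privacy", "Logical Access Controls", 4),
    CriterionRating("Quality", "Accuracy and Completeness", 1),
    CriterionRating("Quality", "Relevance", 2),
    CriterionRating("Access", "Access by Individuals", 2),  # no target set for Access
]
RATINGS_2009 = [
    CriterionRating("Notice", "Privacy Policies", 2),
    CriterionRating("Notice", "Communication to Individuals", 2),
    CriterionRating("Notice", "Provision of Notice", 2),
    CriterionRating("Notice", "Entities & Activities", 2),
    CriterionRating("Notice", "Clear & Conspicuous", 2),
    CriterionRating("Security for Privacy", "Information Security Program", 3),
    CriterionRating("Security for Privacy", "Logical Access Controls", 3),
    CriterionRating("Quality", "Accuracy and Completeness", 1),
    CriterionRating("Quality", "Relevance", 1),
]

if __name__ == "__main__":
    print("By principle (2010):", maturity_by_principle(RATINGS_2010))
    print("Overall (2010):", overall_maturity(RATINGS_2010))
    gaps, untargeted = gaps_against_target(RATINGS_2010, EXPECTED)
    for principle, criterion, level, target in gaps:
        print(f"GAP  {principle} / {criterion}: {level} ({LEVEL_NAMES[level]}) < expected {target}")
    print("Principles without an expected level:", sorted(untargeted))
    print("Change 2009 -> 2010:", period_delta(RATINGS_2010, RATINGS_2009))
```

The gap list is what feeds a remediation plan: it names the specific criterion, not just the principle, so the work items map back to the rows of the Data Analysis Form. Reporting principles that have no expected level is deliberate; an entity that forgets to set a target for, say, Access would otherwise see no gaps there and read that as compliance.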
Privacy Maturity Model: Summary
An effective means of assessing an entity’s privacy program using:
• GAPP – a recognized privacy standard based on international requirements
• PMM – based on CMM, a recognized project/program assessment technique
• A useful tool for management, auditors, advisors and privacy professionals
• PMM will be integrated with the AICPA-CICA Privacy Assessment Tool to provide greater flexibility and ease of use
• PMM is, and will continue to be, supported and maintained by the AICPA and CICA professional organizations, which have over half a million members
• Provides insightful information in an easy-to-understand format
• Provides information for a meaningful path to privacy compliance and sustainability
• PMM is based on GAPP and is appropriate for use by US and Canadian entities as well as multinational entities with international privacy requirements
Thank You – Enjoy the Bar
If you are interested in using the Privacy Maturity Model, we would welcome your comments.
• Robert Parker – firstname.lastname@example.org – (250) 658-0250 (Pacific Time Zone)
• Nicholas Cheung – email@example.com – (416) 204-3251 (Eastern Time Zone)
• Nancy Cohen – firstname.lastname@example.org – (201) 938-3298 (Eastern Time Zone)