Hong Kong Accountability Benchmarking Micro-Study. Nymity Accountability Workshop 10 June 2015, Office of the PCPD, Hong Kong
2 Interactive Workshop
What we will do, and your participation:
- Provide background on the Study and the Nymity Accountability Research that supports benchmarking
- Discuss highlights of the Study and the analysis of privacy management programs in participating organizations
- Guide you through learning how to benchmark your own privacy management program
- Interact: share your experiences and perspectives
- Gain insight into core privacy initiatives for accountable privacy management
- Ask a lot of questions
- Help shape the future of Accountability Research and Reports
- Learn from your experience and knowledge
3 What will you leave with?
The latest insights on privacy management programmes and accountability benchmarking, and practical knowledge to measure and enhance your organization's privacy management performance, by learning:
- How does my privacy management program compare to others?
- In which privacy activities have most organizations invested?
- What are the privacy management program priorities for the future?
Attendees will receive:
1. A copy of the Hong Kong Accountability Benchmarking Micro-Study Report and the Workshop presentation
2. Nymity Benchmarking Worksheet Template
3. Nymity Privacy Management Program Accountability Framework
4. Hong Kong PMP Best Practice Guide
4 BACKGROUND
5 PCPD and Nymity Collaborated to Conduct the Micro-Study
- The PCPD has advocated and promoted the adoption of Privacy Management Programmes (PMP) in organizations as a strategic framework to protect personal data privacy
- A Best Practice Guide to help organizations embrace personal data protection and implement good practices (18 February 2014)
- Key data users in Hong Kong have pledged to implement a PMP in their respective organizations
6 Introducing Nymity: A Data Privacy Research Company
Focus: dedicated to global data privacy compliance research
Established: 2002
Headquarters: Toronto, Canada
Research: inventor of several compliance methodologies and frameworks
Funding: partially funded by government R&D grants
Solutions for the Privacy Office:
- Privacy Management Solutions: Nymity Attestor, Nymity Benchmarks, Nymity Templates
- Compliance Research Solutions: PrivaWorks, Nymity MofoNotes, Nymity LawTables
Nymity is a global data privacy compliance research company specializing in accountability, risk, and compliance software solutions for the Privacy Office. Nymity's suite of software solutions helps organizations attain, maintain, and demonstrate data privacy compliance.
7 Nymity Privacy Management Accountability Framework
- Nymity views privacy management as a set of ongoing organizational privacy management activities, not a checklist
- Accountability = responsible privacy management activities
- For years, Nymity has been conducting ongoing research through workshops, implementations of privacy management solutions, creation of templates, and Nymity's traditional research, all of which is global, jurisdictionally neutral, and sector/industry neutral
- The Framework was developed to communicate the status of the privacy program, i.e. to demonstrate accountability (13 processes, 152 PMAs)
8 Nymity Privacy Management Accountability Framework: Background
Each privacy management process contains a number of Privacy Management Activities (PMAs), each of which is supported by a Scope and a Business Case. For example, the PMA "Maintain job descriptions for individuals responsible for data privacy (e.g. data protection officers)":
Scope: To help the organization meet its privacy mission statement and its legal obligations around appointing data protection officers, individuals responsible for privacy have clear roles and job descriptions. Roles that may be defined include: Chief Privacy Officer; Privacy Managers; Data Protection Officers (DPO); Privacy Analysts; business-line privacy leaders/stewards; and incident response team members. Outside the scope of this privacy management activity is sectoral and regional salary and benefit determination.
Business Case: At many organizations privacy is a new or still-undeveloped organizational function, but all organizations are critically dependent on the work of their people to achieve privacy compliance. If an organization has not clarified its privacy roles and responsibilities, it is much less likely to succeed at other tasks related to privacy compliance; e.g., if responsibility for privacy training and awareness has not yet been assigned, the probability is high that this job is not being done adequately. Therefore, defining clear roles and responsibilities in a job description is an essential prerequisite for all privacy activities. The benefits of having specific, documented role and responsibility statements include: greater respect and greater resources; demonstrable senior management support; clarifying the privacy function and where it fits into the organizational structure; development of formal communication channels with senior management that can be used to help get important projects underway; proactive privacy compliance; reduced costs to adequately handle privacy; and legal compliance.
9 Hong Kong Privacy Management Programme Benchmarking Research MEASURING ACCOUNTABILITY
10 Nymity Benchmarking Research: Participating Organizations
- 16 organizations
- Pledging organizations and members of the DPOC
- All have a Privacy Office
- In various stages of implementing a privacy management programme
Data as of 3 September 2014
11 Nymity Privacy Management Benchmarking Research
16 organizations identified the status of each of the 152 Privacy Management Activities as one of:
- Implemented: implemented, and either Core (fundamental to privacy management, mandatory) or Elective (advanced, beyond the minimum required)
- Planned: in progress, or scheduled to be implemented in the next 12 months
- Desired: the privacy office could anticipate or wish to implement it if there were no resource constraints
- N/A: not desired, required, applicable or justified based on privacy risk and business priorities
Research Results: Privacy Management Activity Status (chart): 97 Implemented
12 Topics
- Overview of Privacy Management
- Top Implemented Privacy Management Activities
- Top Desired Privacy Management Activities
- The Status of Privacy Management in Relation to the PMP Best Practice Guide
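The four-status scheme above is what a benchmarking worksheet aggregates into the percentage tables that follow. The block below is an added example, not the Nymity Benchmarking Worksheet Template or any code from the Study: it loads a constructed worksheet of per-organization ratings, computes the Implemented/Planned/Desired/N/A percentages per activity, ranks activities by implementation, and lists where one hypothetical organization lags its peers. The organization names, the activity subset, every rating, and the functions `load_worksheet`, `benchmark`, `rank` and `gaps` are this example's own assumptions.

```python
"""Benchmark worksheet aggregation (added example; not Nymity's worksheet, template or code).

Assumes each organization records exactly one of the four slide-defined statuses
per Privacy Management Activity (PMA). Organization names, the activity subset
and every status below are constructed sample data, not Micro-Study results.
"""
import csv
import io
from collections import Counter

# The four statuses defined on the slide, in the column order the slides use.
STATUSES = ("Implemented", "Planned", "Desired", "N/A")

# Constructed worksheet: one row per (organization, activity) pair. Five hypothetical
# organizations rate four activities taken from the framework.
SAMPLE_CSV = """organization,activity,status
Org-A,Maintain a data privacy policy,Implemented
Org-B,Maintain a data privacy policy,Implemented
Org-C,Maintain a data privacy policy,Implemented
Org-D,Maintain a data privacy policy,Implemented
Org-E,Maintain a data privacy policy,Implemented
Org-A,Conduct periodic testing of breach protocol,Implemented
Org-B,Conduct periodic testing of breach protocol,Planned
Org-C,Conduct periodic testing of breach protocol,Desired
Org-D,Conduct periodic testing of breach protocol,Desired
Org-E,Conduct periodic testing of breach protocol,Desired
Org-A,Maintain a privacy Seal or Trustmark,N/A
Org-B,Maintain a privacy Seal or Trustmark,N/A
Org-C,Maintain a privacy Seal or Trustmark,Desired
Org-D,Maintain a privacy Seal or Trustmark,N/A
Org-E,Maintain a privacy Seal or Trustmark,N/A
Org-A,Maintain customer Frequently Asked Questions,Implemented
Org-B,Maintain customer Frequently Asked Questions,Implemented
Org-C,Maintain customer Frequently Asked Questions,Implemented
Org-D,Maintain customer Frequently Asked Questions,Desired
Org-E,Maintain customer Frequently Asked Questions,Planned
"""


def load_worksheet(text):
    """Parse the CSV; reject unknown statuses and duplicate (organization, activity) rows."""
    rows = list(csv.DictReader(io.StringIO(text)))
    seen = set()
    for r in rows:
        key = (r["organization"], r["activity"])
        if r["status"] not in STATUSES:
            raise ValueError(f"unknown status {r['status']!r} for {key}")
        if key in seen:
            raise ValueError(f"duplicate rating for {key}")
        seen.add(key)
    return rows


def benchmark(rows):
    """Return {activity: {status: percent}}; percentages are of the organizations that rated the activity."""
    counts = {}
    for r in rows:
        counts.setdefault(r["activity"], Counter())[r["status"]] += 1
    return {
        activity: {s: round(100 * c[s] / sum(c.values())) for s in STATUSES}
        for activity, c in counts.items()
    }


def rank(results, status="Implemented"):
    """Activities ordered by the share of organizations reporting `status`, highest first (ties alphabetical)."""
    return sorted(results, key=lambda a: (-results[a][status], a))


def gaps(rows, organization, results, threshold=50):
    """Activities `organization` has not implemented although at least `threshold`% of peers have.

    This is the comparison the workshop walks through: where does my programme lag the group?
    """
    mine = {r["activity"]: r["status"] for r in rows if r["organization"] == organization}
    return sorted(
        a for a, pct in results.items()
        if pct["Implemented"] >= threshold and mine.get(a) != "Implemented"
    )


if __name__ == "__main__":
    worksheet = load_worksheet(SAMPLE_CSV)
    results = benchmark(worksheet)
    print("Rank | Activity | " + " | ".join(f"{s} (%)" for s in STATUSES))
    for i, activity in enumerate(rank(results), start=1):
        print(f"{i} | {activity} | " + " | ".join(str(results[activity][s]) for s in STATUSES))
    print("Org-D gaps vs. peers:", gaps(worksheet, "Org-D", results))
```

Percentages are taken over the organizations that rated each activity, so an activity left unrated by some organizations is scored against fewer respondents; the loader rejects duplicate ratings and unrecognised statuses so that one malformed row cannot silently shift a percentage.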
13 Overview of Privacy Management: TOP IMPLEMENTED AND DESIRED ACTIVITIES
14 Top Implemented Activities Prioritize Compliance with the PDPO
Implemented activities are those that are resourced, developed, maintained, and documented.
Implemented (%) | Privacy Management Activity | PDPO Section / DPP or Code
100% | Maintain a data privacy policy | DPP 5
100% | Integrate data privacy into records retention practices | DPP 2
100% | Maintain technical security measures (e.g. intrusion detection, firewalls, monitoring) | DPP 4
100% | Provide data privacy notice at all points where personal data is collected | DPP 1; ss. 35C, 35J
100% | Maintain procedures to respond to access/correction requests | DPP 6; 17A, 25, 27, 28
100% | Maintain policies/procedures for collecting consent preferences | DPP 3
100% | Maintain data privacy requirements for third parties (e.g., vendors, processors, affiliates) | DPP (number not captured)
100% | Maintain procedures to restrict access to personal information (e.g. role-based access, segregation of duties) | DPP 4
100% | Maintain policies/procedures for collection and use of sensitive personal data (including biometric data) | DPP 1, 3
100% | Integrate data privacy into employee background check practices | Code of Practice on HR Management
100% | Maintain a data privacy notice for employees (processing of employee personal data) | Code of Practice on HR Management
100% | Assign accountability at a senior level | -
15 Top Implemented Activities (cont.)
Implemented (%) | Privacy Management Activity | PDPO Section / DPP or Code
93% | Maintain a separate employee data privacy policy | Code of Practice on HR Management
93% | Maintain policies/procedures for secure destruction of personal data | DPP 4
93% | Maintain procedures to address complaints | -
93% | Allocate resources to adequately implement and support the privacy program (e.g. budget, personnel) | -
93% | Maintain procedures to execute contracts or agreements with all processors | DPP 2, (second reference not captured)
93% | Maintain policies/procedures for maintaining data quality | DPP 2
93% | Maintain administrative and technical measures to encrypt personal data in transmission and at rest, including removable media | DPP 4
93% | Document guiding principles for consent | DPP 3
16 Highest-Ranking Desired Privacy Management Activities
Desired activities are defined as those activities that the privacy office could anticipate or wish to implement if there were no resource constraints.
17 Top Ranked Desired Privacy Management Activities
The top desired activities identified as applicable to privacy management programmes span five key privacy management process areas within the Nymity Accountability Framework:
Privacy Management Activity | % Desired
Maintain Data Breach Management Program
- Conduct periodic testing of breach protocol and document findings and changes made | 60
Monitor for New Operational Practices
- Metrics for PIAs | 60
- Procedures to address issues identified during PIAs | 53
- Privacy by Design framework for all system and product development | 40
- PIA guidelines and templates | 40
18 Top Ranked Desired Privacy Management Activities (cont.)
Privacy Management Activity | % Desired
Training and Awareness
- Internal data privacy intranet, blog, FAQ etc. | 47
- Second-level training program | 47
- One-time, one-off tactical training and communication around relevant topics | 40
- Deliver a privacy newsletter or incorporate it into existing corporate communications | 40
Manage Third Party Risk
- Ongoing due diligence around the data privacy and security posture of vendors/processors based on a risk assessment | 53
- Review long-term contracts for new or evolving data protection risks | 47
Procedures for Inquiries and Complaints
- Customer frequently asked questions | 53
- Metrics for data protection complaints | 47
- Procedures to identify root causes for data protection complaints | 40
19 Top Implemented and Planned Activities
20 Benchmarking Exercise
21 Data as of 4 March 2015
22 9. Maintain Procedures for Inquiries and Complaints
23 9. Maintain Procedures for Inquiries and Complaints
Ranking of implemented "Maintain Procedures for Inquiries and Complaints" Privacy Management Activities. Status of all organizations, ranked by implementation (the Implemented, Planned, Desired and N/A percentage columns were not captured in the transcription):
1. Maintain procedures to respond to access requests
2. Maintain procedures to address complaints
3. Maintain procedures to respond to requests for information
4. Maintain procedures to respond to requests to update or revise personal data
5. Maintain procedures to respond to requests to opt-out
6. Maintain escalation procedures for serious complaints or complex access requests
7. Maintain procedures to investigate root causes of data protection complaints
8. Maintain metrics for data protection complaints (e.g. number, root cause)
9. Maintain customer Frequently Asked Questions
24 The Status of Privacy Management in Relation to the PMP Best Practice Guide
25 Highlights
Targeted organizations have made significant strides in proactively embracing privacy and data protection:
- Organizational commitment
- Data inventory
- Data privacy policy and privacy notices
- Core training activities
Additional resources are desired in order to more fully develop key areas of a comprehensive privacy management programme:
- Build-out of PIA processes and procedures, and Privacy by Design
- More training and awareness activities
- Managing third-party risk
26 Structure of the PMP Best Practice Guide
The PMP Best Practice Guide suggests three management commitments, seven programme controls, and two processes to implement an accountability framework.
Part A: Baseline Fundamentals of a Privacy Management Programme
1. Organisational Commitments
   a. Buy-in from the Top
   b. Data Protection Office and/or Officer
   c. Reporting
2. Programme Controls
   a. Personal Data Inventory
   b. Policies
   c. Risk Assessment Tools
   d. Training and Education Requirements
   e. Breach Handling
   f. Data Processor Management
   g. Communication
Part B: Ongoing Assessment and Revision
   a. Develop an Oversight and Review Plan
   b. Assess and Revise Programme Controls
27 PMP and Nymity Accountability Framework The aggregated results of the Micro-Study will be discussed within each area of the PMP Best Practice Guide and compared to the actual privacy management activities identified in the Nymity Privacy Management Accountability Framework.
28 Part A: Baseline Fundamentals of a Privacy Management Programme
A.1 Organizational Commitment (Nymity Accountability Framework: Maintain Governance Structure)
This first component is an internal governance structure that fosters a privacy-respectful culture.
PMP Best Practice Guide:
a) Buy-in from the Top: top management support is key to a successful privacy management programme and essential for a privacy-respectful culture.
b) Data Protection Officer / Data Protection Office: organisations should appoint or designate someone to manage the privacy management programme.
c) Reporting: reporting mechanisms should be established, and reflected in the organisation's programme controls.
29 A.1 Organizational Commitment (Nymity Accountability Framework: Maintain Governance Structure)
Status of all organizations, ranked by implementation (percentage columns not captured):
1. Assign accountability for data privacy at a senior level
2. Allocate resources to adequately implement and support the privacy program (e.g. budget, personnel)
3. Assign responsibility for data privacy throughout the organization
4. Require employees to acknowledge and agree to adhere to the data privacy policies
5. Conduct an Enterprise Privacy Risk Assessment
6. Maintain a privacy strategy
7. Maintain job descriptions for individuals responsible for data privacy (e.g. data protection officers)
8. Conduct regular communication between individuals accountable and responsible for data privacy
9. Maintain a privacy program charter/mission statement
30 A.1 Organizational Commitment (Nymity Accountability Framework: Maintain Governance Structure) (cont.)
10. Report, on a scheduled basis, on the status of the privacy program (e.g. board of directors, management board)
11. Consult with stakeholders throughout the organization on data privacy matters
12. Integrate data privacy into a Code of Conduct
13. Maintain a strategy to align activities with legal requirements (e.g. address conflicts, differences in standards, creating rationalized rule sets)
14. Integrate data privacy into ethics guidelines
15. Integrate data privacy into business risk assessments/reporting
16. Report periodically on the status of the privacy program to external stakeholders, as appropriate (e.g. annual reports, third parties, clients)
17. Appoint a representative in member states where the organization does not maintain a physical presence
31 A.2 Programme Controls (maps to several privacy management processes within the Nymity Accountability Framework)
Programme controls form the second component of a privacy management programme. They help ensure that what is mandated in the governance structure is implemented in the organisation.
Data as of 4 March 2015
32 A. 2. Programme Controls (Maps to Several Privacy Management Processes within the Nymity Accountability Framework) cont. Data as of 4 March 2015
33 A.2 (a) Programme Controls: Personal Data Inventory (Nymity Privacy Management Process: Maintain Personal Data Inventory)
Status of all organizations, ranked by implementation (percentage columns not captured):
1. Maintain an inventory of key personal data holdings (what personal data is held and where)
2. Classify personal data holdings by type (e.g. sensitive, confidential, public)
3. Obtain approval for data processing (where prior approval is required)
4. Maintain flow charts for key data flows (e.g. between systems, between processes, between countries)
34 HK Organizations Compared to Global Organizations
35 A.2 (b) Programme Controls: Policies (Nymity Privacy Management Process: Maintain Data Privacy Policy)
Status of all organizations, ranked by implementation (percentage columns not captured):
1. Maintain a data privacy policy
2. Maintain a separate employee data privacy policy
3. Document guiding principles for consent
4. Document legal basis for processing personal data
5. Obtain board approval for data privacy policy
36 A.2 (c) Programme Controls: Risk Assessment
Status of all organizations, ranked by implementation (percentage columns not captured):
1. Conduct a security risk assessment which considers data privacy risk
2. Conduct an Enterprise Privacy Risk Assessment
3. Conduct due diligence around the data privacy and security posture of potential vendors/processors
4. Maintain data privacy incident/breach metrics (e.g. nature of breach, risk, root cause)
5. Conduct PIAs for new programs, systems, processes
6. Integrate data privacy into business risk assessments/reporting
7. Conduct audits/assessments of the privacy program outside of the Privacy Office (e.g. Internal Audit)
8. Conduct ad-hoc walk-throughs
9. Conduct self-assessments managed by the Privacy Office
10. Maintain a Privacy by Design framework for all system and product development
11. Maintain a vendor data privacy risk assessment process
12. Review long-term contracts for new or evolving data protection risks
13. Conduct ongoing due diligence around the data privacy and security posture of vendors/processors based on a risk assessment
14. Conduct assessments through use of third-party verification
37 A.2 (d) Programme Controls: Training and Education (Nymity Privacy Management Process: Maintain Training and Awareness)
Status of all organizations, ranked by implementation (percentage columns not captured):
1. Maintain a core training program for all employees
2. Conduct training for newly appointed employees upon assignment to privacy-sensitive positions
3. Integrate data privacy into other training programs, such as HR, security, call centre, retail operations training
4. Provide ongoing education and training for the Privacy Office (e.g. conferences, webinars, guest speakers)
5. Conduct regular refresher training to reflect new developments
6. Measure participation in data privacy training activities (e.g. numbers of participants, scoring)
7. Maintain ongoing awareness material (e.g. posters and videos)
8. Conduct one-off, one-time tactical training and communication dealing with specific, highly-relevant issues/topics
9. Maintain a second level training program reflecting job specific content
38 A.2 (d) Programme Controls: Training and Education (Nymity Privacy Management Process: Maintain Training and Awareness) (cont.)
10. Maintain an internal data privacy intranet, privacy blog, or repository of privacy FAQs and information
11. Deliver a privacy newsletter, or incorporate privacy into existing corporate communications
12. Conduct data privacy training needs analysis by position/job responsibilities
13. Provide data privacy information on system logon screens
14. Require completion of data privacy training as part of performance reviews
15. Maintain certification for individuals responsible for data privacy, including continuing professional education
16. Hold an annual data privacy day/week
17. Measure comprehension of data privacy concepts using exams
39 Global Statistics for Employee Training
Of the 102 countries that have omnibus privacy or data protection laws in place, only 14 require employee training.
Education and training activities in organizations:
- 73% provide ongoing education and training for individuals responsible for privacy in the organization (e.g. conferences, webinars, and guest speakers)
- 70% maintain a core training program for all employees, and 20% plan this
- (percentage not captured) consider that certification for individuals responsible for data privacy, including continuing professional education, is a requirement of their privacy program
- 53% conduct training for newly appointed employees upon assignment to privacy-sensitive positions, and 17% plan to offer and maintain such training this year
Awareness activities in organizations:
- 54% maintain an internal data privacy intranet, privacy blog, or repository of privacy FAQs, and an additional 20% are planning this
- 42% maintain ongoing awareness material (e.g. posters and videos)
- 37% deliver a privacy newsletter or incorporate privacy into existing corporate communications
- 29% hold an annual data privacy day/week
Data as of 4 March 2015
40 A.2 (e) Programme Controls: Breach Handling (Nymity Privacy Management Process: Maintain Data Breach Management Program)
Status of all organizations, ranked by implementation (percentage columns not captured):
1. Maintain a documented data privacy incident/breach response protocol
2. Maintain a breach notification (to affected individuals) and reporting (to regulators, credit agencies, law enforcement) protocol
3. Maintain a breach incident log to track nature/type of all breaches
4. Maintain data privacy incident/breach metrics (e.g. nature of breach, risk, root cause)
5. Maintain a record preservation protocol to protect relevant log history
6. Conduct periodic testing of breach protocol and document findings and changes made
7. Engage a breach response remediation provider
8. Engage a forensic investigation team
9. Obtain data privacy breach insurance coverage
41 A.2 (f) Programme Controls: Data Processor Management (Nymity Privacy Management Process: Manage Third Party Risk)
Status of all organizations, ranked by implementation (percentage columns not captured):
1. Maintain data privacy requirements for third parties (e.g., vendors, processors, affiliates)
2. Maintain procedures to execute contracts or agreements with all processors
3. Maintain procedures to address instances of non-compliance with contracts and agreements
4. Conduct due diligence around the data privacy and security posture of potential vendors/processors
5. Maintain a vendor data privacy risk assessment process
6. Review long-term contracts for new or evolving data protection risks
7. Conduct ongoing due diligence around the data privacy and security posture of vendors/processors based on a risk assessment
8. Maintain a policy governing use of cloud providers
42 A.2 (g) Programme Controls: Communication (Nymity Privacy Management Processes: Maintain Notices and Maintain Procedures for Inquiries and Complaints)
Maintain Notices. Status of all organizations, ranked by implementation (percentage columns not captured):
1. Provide data privacy notice at all points where personal data is collected
2. Maintain a data privacy notice for employees
3. Maintain a data privacy notice that details the organization's personal data handling policies
4. Provide notice in all forms, contracts and terms
5. Provide notice by means of on-location signage, posters
6. Provide notice in marketing communications (e.g. emails, flyers, offers)
7. Maintain scripts for use by employees to explain the data privacy notice
8. Provide data privacy education to individuals (e.g. preventing identity theft)
9. Maintain a privacy Seal or Trustmark to increase customer trust
43 A.2 (g) Programme Controls: Communication (cont.)
Maintain Procedures for Inquiries and Complaints. Status of all organizations, ranked by implementation (percentage columns not captured):
1. Maintain procedures to respond to access requests
2. Maintain procedures to address complaints
3. Maintain procedures to respond to requests for information
4. Maintain procedures to respond to requests to update or revise personal data
5. Maintain procedures to respond to requests to opt-out
6. Maintain escalation procedures for serious complaints or complex access requests
7. Maintain procedures to investigate root causes of data protection complaints
8. Maintain metrics for data protection complaints (e.g. number, root cause)
9. Maintain customer Frequently Asked Questions
44 Part B: Ongoing Assessment and Revision (PMP Best Practice Guide / Nymity Accountability Framework)
1. Develop an Oversight and Review Plan: an oversight and review plan will help the organisation keep its privacy management programme on track and up to date.
2. Assess and Revise Programme Controls: the effectiveness of programme controls should be monitored, periodically audited, and where necessary, revised.
45 Develop an Oversight and Review Plan and Assess and Revise Programme Controls (Nymity Accountability Framework: Monitor Data Handling Practices)
Status of all organizations, ranked by implementation (percentage columns not captured):
1. Conduct ad-hoc audits/assessments based on complaints/inquiries/breaches
2. Conduct audits/assessments of the privacy program outside of the Privacy Office (e.g. Internal Audit)
3. Conduct ad-hoc walk-throughs
4. Conduct self-assessments managed by the Privacy Office
5. Benchmark results of audits/assessments (e.g. comparison to previous audit, comparison to other business units)
6. Maintain privacy program metrics
7. Conduct assessments through use of third-party verification
46 Wrap-Up QUESTIONS, COMMENTS AND FUTURE ACCOUNTABILITY RESEARCH
47 What did we learn? What would you like to see in the Future?
48 For More Information
For questions about the Study, please contact Teresa Troester-Falk (contact details not captured). For more information on Nymity Benchmarks, please contact Nymity.
More informationEmbedding Privacy by Design
Embedding Privacy by Design Metric Stream Customer Conference May 12, 2015 TRUSTe Data Privacy Management Solutions 1 Today s Agenda Privacy in the Context of GRC Data Privacy Management and Top Privacy
More informationCyber Risks in the Boardroom Conference
Cyber Risks in the Boardroom Conference Managing Business, Legal and Reputational Risks Perspectives for Directors and Executive Officers Preparing Your Company to Identify, Mitigate and Respond to Risks
More informationApplication for Certification
Application for Certification Requirements to Become a Certified Information Security Manager To become a Certified Information Security Manager (CISM), an applicant must: 1. Score a passing grade on the
More informationInformation Technology Security Plan Policies, Controls, and Procedures Identify Governance ID.GV
Information Technology Security Plan Policies, Controls, and Procedures Identify Governance ID.GV Location: https://www.pdsimplified.com/ndcbf_pdframework/nist_csf_prc/documents/identify/ndcbf _ITSecPlan_IDGV2017.pdf
More informationREVIEW OF MANAGEMENT AND OVERSIGHT OF THE INTEGRATED BUSINESS MANAGEMENT SYSTEM (IBMS) January 16, 2009
APPENDIX 1 REVIEW OF MANAGEMENT AND OVERSIGHT OF THE INTEGRATED BUSINESS MANAGEMENT SYSTEM (IBMS) January 16, 2009 Auditor General s Office Jeffrey Griffiths, C.A., C.F.E. Auditor General City of Toronto
More informationIt applies to personal information for individuals that are external to us such as donors, clients and suppliers (you, your).
Our Privacy Policy 1 Purpose Mission Australia is required by law to comply with the Privacy Act 1988 (Cth) (the Act), including the Australian Privacy Principles (APPs). We take our privacy obligations
More informationInformation Security Incident Response Plan
Information Security Incident Response Plan Purpose It is the objective of the university to maintain secure systems and data. In order to comply with federal, state, and local law and contractual obligations,
More informationSTAFF REPORT. January 26, Audit Committee. Information Security Framework. Purpose:
STAFF REPORT January 26, 2001 To: From: Subject: Audit Committee City Auditor Information Security Framework Purpose: To review the adequacy of the Information Security Framework governing the security
More informationPRODUCT SAFETY PROFESSIONAL CERTIFICATION PROGRAM DETAILS. Overview
Overview PRODUCT SAFETY PROFESSIONAL CERTIFICATION PROGRAM DETAILS The Product Safety Professional Certification Program at the Richard A. Chaifetz School of Business focuses on the theoretical as well
More informationPrivacy Code of Conduct on mhealth apps the role of soft-law in enhancing trust ehealth Week 2016
Privacy Code of Conduct on mhealth apps the role of soft-law in enhancing trust ehealth Week 2016 Pēteris Zilgalvis, J.D., Head of Unit for Health and Well-Being, DG CONNECT Table of Contents 1. Context
More informationWorkday s Robust Privacy Program
Workday s Robust Privacy Program Workday s Robust Privacy Program Introduction Workday is a leading provider of enterprise cloud applications for human resources and finance. Founded in 2005 by Dave Duffield
More informationEU General Data Protection Regulation (GDPR) Achieving compliance
EU General Data Protection Regulation (GDPR) Achieving compliance GDPR enhancing data protection and privacy The new EU General Data Protection Regulation (GDPR) will apply across all EU member states,
More information2 The IBM Data Governance Unified Process
2 The IBM Data Governance Unified Process The benefits of a commitment to a comprehensive enterprise Data Governance initiative are many and varied, and so are the challenges to achieving strong Data Governance.
More informationSECURITY & PRIVACY DOCUMENTATION
Okta s Commitment to Security & Privacy SECURITY & PRIVACY DOCUMENTATION (last updated September 15, 2017) Okta is committed to achieving and preserving the trust of our customers, by providing a comprehensive
More informationISSMP is in compliance with the stringent requirements of ANSI/ISO/IEC Standard
Certification Exam Outline Effective Date: April 2013 About CISSP-ISSMP The Information Systems Security Management Professional (ISSMP) is a CISSP who specializes in establishing, presenting, and governing
More informationCCISO Blueprint v1. EC-Council
CCISO Blueprint v1 EC-Council Categories Topics Covered Weightage 1. Governance (Policy, Legal, & Compliance) & Risk Management 1.1 Define, implement, manage and maintain an information security governance
More informationAvanade s Approach to Client Data Protection
White Paper Avanade s Approach to Client Data Protection White Paper The Threat Landscape Businesses today face many risks and emerging threats to their IT systems and data. To achieve sustainable success
More informationData Protection and GDPR
Data Protection and GDPR At DPDgroup UK Ltd (DPD & DPD Local) we take data protection seriously and have updated all our relevant policies and documents to ensure we meet the requirements of GDPR. We have
More informationCybersecurity: Considerations for Internal Audit. Gina Gondron Senior Manager Frazier & Deeter Geek Week August 10, 2016
Cybersecurity: Considerations for Internal Audit Gina Gondron Senior Manager Frazier & Deeter Geek Week August 10, 2016 Agenda Key Risks Incorporating Internal Audit Resources Questions 2 San Francisco
More informationADIENT VENDOR SECURITY STANDARD
Contents 1. Scope and General Considerations... 1 2. Definitions... 1 3. Governance... 2 3.1 Personnel... 2 3.2 Sub-Contractors... 2 3.3. Development of Applications... 2 4. Technical and Organizational
More informationPassguide CISM 631q. Number: CISM Passing Score: 800 Time Limit: 120 min File Version: Isaca CISM
Passguide CISM 631q Number: CISM Passing Score: 800 Time Limit: 120 min File Version: 12.5 http://www.gratisexam.com/ Isaca CISM Certified Information Security Manager Finally, I got right questions for
More informationCyber Risk Program Maturity Assessment UNDERSTAND AND MANAGE YOUR ORGANIZATION S CYBER RISK.
Cyber Risk Program Maturity Assessment UNDERSTAND AND MANAGE YOUR ORGANIZATION S CYBER RISK. In today s escalating cyber risk environment, you need to make sure you re focused on the right priorities by
More informationNYDFS Cybersecurity Regulations
SPEAKERS NYDFS Cybersecurity Regulations Lisa J. Sotto Hunton & Williams LLP (212) 309-1223 lsotto@hunton.com www.huntonprivacyblog.com March 9, 2017 The Privacy Team at Hunton & Williams Over 30 privacy
More informationCertified Information Security Manager (CISM) Course Overview
Certified Information Security Manager (CISM) Course Overview This course teaches students about information security governance, information risk management, information security program development,
More informationInformation Security Incident Response Plan
Information Security Incident Response Plan Purpose It is the objective of the university to maintain secure systems and data. In order to comply with federal, state, and local law and contractual obligations,
More informationThis Policy has been prepared with due regard to the General Data Protection Regulation (EU Regulation 2016/679) ( GDPR ).
PRIVACY POLICY Data Protection Policy 1. Introduction This Data Protection Policy (this Policy ) sets out how Brital Foods Limited ( we, us, our ) handle the Personal Data we Process in the course of our
More informationChina Code of Ethics Certification 2018 CHECKLIST
China Code of Ethics Certification 2018 CHECKLIST Medical technology companies in China (both AdvaMed members and non-members) may participate in this certification program. T he certification affirms
More informationEXAM PREPARATION GUIDE
When Recognition Matters EXAM PREPARATION GUIDE PECB Certified ISO 22000 Lead Implementer www.pecb.com The objective of the Certified ISO 22000 Lead Implementer examination is to ensure that the candidate
More informationUniversity of Texas Arlington Data Governance Program Charter
University of Texas Arlington Data Governance Program Charter Document Version: 1.0 Version/Published Date: 11/2016 Table of Contents 1 INTRODUCTION... 3 1.1 PURPOSE OF THIS DOCUMENT... 3 1.2 SCOPE...
More informationSTRATEGIC PLAN
STRATEGIC PLAN 2013-2018 In an era of growing demand for IT services, it is imperative that strong guiding principles are followed that will allow for the fulfillment of the Division of Information Technology
More informationMotorola Mobility Binding Corporate Rules (BCRs)
Motorola Mobility Binding Corporate Rules (BCRs) Introduction These Binding Privacy Rules ( Rules ) explain how the Motorola Mobility group ( Motorola Mobility ) respects the privacy rights of its customers,
More informationManaging Privacy Risk & Compliance in Financial Services. Brett Hamilton Advisory Solutions Consultant ServiceNow
Managing Privacy Risk & Compliance in Financial Services Brett Hamilton Advisory Solutions Consultant ServiceNow 1 Speaker Introduction INSERT PHOTO Name: Brett Hamilton Title: Advisory Solutions Consultant
More informationNew York Cybersecurity. New York Cybersecurity. Requirements for Financial Services Companies (23NYCRR 500) Solution Brief
Publication Date: March 10, 2017 Requirements for Financial Services Companies (23NYCRR 500) Solution Brief EventTracker 8815 Centre Park Drive, Columbia MD 21045 About EventTracker EventTracker s advanced
More informationPROCEDURE COMPREHENSIVE HEALTH SERVICES, INC
PROCEDURE COMPREHENSIVE HEALTH SERVICES, INC APPROVAL AUTHORITY: President, CHSi GARY G. PALMER /s/ OPR: Director, Information Security NUMBER: ISSUED: VERSION: APRIL 2015 2 THOMAS P. DELAINE JR. /s/ 1.0
More informationCredit Card Data Compromise: Incident Response Plan
Credit Card Data Compromise: Incident Response Plan Purpose It is the objective of the university to maintain secure financial transactions. In order to comply with state law and contractual obligations,
More informationDATA PRIVACY & PROTECTION POLICY POLICY INFORMATION WE COLLECT AND RECEIVE. Quality Management System
DATA PRIVACY & PROTECTION POLICY POLICY This Data Privacy & Protection Policy applies to ELMO Software Limited s Cloud HR & Payroll applications and platform (collectively, the Services ), elmosoftware.com.au
More informationChecklist: Credit Union Information Security and Privacy Policies
Checklist: Credit Union Information Security and Privacy Policies Acceptable Use Access Control and Password Management Background Check Backup and Recovery Bank Secrecy Act/Anti-Money Laundering/OFAC
More informationSecurity Architecture
Security Architecture RDX s top priority is to safeguard our customers sensitive information. Introduction RDX understands that our customers have turned over the keys to their sensitive data stores to
More informationManager, Infrastructure Services. Position Number Community Division/Region Yellowknife Technology Service Centre
IDENTIFICATION Department Position Title Infrastructure Manager, Infrastructure Services Position Number Community Division/Region 32-11488 Yellowknife Technology Service Centre PURPOSE OF THE POSITION
More informationAn Overview of ISO/IEC family of Information Security Management System Standards
What is ISO/IEC 27001? The ISO/IEC 27001 standard, published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), is known as Information
More informationGeneral Data Protection Regulation: Knowing your data. Title. Prepared by: Paul Barks, Managing Consultant
General Data Protection Regulation: Knowing your data Title Prepared by: Paul Barks, Managing Consultant Table of Contents 1. Introduction... 3 2. The challenge... 4 3. Data mapping... 7 4. Conclusion...
More informationGoogle Cloud & the General Data Protection Regulation (GDPR)
Google Cloud & the General Data Protection Regulation (GDPR) INTRODUCTION General Data Protection Regulation (GDPR) On 25 May 2018, the most significant piece of European data protection legislation to
More informationUniversity of Pittsburgh Security Assessment Questionnaire (v1.7)
Technology Help Desk 412 624-HELP [4357] technology.pitt.edu University of Pittsburgh Security Assessment Questionnaire (v1.7) Directions and Instructions for completing this assessment The answers provided
More informationNY DFS Cybersecurity Regulations August 8, 2017
NY DFS Cybersecurity Regulations August 8, 2017 23 NYCRR Part 500 Asking Questions Anti-Trust Policy As a CPCU approved education program related to The Institutes Chartered Property Casualty Underwriter
More information01.0 Policy Responsibilities and Oversight
Number 1.0 Policy Owner Information Security and Technology Policy Policy Responsibility & Oversight Effective 01/01/2014 Last Revision 12/30/2013 Department of Innovation and Technology 1. Policy Responsibilities
More informationISACA. Certification Details for Certified in the Governance of Enterprise IT (CGEIT )
ISACA Pasitikėjimas informacinėmis sistemomis ir jų nauda Certification Details for Certified in the Governance of Enterprise IT (CGEIT ) Dainius Jakimavičius, CGEIT ISACA Lietuva tyrimų ir metodikos koordinatorius
More informationVirginia State University Policies Manual. Title: Information Security Program Policy: 6110
Purpose Virginia State University (VSU) uses information to perform the business services and functions necessary to fulfill its mission. VSU information is contained in many different mediums including
More informationNew York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines
New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines New York Department of Financial Services ( DFS ) Regulation 23 NYCRR 500 requires that entities
More informationEXAM PREPARATION GUIDE
EXAM PREPARATION GUIDE PECB Certified Data Protection Officer The objective of the PECB Certified Data Protection Officer examination is to ensure that the candidate has acquired the knowledge and skills
More informationBoerner Consulting, LLC Reinhart Boerner Van Deuren s.c.
Catherine M. Boerner, Boerner Consulting LLC Heather Fields, 1 Discuss any aggregate results of the desk audits Explore the Sample(s) Requested and Inquire of Management requests for the full on-site audits
More information2016 Data Protection & Breach Readiness Webinar Will Start Shortly. please download the guide at
2016 Data Protection & Breach Readiness Webinar Will Start Shortly please download the guide at https://otalliance.org/breach 1 2016 Data Protection & Breach Readiness Guide February 3, 2016 Craig Spiezle
More informationGeneral Data Protection Regulation (GDPR)
BCD Travel s Response to the EU General Data Protection Regulation (GDPR) November 2017 Page 1 Response to the EU GDPR Copyright 2017 by BCD Travel N.V. All rights reserved. November 2017 Copyright 2017
More informationDepartment of Management Services REQUEST FOR INFORMATION
RESPONSE TO Department of Management Services REQUEST FOR INFORMATION Cyber-Security Assessment, Remediation, and Identity Protection, Monitoring, and Restoration Services September 3, 2015 250 South President
More informationNEW DATA REGULATIONS: IS YOUR BUSINESS COMPLIANT?
NEW DATA REGULATIONS: IS YOUR BUSINESS COMPLIANT? What the new data regulations mean for your business, and how Brennan IT and Microsoft 365 can help. THE REGULATIONS: WHAT YOU NEED TO KNOW Australia:
More informationFunction Category Subcategory Implemented? Responsible Metric Value Assesed Audit Comments
Function Category Subcategory Implemented? Responsible Metric Value Assesed Audit Comments 1 ID.AM-1: Physical devices and systems within the organization are inventoried Asset Management (ID.AM): The
More informationBPS Suite and the OCEG Capability Model. Mapping the OCEG Capability Model to the BPS Suite s product capability.
BPS Suite and the OCEG Capability Model Mapping the OCEG Capability Model to the BPS Suite s product capability. BPS Contents Introduction... 2 GRC activities... 2 BPS and the Capability Model for GRC...
More informationWHO SHOULD ATTEND? ITIL Foundation is suitable for anyone working in IT services requiring more information about the ITIL best practice framework.
Learning Objectives and Course Descriptions: FOUNDATION IN IT SERVICE MANAGEMENT This official ITIL Foundation certification course provides you with a general overview of the IT Service Management Lifecycle
More informationInformation Technology General Control Review
Information Technology General Control Review David L. Shissler, Senior IT Auditor, CPA, CISA, CISSP Office of Internal Audit and Risk Assessment September 15, 2016 Background Presenter Senior IT Auditor
More informationPrivacy Statement. Your privacy and trust are important to us and this Privacy Statement ( Statement ) provides important information
Privacy Statement Introduction Your privacy and trust are important to us and this Privacy Statement ( Statement ) provides important information about how IT Support (UK) Ltd handle personal information.
More informationFiscal 2015 Activities Review and Plan for Fiscal 2016
Fiscal 2015 Activities Review and 1. The Ricoh Group s Information Security Activities In response to changes emerging in the social environment, the Ricoh Group is promoting its PDCA management system
More information2017 RIMS CYBER SURVEY
2017 RIMS CYBER SURVEY This report marks the third year that RIMS has surveyed its membership about cyber risks and transfer practices. This is, of course, a topic that only continues to captivate the
More informationLakeshore Technical College Official Policy
Policy Title Original Adoption Date Policy Number Information Security 05/12/2015 IT-720 Responsible College Division/Department Responsible College Manager Title Information Technology Services Director
More informationIncentives for IoT Security. White Paper. May Author: Dr. Cédric LEVY-BENCHETON, CEO
White Paper Incentives for IoT Security May 2018 Author: Dr. Cédric LEVY-BENCHETON, CEO Table of Content Defining the IoT 5 Insecurity by design... 5 But why are IoT systems so vulnerable?... 5 Integrating
More informationFerrous Metal Transfer Privacy Policy
Updated: March 13, 2018 Ferrous Metal Transfer Privacy Policy Ferrous Metal Transfer s Commitment to Privacy Ferrous Metal Transfer Co. ( FMT, we, our, and us ) respects your concerns about privacy, and
More informationTrust Services Principles and Criteria
Trust Services Principles and Criteria Security Principle and Criteria The security principle refers to the protection of the system from unauthorized access, both logical and physical. Limiting access
More informationSOLUTION BRIEF RSA ARCHER IT & SECURITY RISK MANAGEMENT
RSA ARCHER IT & SECURITY RISK MANAGEMENT INTRODUCTION Organizations battle growing security challenges by building layer upon layer of defenses: firewalls, antivirus, intrusion prevention systems, intrusion
More informationFISMAand the Risk Management Framework
FISMAand the Risk Management Framework The New Practice of Federal Cyber Security Stephen D. Gantz Daniel R. Phi I pott Darren Windham, Technical Editor ^jm* ELSEVIER AMSTERDAM BOSTON HEIDELBERG LONDON
More informationPlan a Pragmatic Approach to the new EU Data Privacy Regulation
AmChamDenmark event: EU Compliant & Cyber Resistant Plan a Pragmatic Approach to the new EU Data Privacy Regulation Janus Friis Bindslev, Partner Cyber Risk Services, Deloitte 4 February 2016 Agenda General
More informationICBA Summary of FFIEC Cybersecurity Assessment Tool (May 2017 Update)
ICBA Summary of FFIEC Cybersecurity Assessment Tool (May 2017 Update) June 2017 INSERT YEAR HERE Contact Information: Jeremy Dalpiaz AVP, Cyber and Data Security Policy Jeremy.Dalpiaz@icba.org ICBA Summary
More informationBig data privacy in Australia
Five-article series Big data privacy in Australia Three actions you can take towards compliance Article 5 Big data and privacy Three actions you can take towards compliance There are three actions that
More informationCyber Security Program
Cyber Security Program Cyber Security Program Goals and Objectives Goals Provide comprehensive Security Education and Awareness to the University community Build trust with the University community by
More information