Secrets to Success! Accountability in Global Organizations. Marisa Rogers & Jenifer Garone, Microsoft Ruby Zefo, Intel


AGENDA
Accountability at the top
Accountability across the business
Assessments & Reporting
Gaining Buy-In for Resources
Remediation & Incident Response

PRIVACY ACCOUNTABILITY FROM THE TOP Tone from the top vs. Privacy Security.

PRIVACY ACCOUNTABILITY ACROSS THE BUSINESS Policies, Tools & Training vs.

PRIVACY ACCOUNTABILITY AT MICROSOFT
Microsoft governs its privacy program using the hub & spoke model, with the corporate privacy team and Privacy Managers, Leads, & Champs in the organizations across the company.
The hub, Trustworthy Computing (TwC Privacy), is responsible for: Policies, Standards & Procedures (PSPs); Training; Tools; Reporting; Capacity; Comms.
The spokes (Engineering Groups, Services, Sales & Marketing, IT, HR, Finance, Legal) are responsible for implementation and compliance with PSPs.

BRINGING A MATRIXED ORGANIZATION TOGETHER
(Diagram: TwC Privacy at the center, with Privacy Managers, Privacy Leads and Privacy Champs in each of the Engineering Groups, Business Groups and Corporate Functions: Services, Sales & Marketing, IT, HR, Finance, Legal.)
Privacy Steering Committee
Privacy Councils (e.g. marketing, advertising, enterprise, vendor)
Privacy Committees (e.g. training, career development, controls)

PRIVACY ROLES
Scenario: Business is working with MSIT SBU to create, design, deliver applications & tools.
Business Privacy Manager (phases: Requirements, Testing, Go/No Go, Deployment): Review, Approve, Attest, Consult, Validation; Test Plans, UAT; Attend, Vote; Review, Approve, Certify, Consult, Validation.
MSIT Privacy Manager (phases: Requirements, Risk Mitigation, Deployment, Operate & Maintain, Issue Resolution): Consultation, Validation; Consultation, Approve, Attest; Consultation, Validation; Risk Assessments, SLT Reporting, Contract Reviews, Exceptions, Policies & Standards; Consultation, Validation, Escalations.
TwC Privacy (phases: Requirements, Risk Mitigation, Deployment, Operate & Maintain, Issue Resolution): Consultation, Exceptions, Policies & Standards; acts as Business Privacy Manager when a gap exists; MSIT and Business Privacy jointly approach TwC for guidance; Consultation; Consultation, PERFs; Consultation, Exceptions, Policies & Standards; Consultation, Validation, Escalations; MSIT and Business Privacy jointly approach TwC for guidance.

PRIVACY TOOLS
PAM (PAGO review tool)
IMS (Incident & Inquiry management tool)
Contacts Tool (Coverage report by org)
PrivPub
EGRC Archer
Streamlined Risk Assessment (SRA)

PRIVACY TOOLS
HOW DO I HANDLE AN EXCEPTION REQUEST?

QUIZ - TONE AT THE TOP
"If you have something that you don't want anyone to know, maybe you shouldn't be doing it in the first place."
"You have zero privacy anyway. Get over it."
"In reality, we wouldn't share your information in a way you wouldn't want..."
"The trust you place in us as a safe place to share information is the most important part of what makes this work."

ASSESSMENTS/METRICS REPORTING Everyone can do some metrics! Yes, you.

EXAMPLE ASSESSMENT: PRIVACY ACCOUNTABILITY Key: Green = Completed; Yellow = In Process; Red = At Risk

EXAMPLE PRIVACY MATURITY ASSESSMENT
Assessment areas: Privacy Policies; Accountability; Identify and Classify; Incident and Breach Response; Notice; Use; Access & Accuracy; Training; Privacy by Design; 3rd party transfer; International transfer; Retention & Disposal; Security; Subsidiary.
Maturity scale (Low to High): 1 - Ad hoc; 2 - Repeatable; 3 - Defined; 4 - Managed; 5 - Optimized.
Current State = ~2; Goal State = 3 (recommended minimum for processing XYZ data).
(Chart: each assessment area marked with an x at its current maturity level; most areas sit at level 1 or 2.)

EXAMPLE PRIVACY IMPACT ASSESSMENT
Creating a PAM (Policy Approval Manager) Assessment

EXAMPLE PRIVACY PROGRAM METRICS Metrics via Score carding

EXAMPLE PRIVACY PROGRAM METRICS Org Engagement - June 2013 Privacy Review volume - YOY

EXAMPLE PRIVACY PROGRAM METRICS
(Chart: Volume YTD by month, July through June, for Privacy Program Monitoring and Privacy Inquiries/Reviews; y-axis 0 to 400; data labels shown: 217 and 174.)

OBTAINING RESOURCES What do all these have in common?

REMEDIATION & INCIDENT RESPONSE

MANAGING INCIDENTS

KEY TAKEAWAYS
Privacy as a business enabler
Measure, measure, measure: people do what they're measured on
Leveraging like-minded roles
Have a privacy elevator pitch!