Secrets to Success! Accountability in Global Organizations Marisa Rogers & Jenifer Garone, Microsoft Ruby Zefo, Intel
AGENDA Accountability at the top Accountability across the business Assessments & Reporting Gaining Buy-In for Resources Remediation & Incident Response
PRIVACY ACCOUNTABILITY FROM THE TOP Tone from the top vs. Privacy Security.
PRIVACY ACCOUNTABILITY ACROSS THE BUSINESS Policies, Tools & Training vs.
PRIVACY ACCOUNTABILITY AT MICROSOFT Microsoft governs its privacy program using the hub & spoke model, with the corporate privacy team as the hub and Privacy Managers, Leads, & Champs in the organizations across the company as the spokes. The hub, Trustworthy Computing (TwC Privacy), is responsible for: Policies, Standards & Procedures (PSPs); Training; Tools; Reporting; Capacity; Comms. The spokes are responsible for implementation of and compliance with PSPs. [Diagram: spokes shown around TwC Privacy are Sales & Marketing, Services, Engineering Groups, and IT, HR, Finance, Legal]
BRINGING A MATRIXED ORGANIZATION TOGETHER [Diagram: TwC Privacy at the center, connected to three groups of spokes: Engineering Groups, Business Groups (e.g. Sales & Marketing, Services), and Corporate Functions (IT, HR, Finance, Legal). Each group has its own Privacy Managers, Privacy Leads, and Privacy Champs. Cross-organization governance bodies: Privacy Steering Committee; Privacy Councils (e.g. marketing, advertising, enterprise, vendor); Privacy Committees (e.g. training, career development, controls)]
PRIVACY ROLES Scenario: Business is working with MSIT SBU to create, design, deliver applications & tools. [Responsibility matrix, three roles across the lifecycle: Business Privacy Manager (phases: Requirements, Testing, Go/No Go, Deployment; activities include Review, Approve, Attest, Consult, Validation, Test Plans, UAT, Attend, Vote, Certify); MSIT Privacy Manager (phases: Requirements, Risk Mitigation, Deployment, Operate & Maintain, Issue Resolution; activities include Consultation, Validation, Approve, Attest, Risk Assessments, SLT Reporting, Contract Reviews, Exceptions, Policies & Standards, Escalations); TwC Privacy (same phases; activities include Consultation, Exceptions, Policies & Standards, PERFs, Validation, Escalations). Notes on the matrix: TwC Privacy acts as Business Privacy Manager when a gap exists; MSIT and Business Privacy jointly approach TwC for guidance.]
PRIVACY TOOLS PAM (Policy Approval Manager); PAGO review tool; IMS (Incident & Inquiry management tool); Contacts Tool (coverage report by org); PrivPub; EGRC (Archer); Streamlined Risk Assessment (SRA)
PRIVACY TOOLS HOW DO I HANDLE AN EXCEPTION REQUEST?
QUIZ - TONE AT THE TOP "If you have something that you don't want anyone to know, maybe you shouldn't be doing it in the first place." "You have zero privacy anyway. Get over it." "In reality, we wouldn't share your information in a way you wouldn't want... The trust you place in us as a safe place to share information is the most important part of what makes this work."
ASSESSMENTS/METRICS REPORTING Everyone can do some metrics! Yes, you.
EXAMPLE ASSESSMENT: PRIVACY ACCOUNTABILITY Key: Green = Completed; Yellow = In Process; Red = At Risk
EXAMPLE PRIVACY MATURITY ASSESSMENT [Chart: maturity grid. Rows (privacy domains): Privacy Policies; Accountability; Identify and Classify; Incident and Breach Response; Notice; Use; Access & Accuracy; Training; Privacy by Design; 3rd party transfer; International transfer; Retention & Disposal; Security; Subsidiary. Columns (maturity levels, Low to High): 1 - Ad hoc; 2 - Repeatable; 3 - Defined; 4 - Managed; 5 - Optimized. Current status = ~2; Goal state = 3. Level 3 (Defined) is marked as the recommended minimum for processing XYZ data. Most domains are marked at level 2, a few at level 1.]
EXAMPLE PRIVACY IMPACT ASSESSMENT Creating a PAM (Policy Approval Manager) Assessment
EXAMPLE PRIVACY PROGRAM METRICS Metrics via Score carding
EXAMPLE PRIVACY PROGRAM METRICS [Charts: Org Engagement - June 2013; Privacy Review volume - YOY]
EXAMPLE PRIVACY PROGRAM METRICS [Bar chart: Volume YTD (0-400) by month, July through June, for two series: Privacy Program Monitoring and Privacy Inquiries/Reviews. Values labelled on the chart: 217 and 174.]
OBTAINING RESOURCES What do all these have in common?
REMEDIATION & INCIDENT RESPONSE
MANAGING INCIDENTS
KEY TAKEAWAYS Privacy as a business enabler. Measure, measure, measure: people do what they're measured on. Leverage like-minded roles. Have a privacy elevator pitch!