The Evolution of Data Governance Regulations and What IA Departments Need to Know FEBRUARY 27, 2018 Jamey Loupe Senior Manager, Risk Advisory Services Jessica Allen Director, Technology & Business Transformation Services
CPE and Support CPE Participation Requirements To receive CPE credit for this webcast: You ll need to actively participate throughout the program. Be responsive to at least 75% of the polling questions. Please refer the CPE & Support Handout in the Handouts section for more information about group participation and CPE certificates. Q&A Submit all questions using the Q&A feature on the lower right corner of the screen. Presenter(s) will review and answer questions submitted as time allows. *Please note that questions and answers submitted/provided via the Q&A feature are visible to all participants as well as the presenters. Technical Support If you should have technical issues, please contact LearnLive: Click on the Live Chat icon under the Support tab, OR call: 1-888-228-4088 Audio Audio will be streamed through your computer speakers. If you experience audio issues during today s presentation, please dial into the teleconference: 1-855-233-5756, and use teleconference code: 226 838 6759 # 2
Polling Question 1 (Test) 3
Jamey Loupe, CISA Senior Manager Risk Advisory Services Jamey is a Senior Manager in BDO s Risk Advisory Services practice. He has provided audit and advisory services to mid-size and multi-national companies in multiple industries, and has more than 15 years of progressive experience leading and organizing teams and projects. PROFESSIONAL AFFILIATIONS Institute of Internal Auditors Information Systems Audit and Control Association Marine Corps Association and Foundation EDUCATION M.L.A., Information Management Systems, Harvard University (in progress) B.A, Information Systems Decision Sciences, Louisiana State University Throughout his career, Jamey has led and supported the activities needed to complete the audit process. He has experience presenting results to Senior Management and the Audit Committee. His experience includes: Leading, managing and conducting IT internal audits Managing complex IT SOX compliance projects Recommending and implementing IT process improvements Conducting and leading GRP pre-implementation reviews Conducting IT security assessments Monitoring IT governance Jamey has extensive experience in Information Technology Standards and Governance, IT Risk Assessments, Cloud Security and Governance, Sarbanes Oxley, IT Security assessments, Application pre and post implementation reviews, as well as IT Audit and Compliance. 4
Jessica Allen Director Technology & Business Transformation Services Jessica Allen is a Director with more than 15 years of experience developing and executing enterprise-wide programs, including Security and Compliance, IT strategy, and IT Optimization & Innovation. Ms. Allen combines her technical expertise with significant experience managing large and complex programs and operations to assist organizations in achieving a variety of business objectives, including risk mitigation, enhancing efficiencies and reducing costs. EDUCATION M.I.S., Northern Kentucky University B.S., Information Systems, Northern Kentucky University Having significant experience leading large transformation as well as completing complex assessments, Ms. Allen is well-versed in Security and Compliance Data privacy and Protection Process reengineering Program governance and oversight Technology Architecture IT service management Ms. Allen is a frequent speaker on topics including technology advisory, security awareness and key threats, technology trends, innovation, and IT optimization. She supports key clients in BDO with complex technology and regulatory requirements. 5
Today s Learning Objectives At the conclusion of this course, participants will be able to: Identify data governance regulations by industry and location Describe upcoming regulations and the impact on companies in various geographical areas Discuss the impact of the new regulations and the data governance risks their organization faces 6
Defining Data Governance 7
What is Data Governance Data governance is defining ownership and management of the availability, usability, integrity and security of data used in an enterprise. A good Data Governance program seeks to address these objectives: Clear information ownership Timely, correct information Clear enterprise architecture and efficiency Regulatory Compliance and security 8
Data Governance is Not The below initiatives/processes all require a well developed Data Governance Program to be successful. However, in and of themselves, they are not Data Governance. Data change management Data cleansing Master Data Management (MDM) Data warehousing Database management and administration 9
Data Governance v. Data Management Data Governance is about determining who inputs and makes decisions regarding how data is treated and accessed. Data Management is the process of making and implementing the decisions made in Data Governance. 10
Polling Question 2 11
Data Governance Ownership 12
Who Owns Data Governance? One of the tenets of Data Governance is that enterprise data doesn t belong to individuals. It is an asset that belongs to the enterprise. There are two approaches to effective ownership of Data Governance. Approach #1: Assigning Data Ownership/Stewardship Approach #2: Federated Responsibilities Source: The Data Governance Institute 13
Key Stakeholders in Data Governance? Stakeholders are those individuals that could have an effect on or are affected by the data within your organization. Usually this group is a mix of individuals from across the organization. This will be different in every organization. Some of the usual suspects are: IT Teams CIO CISO IT Security Database Administrators Applications Administrators Business Teams Legal Data Governance Officer 14
Internal Audit s Role in Data Governance Evaluate the Data Governance Program Maturity. Evaluate against documented data governance Policies and Procedures. Data Content Management Data Records Management Data Quality Data Identification and Classification Data Access Does Internal Audit have the necessary skillsets. Evaluate the appropriateness of data owners/stewards Does the IT group have an asset inventory 15
Internal Audit s Role in Compliance with Privacy Regulations Understand what data privacy regulations apply to your organization. Evaluate if documented Policies and Procedures address the identified privacy regulation. Evaluate if the organization has identified the key data that is subject to regulatory requirements. Audit processes to determine how they impact privacy of data subjects Evaluate whether systems and processes have been developed with appropriate privacy considerations. Report on systems that contain significant amounts of personal data and provide a plan for remediation and management of these systems. 16
IT s Role in Data Governance and Related Privacy Regulations Chair on Steering Committee/Data Governance Board Maintain the logical and physical security of the applications and keep them up-to-date. Responsible for developing the backup and data recovery plan with the input of the business. Meeting Service Level Agreements as agreed with the Data Owners/Stewards. Ensuring that applications and databases are appropriately installed and administered. 17
COBIT 5 to Audit Data Governance COBIT 5 establishes seven enablers to drive better information and data governance and management. Each of the enablers has goals and metrics that aim to drive better control and improvement of: Management of IT-related business risk Transparency of IT costs, benefits and risk Security of information, processing infrastructure and applications IT compliance with internal policies Risk thresholds definition and communication Managing critical IT-related enterprise risk effectively and efficiently Ensuring that IT-related risk does not exceed the enterprise risk appetite Source ISACA, COBIT 5 18
Other Considerations: Cybersecurity Assessments UNDERSTAND YOUR ENTIRE DATA PROTECTION LANDSCAPE Vulnerability assessments and penetration testing (VAPT) Incident response readiness testing HITRUST assessment IT security risk assessment ISO 2700x readiness assessment PCI DSS readiness assessment 19
Polling Question 3 20
Key Components of Data Governance 21
6 Key Pillars of Data Governance Information A well defined Data Governance framework addresses this information within an organization. 22
Benefits of a Well-Defined Data Governance Framework Regulatory compliance Improved data quality Consistent definitions of business terms Decision-making based on information (confidence in the data) Collaboration among business units Appropriate use of information Sharing information internally (data integration and reuse) Simplified (and known) data management business processes 23
Polling Question 4 24
Regulatory Requirements 25
US Data Privacy Regulations Our government has taken the approach to address specific data privacy concerns by type of data. As a result, there are more than 200 laws in the U.S. that involve data privacy and data security. These are just a few Health Insurance Portability and Accountability Act (HIPAA) Health Information Technology for Economic and Clinical Health (HITECH) Payment Card Industry Data Security Standard(PCI-DSS) Fair Credit Reporting Act(FCRA) Fair and Accurate Credit Transactions Act of 2003 (FACTA) 26
United States State Specific Data Regulations California Online Privacy Protection Act (OPPA) of 2003 California Data Breach Notification - Civil Code s. 1798.29(a) California Civil Code section 1798.81.5 - Security of Personal Information Other California Data Privacy Laws 25+ laws covering specific types of data (i.e. Insurance Information and Privacy Protection Act) Massachusetts Standards for The Protection of Personal Information of Residents of the Commonwealth" (or 201 CMR 17.00) New York Department of Financial Services Cybersecurity Regulation (NY DFS) 27
General Data Protection Regulation (GDPR) Requirements 28
Polling Question 5 29
What is GDPR? Replaces the 1995 EU Data Directive The General Data Protection Regulation (GDPR) affects organizations in the European Union (EU) or those that offer goods and services to individuals in the EU, or that collect and analyze data related to EU residents, regardless of their location. Enhances personal privacy rights Increased requirements to protect data Mandatory breach reporting Significant penalties for non-compliance 30
Does GDPR Apply to You? Personal Data is defined broadly Any information relating to an identified or identifiable natural person (e.g. IP address) Applies to all Types of Organizations Applies to organizations wherever they are located that: Offer goods and services (including free services) to people in the EU; or That monitor the behavior of people in the EU (e.g. website analytics) Applies to both Controllers and Processors 31
Key High-Level GDPR Facts Effective Date May 25, 2018 Interpretation Guided by the European Data Protection Board ( EDPB ) Article 29 Working Party opinions under the Data Protection Directive, case law and Article 40 Codes of Conduct Fines and Penalties 20 million or 4% of annual global, whichever is higher Guidance Experienced guidance is important for companies navigating this unfamiliar and unsettled terrain. 32
What Does This Mean for My Data? Protecting customer privacy with GDPR 33
Polling Question 6 34
Key Changes to Address with GDPR The most common requirements for all companies subject to the GDPR include: Personal privacy Rights of the data subject include right of access, rectification and erasure. Transparency & Accountability Companies must provide clear notice of data collection, purposes of processing and retention/deletion practices. Controls, Policies & Procedures Appropriate safeguarding must be implemented, along with the ability to notify authorities of data breaches. Training & Awareness Companies must provide clear notice of data collection, purposes of processing and retention/deletion practices. 35
Primary Considerations 1 2 Relevance and Responsibilities Readiness Identify all areas where personal data may be stored Determine if personal data belongs to any EU data subjects Review your policies against all relevant Authority Documents not just GDPR and identify synergies and gaps Conduct data mapping exercise Identify your responsibility as a data controller or processor Review third party contracts and ensure relevant GDPR language is included Identify all third parties who have access to personal data you store Review privacy notices to ensure transparency, fairness and accessibility Provide GDPR training to staff Test your incident response capabilities to ensure compliance with 72-hour breach notification requirement 36
Primary Considerations 3 Remediate 4 Prep for Audit Develop a detailed remediation roadmap to prioritize and ensure timely compliance Update policies & procedures or create new ones to address gaps Develop and maintain a data register to record all processing activities Designate and register a DPO to serve as liaison to the relevant supervisory authorities Implement privacy by design and privacy by default principles and security controls in all systems and processes Review and update cross-border data transfer processes to conform with company-specific conditions Document all ongoing policies, procedures and control for GDPR compliance requirements Ask vendors to provide evidence of compliance with GDPR and ongoing due diligence 37
Working Toward Compliance IDENTIFY. ANALYZE. GOVERN. Define Risk Criteria Evaluate Vendors & Rank Risks Develop a Compliance Roadmap Develop Data Register & Data Flow Diagrams Review Policies & Contracts for Gaps Remediate, Govern & Manage 38
Data Mapping BUSINESS PROCESS MAPPING, DATA REGISTERS, AND DATA FLOW DIAGRAMS Identify existing data and application inventories Patient Lab Tech Understand Privacy by Design activities Nurse Patient Care Application Gather policies & procedures Pharmacist Develop project plan and charter Doctor Develop data register Process Overview with Data Risks Client Team Client contacts vendor Client provides conflict check information Project setup forms are completed Team is engaged Onsite information gathering Client provides financial statements, supporting documents Services are performed Findings are finalized Report is delivered to client and copy is archived Data Platforms Data entry client info G Drive Client Portal Office365 Email File Exchange BDO Laptop APT Vault Data Retention Information is retained for oneyear Project close Files sent to SharePoint Data that is deleted after 30-45 days 39
Polling Question 7 40
Policies and Procedures ALIGN WITH GDPR 41
GDPR Resources For more information on GDPR please visit: www.bdo.com/gdpr Other Webinars: GDPR is coming: Don t be left in the dark GDPR through different lenses 42
Questions Jamey Loupe jloupe@bdo.com 713-960-1706 Jessica Allen Jessica.allen@bdo.com 513-592-2375 43
Coming Events March 12-14, 2018 IIA-GAM Conference Las Vegas (The Aria) Booth 116 April 24, 2018 2018 Internal Audit Webinar Series Course 2 The Integrated Auditor: Becoming the Go-To Resource Your Company Needs 3 PM ET / 2 PM CST 44
Conclusion Thank you for participating! Certificate Availability If you participated the entire time and responded to at least 75% of the polling questions, you may click the Participation tab to access the print certificate button. Exit Please exit the interface by clicking the red X in the upper-righthand corner of your screen. 45