The Evolution of Data Governance Regulations and What IA Departments Need to Know FEBRUARY 27, 2018


Presenters: Jamey Loupe, Senior Manager, Risk Advisory Services; Jessica Allen, Director, Technology & Business Transformation Services

CPE and Support

CPE Participation Requirements. To receive CPE credit for this webcast, you'll need to actively participate throughout the program and be responsive to at least 75% of the polling questions. Please refer to the CPE & Support Handout in the Handouts section for more information about group participation and CPE certificates.

Q&A. Submit all questions using the Q&A feature on the lower right corner of the screen. Presenter(s) will review and answer questions submitted as time allows. Please note that questions and answers submitted/provided via the Q&A feature are visible to all participants as well as the presenters.

Technical Support. If you should have technical issues, please contact LearnLive: click on the Live Chat icon under the Support tab, or call 1-888-228-4088.

Audio. Audio will be streamed through your computer speakers. If you experience audio issues during today's presentation, please dial into the teleconference: 1-855-233-5756, teleconference code 226 838 6759 #.

Polling Question 1 (Test)

Jamey Loupe, CISA, Senior Manager, Risk Advisory Services

Jamey is a Senior Manager in BDO's Risk Advisory Services practice. He has provided audit and advisory services to mid-size and multi-national companies in multiple industries, and has more than 15 years of progressive experience leading and organizing teams and projects.

Professional affiliations: Institute of Internal Auditors; Information Systems Audit and Control Association; Marine Corps Association and Foundation.

Education: M.L.A., Information Management Systems, Harvard University (in progress); B.A., Information Systems Decision Sciences, Louisiana State University.

Throughout his career, Jamey has led and supported the activities needed to complete the audit process. He has experience presenting results to Senior Management and the Audit Committee. His experience includes:
- Leading, managing and conducting IT internal audits
- Managing complex IT SOX compliance projects
- Recommending and implementing IT process improvements
- Conducting and leading GRP pre-implementation reviews
- Conducting IT security assessments
- Monitoring IT governance

Jamey has extensive experience in Information Technology Standards and Governance, IT Risk Assessments, Cloud Security and Governance, Sarbanes-Oxley, IT Security assessments, Application pre- and post-implementation reviews, as well as IT Audit and Compliance.

Jessica Allen, Director, Technology & Business Transformation Services

Jessica Allen is a Director with more than 15 years of experience developing and executing enterprise-wide programs, including Security and Compliance, IT strategy, and IT Optimization & Innovation. Ms. Allen combines her technical expertise with significant experience managing large and complex programs and operations to assist organizations in achieving a variety of business objectives, including risk mitigation, enhancing efficiencies and reducing costs.

Education: M.I.S., Northern Kentucky University; B.S., Information Systems, Northern Kentucky University.

Having significant experience leading large transformations as well as completing complex assessments, Ms. Allen is well-versed in:
- Security and Compliance
- Data privacy and Protection
- Process reengineering
- Program governance and oversight
- Technology Architecture
- IT service management

Ms. Allen is a frequent speaker on topics including technology advisory, security awareness and key threats, technology trends, innovation, and IT optimization. She supports key clients in BDO with complex technology and regulatory requirements.

Today's Learning Objectives

At the conclusion of this course, participants will be able to:
- Identify data governance regulations by industry and location
- Describe upcoming regulations and the impact on companies in various geographical areas
- Discuss the impact of the new regulations and the data governance risks their organization faces

Defining Data Governance

What is Data Governance?

Data governance is defining ownership and management of the availability, usability, integrity and security of data used in an enterprise. A good Data Governance program seeks to address these objectives:
- Clear information ownership
- Timely, correct information
- Clear enterprise architecture and efficiency
- Regulatory compliance and security

Data Governance is Not

The initiatives/processes below all require a well-developed Data Governance Program to be successful. However, in and of themselves, they are not Data Governance.
- Data change management
- Data cleansing
- Master Data Management (MDM)
- Data warehousing
- Database management and administration

Data Governance v. Data Management

Data Governance is about determining who inputs and makes decisions regarding how data is treated and accessed. Data Management is the process of making and implementing the decisions made in Data Governance.

Polling Question 2

Data Governance Ownership

Who Owns Data Governance?

One of the tenets of Data Governance is that enterprise data doesn't belong to individuals. It is an asset that belongs to the enterprise. There are two approaches to effective ownership of Data Governance:
- Approach #1: Assigning Data Ownership/Stewardship
- Approach #2: Federated Responsibilities

Source: The Data Governance Institute

Key Stakeholders in Data Governance

Stakeholders are those individuals that could have an effect on, or are affected by, the data within your organization. Usually this group is a mix of individuals from across the organization, and it will be different in every organization. Some of the usual suspects are:
- IT Teams: CIO, CISO, IT Security, Database Administrators, Applications Administrators
- Business Teams: Legal, Data Governance Officer

Internal Audit's Role in Data Governance
- Evaluate the Data Governance Program maturity.
- Evaluate against documented data governance Policies and Procedures: data content management, data records management, data quality, data identification and classification, data access.
- Does Internal Audit have the necessary skill sets?
- Evaluate the appropriateness of data owners/stewards.
- Does the IT group have an asset inventory?

Internal Audit's Role in Compliance with Privacy Regulations
- Understand what data privacy regulations apply to your organization.
- Evaluate if documented Policies and Procedures address the identified privacy regulations.
- Evaluate if the organization has identified the key data that is subject to regulatory requirements.
- Audit processes to determine how they impact the privacy of data subjects.
- Evaluate whether systems and processes have been developed with appropriate privacy considerations.
- Report on systems that contain significant amounts of personal data and provide a plan for remediation and management of these systems.

IT's Role in Data Governance and Related Privacy Regulations
- Chair on the Steering Committee/Data Governance Board.
- Maintain the logical and physical security of the applications and keep them up to date.
- Responsible for developing the backup and data recovery plan with the input of the business.
- Meeting Service Level Agreements as agreed with the Data Owners/Stewards.
- Ensuring that applications and databases are appropriately installed and administered.

COBIT 5 to Audit Data Governance

COBIT 5 establishes seven enablers to drive better information and data governance and management. Each of the enablers has goals and metrics that aim to drive better control and improvement of:
- Management of IT-related business risk
- Transparency of IT costs, benefits and risk
- Security of information, processing infrastructure and applications
- IT compliance with internal policies
- Risk threshold definition and communication
- Managing critical IT-related enterprise risk effectively and efficiently
- Ensuring that IT-related risk does not exceed the enterprise risk appetite

Source: ISACA, COBIT 5

Other Considerations: Cybersecurity Assessments

Understand your entire data protection landscape:
- Vulnerability assessments and penetration testing (VAPT)
- Incident response readiness testing
- HITRUST assessment
- IT security risk assessment
- ISO 2700x readiness assessment
- PCI DSS readiness assessment

Polling Question 3

Key Components of Data Governance

6 Key Pillars of Data Governance

[Figure: the six key pillars of data governance information. A well-defined Data Governance framework addresses this information within an organization.]

Benefits of a Well-Defined Data Governance Framework
- Regulatory compliance
- Improved data quality
- Consistent definitions of business terms
- Decision-making based on information (confidence in the data)
- Collaboration among business units
- Appropriate use of information
- Sharing information internally (data integration and reuse)
- Simplified (and known) data management business processes

Polling Question 4

Regulatory Requirements

US Data Privacy Regulations

Our government has taken the approach of addressing specific data privacy concerns by type of data. As a result, there are more than 200 laws in the U.S. that involve data privacy and data security. These are just a few:
- Health Insurance Portability and Accountability Act (HIPAA)
- Health Information Technology for Economic and Clinical Health (HITECH)
- Payment Card Industry Data Security Standard (PCI-DSS)
- Fair Credit Reporting Act (FCRA)
- Fair and Accurate Credit Transactions Act of 2003 (FACTA)

United States State-Specific Data Regulations
- California Online Privacy Protection Act (OPPA) of 2003
- California Data Breach Notification - Civil Code s. 1798.29(a)
- California Civil Code section 1798.81.5 - Security of Personal Information
- Other California Data Privacy Laws: 25+ laws covering specific types of data (e.g. Insurance Information and Privacy Protection Act)
- Massachusetts "Standards for the Protection of Personal Information of Residents of the Commonwealth" (201 CMR 17.00)
- New York Department of Financial Services Cybersecurity Regulation (NY DFS)

General Data Protection Regulation (GDPR) Requirements

Polling Question 5

What is GDPR?

The General Data Protection Regulation (GDPR) replaces the 1995 EU Data Directive. It affects organizations in the European Union (EU), those that offer goods and services to individuals in the EU, and those that collect and analyze data related to EU residents, regardless of their location.
- Enhances personal privacy rights
- Increased requirements to protect data
- Mandatory breach reporting
- Significant penalties for non-compliance

Does GDPR Apply to You?
- Personal Data is defined broadly: any information relating to an identified or identifiable natural person (e.g. an IP address).
- Applies to all types of organizations.
- Applies to organizations wherever they are located that offer goods and services (including free services) to people in the EU, or that monitor the behavior of people in the EU (e.g. website analytics).
- Applies to both Controllers and Processors.

Key High-Level GDPR Facts
- Effective Date: May 25, 2018
- Interpretation: guided by the European Data Protection Board (EDPB), Article 29 Working Party opinions under the Data Protection Directive, case law and Article 40 Codes of Conduct
- Fines and Penalties: €20 million or 4% of annual global turnover, whichever is higher
- Guidance: experienced guidance is important for companies navigating this unfamiliar and unsettled terrain.

What Does This Mean for My Data? Protecting customer privacy with GDPR

Polling Question 6

Key Changes to Address with GDPR

The most common requirements for all companies subject to the GDPR include:
- Personal privacy: rights of the data subject include the right of access, rectification and erasure.
- Transparency & Accountability: companies must provide clear notice of data collection, purposes of processing and retention/deletion practices.
- Controls, Policies & Procedures: appropriate safeguarding must be implemented, along with the ability to notify authorities of data breaches.
- Training & Awareness: companies must provide clear notice of data collection, purposes of processing and retention/deletion practices.

Primary Considerations

1. Relevance and Responsibilities
- Identify all areas where personal data may be stored
- Determine if personal data belongs to any EU data subjects
- Identify your responsibility as a data controller or processor
- Identify all third parties who have access to personal data you store

2. Readiness
- Review your policies against all relevant Authority Documents, not just GDPR, and identify synergies and gaps
- Conduct a data mapping exercise
- Review third-party contracts and ensure relevant GDPR language is included
- Review privacy notices to ensure transparency, fairness and accessibility
- Provide GDPR training to staff
- Test your incident response capabilities to ensure compliance with the 72-hour breach notification requirement

3. Remediate
- Develop a detailed remediation roadmap to prioritize and ensure timely compliance
- Update policies & procedures or create new ones to address gaps
- Develop and maintain a data register to record all processing activities
- Designate and register a DPO to serve as liaison to the relevant supervisory authorities
- Implement privacy by design and privacy by default principles and security controls in all systems and processes
- Review and update cross-border data transfer processes to conform with company-specific conditions

4. Prep for Audit
- Document all ongoing policies, procedures and controls for GDPR compliance requirements
- Ask vendors to provide evidence of compliance with GDPR and ongoing due diligence

Working Toward Compliance: Identify. Analyze. Govern.
- Define risk criteria
- Evaluate vendors & rank risks
- Develop a compliance roadmap
- Develop a data register & data flow diagrams
- Review policies & contracts for gaps
- Remediate, govern & manage

Data Mapping: Business Process Mapping, Data Registers, and Data Flow Diagrams
- Identify existing data and application inventories
- Understand Privacy by Design activities
- Gather policies & procedures
- Develop project plan and charter
- Develop data register

[Figure: sample data flow diagram showing the roles Patient, Lab Tech, Nurse, Pharmacist and Doctor interacting with a Patient Care Application.]

[Figure: Process Overview with Data Risks. Client Team steps: client contacts vendor; client provides conflict check information; project setup forms are completed; team is engaged; onsite information gathering; client provides financial statements and supporting documents; services are performed; findings are finalized; report is delivered to client and a copy is archived. Data Platforms: data entry of client info, G Drive, Client Portal, Office365, Email, File Exchange, BDO Laptop, APT Vault. Data Retention: information is retained for one year; at project close, files are sent to SharePoint; some data is deleted after 30-45 days.]

Polling Question 7

Policies and Procedures: Align with GDPR

GDPR Resources

For more information on GDPR please visit: www.bdo.com/gdpr

Other Webinars:
- GDPR is coming: Don't be left in the dark
- GDPR through different lenses

Questions

Jamey Loupe, jloupe@bdo.com, 713-960-1706
Jessica Allen, Jessica.allen@bdo.com, 513-592-2375

Coming Events
- March 12-14, 2018: IIA-GAM Conference, Las Vegas (The Aria), Booth 116
- April 24, 2018: 2018 Internal Audit Webinar Series, Course 2, "The Integrated Auditor: Becoming the Go-To Resource Your Company Needs", 3 PM ET / 2 PM CST

Conclusion

Thank you for participating!

Certificate Availability: if you participated the entire time and responded to at least 75% of the polling questions, you may click the Participation tab to access the print certificate button.

Exit: please exit the interface by clicking the red X in the upper right-hand corner of your screen.