Posted on 21-Jul-2020

Secrets to Success! Accountability in Global

Organizations

Marisa Rogers & Jenifer Garone, Microsoft

Ruby Zefo, Intel

AGENDA

• Accountability at the top

• Accountability across the business

• Assessments & Reporting

• Gaining Buy-In for Resources

• Remediation & Incident Response

PRIVACY ACCOUNTABILITY FROM THE TOP

• Tone from the top

• Privacy ≠ Security.

vs.

PRIVACY ACCOUNTABILITY ACROSS THE BUSINESS

• Policies, Tools & Training

PRIVACY ACCOUNTABILITY AT MICROSOFT

Microsoft governs its privacy program using the “hub & spoke” model, with the corporate privacy team (TwC Privacy) and Privacy Managers, Leads, & Champs in the organizations across the company.

The “hub,” Trustworthy Computing, is responsible for:

• Policies, Standards & Procedures (PSPs)

• Training

• Tools

• Reporting

• Capacity

• Comms

The “spokes” (Services; Engineering Groups; HR, Finance, Legal, IT; Sales & Marketing) are responsible for implementation and compliance with PSPs.

BRINGING A MATRIXED ORGANIZATION TOGETHER

[Diagram: TwC Privacy at the hub; the spokes are the Engineering Groups, Business Groups and Corporate Functions (Services; Engineering Groups; HR, Finance, Legal, IT; Sales & Marketing), each staffed with Privacy Managers, Privacy Leads and Privacy Champs.]

• Privacy Steering Committee

• Privacy Councils (e.g. marketing, advertising, enterprise, vendor)

• Privacy Committees (e.g. training, career development, controls)

PRIVACY ROLES

Requirements: Review, Approve, Attest, Consult, Validation

Testing: Test Plans, UAT

Go/No Go: Attend, Vote

Deployment: Review, Approve, Certify, Consult, Validation

Business Privacy Manager

Requirements: Consultation, Validation

Risk Mitigation: Consultation

Deployment: Approve, Attest

Operate & Maintain: Consultation, Validation, Risk Assessments, SLT Reporting, Contract Reviews, Exceptions, Policies & Standards

Issue Resolution: Consultation, Validation, Escalations

MSIT Privacy Manager

Requirements: Consultation, Exceptions, Policies & Standards, Act as Business Privacy Manager when a gap exists, MSIT and Business Privacy jointly approach TwC for guidance

Risk Mitigation: Consultation

Deployment: Consultation, PERFs

Operate & Maintain: Consultation, Exceptions, Policies & Standards

Issue Resolution: Consultation, Validation, Escalations, MSIT and Business Privacy jointly approach TwC for guidance

TwC Privacy

Scenario: Business is working with MSIT SBU to create, design, and deliver applications & tools.

PRIVACY TOOLS

PAM – PAGO review tool

IMS – Incident & Inquiry management tool

Contacts Tool – Coverage report by org

PrivPub

EGRC – Archer

Streamlined Risk Assessment (SRA)

HOW DO I HANDLE AN EXCEPTION REQUEST?

QUIZ - TONE AT THE TOP

“If you have something that you don’t want anyone to know, maybe you shouldn’t be doing it in the first place.”

“You have zero privacy anyway. Get over it.”

“In reality, we wouldn't share your information in a way you wouldn't want ... The trust you place in us as a safe place to share information is the most important part of what makes this work.”

ASSESSMENTS/METRICS REPORTING

Everyone can do some metrics! Yes, you.

EXAMPLE ASSESSMENT: PRIVACY ACCOUNTABILITY

Key: Green = Completed; Yellow = In Process; Red = At Risk

EXAMPLE PRIVACY MATURITY ASSESSMENT

[Chart: maturity level (1 – Ad hoc, 2 – Repeatable, 3 – Defined, 4 – Managed, 5 – Optimized; Low to High) plotted per privacy area: Privacy Policies; Accountability; Identify and Classify; Incident and Breach Response; Notice; Use; Access & Accuracy; Training; Privacy by Design; 3rd party transfer; International transfer; Retention & Disposal; Security.]

Current Status = 2; Goal State = 3

Recommended minimum for processing XYZ data

Subsidiary: Current Status = ~2; Goal State = 3

Creating a PAM Assessment

Policy Approval Manager

EXAMPLE PRIVACY IMPACT ASSESSMENT

EXAMPLE PRIVACY PROGRAM METRICS

Metrics via Scorecarding

Privacy Review volume - YOY

Org Engagement - June 2013

[Chart: Privacy Inquiries/Reviews volume YTD by month (July through June), scale 0–400, for Privacy Program Monitoring; bar labels 217 and 174.]

OBTAINING RESOURCES

What do all these have in common?

REMEDIATION & INCIDENT RESPONSE

MANAGING INCIDENTS

KEY TAKEAWAYS

• Privacy as a business enabler

• Measure, measure, measure – people do what they’re measured on

• Leveraging like-minded roles

• Have a privacy elevator pitch!