FEBRUARY 27, 2018 The Evolution of Data Governance Regulations and What IA Departments Need to Know Jamey Loupe | Senior Manager, Risk Advisory Services Jessica Allen | Director, Technology & Business Transformation Services
FEBRUARY 27, 2018
The Evolution of Data Governance Regulations and What IA Departments Need to Know
Jamey Loupe | Senior Manager, Risk Advisory ServicesJessica Allen | Director, Technology & Business Transformation Services
2
CPE and Support
CPE Participation Requirements | To receive CPE credit for this webcast: You’ll need to actively participate throughout the program. Be responsive to at least 75% of the polling questions. Please refer the CPE & Support Handout in the Handouts section for more information
about group participation and CPE certificates.
Q&A | Submit all questions using the Q&A feature on the lower right corner of the screen. Presenter(s) will review and answer questions submitted as time allows. *Please note that questions and answers submitted/provided via the Q&A feature are visible to all participants as well as the presenters.
Technical Support | If you should have technical issues, please contact LearnLive:Click on the Live Chat icon under the Support tab, OR call: 1-888-228-4088
Audio | Audio will be streamed through your computer speakers. If you experience audio issues during today’s presentation, please dial into the teleconference: 1-855-233-5756, and use teleconference code: 226 838 6759 #
3
Polling Question 1 (Test)
4
Jamey Loupe, CISASenior Manager | Risk Advisory Services
Jamey is a Senior Manager in BDO’s Risk Advisory Services practice. He has provided audit and advisory services to mid-size and multi-national companies in multiple industries, and has more than 15 years of progressive experience leading and organizing teams and projects.
Throughout his career, Jamey has led and supported the activities needed to complete the audit process. He has experience presenting results to Senior Management and the Audit Committee. His experience includes:
Leading, managing and conducting IT internal audits
Managing complex IT SOX compliance projects
Recommending and implementing IT process improvements
Conducting and leading GRP pre-implementation reviews
Conducting IT security assessments
Monitoring IT governance
Jamey has extensive experience in Information Technology Standards and Governance, IT Risk Assessments, Cloud Security and Governance, Sarbanes Oxley, IT Security assessments, Application pre and post implementation reviews, as well as IT Audit and Compliance.
PROFESSIONAL AFFILIATIONSInstitute of Internal AuditorsInformation Systems Audit and Control Association Marine Corps Association and Foundation
EDUCATION M.L.A., Information Management Systems, Harvard University (in progress)B.A, Information Systems Decision Sciences, Louisiana State University
5
Jessica AllenDirector| Technology & Business Transformation Services
Jessica Allen is a Director with more than 15 years of experience developing and executing enterprise-wide programs, including Security and Compliance, IT strategy, and IT Optimization & Innovation. Ms. Allen combines her technical expertise with significant experience managing large and complex programs and operations to assist organizations in achieving a variety of business objectives, including risk mitigation, enhancing efficiencies and reducing costs.
Having significant experience leading large transformation as well as completing complex assessments, Ms. Allen is well-versed in
Security and Compliance
Data privacy and Protection
Process reengineering
Program governance and oversight
Technology Architecture
IT service management
Ms. Allen is a frequent speaker on topics including technology advisory, security awareness and key threats, technology trends, innovation, and IT optimization. She supports key clients in BDO with complex technology and regulatory requirements.
EDUCATION M.I.S., Northern Kentucky UniversityB.S., Information Systems, Northern Kentucky University
6
Today’s Learning Objectives
At the conclusion of this course, participants will be able to:
Identify data governance regulations by industry and location
Describe upcoming regulations and the impact on companies in various geographical areas
Discuss the impact of the new regulations and the data governance risks their organization faces
7
Defining Data Governance
8
What is Data Governance
Data governance is defining ownership and management of the availability, usability, integrity and security of data used in an enterprise.
A good Data Governance program seeks to address these objectives: Clear information ownership Timely, correct information Clear enterprise architecture and efficiency Regulatory Compliance and security
9
Data Governance is Not
The below initiatives/processes all require a well developed Data Governance Program to be successful.
However, in and of themselves, they are not Data Governance.
Data change management Data cleansing Master Data Management (MDM) Data warehousing Database management and administration
10
Data Governance v. Data Management
Data Governance is about determining who inputs and makes decisions regarding how data is treated and accessed.
Data Management is the process of making and implementing the decisions made in Data Governance.
11
Polling Question 2
12
Data Governance Ownership
13
Who Owns Data Governance?
One of the tenets of Data Governance is that enterprise data doesn’t “belong” to individuals. It is an asset that belongs to the enterprise. There are two approaches to effective ownership of Data Governance.
Approach #1: Assigning Data Ownership/Stewardship
Approach #2: Federated Responsibilities
Source: The Data Governance Institute
14
Key Stakeholders in Data Governance?
Stakeholders are those individuals that could have an effect on or are affected by the data within your organization. Usually this group is a mix of individuals from across the organization.
This will be different in every organization. Some of the usual suspects are:
IT Teams• CIO• CISO• IT Security• Database
Administrators• Applications
Administrators Business Teams Legal
• Data Governance Officer
15
Internal Audit’s Role in Data Governance
Evaluate the Data Governance Program Maturity. Evaluate against documented data governance Policies and
Procedures.• Data Content Management• Data Records Management• Data Quality• Data Identification and Classification• Data Access
Does Internal Audit have the necessary skillsets. Evaluate the appropriateness of data owners/stewards Does the IT group have an asset inventory
16
Internal Audit’s Role in Compliance with Privacy Regulations Understand what data privacy regulations apply to your
organization. Evaluate if documented Policies and Procedures address the
identified privacy regulation. Evaluate if the organization has identified the key data that is
subject to regulatory requirements. Audit processes to determine how they impact privacy of data
subjects Evaluate whether systems and processes have been developed
with appropriate privacy considerations. Report on systems that contain significant amounts of personal
data and provide a plan for remediation and management of these systems.
17
IT’s Role in Data Governance and Related Privacy Regulations
Chair on Steering Committee/Data Governance Board Maintain the logical and physical security of the
applications and keep them up-to-date. Responsible for developing the backup and data recovery
plan with the input of the business. Meeting Service Level Agreements as agreed with the Data
Owners/Stewards. Ensuring that applications and databases are appropriately
installed and administered.
18
COBIT 5 to Audit Data GovernanceCOBIT 5 establishes seven enablers to drive better information and data governance and management. Each of the enablers has goals and metrics that aim to drive better control and improvement of:
Management of IT-related business risk Transparency of IT costs, benefits and risk Security of information, processing infrastructure and applications IT compliance with internal policies Risk thresholds definition and communication Managing critical IT-related enterprise risk effectively and
efficiently Ensuring that IT-related risk does not exceed the enterprise risk
appetiteSource ISACA, COBIT 5
19
Other Considerations: Cybersecurity Assessments UNDERSTAND YOUR ENTIRE DATA PROTECTION LANDSCAPE
Vulnerability assessments and penetration testing (VAPT)
Incident response readiness testing
HITRUST assessment
IT security risk assessment
ISO 2700x readiness assessment
PCI DSS readiness assessment
20
Polling Question 3
21
Key Components of Data Governance
22
6 Key Pillars of Data Governance InformationA well defined Data Governance framework addresses this information within an organization.
23
Benefits of a Well-Defined Data Governance Framework
Regulatory compliance Improved data quality Consistent definitions of business terms Decision-making based on information (confidence in the
data) Collaboration among business units Appropriate use of information Sharing information internally (data integration and reuse) Simplified (and known) data management business processes
24
Polling Question 4
25
Regulatory Requirements
26
US Data Privacy Regulations
Our government has taken the approach to address specific data privacy concerns by type of data. As a result, there are more than 200 laws in the U.S. that involve data privacy and data security. These are just a few…
Health Insurance Portability and Accountability Act (HIPAA)
Health Information Technology for Economic and Clinical Health (HITECH)
Payment Card Industry Data Security Standard(PCI-DSS)
Fair Credit Reporting Act(FCRA)
Fair and Accurate Credit Transactions Act of 2003 (FACTA)
27
United States – State Specific Data Regulations
California Online Privacy Protection Act (OPPA) of 2003
California Data Breach Notification - Civil Code s. 1798.29(a)
California Civil Code section 1798.81.5 - Security of Personal Information
Other California Data Privacy Laws – 25+ laws covering specific types of data (i.e. Insurance Information and Privacy Protection Act)
Massachusetts Standards for The Protection of Personal Information of Residents of the Commonwealth" (or 201 CMR 17.00)
New York Department of Financial Services Cybersecurity Regulation (NY DFS)
28
General Data Protection Regulation (GDPR) Requirements
29
Polling Question 5
30
What is GDPR?
Replaces the 1995 EU Data Directive
The General Data Protection Regulation (GDPR) affects organizations in the European Union (EU) or those that offer goods and services to individuals in the EU, or that collect and analyze data related to EU residents, regardless of their location.
Enhances personal privacy rights
Increased requirements to protect data
Mandatory breach reporting
Significant penalties for non-compliance
31
Does GDPR Apply to You?
“Personal Data” is defined broadly
Any information relating to an identified or identifiable natural person (e.g. IP address)
Applies to all Types of Organizations
Applies to organizations wherever they are located that: Offer goods and services (including free services) to
people in the EU; or That monitor the behavior of people in the EU (e.g.
website analytics)
Applies to both “Controllers” and “Processors”
32
Key High-Level GDPR Facts
Fines and Penalties€20 million or 4% of annual global, whichever is higher
InterpretationGuided by the European Data Protection Board (“EDPB”) Article 29 Working Party opinions under the Data Protection Directive, case law and Article 40 Codes of Conduct
Effective DateMay 25, 2018
GuidanceExperienced guidance is important for companies navigating this unfamiliar and unsettled terrain.
33
What Does This Mean for My Data?
Protecting customer privacy with GDPR
34
Polling Question 6
35
Key Changes to Address with GDPR
The most common requirements for all companies subject to the GDPR include:
Controls, Policies & ProceduresAppropriate safeguarding must be implemented, along with the ability to notify authorities of data breaches.
Transparency & AccountabilityCompanies must provide clear notice of data collection, purposes of processing and retention/deletion practices.
Personal privacyRights of the data subject include right of access, rectification and erasure.
Training & AwarenessCompanies must provide clear notice of data collection, purposes of processing and retention/deletion practices.
36
Primary Considerations
Relevance and Responsibilities Readiness
Identify all areas where personal data may be stored
Determine if personal data belongs to any EU “data subjects”
Identify your responsibility as a data “controller” or “processor”
Identify all third parties who have access to personal data you store
Review your policies against all relevant Authority Documents – not just GDPR –and identify synergies and gaps
Conduct data mapping exercise
Review third party contracts and ensure relevant GDPR language is included
Review privacy notices to ensure transparency, fairness and accessibility
Provide GDPR training to staff
Test your incident response capabilities to ensure compliance with 72-hour breach notification requirement
1 2
37
Primary Considerations
Remediate
Develop a detailed remediation roadmap to prioritize and ensure timely compliance
Update policies & procedures or create new ones to address gaps
Implement privacy by design and privacy by default principles and security controls in all systems and processes
Review and update cross-border data transfer processes to conform with company-specific conditions
Prep for Audit
Develop and maintain a data register to record all processing activities
Designate and register a DPO to serve as liaison to the relevant supervisory authorities
Document all ongoing policies, procedures and control for GDPR compliance requirements
Ask vendors to provide evidence of compliance with GDPR and ongoing due diligence
43
38
Working Toward Compliance IDENTIFY. ANALYZE. GOVERN.
Define Risk
Criteria
Develop Data Register
& Data Flow Diagrams
Evaluate Vendors
& Rank Risks
Review Policies
& Contracts for Gaps
Develop a Compliance Roadmap
Remediate, Govern
& Manage
39
Data MappingBUSINESS PROCESS MAPPING, DATA REGISTERS, AND DATA FLOW DIAGRAMS
Identify existing data and application inventories
Understand Privacy by Design activities
Gather policies & procedures
Develop project plan and charter
Develop data register
Patient Care Application
Patient
Nurse
Doctor
Lab Tech
Pharmacist
Process Overview with Data Risks
Clie
ntTe
amDa
ta P
latfo
rms
Data
Ret
entio
n
Client contacts vendor
Report is delivered to client and copy is
archived
Findings are finalized
Data entry – client info
Project setup forms are completed
Onsite information
gathering
Client provides
conflict check information
Information is retained
for one-year
Client provides financial statements,
supporting documents
Office365Email BDO Laptop
Services are performed
Client Portal
File Exchange APT Vault
Files sent to SharePoint
G Drive
Team is engaged
Data that is deleted after 30-45 days
Project close
40
Polling Question 7
41
Policies and ProceduresALIGN WITH GDPR
42
GDPR Resources
For more information on GDPR please visit:www.bdo.com/gdpr
Other Webinars:GDPR is coming: Don’t be left in the dark
GDPR through different lenses
44
Coming Events
March 12-14, 2018IIA-GAM ConferenceLas Vegas (The Aria)Booth 116
April 24, 20182018 Internal Audit Webinar Series – Course 2The Integrated Auditor: Becoming the Go-To Resource
Your Company Needs3 PM ET / 2 PM CST
45
ConclusionThank you for participating!
Certificate Availability | If you participated the entire time and responded to at least 75% of the polling questions, you may click the Participation tab to access the print certificate button.
Exit | Please exit the interface by clicking the red “X” in the upper-right-hand corner of your screen.