Information Governance Roadmap

Academic year: 2021

(1)

Information Governance Roadmap

Mitigating Privacy Risks, Reducing Costs and Meeting Obligations

(2)

Heather Buchta, Partner, Quarles & Brady

Rebecca Perry, CIPP/US/G, Director of Professional Services, Jordan Lawrence

(3)
(4)

Defensible Deletion Solves the Problems

(5)
(6)

Gartner’s Definition:

The specification of decision rights and an accountability framework to ensure appropriate behavior in the valuation, creation, storage, use, archiving and deletion of information. It includes the processes, roles and policies, standards and metrics that ensure the effective and efficient use of information in enabling an organization to achieve its goals.

(7)

Multi-Faceted

• Information security
• Data science
• Electronic discovery
• Business management
• Compliance
• Business intelligence
• Analytics
• Records management
• Finance
• Audit
• Privacy
• Risk Management

(8)
(9)

ABC Company’s Retention Schedule

(10)

Start With a Solid Foundation

RECORD TYPE DNA: SENSITIVITY | STORAGE | USAGE & RETENTION | DATA SUBJECTS | PRIVACY | REGULATORY | MEDIA

(11)

Accident/Incident Records

Advertising Records

Benefit Records

Budget Records

Contracts & Agreements

Coupon Records

Credit Approvals

Customer Information

Customer Orders

Employee Medical Files

Gift Card Functions

Payment Records

Sales Receipts

(12)

Where Is It?

(13)

REQUIREMENTS: Business Needs | DOL | FSMA | GLB | HIPAA | OSHA | SEC | State Privacy Laws

SENSITIVITY: Cardholder Data | Corporate Sensitive | Government IDs | Intellectual Property | PII | Biometric | Patient Health Info.

(14)
(15)
(16)
(17)
(18)

Actionable Retention Schedule

(19)

Most information has little retention value

Litigation Holds

Valid Business Records: legitimate retention requirements

Reference Value: retention varies

(20)

Copyright © Jordan Lawrence 2014 | All Rights Reserved

Deletion Strategy for Email

Inbox = 180 days
Sent Items = 180 days
Deleted Items = 2 days

Non-essential communication: 18 month retention (all departments)

Business need communications, departmental exceptions:
6 year retention | HR
Disability records | 6 years
7 year retention | Legal
7 year retention | Tax
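The email schedule above, written out as a disposition check that can be run over a mailbox inventory. This is an added example, not code from the presentation: the periods (180/180/2 days, 18 months, 6/7 years by department) come from the slide, while the folder and department names, the custodian-based litigation hold list, the "Archive" tier for the retained copy, and the sample items are assumptions made for illustration. The slide does not say how the per-folder day limits and the month/year retention periods interact; the example assumes the day limits govern live mailbox folders and the longer periods govern the retained copy.

```python
"""Retention disposition check for the email deletion strategy above.

Added example, not code from the presentation. Periods are taken from the
slide; folder/department names, the hold list, the "Archive" tier and the
sample mailbox are assumptions for illustration.
"""
import calendar
from dataclasses import dataclass
from datetime import date

# Live mailbox folders age out by days; retained copies are kept for months,
# with departmental exceptions for business-need communications.
FOLDER_LIMIT_DAYS = {"Inbox": 180, "Sent Items": 180, "Deleted Items": 2}
DEFAULT_RETENTION_MONTHS = 18                                       # all departments
DEPARTMENT_RETENTION_MONTHS = {"HR": 72, "Legal": 84, "Tax": 84}   # 6, 7, 7 years
ARCHIVE = "Archive"   # assumed name of the folder-independent retained copy


@dataclass(frozen=True)
class Item:
    item_id: str
    department: str
    folder: str
    created: date
    business_need: bool   # flagged as a business-need communication
    custodian: str


@dataclass(frozen=True)
class Decision:
    action: str   # "retain", "archive" or "delete"
    reason: str   # recorded so the run doubles as an audit trail


def add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic; the day is clamped for short months."""
    years, month0 = divmod(d.month - 1 + months, 12)
    year, month = d.year + years, month0 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


def evaluate(item: Item, today: date, holds: frozenset) -> Decision:
    # 1. A litigation hold on the custodian overrides every schedule.
    if item.custodian in holds:
        return Decision("retain", "litigation hold")

    # 2. Live mailbox folders age out by the per-folder day limit. Inbox and
    #    Sent Items move to the retained copy; Deleted Items are purged.
    limit = FOLDER_LIMIT_DAYS.get(item.folder)
    if limit is not None:
        if (today - item.created).days < limit:
            return Decision("retain", f"within {limit}-day {item.folder} window")
        if item.folder == "Deleted Items":
            return Decision("delete", f"user-discarded, {limit}-day window elapsed")
        return Decision("archive", f"{item.folder} older than {limit} days")

    # 3. Retained copies: business-need mail follows the departmental exception
    #    (or the default where none exists); everything else follows the default.
    months = DEFAULT_RETENTION_MONTHS
    if item.business_need:
        months = DEPARTMENT_RETENTION_MONTHS.get(item.department, months)
    kind = "business record" if item.business_need else "non-essential communication"
    if today >= add_months(item.created, months):
        return Decision("delete", f"{kind} past {months}-month retention")
    return Decision("retain", f"{kind} within {months}-month retention")


def run_disposition(items, today: date, holds) -> dict:
    """Evaluate every item; the returned map is the audit-trail record of one run."""
    frozen = frozenset(holds)
    out = {}
    for item in items:
        d = evaluate(item, today, frozen)
        out[item.item_id] = (d.action, d.reason)
    return out


TODAY = date(2021, 3, 1)
SAMPLE_ITEMS = [   # constructed mailbox inventory, not real data
    Item("m1", "HR", ARCHIVE, date(2014, 6, 15), True, "alice"),        # 6-year HR exception elapsed
    Item("m2", "Legal", ARCHIVE, date(2013, 1, 10), True, "bob"),       # custodian under hold
    Item("m3", "Marketing", ARCHIVE, date(2020, 1, 15), True, "carol"), # no exception: 18 months
    Item("m4", "Sales", "Inbox", date(2020, 6, 1), False, "dave"),      # 273 days in Inbox
    Item("m5", "Sales", "Deleted Items", date(2021, 2, 27), False, "dave"),
    Item("m6", "Sales", ARCHIVE, date(2019, 8, 1), False, "dave"),      # 18 months elapsed
    Item("m7", "Sales", "Inbox", date(2021, 2, 1), False, "erin"),
]

if __name__ == "__main__":
    for hold_set in ({"bob"}, set()):   # second run: the hold on bob has been released
        print(f"holds={sorted(hold_set)}")
        for item_id, (action, reason) in run_disposition(SAMPLE_ITEMS, TODAY, hold_set).items():
            print(f"  {item_id}: {action:7} {reason}")
```

The ordering of the checks is the point: a hold is tested before any schedule, so an item that is years past its retention period is still retained while its custodian is on hold, and becomes deletable on the next run after the hold is released (item m2 in the sample). Recording the reason with each action is what turns the run into the audit trail the deck asks for.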

(21)

Leverage Technology

RECORDS: 6 Years | 3 Years | 18 Months

NON-RECORDS

(22)

Eliminate Obsolete Paper Records

44% Of Boxes Eligible for Immediate Destruction (destroyed boxes: 44%; remaining boxes: 56%)

(23)

ABC Company’s Records Management Training

(24)

Records Retention Policy

Require Regular Policy Attestation

Build Your Audit Trail

(25)

Mitigating Privacy Risks

(26)

Privacy Assessment / Privacy Audit / Due Diligence

• Interviews
• Investigation

Identify – Who? What? When? Where? Why?

Data – consumer or business?
Source – online or offline?
Geography – US or foreign?
Context – purchases or sweepstakes?
Storage – onsite or offsite?
Usage – shared or used internally?

(27)

Categorize your Data

• Create a data map
• Is your data sensitive? Personally identifiable? Financial? Health related? Employee related?

(28)

Regulatory Review (United States)

PERSONAL INFORMATION
  Federal: FTC Act, COPPA, CAN-SPAM, TCPA, FERPA
  State: breach notification, point-of-sale collection, state consumer protection, security obligations

HEALTH INFORMATION
  Federal: HIPAA, HITECH, Health Breach Notification Rule, GINA
  State: HIPAA-like

FINANCIAL INFORMATION
  Federal: GLB, FCRA, FACTA
  State: GLB-like

EMPLOYEE INFORMATION
  Federal: ERISA, FMLA, Whistleblower Protection Act
  State: contract law

(29)

Industry Review

Credit card data
• PCI DSS v3
• Nevada 603A.215
• Minnesota 325E.64

Online tracking
• Digital Advertising Alliance
• OBA and retargeting

North American Electric Reliability Corporation (NERC)

National Institute of Standards & Technology (NIST)
• Media sanitization

(30)

Self-Imposed Obligations

Contractual
• Vendors
• Customers

Privacy Policies and Privacy Notices

(31)

Security

• “Appropriate” and “Reasonable”
• Security audit: a systematic, measurable technical assessment of how the organization's security policy is employed at a specific site (Symantec 2003)
• What is involved? Personal interviews; vulnerability scans (pen-testing); examinations of operating system settings

(32)

When, Not If

• WISP
• Consider Insurance Options
• Identify Key Team Members: key executives; compliance – CISO?; legal; marketing/HR; PR; IT/forensics; incident response vendor?

Incident Response Plan

Tabletop Exercises

(33)

Next Steps…..

1. Internal Privacy Program

2. Data Retention Schedule

3. Regularly Review

(34)
(35)

Heather Buchta
Partner
Quarles & Brady
602.229.5228
[email protected]

Rebecca Perry
CIPP/US
Director of Professional Services
Jordan Lawrence
636.821.2251
[email protected]
