TRANSCRIPT
ARMA NYC Annual Conference
March 6, 2018
INFORMATION MANAGEMENT PROFESSIONALS
METRO CHAPTER
Privacy and Security: An Opportunity for IG
Presented by
Lauren Barnes, Director of Information Governance, S&P Global
Susan Chapdelaine, Managing Director, Morae Global
INTERNATIONAL
Opportunity
“A time or set of circumstances that makes it possible to do something.” (Oxford English Dictionary)
Data protection and information security today present unique opportunities to advance information governance objectives.
Frequency and severity of data breaches
• Equifax – 143 million consumers affected
• Yahoo – over 1 billion accounts breached
• Uber – 57 million users and 600,000 drivers affected
• Sony Pictures data breach
o Release of confidential data, including personal information on employees and their families
o Also released information on an unreleased film, "The Interview"; estimated financial impact $15 million
Potential fines and penalties
• Privacy Shield – fines of up to $40K per violation or $40K per day for continuing violations
• GDPR changes the game – potential fines of up to 4% of annual global turnover (or €20 million, whichever is higher)
• New York Cybersecurity Regulation – $2,500 per day for continuing violations, $15K per day for a "reckless or unsound practice or pattern of misconduct", or $75,000 per day in the event of a willful violation
New requirements and potential penalties raise the bar for Information Governance, making it a strategic imperative in business today.
What are the Issues?
Requirement / Implication / Actions Required

Limitations of personal data retention
Implication:
• Companies may only retain personal data as long as there is a business need for the information
• Expectation of compliance with retention requirements
Actions required:
• Ability to apply retention/disposition within all corporate repositories / systems containing personal data
• Call to action to implement before deadlines for compliance

Consent and Right to Erasure
Implication:
• Where processing relies on consent, individuals must give consent that is freely given, specific, informed and unambiguous (explicit consent for special categories of data)
• Individuals have a right to request deletion of their personal data
Actions required:
• Documentation of consent is required
• Organizations must have a process in place to respond to requests for erasure and the ability to delete if required

Record of processing activities
Implication:
• Identification of the organization's role as controller or processor
• Identification of processing activities
Actions required:
• Establish and maintain a record of all processing activities
• Establish process and system for documenting processing activities

Data breach notification
Implication:
• Notification to the supervisory authority after the occurrence of a data breach (within 72 hours under GDPR) and to data subjects where the breach is likely to result in a high risk to them
Actions required:
• Process for breach detection and notification
• Record of notification (and a record of breaches, including those not notified)

Potential loss of IP and reputational damage through data breach
Implication:
• Security protocols and safeguards
• Enhanced security on networks/systems
Actions required:
• Assessment of security classifications and protection to prevent loss
• Policies and tools for Data Loss Prevention
Create Classify Use Retain Dispose
The IG program strategy is to embed information lifecycle management by design into the tools, systems, and processes that support the business, making it an integral part of the way information is managed. This minimizes disruption to the business and reduces or eliminates additional actions required of employees outside of their normal business activities.
Priority Initiatives / Business Process Alignment / Technology/Governance Models
• Backup Strategy
• Data Privacy/GDPR
• Data Loss Prevention
• Security Assessments
• Risk Assessments
• Information Assessments
• Technology evaluations
• Transition Planning
• Defensible Disposition
• Metrics/KPIs
• Software Development Lifecycle
• Record-enabled tool identification
• Compliance tools
Recordkeeping by design
How do we get this done?
Collaboration, Coordination and Integration
• Information management initiatives designed to mitigate risks, reduce costs, and obtain maximum value from our information
• Collaboration with Legal, Compliance and Privacy to address privacy and regulatory compliance
• Alignment of IT stakeholders to address integration of RM requirements into systems and support for business and corporate implementation
Collaboration, coordination, and integration are necessary to embed Information Governance into the tools, systems, and processes that support the business. The Legal, Compliance and IT disciplines provide valued input and direction to the vision for workable and sustainable IG models.
Information Governance disciplines (diagram):
• Information Technology
• Architecture & Data Management
• Information Security
• Business Continuity
• Records and Information Management
• Discovery
• Privacy
• Compliance Monitoring/Assurance
Framework
COMPLIANCE: Compliance Metrics · Monitoring/Escalation · Audit Process
ACCOUNTABILITY: Roles/Responsibilities · Business Ownership · Implementation Plan Tracking
POLICY: RM Policy · IG Standards · Retention Schedules
PROCESS: Identify Information Value · Assess IG Compliance · Remediation Roadmap
EDUCATION: Communications · Training & Guidance · Self-Service IG Site
TECHNOLOGY: Acceptable Record Repository · Recordkeeping/Tech Integration · IT User-facing Support
Information Governance Execution Support
Information Governance Structure
Information Lifecycle Management
CAPTURE IDENTIFY CLASSIFY UTILIZE RETAIN DISPOSE*
TECHNOLOGY INTEGRATION: Electronic Signatures · Encryption · Document Imaging · Back-up and Archiving · Active Environments With Records · Approved Record Repository
TECHNOLOGY STANDARDS
PROCESS ALIGNMENT (BUSINESS-OWNED PROCESSES): Management Communication · Business Lead Appointment · Education & Training · Business Review and Assessment · IG Mitigation Plan · Annual Compliance Certification
IG STANDARDS & PROCESSES: Retention Schedule · Preservation Holds · Security Classification · Data Privacy · Communications Retention · Unstructured Information Retention · Structured Information Retention · Compliance Monitoring and Audit · IG Compliance Process
INPUTS: Industry Best Practices · Information Governance (IG) Standards · Information Technology Strategy · Records Management Policy · Business Requirements · Legal and Compliance Requirements
Policy, Retention Schedule, Standards
IG Standards
Each IG Standard addresses five dimensions: Retention · Protection · Integrity · Availability · Disposition
Standards:
• Communications
• Structured Data
• Unstructured Data
• Data Privacy
• System Backup & Archiving
• Security Classification
• Imaging and Electronic Signatures
• Data Migration
• Approved Record Repository
• Information Sharing & Collaboration
• Discovery and Investigations
• Metadata Standard
• Legacy Data Remediation
• Preservation Holds
• Defensible Disposition Protocols
Accountability
Inputs: Industry Best Practices · Generally Accepted Recordkeeping Principles · Industry Standards · Legal & Regulatory Research

GOVERNANCE: IG Standards & Retention Schedule · RM Policy · IG Program Structure
LEAD: IG, Legal, Compliance; SUPPORT: IT, CISO

IMPLEMENTATION: Enterprise & Business Unit Compliance Progression Plans
LEAD: Business, IT; SUPPORT: IG, Legal, Compliance

SUSTAINMENT: IG Monitoring & Compliance Program · Internal Reporting, Review and Audit · Audit Guidelines
LEAD: Business; SUPPORT: IT, IG, CISO, Legal, Compliance
Information Governance (IG) Program
IG Strategy and Implementation Plan
• IG Training and Support
• Policy, Standards & Records Retention Schedule
• Guide goal setting and monitor milestone achievement
Business Initiatives (Business Divisions)
• Assess information to determine gaps with IG Standards and RRS
• Develop and execute Business Transition Plans
Technology Initiatives (Global Technology)
• Assess system capabilities to meet IG Standards
• Support plan development and technology implementation
Information Governance · Business Ownership · IT Support: Collaboration, Coordination, Interdependence, Alignment
Engaging IT – System Assessment
Identify gaps, examples and solutions by system category

Unstructured Systems
• Gap: Lacks recordkeeping features or uses ineffective and error-prone manual recordkeeping processes
• Examples: File shares · Desktops · Email (unmanaged)
• Solutions: Retire non-compliant recordkeeping systems and processes; migrate records to records-enabled solutions (e.g. Box.com, O365)

Collaboration Tools (Enterprise)
• Gap: Capable of meeting recordkeeping standards, but may not be configured or have scalable governance models in place
• Examples: Box.com · O365/SharePoint · Other CMS
• Solutions: Confirm recordkeeping configuration or customization plans with IT; identify governance models, file plans, and taxonomies as necessary

Structured Business Systems (Departmental/Niche)
• Gap: May not meet recordkeeping standards without configuration, add-ons, customization, or other enhancements
• Examples: Salesforce (Sales) · OneTrust (Data Privacy) · Collibra (Security)
• Solutions: Confirm recordkeeping configuration or customization plans with IT; replace and migrate to records-enabled systems

Structured Business Systems (Enterprise)
• Gap: May not meet recordkeeping standards without configuration, add-ons, customization, or other enhancements
• Examples: Oracle ERP · SAP · Workday (HR/Finance +)
• Solutions: Confirm recordkeeping configuration or customization plans with IT; replace and migrate records to records-enabled systems

Options to resolve recordkeeping gaps may vary for on-premise, cloud, and hybrid solutions.
Engaging the Business
Phases: Identify · Analyze · Develop Transition Plan · Engage · Execute · Monitor / Measure (Assess, then Implement)

Identify
• Identify information in business process
• Assess information value
• Map to Retention Schedule

Analyze
• Determine recordkeeping capabilities of applications based upon IT Assessment
• Identify gaps in existing systems and practices

Develop Transition Plan
• Determine solutions
• Identify required process changes and milestones
• Establish timing, resources and budget

Engage
• Develop communications & support materials
• Confirm availability of required resources
• Inform team members

Execute
• Execute change
• Implement process changes
• Deploy tools
• Provide guidance and support to team members

Monitor / Measure
• Report progress & measure results
• Evaluate effectiveness
• Implement improvements

Timeframes are based upon dependencies including: scope of change required · available resources · technology · SMEs · budget
Business / Technology / Information Governance Partnership
Bringing it together
Policy and Standards: Policy, Standards, RRS, Change Management

Business Ownership and Compliance Assessment
• Business assesses information to determine gaps with new Standards
• IG provides Tools, Support & Training
• Decision point: does the business have a Transition Plan?

Transition Plan
• Business develops and executes Transition Plan to IG Compliance (est. approx. 2 years)
• As part of the Transition Plan, technology is aligned with IG processes, bringing applications, repositories and information storage locations into compliance
• IT provides technology capability for IG Compliance (IT support to Business)

Monitoring & Reporting
• Division IG Plan
• Compliance monitors Transition Plan progress
• IG provides metrics to measure compliance

Audit Process
• When the Transition Plan is complete, it is evaluated for IG Compliance
• Compliance with RM Policy and IG Standards is subject to Audit
Defensibility of IG Program
• Policy, program and implementation approach meet regulatory obligations
• Documented policy, standards and process for coming into compliance
• Monitoring and audit process designed to measure and document progress in meeting implementation milestones
Questions / Comments
Lauren Barnes, S&P Global ([email protected])
Susan Chapdelaine, Morae Global ([email protected])
www.MoraeGlobal.com