TRANSCRIPT
Internal Audit’s Role The Changing World of PRIVACY
© 2012 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent
member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved.
42473SVO
1
Agenda
Privacy Background
Privacy Risk
Privacy Landscape
Trends in 2012 and Beyond
Internal Audit’s Role
Q/A
“Privacy involves the handling and
protection of personally identifiable
information (PII) that individuals
provide in the course of everyday
transactions. This involves the
exchange or use of data
electronically or by any other
means, including telephone, fax,
written correspondence, and even
direct word of mouth”
Background
Protecting information has become a major priority
for all companies. Organizations now store larger
quantities of sensitive data, both customer and non-
customer related, in multiple systems.
Organizations share an ever-growing volume of
information with third parties through expanded
value chains, both domestically and globally (see the
earlier discussion on Outsourcing to Service
Providers).
Each of the data repositories can be accessed in
multiple ways, leading to greater opportunities for
privacy breaches. Reports of data breaches have
increased dramatically over the years. The Identity
Theft Resource Center’s 2008 breach report
reached 656 reported breaches at the end of 2008,
reflecting an increase of 47 percent over the
previous year’s total of 446.
What privacy is
Information about individuals (PII or PHI)
– Physical characteristics (biometrics)
– Medical records
– Biographical data, including employment
– All financial transactions and evaluations
– Monitoring behavior in real time
Enterprisewide information
– All media: electronic, paper, video, voice
– All stakeholders: employees, customers, vendors
– Throughout the chain of custody: locations, affiliates, business partners, third parties
Access to and control over PII
– Individual’s own rights and preferences, and the record of those preferences
– Opt in – to sharing or transfer across borders
– Opt out – to sharing or transfer across borders
– Don’t opt at all
What privacy is not
“You can have security without
privacy, but you cannot have
privacy without security.”
Security – enables private information to stay
private, but does not take into account proper
transfer or disclosure
Intellectual property – entails the ownership and use
of content (but think about information governance)
While all information is confidential, some is also
private (and protected by privacy laws)
Organization’s privacy relevant universe
Must protect:
– Customer data
– Personnel data
– Job applicants
– PII from third parties
Using the following tools:
– Privacy and security policies
– Access controls and encryption
– Physical security, including protecting paper records
– Proper destruction or disposal of data
Privacy risks
Data breaches can cause significant damage to
organizations:
Data breaches are costly. Security firms estimate
that a recent credit card data breach will cost the
organization $1.7B.
They can also result in legal consequences: for
example, organizations subject to regulation can
face fines and penalties for data breaches.
Public disclosure of data breaches can also result in
reputational risk for organizations, especially in
regard to inappropriate disclosure of customers’
information.
Privacy risks
Financial
Reputational
Brand/Image
Contractual
Legal
Regulatory
Employer of Choice
Current landscape
More data, less understanding
Regulatory and market expectations and pressure
The costs of data breaches are increasing
Increasing compliance costs
Siloed approaches to governance
Changes in business structure
Globalization
Emerging IT trends (Cloud Computing, Social Media,
RFID, Virtualization)
Regulatory issues – what’s hot!
FTC Authority and Agenda/ Enforcement
Obama’s Privacy Bill of Rights
Social Media
Mobile & Geolocation
Cloud Computing
Offshore Outsourcing
Behavioral Advertising
Electronic and Personal Health Records
International Data Transfers
Harmonization/Conflict of Laws
Cybersecurity
New Technologies
Big Data
Top 5 privacy issues for 2012
Gartner’s forecast
– Data Breaches Continue to Be a Top Concern
– Location-Based Services Exploit Personal
Information in Unprecedented Ways
– Cloud Computing Challenges Traditional Legal
and Technical Privacy Protection
– The Value of Privacy Determines Necessary
Protection, but It Is Difficult to Quantify
– Regulatory Changes Are Imminent and Ongoing
From Gartner report "Top Five Issues and Research Agenda, 2011 to 2012:
The Privacy Officer."
What internal auditors need to know
Enterprise data transfer management capabilities are decentralized
An inventory of sensitive enterprise data flows is missing or immature
Lines of business and IT aren’t coordinated on what types of sensitive data are being transmitted and where the data is being transferred
Large volumes of paper with sensitive data elements are being created during routine business processes
Electronic sensitive data transmissions occur in multiple ways (FTP, NDM/Connect:Direct); note that plain FTP carries credentials and file contents in cleartext, so the transfer method itself is a finding, not just the lack of inventory
Enterprise control frameworks aren’t mature enough to account for, monitor, and report on sensitive enterprise data flows
Removable media (CD/DVD, USB drives, tapes) are pervasive throughout the environment and technology controls are playing catch-up
Reactive approach to protecting data: responding only after a breach occurs
Breach notification plans aren’t mature enough to anticipate notification requirements based on the sensitive data elements present
The information life cycle
Phase 1 – Generation: Ownership, Classification, Governance
Phase 2 – Use: Internal v. External, Third Party, Appropriateness, Discovery/Subpoena
Phase 3 – Transfer: Public v. Private Networks, Encryption Requirements, Access Control
Phase 4 – Transformation: Derivation, Aggregation, Lineage, Integrity
Phase 5 – Storage: Access Control, Structured v. Unstructured, Integrity/Availability/Confidentiality, Encryption
Phase 6 – Archival: Legal and Compliance, Offsite Considerations, Media Concerns, Retention
Phase 7 – Destruction: Secure, Complete
Across all phases: Compliance, Audit & Measurement, Regulatory, Legal, Business Objectives
Phases 1 and 2: Employee/trusted third-party creation and usage should drive business value.
Phase 3: Infrastructure capabilities should enable controlled transfer and movement of data.
Phase 4: Additional processing and/or manipulation to achieve increased business value for reporting or specific business requirements.
Phases 5 and 6: Organizational capabilities to manage and maintain information in a cost-effective manner for timely access or retrieval to achieve business objectives.
Phase 7: Controlled destruction of information and storage media.
All phases: Organizational responsibility to ensure adherence to legal and regulatory requirements through each phase of the life cycle.
Privacy risk considerations
Privacy mismanagement threatens the brand and the business. As a result, organizations are recognizing the need to ask tougher questions about the privacy and data-handling practices of business partners.
Privacy risks in outsourcing and cloud jurisdictions: many popular outsourcing countries do not have national privacy laws. Vendors there may not maintain privacy, security, and data-handling practices consistent with those of the organizations that hire them.
Due diligence is essential to help ensure that a vendor’s privacy practices are in sync with the organization’s practices and expectations. Monitoring and auditing are critical.
Regulators have established formal guidelines on their expectations in multiple areas, such as a move to the cloud.
Customers hold the entity that collected their data accountable for any future issue.
Media focus on the “big names”.
Offshore data transfers may occur without the organization for which the data is processed ever knowing that they occur.
Next steps to consider
Conduct a robust Assessment with an Annual or Bi-Annual reassessment for compliance
Determine Lines of Business affected by Personal Information
Consider internal employee information in evaluation
Map/Flow PII movement within your organization, as well as flows to/from third parties
Perform Data discovery to find all of your PII
Establish effective technical safeguards over PII (encryption, access management, restriction for required use only)
Next steps to consider (continued)
Expand your monitoring program, and establish an effective ERM program as well as GRC services
Leverage GRC tooling for exception reporting on incidents, security protections and access monitoring
Don’t forget your third party vendors in assessment
Establish an incident response team
Train affected employees annually
Impact on auditors
Cloud usage is driven by business units/end users—do you know if personal information is in the cloud?
Personal Information may be transferred to emerging service providers without established control environment
Lack of evidence on who has access to personal information and audit trail availability
Degree of change in the environment may impact the ability to gain comfort over privacy control for the period under review
Global footprint of the cloud—where do you perform your audit, and what are the relevant privacy rules that should be taken into account?
Dependence on third parties—do you have the right to audit them across the data life cycle?
No clear standard for gaining assurance on the management and protection of personal information (a SOC 1 report addresses controls relevant to financial reporting, so it is not a solution in many cases)
Internal audit’s role
Perform a Data Privacy Risk Assessment to
– Determine what personally identifiable information
(PII) the organization retains, where the data is
stored, how long it is retained, and if it is shared
with third-parties.
– Compare and contrast the organization’s current
IT Data Privacy Standards with applicable laws
and regulations to identify potential gaps.
Evaluate the organization’s Data Loss Prevention Strategies.
Conduct application-specific privacy reviews (based on a privacy/data risk assessment) to determine if the organization is in compliance with applicable laws and regulations.
Consult with management during IT projects (e.g., system implementations) to determine if privacy risks are appropriately mitigated prior to go-live.
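As an added example that is not part of the KPMG deck, the following Python script shows one way to carry out the "Perform Data discovery to find all of your PII" step from the next-steps list and to exercise the kind of detection logic an auditor would expect a Data Loss Prevention control to apply. It scans a text export for payment card numbers, U.S. SSNs and e-mail addresses, validates candidates (Luhn check for card numbers, never-issued ranges for SSNs) so that regex hits alone do not become findings, and records only redacted values with line numbers, which is what a privacy risk assessment report needs. The regex patterns, validators, redaction scheme and the sample export are all assumptions constructed for this example.

```python
"""PII discovery over a text export: regex candidates plus validity checks."""
import re
from collections import Counter
from typing import Dict, List, NamedTuple


class Finding(NamedTuple):
    kind: str       # "pan", "ssn" or "email"
    redacted: str   # masked value, safe to put in an audit report
    line_no: int    # 1-based line in the scanned text


# Candidate patterns (assumed for this example, not from the deck). They are
# deliberately loose; the validators below remove most false positives.
PATTERNS: Dict[str, "re.Pattern[str]"] = {
    "pan": re.compile(r"\b(?:\d[ -]?){12,18}\d\b"),   # 13-19 digits, optional separators
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
}


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test, which every valid payment card number passes."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def ssn_plausible(ssn: str) -> bool:
    """Reject SSNs the SSA never issues: area 000/666/9xx, group 00, serial 0000."""
    area, group, serial = ssn.split("-")
    if area in ("000", "666") or area.startswith("9"):
        return False
    return group != "00" and serial != "0000"


def redact(kind: str, value: str) -> str:
    """Keep only enough of the value to locate the record again."""
    if kind == "email":
        local, _, domain = value.partition("@")
        return local[0] + "***@" + domain
    digits = re.sub(r"\D", "", value)
    if kind == "ssn":
        return "***-**-" + digits[-4:]
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_text(text: str) -> List[Finding]:
    """Return validated, redacted PII findings with line numbers for one text blob."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for m in PATTERNS["pan"].finditer(line):
            digits = re.sub(r"\D", "", m.group())
            if 13 <= len(digits) <= 19 and luhn_ok(digits):
                findings.append(Finding("pan", redact("pan", digits), line_no))
        for m in PATTERNS["ssn"].finditer(line):
            if ssn_plausible(m.group()):
                findings.append(Finding("ssn", redact("ssn", m.group()), line_no))
        for m in PATTERNS["email"].finditer(line):
            findings.append(Finding("email", redact("email", m.group()), line_no))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Counts per data element: the input a breach-notification plan needs."""
    return dict(Counter(f.kind for f in findings))


# Constructed sample export (not real data). 4111 1111 1111 1111 is the
# well-known Visa test number; the second card fails Luhn, the second SSN
# uses the never-issued area 000, and the trailing 13-digit reference also
# fails Luhn, so none of those three become findings.
SAMPLE_EXPORT = """\
order_id,customer,card,notes
1001,j.doe@example.com,4111 1111 1111 1111,expedited
1002,a.smith@example.org,4111 1111 1111 1112,retry
1003,support@example.net,n/a,SSN on file 078-05-1120
1004,none,ticket 000-00-0000,ref 1234567890123
"""

if __name__ == "__main__":
    found = scan_text(SAMPLE_EXPORT)
    for f in found:
        print(f"line {f.line_no}: {f.kind} {f.redacted}")
    print(summarize(found))
```

Run against the constructed export, the scan reports one card number, one SSN and three e-mail addresses and suppresses the two numbers that merely look like PII; in practice the same `scan_text` would be pointed at file shares, database dumps and mailbox exports, and the per-element counts feed both the PII inventory and the notification analysis.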
Questions?
Doron Rotman
National Service Leader, Privacy
KPMG LLP
+1 408-367-7607
© 2012 KPMG LLP, a Delaware limited liability partnership and the U.S.
member firm of the KPMG network of independent member firms affiliated
with KPMG International Cooperative, a Swiss entity. All rights reserved.
The KPMG name, logo and "cutting through complexity" are
registered trademarks or trademarks of KPMG International
Cooperative ("KPMG International").