Essentials for Building a Scalable Privacy Response Strategy. Jay Loder Rouleur Privacy Consulting
1 Essentials for Building a Scalable Privacy Response Strategy
Jay Loder, Rouleur Privacy Consulting
2 Introduction
- Customers want organizations to take responsibility and protect them from the potential consequences of privacy breaches.
- Once a breach happens, the impact can weaken customer trust and brand loyalty.
- Customers, Boards of Directors, and oversight agencies want to know what organizations are doing to protect them from the consequences of privacy breaches.
3 Breach? Incident?
- The terms are often used interchangeably.
- A privacy breach is defined in the Generally Accepted Privacy Principles ("GAPP") as having occurred when personal information is collected, retained, accessed, used, or disclosed in ways that are not in accordance with the provisions of the enterprise's policies, applicable privacy laws, or regulations.
- A breach may be one event or a series of events.
4 Breach Response
- Without a breach response strategy, organizations face risks including loss of customer trust, liability to injured parties, harm to the organization's reputation, drops in stock value and lost business.
- Breach response is the creation and execution of a strategy an organization has created to address and mitigate the impact of a breach. Elements include:
  - a strategy to investigate the breach, notify affected individuals, and meet legal requirements in a prompt and thorough manner
  - identifying and addressing system backup/recovery and business continuity
- A response plan can range from simple to complicated and should be scalable so as to accommodate the growth and evolution of the organization.
5 Questions Organizations Should Ask About Privacy Breach Management/Strategy
- Has the organization designated someone with the responsibility and clear authority to oversee privacy breach handling?
- Do you have a team with broad representation?
- Do you have a breach response plan? Is someone available 24/7? Hackers (and your staff) may be working after hours and on weekends!
- Has the organization established policies/procedures to meet its obligations to its customers/clients? To regulators? To oversight or governing authorities?
- Has the organization considered the value-added services available from an independent practitioner to test/verify the policies and plans?
- Does the organization monitor and report incidents/breaches?
- Does the organization know the cost of its privacy incidents/breaches, and is it thus able to determine the ROI on investment in staff training/awareness/prevention?
- Have you reached out to regulators (and law enforcement) where possible or appropriate? When you have a breach to report, it's better they hear it from you first: a brief courtesy call or goes a long way.
6 True or False
- "Small businesses aren't in danger." Some cybercriminals prey upon small businesses because their lack of proper security measures makes them easier targets.
- "Threats are limited to outside the organization." Much of the risk behind data breaches is internal: a recent study by the Ponemon Institute found that 81 percent of small businesses suffered data breaches as a result of employees mishandling sensitive information. Why?
- "Vendors/third parties are not a threat." Vendors and third parties may have access to your customer and employee data. Businesses shouldn't trust their vendors to do the appropriate due diligence for them; having contractual obligations in place to deal with a breach before it happens makes good business sense.
7 Setting Yourself up for Success
- Identify accountabilities: who's accountable for the policy/procedures, and who's accountable for processes.
- Be familiar with the international, domestic and local regulations that specifically relate to your organization. The failure to notify the appropriate regulator/oversight body can result in further inquiries, embarrassment and sanctions or fines.
- Perform a gap analysis of current policies and procedures.
- Identify and implement improvements.
8 Plan to be Prepared
- Even quality strategic plans won't succeed if they are not effectively implemented and tested. The ultimate success or failure of employing a plan often lies in its execution.
- Given the unique circumstances of each organization, there is no single implementation model. Each organization must determine its own appropriate plan and execution methodology.
- In early stages, executing a plan may be unknown territory. Accordingly, be prepared to modify the plan as the implementation unfolds; full implementation of a strategy may require several cycles over multiple years.
- Success will depend on committed leadership, planning and direct involvement by both operational and senior management.
- Keep it simple, get started, build momentum!
9 Make Friends with Corporate Risk Management
- Organizations large and small have risks: financial, competitive, etc. Thinking of privacy risks in the same context makes good corporate governance sense.
- Ensuring your organization has an incident management plan is key to managing privacy risks, supporting good corporate management and building customer trust.
- Corporate Risk Management can be an ally!
10 Risks and Breach Management
- Data is the lifeblood of an organization, and managing data involves risks. Balancing risk and reward to generate returns to shareholders is fundamental to any business.
- In your approach to risk, it's important to understand what is meant by risk capacity, risk tolerance and risk appetite. Think about these concepts as a hierarchy:
  - Risk capacity defines the outer limit of risk that an organization could undertake.
  - Risk tolerance reflects the limit of risk set by the organization that it would not willingly exceed.
  - Risk appetite is the level of risk that the organization is willing to accept in pursuit of its longer-term goals.
- Your breach management strategy needs to relate to your risk management strategy and consider the risk hierarchy. Consider how handling privacy incidents relates to your broader risk strategy.
11 Incident Management
- Initial assessment, confirmation, containment
- Full assessment, including risks
- Notification of affected parties
- Notification to regulators and oversight bodies
- Mitigation, prevention, learnings, communications
12 Incident Response Planning
- Know where and what your data is; this helps to speed the determination of whether a compromised system holds personal information.
- Identify a team commensurate with the size of the organization.
- Identify what incidents fall within the response plan: all incidents? Only those above a certain threshold (e.g. a single misdirected letter?)
- If expertise is not available in house, have you identified key external contacts who can assist?
- The team should operate under a documented process and communication plan:
  - roles defined, in particular who is the lead
  - responsibilities defined
  - response strategies defined
13 Breach Planning Reality Check
- We all know personal information has become a criminal commodity, but consider your risk appetite and resources: can you respond to every misdirected piece of mail?
14 Those who do not document their history are doomed to repeat it
- Strategy should be documented, along with revisions.
- Policy/procedures should be documented.
- Incidents must be documented: evidence chain, cost analysis, trending.
- The process (and outcome) for testing the strategy should be documented.
15 What we Got Here is Failure to Communicate
- A well-planned (and executed) communications plan can: minimize harm to customers/clients; minimize (or at least determine) potential legal consequences; mitigate harm to a company's reputation.
- Anticipate critical audiences and applicable laws.
- Notification: before notifying, it's helpful to understand your customer (e.g. geographic region, demographics) and tailor the message.
- Knowing what to say is just as important as knowing what NOT to say.
16 Who Needs to Know
- External: customers
- Internal: stakeholders
- Media
- Law enforcement
- External counsel
- Oversight: regulators, governing bodies
17 Notification: Have a Plan
- More complicated than simply letting the affected customer/client know their information may be lost or compromised.
- Potential external recipients of notification:
  - customer/client
  - law enforcement (breach is the result of criminal activity, or there is potential harm to an individual or organization)
  - regulators, professional bodies
  - shareholders, investors
  - contractual parties, including third parties and insurers
  - technology supplier (breach due to technical failure)
- Potential internal recipients of notification:
  - media relations, marketing, HR (employee misconduct)
18 Notification: Be Prepared
- Forms of notification include written, phone, or in some circumstances substitute notification.
- Find the sweet spot: delays in notification may result in loss of customer trust and potential legal action, but notification sent too hastily may be incorrect, incomplete or even unnecessary.
- Where possible, have notification templates in place.
19 Summary: Top 5 Incident Plan Shortcomings
- Info security and privacy teams often develop siloed incident strategies.
- Organizations do not test their incident management strategies and plans.
- Lack of internal stakeholder support.
- Lack of clarity regarding roles and responsibilities.
- Lack of a clear (and nimble) plan for communicating internally, to customers, oversight bodies, the media and social media (Twitter, bloggers, etc.).
20 Final Thoughts
- Effective oversight of privacy risk requires rigour, objectivity, and the recognition that unforeseen events and circumstances can and often do occur.
- Progressive organizations will be mindful that it is seldom a single issue or event that spells disaster but rather several factors occurring simultaneously.
- Leaders of progressive organizations should have the conviction, discipline, and enlightenment to understand the value in planning for the inevitable.
- Above all, get started; there are lots of tools, templates and support available!
21 Sample Forms, Checklists
- The Canadian government has a concise checklist for responding to a privacy breach. They stress it is prudent to have a set of protocols on what to do if a breach occurs.
- A similar, though less detailed, checklist is also provided by the US Federal Trade Commission (FTC): checklist.pdf
22 Resources
- IAPP publications
- Regulators
- Nymity.com: excellent resources on breach response and breach management
- Service providers
23 Questions?
24 Rouleur Privacy Consulting
- Rouleur Privacy Consulting Ltd. is a Vancouver, Canada based organization that provides consulting services: privacy program development and strategy, privacy risk assessments, privacy maturity models, awareness and training, and privacy incident response.
- Contact: Jay@rouleurconsulting.com
More informationSTRATEGIES FOR EFFECTIVELY WORKING WITH THIRD-PARTIES. September 2017
STRATEGIES FOR EFFECTIVELY WORKING WITH THIRD-PARTIES September 2017 Your presenters Nancy Aubrey Partner Boston, MA Nancy.aubrey@rsmus.com Rick Shriner Principal McLean, VA Rick.shriner@rsmus.com 2 Agenda
More informationAligning and Integrating ERM and Business Process. Federal ERM Summit September 9, :00-12:00
Aligning and Integrating ERM and Business Process Federal ERM Summit September 9, 2013 11:00-12:00 1 Agenda Defining Risk and ERM The ERM Value Proposition An Integrated ERM Framework Aligning ERM with
More informationStrengthening Your Enterprise Risk Management Process
Strengthening Your Enterprise Risk Management Process Belinda Mumma, Senior Consultant, Enterprise Risk Management Services bmumma@sollievo.com (866) 605-5664 x3400 Discussion Topics Definition of Enterprise
More informationVetting the Inner Circle: Who Can You Trust?
Vetting the Inner Circle: Who Can You Trust? Due Diligence Background Investigations for Sports and Entertainment Industry Unions and Professional Organizations A PRIMER FOR MANAGEMENT Show Me the Money
More informationThis document articulates ethical and behavioral guidance for all NGA Human Resources companies, employees, and business partners (such as suppliers,
This document articulates ethical and behavioral guidance for all NGA Human Resources companies, employees, and business partners (such as suppliers, agents, vendors and sub-contractors). To help guide
More informationGRM OVERSEAS LIMITED RISK MANAGEMENT POLICY
GRM OVERSEAS LIMITED RISK MANAGEMENT POLICY As approved by the Board of Directors at their meeting held on 11.11.2014. 1 P a g e Contents 1. Risk Management...3 2. Policy...3 3. Risk Management Philosophy...3
More informationPRIVACY POLICY. VERSION 1.3 Keystone Property Finance 42 Kings Hill Avenue, Kings Hill, West Malling, Kent M19 4AJ
PRIVACY POLICY VERSION 1.3 Keystone Property Finance 42 Kings Hill Avenue, Kings Hill, West Malling, Kent M19 4AJ Contents INTRODUCTION... 2 WHY WE PROVIDE YOU WITH OUR PRIVACY NOTICE... 2 OUR PRIVACY
More informationPharmaceutical Society of South Africa 2017 Conference. 5 October 2017
5 October 2017 1 ETHICS AND DISPELLING THE MYTHS AROUND INDUSTRY WHAT IS ETHICS? Any issue that concerns moral right or wrong Any issue that affects another person 2 BUSINESS ETHICS? The study of business
More informationGovernance Committee Terms of Reference
Governance Committee Terms of Reference 1. Purpose The Governance Committee is responsible for: (i) (ii) (iii) (iv) (v) (vi) (vii) driving consistency in respect of governance and regulatory conduct matters
More informationINSERT TITLE AND BRANDING Dr A Gill s signature and front cover to be placed on policy when received from Communications. (Policy fully ratified)
Disciplinary Policy INSERT TITLE AND BRANDING Dr A Gill s signature and front cover to be placed on policy when received from Communications. (Policy fully ratified) Consultation Staff Forum August 2014
More informationGovernance in a multidimensional environment
Subsidiary Governance October 2016 On the board s agenda Governance in a multidimensional environment As organizations expand their operations, many do so by creating or acquiring legal entities to operate
More informationSUCCESSFUL CRISIS MANAGEMENT FOR YOUR ORGANIZATION. by Regina Phelps, Founder, EMSS Solutions
SUCCESSFUL CRISIS MANAGEMENT FOR YOUR ORGANIZATION by Regina Phelps, Founder, EMSS Solutions Introduction How does your organization manage an incident affecting the whole company? Who is in charge? What
More informationEnterprise Risk Management Report 2018
Enterprise Risk Management Report 2018 Introduction Setting and embedding an organisation s risk appetite is a critical function of the board. Some level of risk is inherent within all organisational activities:
More informationDealmakers Planning for a Successful Integration: The M&A Roadmap for Success
Dealmakers Planning for a Successful Integration: The M&A Roadmap for Success Last month In MidMarket Talk, Dealmakers Planning for a Successful Integration: Performing Cultural Due Diligence (CDD) focused
More informationA guide to the FMA s view of conduct
February 2017 A guide to the FMA s view of conduct This guidance note is for: directors and executives of licensed financial services providers. It gives guidance on what we will focus on when examining
More informationNext steps for CCO compliance. Helping financial services institutions respond to the UK s new corporate criminal offence
Next steps for CCO compliance Helping financial services institutions respond to the UK s new corporate criminal offence Contents Introduction 1 The hard work is just beginning Extraterritorial scope expands
More informationModule 8 - Management Module 8 Objectives. Philanthropy is an integral part of the org s strategic plan your participation in the strat plan
Module 8 - Management Module 8 Objectives Philanthropy is an integral part of the org s strategic plan your participation in the strat plan Design and implement short- and long-term FR plans and budgets
More informationGuidelines on the management body of market operators and data reporting services providers
Guidelines on the management body of market operators and data reporting services providers 28 September 2017 ESMA70-154-271 Table of Contents 1 Scope... 3 2 Definitions... 4 3 Purpose... 5 4 Compliance
More informationGDPR: Are You Ready? Mapping the Road to GDPR Compliance. March 2018
GDPR: Are You Ready? Mapping the Road to GDPR Compliance March 2018 Agenda GDPR Overview Should you appoint a DPO? Accountability checklist/documentation required When is consent appropriate and how do
More information