DATA GOVERNANCE AND PRIVACY PROGRAM MANAGEMENT WITH RSA® ARCHER® SUITE
WHO IS AFFECTED?
Anyone processing personal data!
Personal information refers to any information whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual.
Source: Data Protection Act 2012
WHAT IS EXPECTED OF US?
THE RISK CHALLENGE
(Diagram labels: Risk & Compliance; IT Security & Privacy; CEO / Board; Malice; Mandates; Modernization; 1st Line of Defense)
BREACH READINESS
• 55% lack the capability to gather data across their estate and provide centralized alerting
• 40% do not have an active vulnerability management program in place
• 30% do not have a formal incident response plan in place
Source: RSA Threat Detection Effectiveness Survey
…LEAD TO RISK IN THE BUSINESS
• Unresolved issues
• Inaccurate insights & misinformation
• High costs & inefficiency
• Holes & gaps
• Disconnected data & lack of context
• Poor business decisions
WHAT’S NEEDED TO CLOSE THE GAP?
WHERE DO YOU START?
• Understand what personal data you process
• Know where it is and how it is used
• The user (data subject) should always come first
• Privacy at every level
• Mitigation plan
• Risk Management review
• Incident detection and response planning
WHO IS RESPONSIBLE FOR PRIVACY?
(Diagram: Data Privacy within Data Risk Management)
• Privacy combines elements of Security, Compliance, and broader Data Risk Management considerations.
• Each respective area, function, and process has a role in ensuring that sensitive corporate information is appropriately protected.
INSPIRE EVERYONE TO OWN RISK
FOUR KEYS TO DATA PRIVACY PROGRAM
Breach Response
Primary objective: Detect and respond to the threat before a breach occurs, but if a breach does occur, you need to know the details and exact impact.
Data Governance
Primary objective: Know where data is in the enterprise and who has access, and implement controls in data processing activities.
Risk Assessment
Primary objective: Establish a risk assessment process to ensure controls are appropriately designed and implemented.
Compliance Management
Primary objective: Establish a compliance program to ensure controls are effective and operational.
THE PROVEN PATH TO TAKE COMMAND OF RISK
A GRC STRATEGY TO MANAGE DATA PRIVACY
(Diagram: GRC Solution overlaid on the 3 Lines of Defense Model)
GRC SOLUTION
• Compliance: manage regulatory and corporate obligations
• Third Party Management: manage vendor and outsourced parties
• IT Security: protect business assets
• Business Resiliency: manage breaches / disruptions
Operational Risk Management / Risk Management / Enterprise Risk Management
Third Line of Defense: Audit
Stakeholders: Business Operations, CISO, LOB Executives, CXO, Board, CAE
A GRC STRATEGY TO MANAGE DATA PRIVACY
Compliance
• Policy Management
• Controls Assurance
Audit
• Audit Program
Third Party Governance
• Risk-based vendor management
• 3rd Party Compliance monitoring
Risk Management
• Catalog of Sensitive Information Assets and related devices
• Business Hierarchy
• Risk Assessments and Reporting
Issues Management
• Handling of Findings and Exceptions
• Remediation planning
• Escalation Workflow
Breach Management
• Data Breach process
• Handling of Data Subject Rights processes
DATA PROTECTION LAWS OF THE WORLD
Personal data refers to data, whether true or not, about an individual who can be identified from that data; or from that data and other information to which the organisation has or is likely to have access.
Source: Singapore Personal Data Protection Act 2012 (PDPA)
Map source: DLA Piper, global law firm
James Fong, Regional Business Director | RSA Archer Integrated Risk Management
M (65) 8533 1395
Leader in the Gartner Magic Quadrant for:
- Integrated Risk Management
- Operational Risk Management
- IT Risk Management
- IT Vendor Risk Management
- Business Continuity Management & Planning
QUESTIONS?