Privacy Governance and Compliance Framework Accountability



Similar documents
Information Security Program CHARTER

White Paper on Financial Institution Vendor Management

Risk Management of Outsourced Technology Services. November 28, 2000

TO: Chief Executive Officers of National Banks, Federal Branches and Data-Processing Centers, Department and Division Heads, and Examining Personnel

Morgan Stanley. Policy for the Management of Third Party Residential Mortgage Servicing Providers

3 rd -party Security Risk Assessment

This policy shall be reviewed at least annually and updated as needed to reflect changes to business objectives or the risk environment.

Subject: Safety and Soundness Standards for Information

The CIPM certification is comprised of two domains: Privacy Program Governance (I) and Privacy Program Operational Life Cycle (II).

Data Privacy and Gramm- Leach-Bliley Act Section 501(b)

Information Technology

3 rd Party Vendor Risk Management

Attachment A. Identification of Risks/Cybersecurity Governance

Outsourcing Technology Services A Management Decision

CITY UNIVERSITY OF HONG KONG

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including:

Board of Directors Meeting 12/04/2010. Operational Risk Management Charter

FINAL May Guideline on Security Systems for Safeguarding Customer Information

The PNC Financial Services Group, Inc. Business Continuity Program

Big Data, Big Risk, Big Rewards. Hussein Syed

GUIDANCE FOR MANAGING THIRD-PARTY RISK

Cloud Computing: Legal Risks and Best Practices

Data Governance Policy. Staff Only Students Only Staff and Students. Vice-Chancellor

CREDIT CARD PROCESSING & SECURITY POLICY

Credit Union Liability with Third-Party Processors

Domain 1 The Process of Auditing Information Systems

Vendor Management Best Practices

Statement of Guidance: Outsourcing All Regulated Entities

Board of Directors and Management Oversight

The PNC Financial Services Group, Inc. Business Continuity Program

The Emergence of the ISO in Community Banking Patrick H. Whelan CISA IT Security & Compliance Consultant

Operations. Group Standard. Business Operations process forms the core of all our business activities

CFPB Readiness Series: Compliant Vendor Management Overview

Certified Identity and Access Manager (CIAM) Overview & Curriculum

Information security controls. Briefing for clients on Experian information security controls

OCIE CYBERSECURITY INITIATIVE

Blind spot Banks are increasingly outsourcing more activities to third parties. But they can t outsource the risks.

SAFE HARBOR PRIVACY NOTICE EFFECTIVE: July 1, 2005 AMENDED: July 15, 2014

Miami University. Payment Card Data Security Policy

Cybersecurity: Considerations for Internal Audit. IIA Atlanta Chapter Meeting January 9, 2015

Services Providers. Ivan Soto

Table of Contents. Table of Contents Chapter 1 Introduction Sample. Chapter 2 Monitoring and Quality Control... 8

Vendor Risk Management in the New Regulatory Environment. kpmg.com

ISE Northeast Executive Forum and Awards

Audit, Risk Management and Compliance Committee Charter

14 December 2006 GUIDELINES ON OUTSOURCING

Written Information Security Programs: Compliance with the Massachusetts Data Security Regulation

DEALERSHIP IDENTITY THEFT RED FLAGS AND NOTICES OF ADDRESS DISCREPANCY POLICY

HIPAA 203: Security. An Introduction to the Draft HIPAA Security Regulations

Data Processing Agreement for Oracle Cloud Services

Third Party Security Requirements Policy

Legislative Language

LEEDS BECKETT UNIVERSITY. Information Security Policy. 1.0 Introduction

WHITE PAPER Third-Party Risk Management Lifecycle Guide

OUTSOURCING DUE DILIGENCE FORM

Software Contract and Compliance Review

Addressing Risk in Partner / Contractor Selection and Onboarding. Michael Davidson VP Quality Systems and Compliance March 2014

Third Party Risk Management 12 April 2012

Copyright 2014 Nymity Inc. All Rights Reserved.

MEMORANDUM. Date: October 28, Federally Regulated Financial Institutions. Subject: Cyber Security Self-Assessment Guidance

Specialist Cloud Services. Acumin Cloud Security Resourcing

John Essner, CISO Office of Information Technology State of New Jersey

Guideline for Roles & Responsibilities in Information Asset Management

NSW Government Digital Information Security Policy

Information Security Program

Rowan University Data Governance Policy

PRIVACY MANAGEMENT ACTIVITIES

Question: 1 Which of the following should be the FIRST step in developing an information security plan?

Hot Topics in IT. CUAV Conference May 2012

Written Information Security Programs: Compliance with the Massachusetts Data Security Regulation

Forensic Services. Third Party Risks. March 2013

FIRST DATA CORPORATION PROCESSOR DATA PROTECTION STANDARDS

Compliance and Ethics at the Federal Reserve Bank of New York

QUALITY MANAGEMENT SYSTEM MANUAL

Pharma CloudAdoption. and Qualification Trends

Health Care Provider Guide

IT Governance Regulatory. P.K.Patel AGM, MoF

CREDIT CARD SECURITY POLICY PCI DSS 2.0

Service Children s Education

(a) the kind of data and the harm that could result if any of those things should occur;

Banking Supervision Policy Statement No.18. Agent Banking Guideline

Vendor Management Compliance Top 10 Things Regulators Expect

Accepting Payment Cards and ecommerce Payments

Enterprise PrivaProtector 9.0

MONTSERRAT COLLEGE OF ART WRITTEN INFORMATION SECURITY POLICY (WISP)

I. U.S. Government Privacy Laws

Transcription:

Privacy Governance and Framework Accountability Agenda Global Data Protection and Privacy (DPP) Organization Structure Privacy The 3 Lines of Defense (LOD) Model: Overview Privacy The 3 Lines of Defense Model: Detailed Responsibilities Privacy LOB Responsibilities (1st Line of Defense) Across Information Life Cycle 2

Global Data Protection and Privacy (DPP) Organization Structure COMPLIANCE Global Chief Privacy Officer LEGAL Global Privacy Counsel Governance, Advisory, Reporting Operations & Projects Global Incident Management Reporting & Escalation EMEA APAC Latin America Canada EMEA Privacy Counsel APAC Privacy Counsel LATAM Privacy Counsel Canada Privacy Counsel CCB Asset Management Commercial CIB Auto/ Student Commerce B. Banking Card Sol. Consumer Mortgage Digital CWM GSC US Privacy Counsel AUDIT Internal Audit Team Regional & LOB DPP are responsible for Product & Corporate DPP Coverage 3

Privacy - The 3 Lines of Defense (LOD) Model: Overview JPMC s Privacy Program establishes the firm-wide standards for maintaining the secure, confidential, fair and lawful treatment of information relating to our customers, clients, and employees. The Privacy Program covers all JPMC lines of business, corporate groups, and legal entities, and information collected, processed, stored, transmitted, and/or transported. (Privacy also includes data protection responsibilities handled by Privacy.) 1 st LINE OF DEFENSE Execution & Control Properly handle and safeguard information through the lifecycle of the relationship (clients, consumers, and employees), from prospecting through termination of the relationship Establish procedures that align to laws, regulations and Firm DPP Policies & Standards Own the control and risk environment; implement the control framework, including execution of process reviews, risk acceptances where necessary, and validation of issue closure Conduct Risk Control Self Assessments and quality review of control effectiveness Promote transparency and escalate to oversight forums such as Business Control Committees, Technology Councils etc. Manage applications and infrastructure, and protect the environment against security threats Administer training programs 2 nd LINE OF DEFENSE Oversight, Program Management & Policies Maintain Privacy program and/or Lead that includes the seven core practices for an effective compliance program. Develop governance, policies, oversight and accountability model to identify and track issues/trends and remediation activities Provide advice and interpretation regarding laws, regulations, and standards Provide SME expertise to provide effective tools and advice to support the control framework, including with regard to Privacy Controls and Standards Report and escalate to oversight forums such as Risk & Control Committee, Control Committee, IT Risk Committee, Forum Hold LOB accountable for execution; verify RCSA framework is in place and working effectively Identify and evaluate risks and effectiveness of action plans; perform periodic risk assessments; develop appropriate compliance coverage (monitoring, testing, and training for privacy risks based on inherent risk ratings) Develop training and monitor for completion 3 rd LINE OF DEFENSE Independent Assurance Independently evaluate and opine on the adequacy and effectiveness of the control environment Report to the Audit Committee of the Board and senior management on a periodic basis significant control issues and the overall adequacy of the control environment Perform Audit-focused root cause analysis and identify and determine severity of issues 4

Privacy The 3 Lines of Defense Model: Detailed Responsibilities 1 st Line Primary Ownership and Accountability Technology Council Business Control 2 nd Line Functionally Independent Checks and Balances Legal IT Security and Risk Leadership Risk Committee 3 rd Line Independent Assurance Internal Audit Governance LOBs: Establish procedures to align to policies, laws, and regulations; execute programs; manage ops infrastructure and risk environment Control Officers: Implement framework that includes process reviews, self assessments, quality checks, and escalation of risks/issues CIOs/Tech controls: Manage system infrastructure and controls per data classifications Prospecting, Sales & Marketing LOBs: Protect data collected; honor optouts and Cross Marketing restrictions; Approve and implement privacy notices/disclosure On boarding and Off boarding LOBs: Assist in account opening, honor privacy preferences; adhere to Cross Marketing restrictions; obtain client consents; and assist with vendor disengagement BAU/Relationship Management LOBs : Protect data; manage/escalate incidents, ensure correct contracts terms Change Management LOBs: Participate in key processes to ensure appropriate processes consider Privacy by design Maintain a Privacy Program Lead for oversight and accountability Develop appropriate framework via Policy, Standards, Notices and training Address and escalate significant matters Integrate effectively into Firm processes Participate in relevant committees Create visibility into issues and trends via appropriate reports, metrics, and analysis Provide strategic legal services across the organization in support of business areas and Corporate Center Provide legal analysis for new products services, activities, engagements Advise and counsel on other legal questions on privacy, confidentiality, information security and banking secrecy Interpret laws, rules and regulations; flag regulatory changes Establish appropriate administrative, technical and physical safeguards to control JPMC information through its life cycle Adopt a model for Technology Risk Governance that considers Tech in design Manage IT Policy & Standards Implement Data Protection programs, application security, cyber security, and insider threat modeling Conduct investigations, including forensic investigations of breaches, suspected fraud, employee wrongdoing & identify control gaps Develop Operational Risk Management Framework and build coverage model within Risk Provide infrastructure, direction and guidance on Governance and Risk assessments Participate and assist in preparing for regulatory reviews and responding to requests for information Independently evaluate and opine on the adequacy and effectiveness of the control environment Report to the Audit Committee of the Board and senior management on a periodic basis significant control issues and the overall adequacy of the control environment Perform Auditfocused root cause analysis and identify and determine severity of issues 5

Privacy LOB Responsibilities (1 st Line of Defense) Across Information Life Cycle Privacy risks are based on the nature of the information processed from collection through destruction by the JPMC, its business partners and service providers. Each LOB is responsible for adhering to the Policies & Procedures to ensure: 1) the proper handling and safeguarding of information 2) the appropriate stewardship & ownership of data and 3) proper alignment to the control framework. Life Cycle Responsibilities Considerations Prospecting, Sales & Marketing On Boarding Relationship Management Market to approved prospects Protect data gathered during prospecting activities Create and/or collect only appropriate data required to offer the product/service Protect data gathered during onboarding process Identify information owners and categorize data elements Accurately & securely set up accounts; provide privacy notices/disclosures Manage contracts/slas, eg for appropriate clauses and execution Conduct appropriate due diligence on new hires, consultants and contractors Handle information properly from data collection to destruction Secure data properly, eg controlling access to need-to-know; document risk acceptances Comply with consumer opt-outs, sharing restrictions, and contract requirements Provide annual and regulatory notices, obtain and manage consents, handle complaints Manage and verify effective infrastructure/controls for customer authentication, technology security, and physical access Perform monitoring and surveillance in accordance with Policies & Procedures Manage potential breaches; remediate risks Manage suppliers adequately and for adherence to MSA/contract and/or SLA Appropriately assign record retention codes & adhere to legal holds requirements Administer and track training Client consent management Data use and protection requirements Rules for internal sharing/cross-marketing Data retention and destruction All of the above in addition to: Proper account setup Proper transmissions of data Booking location rules All of the above in addition to: Privacy Preferences Internal/Affiliate sharing restrictions Adherence to contract provisions Regulatory notice & registration Information processing restrictions Technological, Administrative & Physical Safeguards Monitoring/Surveillance Restrictions Red Flags Program Record Retention/Legal Hold requirement Training/Messaging Off Boarding Close accounts in accordance with policies and procedures Return and/or destroy data properly; adhere to JPMCs record retention requirements Oversee employee exits, timely terminate access and obtain JPMC assets Account Closure/Status Changes Dormancy Record Retention Access Control Change Management Engage in Outsourcing, Off-shoring/On-shoring, & Technology Change projects Ensure Cross Border Data Transfers are reviewed and approved, or escalated as needed Assess regulatory changes to understand impact; adapt systems/processes to address reqs. 1 Appropriately retire databases, systems, applications New Business Initiative Outsourcing Off-shoring Technology Changes 6

Q & A

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information