Privacy Maturity Model 2009

PRIVACY MATURITY MODEL (SM)
Instructions: In each row where there is an 'x' in a yellow cell, delete that 'x' and type an 'x' in the cell in t
approximates the status of the business unit or organization you are assessing.
Privacy Maturity Levels

  0: Nonexistent - There is no evidence of this standard or practice in the organization.
  1: Initial     - The organization has an ad hoc and inconsistent approach to this privacy standard or practice.
  2: Repeatable  - The organization has a consistent overall approach, but it is mostly undocumented.

Attribute                 0: Nonexistent   1: Initial   2: Repeatable
process consistency       none             ad hoc       consistent
process documentation     none             none         minimal, high-level
business objectives       not met          not met      partially met
process measurement       none             none         none
policy enforcement        none             none         none
process improvement       none             ad hoc       ad hoc
process benchmarking      none             none         none

Corresponding level of risk of a privacy breach, regulatory noncompliance, or customer attrition:
  0: Nonexistent - Very high across the organization
  1: Initial     - High across the organization, and very high in key parts of the organization
  2: Repeatable  - Moderate across the organization, with some pockets of high risk

PRIVACY MATURITY LEVEL CRITERIA
(Each criterion is listed with its GAPP criteria reference. Levels shown: 0: Nonexistent, 1: Initial, 2: Repeatable. "[x]" marks the template's pre-placed 'x', which in this sample sits in the 1: Initial column of every row.)

1.0   Program Management

1.1.2, 1.2.9 - Privacy personnel
  0: Nonexistent - There is no person in the organization known to have in a job description the responsibility for documenting, implementing, enforcing, monitoring, and updating the organization's privacy policies.
  1: Initial [x] - The organization has assigned the privacy responsibility to a person, but the time commitment of that responsibility probably exceeds the person's availability.
  2: Repeatable - The organization has at least one person devoted exclusively to privacy, and enough other staff helping with privacy to reduce each year the level of privacy gaps in the organization.

1.1.2 - Privacy function
  0: Nonexistent - There is no office or function in the organization assigned to be the focal point for privacy knowledge and governance.
  1: Initial [x] - A sole person assigned with the privacy responsibility serves as the organization's "privacy function".
  2: Repeatable - The privacy function is identified in organization charts, reflecting a sustained commitment to the function.

1.2.5, 1.2.6 - Privacy budget
  0: Nonexistent - There is no budget allocated specifically to privacy purposes.
  1: Initial [x] - There is no budget allocated specifically to privacy purposes, but privacy dollars do get spent on an ad hoc basis as "add ons" to other projects.
  2: Repeatable - There is a budget allocated specifically to the privacy function that is sufficient to cover basic travel and subscription expenses and a modest amount for special projects.

1.1.1, 1.2.10 - Privacy awareness and training
  0: Nonexistent - The organization has never communicated the content of its privacy policies to any of its personnel.
  1: Initial [x] - The organization has at times communicated at least some of the content of its privacy policies to at least some of its personnel.
  2: Repeatable - The organization annually communicates its privacy policies to all of its personnel that encounter personal information.

1.1.0; 1.2.2; 1.2.7, 1.2.11; 4-10.1.0 - Policy documentation
  0: Nonexistent - The organization does not have a documented privacy policy.
  1: Initial [x] - The organization has multiple, inconsistent privacy policies, and/or it has privacy policies that do not address all 8 GAPP privacy principles -- Notice, Choice, Collection Limits, Use and Retention Limits, Access and Correction, Third-Party Disclosure, Security, and Accountability.
  2: Repeatable - The organization's privacy policies address all 8 privacy principles and are displayed on their relevant websites.

1.2.5 - Contracts with clients and partners
  0: Nonexistent - The organization's contracts with clients and partners do not address privacy.
  1: Initial [x] - In its contracts with clients and partners, the organization agrees to contractual clauses for confidentiality of information, but there is no internal process to ensure the organization is contractually compliant.
  2: Repeatable - Internal personnel or advisers review contracts for consistency with the organization's privacy policies and procedures and address any inconsistencies.

1.2.6 - Infrastructure and systems management
  0: Nonexistent - The organization's project plans and process for acquiring information-related products and services do not address privacy.
  1: Initial [x] - The organization's project managers and IT managers occasionally address privacy in their project plans and system-development life cycles.
  2: Repeatable - The organization's policies require that any acquisition of information-related products or services, as well as its system-development life cycle, address privacy.

1.2.4 - Risk assessment
  0: Nonexistent - The organization's project plans and process for acquiring information-related products and services do not address privacy.
  1: Initial [x] - The organization's project managers and IT managers occasionally address privacy in their project plans and system-development life cycles.
  2: Repeatable - The organization's policies require that any acquisition of information-related products or services, as well as its system-development life cycle, address privacy.

1.2.7 - Privacy incident management
  0: Nonexistent - The organization does not have a way to respond to suspected exposures or mishandling of personal data.
  1: Initial [x] - At least some parts of the organization have the knowledge and skills to respond to at least some types of suspected exposures or mishandling of personal data.
  2: Repeatable - The organization has effectively resolved privacy incidents in the past, but at most has only a high-level policy or procedure documented.

2.0   Notice

2.2.2 - Notice content
  0: Nonexistent - The organization does not publicly provide notices of its privacy practices.
  1: Initial [x] - The organization inconsistently provides notices of its privacy practices.
  2: Repeatable - The organization has adopted a standard privacy notice, which includes a description of the entities and activities covered by the privacy policies and procedures and whether personal information is collected from sources other than the individual.

2.2.3 - Notice language
  0: Nonexistent - The organization does not publicly provide notices of its privacy practices.
  1: Initial [x] - The organization's privacy notices have inconsistent approaches to the clarity of language used.
  2: Repeatable - The entity's privacy notices are conspicuous and use clear language.

2.2.1 - Timing of notice
  0: Nonexistent - The organization does not publicly provide notices of its privacy practices.
  1: Initial [x] - When the organization's data subjects receive privacy notices is inconsistent.
  2: Repeatable - The organization consistently includes a link to its privacy policy on all websites where personal information is collected, but does not have a detailed standard for the timing of other, more granular privacy notices.

3.0   Choice

3.1.1-2, 3.2.1-4 - Privacy choice policy
  0: Nonexistent - The organization does not have a documented policy regarding the choices offered to individuals about their information.
  1: Initial [x] - Some parts of the organization maintain at least an opt-out policy for direct marketing, but there is no consistent enterprise-wide policy.
  2: Repeatable - The organization has a policy that reflects a consistent, integrated approach toward privacy choices.

Privacy choice operations
  0: Nonexistent - The organization does not offer individuals choices for managing the use of their personal information.
  1: Initial [x] - Some departments ensure privacy choices are respected on a manual or ad hoc basis, but there is no consistent enterprise approach to privacy choice management.
  2: Repeatable - The organization maintains a common process approach toward managing privacy choices.

4.0   Data Collection

1.2.3 - Data classification
  0: Nonexistent - The organization has no approach toward classifying its personal data.
  1: Initial [x] - Some departments in the organization classify at least some types of personal data, but the organization has no consistent overall approach.
  2: Repeatable - The organization has adopted a policy that classifies all of its personal data.

4.2.1 - Limits on data collection
  0: Nonexistent - The organization has no approach toward limiting the collection of personal data.
  1: Initial [x] - Some departments in the organization have at least some limits on what personal data they collect, but the overall enterprise approach is inconsistent.
  2: Repeatable - The organization has adopted a policy stating it will only collect personal data for purposes identified in its privacy policies and notices.

4.2.3-4 - Third-party data sources
  0: Nonexistent - The organization has no approach toward verifying the third-party sources of its data.
  1: Initial [x] - Some departments in the organization verify at least some of their third-party sources of personal data, but the overall enterprise approach is inconsistent.
  2: Repeatable - The organization has adopted a policy stating it will only accept personal information from third-party sources if those sources comply with appropriate privacy standards.

5.0   Data Use and Retention

5.2.1 - Limited uses
  0: Nonexistent - The organization has no approach toward limiting the uses of personal data.
  1: Initial [x] - Some departments in the organization have at least some limits on their uses of personal data, but the overall enterprise approach is inconsistent.
  2: Repeatable - The organization has adopted a policy to limit the use of personal data to relevant purposes identified in privacy policies and notices, unless a law or regulation specifically requires otherwise.

5.2.2 - Limited retention
  0: Nonexistent - The organization has no policy toward limiting the retention of personal data.
  1: Initial [x] - Some departments in the organization have at least some limits on their retention of personal data, but the overall enterprise approach is inconsistent.
  2: Repeatable - The organization has adopted a policy of retaining personal data no longer than necessary to fulfill the purposes stated in privacy policies, unless a law or regulation requires otherwise.

5.2.3 - Disposal, destruction, and redaction of data
  0: Nonexistent - The organization has no approach toward limiting the retention of personal data.
  1: Initial [x] - The organization disposes of sensitive documents through a secure-shredding process, but has no consistent way of destroying personal information in electronic format.
  2: Repeatable - The organization informs users how to delete electronic personal information under their control, and the organization at least annually deletes data from e-mail servers and core information systems.

6.0   Data Access

6.2.1-3 - Data subject access to personal data
  0: Nonexistent - The organization has no approach toward providing data subjects a way to review their personal data.
  1: Initial [x] - Some departments or websites provide data subjects a way to review at least the key elements of their personal data.
  2: Repeatable - The organization has a policy requiring that data subjects be able to review their personal data in an understandable format, in a secure and timely manner, and at reasonable cost.

6.2.5 - Correcting personal data
  0: Nonexistent - The organization has no approach toward providing data subjects a way to correct their personal data.
  1: Initial [x] - Some departments or websites provide data subjects a way to correct at least their contact information.
  2: Repeatable - The organization has a policy requiring data subjects to be able to correct their personal data.

6.2.4,    Denial of access
6.2.6-7   0 Nonexistent: The organization has no approach toward legitimately denying data subjects access to their personal data.
          1 Initial [x]: The organization has an inconsistent way of legitimately denying data subjects access to their personal data.
          2 Repeatable:  The organization has a policy for legitimately denying data subjects access to their personal data.
7.0     Disclosure to Third Parties

7.1.1-2,  Limiting disclosure to third parties
7.2.1-4   0 Nonexistent: The organization has no approach toward limiting the disclosure of personal information to third parties.
          1 Initial [x]: At least some parts of the organization take an ad hoc approach toward limiting the disclosure of personal information to third parties, but there is no consistent enterprise approach.
          2 Repeatable:  The organization has adopted a policy of limiting the disclosure of personal information to third parties to only those purposes described in the relevant privacy policies and notices, or for which individuals have provided consent, unless a law or regulation specifically allows or requires otherwise.
7.1.2     Contracts with suppliers
          0 Nonexistent: The organization has no approach toward ensuring that contracts with third parties contain the appropriate clauses on privacy and security.
          1 Initial [x]: At least some parts of the organization routinely include confidentiality clauses in contracts with third parties, but there is no consistent approach across the enterprise.
          2 Repeatable:  The organization has adopted a policy that requires an attorney to ensure that contracts with third parties appropriately address privacy and security.




7.2.1-2,  Supplier policy compliance
7.2.4     0 Nonexistent: The organization has no approach toward verifying that third parties to whom it discloses personal data have an equivalent level of privacy and security protection.
          1 Initial [x]: Some departments in the organization verify the privacy and security policy compliance of at least some of their third-party sources of personal data, but the overall enterprise approach is inconsistent.
          2 Repeatable:  The organization has adopted a policy stating that it will ensure its third parties take appropriate data privacy and security measures that offer at least an equivalent level of protection as its own policies.
8.0     Data Security for Privacy



          Data-security personnel
          0 Nonexistent: There is no person in the organization known to have in their job description the responsibility for ensuring the confidentiality of personal information.
          1 Initial [x]: The organization has assigned the data-security responsibility to a person, but the time commitments of that responsibility exceed the availability of that person.
          2 Repeatable:  The organization has at least one person devoted exclusively to data security, and enough other staff helping with security to reduce each year the level of security gaps in the organization.
8.2.1     Data-security function
          0 Nonexistent: There is no office or function in the organization assigned to be the focal point for data-security knowledge and governance.
          1 Initial [x]: A sole person assigned the data-security responsibility serves as the organization's "data-security function".
          2 Repeatable:  The data-security function is identified in official organization charts, reflecting a sustained commitment to the function.



8.2.1     Employee awareness
          0 Nonexistent: The organization has never communicated the content of its data-security policies to any of its personnel.
          1 Initial [x]: The organization has at times communicated at least some of the content of its data-security policies to at least some of its personnel.
          2 Repeatable:  The organization annually communicates its data-security policies to all of its personnel that encounter personal information.


8.2.1     Policy documentation
          0 Nonexistent: The organization does not have a documented data-security policy.
          1 Initial [x]: At least some parts of the organization take an ad hoc approach toward implementing security policies, but the organization has no enterprise policies on data security.
          2 Repeatable:  The organization has adopted a policy aimed at protecting the confidentiality of information.




8.2.1     Projects
          0 Nonexistent: The organization's business and IT projects do not address data security.
          1 Initial [x]: The organization's project managers and IT managers occasionally address data security in their project plans and system-development life cycles.
          2 Repeatable:  The organization's policies require that any acquisition of information-related products or services, as well as its system-development life cycle, address data security.
8.2.2,    Logical access controls
8.2.5-7   0 Nonexistent: The organization has not implemented any ways to control computer-based access to its personal data.
          1 Initial [x]: The organization has implemented some basic logical-access controls, such as network firewalls, malware protections, and system passwords, but it has no enterprise approach to maintaining industry-standard controls.
          2 Repeatable:  The organization has formally adopted an enterprise approach to implementing logical-access controls that will meet the requirements of an external standard such as ISO 27001 or PCI DSS.


8.2.3     Physical access controls
          0 Nonexistent: The organization has not implemented any ways to control physical access to its personal data.
          1 Initial [x]: The organization has implemented basic physical-access controls, such as secure building entrances and employee ID badges, in some of its locations, but it has no consistent enterprise approach.
          2 Repeatable:  The organization has formally adopted an enterprise approach to implementing physical-access controls that will meet the requirements of an external industry standard.
8.2.4     Environmental safeguards
          0 Nonexistent: The organization has not implemented any ways to protect personal information against unlawful destruction, accidental loss, natural disasters, or environmental hazards.
          1 Initial [x]: The organization has implemented basic environmental safeguards, such as weekly backups of critical data, but it has no consistent enterprise approach.
          2 Repeatable:  The organization has formally adopted an enterprise approach to protecting personal information against unlawful destruction, accidental loss, natural disasters, and environmental hazards that will meet the requirements of an external industry standard.
9.0     Data Quality

9.2.1     Data accuracy and completeness
          0 Nonexistent: The organization has no approach toward ensuring the accuracy and completeness of its personal data.
          1 Initial [x]: Some departments in the organization have at least an ad hoc approach toward ensuring the accuracy and completeness of personal data, but there is no consistent enterprise approach.
          2 Repeatable:  The organization has adopted a policy requiring the accuracy and completeness of personal data.
9.2.2     Data relevance
          0 Nonexistent: The organization has no approach toward ensuring that the personal data it collects are relevant to the stated purposes for which they are collected.
          1 Initial [x]: Some departments in the organization have at least an ad hoc approach toward ensuring that the personal data they collect are relevant to the stated purposes for which they are collected, but there is no consistent enterprise approach.
          2 Repeatable:  The organization has adopted a policy requiring that the personal data it collects are relevant to the stated purposes for which they are collected.
10.0    Monitoring and Enforcement




10.2.1-2  Dispute resolution
          0 Nonexistent: The organization has no approach toward resolving privacy-related complaints of its employees or customers.
          1 Initial [x]: At least some parts of the organization resolve privacy-related complaints in an ad hoc manner, but there is no consistent approach across the enterprise.
          2 Repeatable:  The organization has adopted a common policy or process for resolving privacy-related complaints.

10.2.3-5  Compliance
          0 Nonexistent: The organization has no approach toward monitoring its ongoing compliance with changes in business operations and external privacy standards.
          1 Initial [x]: Some departments in the organization have at least an ad hoc approach toward monitoring their ongoing compliance with changes in business operations and external privacy standards, but there is no consistent enterprise approach.
          2 Repeatable:  The organization has assigned to a person or group the responsibility of monitoring its ongoing compliance with changes in business operations and external privacy standards.



                                                    Enterprise Privacy Maturity ScoreSM:
                                     NOTWITHSTANDING ANYTHING TO THE CONTRARY, THE PRIVACY MATURITY MODEL IS NOT L
                                     CONSULTANTS IS NOT ADVISING OR COUNSELING YOU ON THE LAW. YOU AGREE THAT YOUR
                                     AT YOUR OWN RISK.
Privacy Maturity Levels (continued) > 3: Defined | 4: Managed | 5: Optimized

Maturity Level Description >
          3: Defined:   The organization has a documented, detailed approach, but no routine measurement or enforcement of it.
          4: Managed:   The organization regularly measures its compliance and makes regular process improvements.
          5: Optimized: The organization has refined its compliance to the level of best practice.

                                   3: Defined     4: Managed     5: Optimized
          process consistency      consistent     consistent     consistent
          process documentation    detailed       detailed       detailed
          business objectives      mostly met     fully met      value added
          process measurement      ad hoc         routine        systemic
          policy enforcement       ad hoc         routine        systemic
          process improvement      ad hoc         routine        systemic
          process benchmarking     ad hoc         ad hoc         routine
          (row label not on this page)  Moderate across the organization.   Low across the organization.   Remote across the organization.

          Scoring cells in the right margin of the sheet, as extracted: "20  100" and "22  100%  1  5".



Assessment columns (right half of the sheet) > 3: Defined | 4: Controlled | 5: Systemic | Assessed Level | Weight | % | pts | poss

Section 1.0:  Weight 3 | 14% | pts 0.14 | poss 0.68
          (section 1.0 row, levels 3 to 5; the row label is on the left half of the sheet)
          3 Defined:    The organization has clearly defined job descriptions for privacy staff that require them to be CIPPs, including at least one with a title reflecting privacy leadership, and enough privacy staff to meet most business objectives related to privacy.
          4 Controlled: The organization has clearly defined job descriptions for privacy staff that require them to be CIPPs, including one with the "Chief Privacy Officer" or similar title, and enough privacy staff to meet all business objectives related to privacy.
          5 Systemic:   The organization includes privacy objectives in the job descriptions of all staff accessing personal information, and has been able to reduce the number of full-time privacy staff because privacy is so systemic in the enterprise.
          Assessed Level: 1




          (section 1.0 row, levels 3 to 5; the row label is on the left half of the sheet)
          3 Defined:    A person on the organization's Executive Committee has been formally assigned to be the privacy champion, and the privacy function provides an annual report to the Board.
          4 Controlled: The organization has consciously placed the privacy function in a particular department to support its business strategy, and the function has direct access to the Executive Committee.
          5 Systemic:   The leader of the privacy function has direct access to the CEO and is a routine part of business strategy decision making.
          Assessed Level: 1
          (section 1.0 row, levels 3 to 5; the row label is on the left half of the sheet)
          3 Defined:    The organization has a specific privacy budget that routinely includes enough dollars to accomplish most business objectives related to privacy.
          4 Controlled: The organization uses a Balanced Privacy Scorecard or similar measurement approach to determine its privacy budget, which is sufficient to accomplish all business objectives related to privacy.
          5 Systemic:   The dollars spent by the privacy function are exceeded by the privacy dollars spent by the rest of the organization, as a result of privacy becoming endemic.
          Assessed Level: 1




          (section 1.0 row, levels 3 to 5; the row label is on the left half of the sheet)
          3 Defined:    The organization annually communicates its privacy policies to all of its personnel that encounter personal information, and delivers detailed privacy training to personnel based on their roles.
          4 Controlled: The organization annually measures its employees' comprehension of and compliance with its privacy policies, and uses those results to improve its privacy program.
          5 Systemic:   The organization annually compares its privacy policy compliance with other organizations, and has achieved "best practices" status among its peers.
          Assessed Level: 1




          (section 1.0 row, levels 3 to 5; the row label is on the left half of the sheet)
          3 Defined:    The organization's privacy policies address all 8 privacy principles, are publicly displayed, and are accompanied by detailed standards and procedures implementing the principles.
          4 Controlled: The organization annually reviews changes in its business operations, processes, people, technology, legal obligations, contracts, and SLAs, and correspondingly updates its privacy policies and standards.
          5 Systemic:   The organization annually compares its documented privacy policies and standards with other organizations, and has achieved "best practices" status among its peers.
          Assessed Level: 1




Level 3: The organization has developed standard contractual clauses for data privacy and security and defined a process for internal compliance with them.
Level 4: The organization measures at least once per year the degree to which its contracts include standard privacy and security clauses and its internal practices comply with them.
Level 5: Process controls make it virtually impossible for the organization to adopt privacy and security commitments that it cannot meet.
1

Level 3: The organization has detailed checklists and procedures, and has assigned personnel, for ensuring the design, acquisition, development, and implementation of information-related products and services are compliant with relevant privacy policies.
Level 4: The organization routinely measures and tests the compliance of its information-related products and services with its privacy policies and procedures.
Level 5: Process controls make it virtually impossible for the organization to deploy new information-related products and services that are not compliant with its privacy policies and procedures.
1

Level 3: The organization has detailed the roles and responsibilities of those responding to privacy incidents, defined privacy incidents by policy, and maintains detailed procedures, forms, and reference materials for managing privacy incidents.
Level 4: The organization routinely measures its suspected privacy incidents and tests its compliance with its privacy-incident policies, and makes improvements based on those measurements.
Level 5: Because of its rigorous response process, the organization has resolved all known privacy incidents within 30 days for at least the past year.
1

                                                                                      1.0   2   9%   0.09   0.45
Level 3: The organization has defined different types of privacy notices for different situations, all of them based on the same privacy policy.
Level 4: The organization annually measures its compliance with its privacy-notice standards and makes improvements to the notices based on results and feedback.
Level 5: The organization regularly measures its data subjects' usage and comprehension of privacy notices, benchmarks them against peers, and systematically improves them and the process.
1

Level 3: The organization has adopted a standard requiring its privacy notices to read at no higher than grade 8 and be conspicuously displayed.
Level 4: The organization measures at least annually what grade level its privacy notices read at and how conspicuously displayed they are, and makes improvements based on results.
Level 5: Because of process controls, it is virtually impossible for a privacy notice to read at higher than grade 8 or be inconspicuously displayed.
1

Level 3: The organization has adopted a policy to provide privacy notices when personal information is collected, when privacy policies are materially changed, or when personal information is used for new purposes not previously identified, or as soon as practical thereafter.
Level 4: The organization annually measures its compliance with its privacy-notice timing standards and makes improvements to the process based on results and feedback.
Level 5: The organization systematically eliminates any noncompliance with its standard on the timing of privacy notices.
1

                                                                                    1.0   2   9%   0.09   0.45
Level 3: The organization has documented, detailed standards for offering the privacy choices required by the jurisdictions where it does business, and of notifying individuals of the consequences of denying or withdrawing a privacy choice.
Level 4: The organization measures its policy compliance, enforces policy noncompliance, and at least annually reviews regulations that might change its policy.
Level 5: The organization's privacy-choice policy distinguishes between implicit and explicit consent, consent for new purposes and uses of data, consent for online data transfers to or from an individual's computer, and consent for sensitive information.
1

Level 3: The organization has documented a data scheme that, when implemented, would integrate its privacy choices and use external opt-out lists where applicable.
Level 4: The organization measures its privacy-choice process performance and customer interaction with privacy choices, and makes at least annual process improvements based on that data.
Level 5: Customers routinely express the highest satisfaction with the privacy choices offered by the organization, and virtually all uses of personal data can be traced to a recorded privacy choice.
1

                                                                                 1.0   2   9%   0.09   0.45
Level 3: The organization maintains a data map or inventory of its personal data, by classification.
Level 4: The organization measures and reports at least annually its compliance with its data-classification policies, enforces noncompliance, and makes process improvements based on that data.
Level 5: Because of technical and procedural controls, it is virtually impossible to retain personal data in the organization without classifying it.
1

Level 3: The organization has defined its lawful and acceptable uses of personal data.
Level 4: The organization measures and reports at least annually its compliance with its data-collection policies, enforces noncompliance, and makes process improvements based on that data.
Level 5: Because of procedural controls, it is virtually impossible to initiate new collections of personal data in the organization without managerial or legal approval.
1

Level 3: The organization has defined detailed standards and processes for ensuring third-party sources of data have the appropriate authority to share that information with the organization.
Level 4: The organization measures and reports at least annually its compliance with its policy on third-party data sources and has adopted a policy of not using third-party data about individuals without their informed consent, enforces noncompliance, and makes process improvements based on that data.
Level 5: Because of procedural controls, it is virtually impossible to initiate new third-party sources of personal data without complying with the organization's policies and procedures.
1

                                                                                 1.0   2   9%   0.09   0.45
Level 3: The organization maintains a data-steward process or its equivalent that is designed to ensure personal data is only used for purposes identified in privacy policies.
Level 4: The organization annually measures its compliance with its limited-use policy, enforces noncompliance, and makes process improvements based on the results.
Level 5: Because of procedural controls, it is virtually impossible to initiate a new data use in the organization without approval.
1

Level 3: The organization has defined data classifications and their corresponding retention periods.
Level 4: The organization has defined data classifications and their corresponding retention periods, and the organization annually measures changes to regulations that could change its data-retention policies.
Level 5: The organization's retention policy distinguishes between anonymized, redacted, de-identified, deleted, and destroyed data, and is viewed by peers as a model approach.
1

Level 3: All information systems in the organization routinely delete information according to their retention periods, and backup media are used or cycled in such a way that all deleted data is wiped or overwritten.
Level 4: The organization annually measures its compliance with its data-retention policy, enforces noncompliance, and makes process improvements based on the results.
Level 5: Because of procedural controls, it is virtually impossible to retain personal data past their retention periods without formal approval.
1

                                                                                  1.0   1   5%   0.05   0.23
Level 3: The organization maintains detailed standards and procedures for providing data subjects authenticated access to all of the essential elements of their personal data that the organization holds.
Level 4: The organization annually measures its compliance with its data-access policy, enforces noncompliance, and makes process improvements based on the results. The organization doesn't use government-issued identifiers to authenticate for data access.
Level 5: Virtually all data subjects can access virtually all their personal data held by the organization in an understandable format, secure and timely manner, and reasonable cost.
1

Level 3: The organization maintains detailed standards and procedures for enabling data subjects to correct all of the essential elements of their personal data that can appropriately be corrected, and, where critical and feasible, the organization provides the correcting information to any third-party sources of that data.
Level 4: The organization annually measures its compliance with its data-correction policy, trains employees, enforces noncompliance, and makes process improvements based on the results.
Level 5: Virtually all data subjects can correct virtually all their correctable personal data held by the organization.
1

Level 3: The organization maintains detailed standards and procedures for legitimately denying data subjects access to their personal data, informing them in writing of the justification of denying access, and any ability of the data subject to appeal the denial.
Level 4: The organization annually measures its compliance with its access-denial policy, trains employees, enforces noncompliance, and makes process improvements based on the results.
Level 5: Because of strong procedural controls, it is virtually impossible for the organization to provide inappropriate access to data subjects.
1

                                                                                    1.0   3   14%   0.14   0.68

Level 3: The organization has inventoried the third parties with whom it shares personal information and identified the people in the organization responsible for those third-party relationships, and has communicated the organization's policy to these people.
Level 4: The organization annually reviews how regulations and risks may require changes to its policy on third-party data disclosure. The organization documents all PII disclosures to third parties.
Level 5: The organization's policy on PII disclosure to third parties addresses disclosures for new purposes and uses, legal purposes, government requirements, antifraud objectives, and other detailed purposes, and is fully consistent with the organization's privacy-choice policy and procedures.
1

Level 3: The organization has a defined set of standard contractual clauses for privacy and security, which, at a minimum, prohibit them from initiating new uses of the organization's personal information without prior consent of the individual, and it has a documented process ensuring that all third-party contracts include these clauses.
Level 4: The organization measures at least annually the portion of applicable contracts that include its standard clauses for privacy and security, takes remedial action in response to third-party misuse of its personal information, and makes process improvements based on the results.
Level 5: Because of procedural controls, it is virtually impossible to enter into a third-party contract without including the standard clauses on privacy and security.
1

Level 3: The organization has defined detailed standards and processes for ensuring third parties take appropriate and equivalent privacy and security measures.
Level 4: The organization measures and reports at least annually its compliance with its third-party assurance policies, enforces noncompliance, and makes process improvements based on that data. It routinely measures and manages compliance gaps at its vendors, and enforces a process to manage PII incidents among its vendors.
Level 5: It is virtually impossible to initiate new third-party relationships involving personal data without complying with the organization's policies and procedures. Vendors are fully integrated into the organization's training and awareness program for privacy and to the organization's privacy-choice and data-access procedures.
1

                                                                                      1.0   4   18%   0.18   0.91
Level 3: The organization has clearly defined job descriptions for data-security staff that require them to be CISPs, including at least one with a title reflecting data-security leadership, and enough data-security staff to meet most business objectives related to data security.
Level 4: The organization has clearly defined job descriptions for data-security staff that require them to be CISPs, including one with the "Chief Information Security Officer" or similar title, and enough data-security staff to meet all business objectives related to data security.
Level 5: The organization includes data-security objectives in the job descriptions of all staff accessing personal information, and has been able to reduce the number of full-time data-security staff because data security is so systemic.
1

Level 3: A security program has been developed, documented, approved, and implemented that includes administrative, technical, and physical safeguards to protect personal information from loss, misuse, unauthorized access, disclosure, alteration, and destruction, and the data-security function provides an annual report to the Board.
Level 4: The organization has consciously placed the data-security function in a particular department to support its business strategy, and the function has direct access to the Executive Committee.
Level 5: The data-security function is independent of the IT function, closely integrated with the privacy function, and has representatives in every business unit.
1

Level 3: The organization annually communicates its data-security policies to all of its personnel that encounter personal information, and delivers detailed data-security training to personnel based on their roles.
Level 4: The organization annually measures its employees' comprehension of and compliance with its data-security policies, and uses those results to improve its data-security program.
Level 5: The organization annually compares its data-security policy compliance with other organizations, and has achieved "best practices" status among its peers.
1

Level 3: The organization has based its data-security policies on recognized external standards, such as ISO 27001, and has documented related standards and procedures.
Level 4: The organization annually reviews changes in its business operations, processes, people, technology, legal, contracts, and SLAs, and correspondingly updates its data-security policies and standards.
Level 5: The organization annually compares its data-security policies and standards with other organizations, and has achieved "best practices" status among its peers.
1

Level 3: The organization has detailed checklists and procedures, and has assigned personnel, for ensuring the design, acquisition, development, and implementation of information-related products and services are compliant with its data-security policies.
Level 4: The organization routinely measures and tests the compliance of its information-related products and services with its data-security policies and procedures.
Level 5: Process controls make it virtually impossible for the organization to deploy new information-related products and services that are not compliant with its data-security policies and procedures.
1

Level 3: The organization has launched enough projects to meet, in time, the logical-access control requirements of a recognized industry standard such as ISO 27001 or PCI DSS.
Level 4: The organization has only a few material gaps between its implemented logical-access controls and the requirements of a recognized industry standard such as ISO 27001 or PCI DSS, and sufficiently funded projects are in progress to close those gaps.
Level 5: The organization's entire information-systems environment has been certified to meet a recognized external standard such as ISO 27001 or PCI DSS.
1

Level 3: The organization has launched enough projects to meet, in time, the physical-access control requirements of a recognized industry standard.
Level 4: The organization has only a few material gaps between its implemented physical-access controls and the requirements of a recognized industry standard, and sufficiently funded projects are in progress to close those gaps.
Level 5: All of the organization's facilities containing personal information have been certified to meet a recognized industry standard for physical-access control.
1

Level 3: The organization has launched enough projects to meet, in time, the environmental-safeguards requirements of a recognized industry standard.
Level 4: The organization has only a few material gaps between its implemented environmental safeguards and the requirements of a recognized industry standard, and sufficiently funded projects are in progress to close those gaps.
Level 5: The organization has been certified to meet a recognized industry standard for the protection of its personal information against unlawful destruction, accidental loss, natural disasters, and environmental hazards.
1

                                                                                1.0   1   5%   0.05   0.23

Level 3: The organization has defined detailed standards and processes for ensuring the accuracy and completeness of personal data.
Level 4: The organization measures and reports at least annually its compliance with its data-quality policy, enforces noncompliance, and makes process improvements based on the data.
Level 5: Virtually all personal data is subject to an annual review process designed to ensure its accuracy and completeness.
1

Level 3: The organization has defined detailed standards and processes for ensuring the personal data it collects are relevant to the stated purposes for which they are collected.
Level 4: The organization measures and reports at least annually its compliance with its data-relevance policy, enforces noncompliance, and makes process improvements based on the data.
Level 5: Virtually all personal data is subject to an annual review process designed to ensure its relevance.
1

                                                                                              1.0       2   9%   0.09   0.45

The organization documents every privacy-related complaint and its resolution, and communicates the resolution to the complainant.
The organization at least annually measures and reports its handling of privacy complaints, and makes regular process improvements based on the results.
The organization has a detailed and well-communicated process for resolving privacy complaints, but receives few, if any, complaints, because it rarely varies from the privacy expectations it sets with customers and employees.
1




The organization has defined detailed standards and processes for monitoring its ongoing compliance with changes in business operations and external privacy standards.
The organization reviews at least annually changes in its business operations or external privacy standards that may affect its privacy compliance, and takes initiatives to address any new areas of noncompliance.
No changes in business operations are undertaken without a privacy impact assessment, and new privacy standards rarely impose new obligations on the organization because of its already mature approach to privacy.
1



Maturity ScoreSM: 20 (highest possible: 100)
, THE PRIVACY MATURITY MODEL IS NOT LEGAL ADVICE. MINNESOTA PRIVACY
 YOU ON THE LAW. YOU AGREE THAT YOUR RELIANCE ON THE PRIVACY MATURITY MODEL IS