US 20070283171 A1
A system and method for assessing the risk associated with the protection of data privacy by software application. A decision engine is provided to assess monitor and manage key issues around the risk management of data privacy. The system creates a core repository that manages, monitors and measures the data privacy assessments of applications across an institution (e.g., a corporation). The system and method employs automated questionnaires that require responses from the user (preferably the manager responsible for the application). The responses are tracked in order to evaluate the progress of the assessment and the status of the applications with respect to compliance with the enterprise's data privacy policies and procedures as well as the regulations and laws of the jurisdictions in which the application is operated. Once a questionnaire has been completed, the application is given ratings both with respect to the data privacy impact of the application and the application's compliance with the data privacy requirements. If a risk exists, a plan for reducing the risk or bringing the application into compliance can be formulated, and progress towards compliance can be tracked. Alternatively, an identified exposure to risk can be acknowledged through the system, which requires sign off by various higher level managers and administrators.
32. A computer implemented method for managing protection of data privacy, the method comprising the steps of:
maintaining a repository for managing data privacy assessments for an entity;
presenting one or more automated questionnaires to one or more users within the entity, wherein the automated questionnaires are directed to one or more policies;
tracking responses associated with each automated questionnaire in the repository;
evaluating compliance with the one or more policies based on the responses;
assigning a rating of exposure to risk associated with the compliance; and
determining an action based on the rating of exposure.
33. The method of
34. The method of
35. The method of
36. The method of
37. The method of
38. The method of
39. The method of
40. The method of
41. The method of
42. The method of
forwarding the rating of exposure to one or more designated users for evaluating the exposure of risk relative to other groups within the entity.
43. The method of
generating one or more reports that provide compliance status.
44. The method of
searching the repository for identifying one or more of risk and compliance information.
45. A computer implemented system for managing protection of data privacy, the system comprising:
a repository for managing data privacy assessments for an entity; and
a decision engine for presenting one or more automated questionnaires to one or more users within the entity, wherein the automated questionnaires are directed to one or more policies; tracking responses associated with each automated questionnaire; evaluating compliance with the one or more policies based on the responses; assigning a rating of exposure to risk associated with the compliance; and determining an action based on the rating of exposure.
46. The system of
47. The system of
48. The system of
49. The system of
50. The system of
51. A method for an enterprise to manage privacy of information, the method comprising:
identifying application information that describes at least one software application used by the enterprise;
storing the application information in a database;
identifying types of information that are contained in or used by the application;
storing the types of information in the database;
determining jurisdiction information that describes the jurisdictions in which the application operates;
storing the jurisdiction information in the database;
identifying the procedures used to protect the privacy of the types of information;
storing procedural information related to the procedures in the database;
automatically determining a compliance rating associated with the application;
storing the compliance rating in the database;
providing status data from the database, wherein the status data comprises at least the compliance rating.
52. The method of
This application claims priority to U.S. Provisional Application No. 60/411,370, filed on Sep. 17, 2002 the entirety of which is incorporated herein by reference.
The present invention generally relates to systems and methods for managing data privacy, and more particularly to systems and methods for managing the risk associated with compliance with applicable laws corporate policy with respect to the collection, use and storage of an individual's data.
Risk management relates to procedures for assessing and managing risk that are established by the enterprise, with accompanying directives by management to comply with the procedures. For example, a given manager of a department may be required to establish the level of risk associated with the operation of a particular computer system (e.g., the risk of losing use of such a computer system for some period of time). This manager may formulate a system for evaluating and reporting the risk, that can be used by lower level and project managers. For example, on a periodic basis such as quarterly, the managers for a given department might be required to communicate to upper management the various risk factors and risk evaluations that are related to its computer information systems operations. The risk factor related information can be documented through various forms or questionnaires for evaluating risk and risk factors associated with projects for which they are responsible. These forms and questionnaires can be compiled into reports and other summary data to provide a department manager with a fairly good idea of the level of compliance with various enterprise procedures.
Typically, if a group within the department is not in compliance with the established procedures for the enterprise, this information can be so noted in the summary or compiled data presented to the department manager. In such a case, the department manager can establish plans to bring the group into compliance, and to monitor the status of the group in progressing with the plan.
The impact of evaluating the risk for a given enterprise can have serious consequences with regard to the success or profitability of the enterprise. If the enterprise has established procedures that are designed to protect the enterprise from liability, or otherwise assure that levels of risk within the enterprise are minimized, the enterprise can be exposed to liability if the procedures are not properly followed. For example, in the area of data privacy, most responsible enterprises have policies and procedures for protecting the personal information of their employees and customers. Further more, each state and Federal government has laws regulating the privacy of personal information. Failure to follow these policies, procedures and laws can expose the enterprise to significant liability.
In typical enterprises, the analysis, statuses and reporting to upper management of the procedures with respect to data privacy are often haphazard and inconsistent. For example, some managers may find the requirement of filling out forms and answering questionnaires to be an inefficient use of time, and fail to effectively complete risk assessments. Other managers may have an attitude that protecting data privacy is not an important priority. Furthermore, most departments fail to evaluate the external dependencies that it has, and the impact on its ability to perform its functions should those external entities fail to protect the employees and customer's data.
Where tools for the risk assessments with respect to data privacy do exist, they tend to be form intensive, and inconsistent between various enterprise locations. It is difficult to track and maintain the data that can be obtained from forms related to assessment of data privacy risk, and even more difficult to take an enterprise view of such risk, which is absolutely required for effectively managing the liability of the enterprise. Some computer based systems have been developed to overcome the difficulties with traditional paper based risk assessment systems. It does not appear that any such systems have been developed with respect to assessing and containing the risk associated with data privacy.
The present invention is a system and method for determining an enterprises' compliance with data privacy policies, procedures and laws and assessing the risk associated with non-compliance. The system and method of the present invention provides the capabilities to manage and monitor the protection of employees' and customers' private data. It should be noted that the requirements of data privacy is equally applicable to the information of employees as well as it is to customer's data. For example, employers in all fifty states must comply with the privacy regulations associated with the Federal law entitled the Health Insurance Portability and Accountability Act (HIPAA). This invention enhances current processes to provide a decision engine around key data privacy issues providing the capability for enhanced, monitoring and management around the risk management function.
A first step of the present invention is to create a core repository that manages, monitors and measures all data privacy assessments across an institution (e.g., a corporation). The invention eliminates redundant systems and functions related to data privacy assessment within each of the Lines of Business (LOBs) of the institution.
The present invention utilizes a six-step data privacy management system to develop, assess and test the risk associated with the data privacy protection practices and procedures employed by a corporation. The system identifies and tracks outstanding issues related to data privacy through final resolution or acceptance of the risk posed by the data privacy issue. The system and method employs automated questionnaires that require responses from the user (preferably the manager responsible for the data, i.e., the data owner). The responses are tracked in order to evaluate the progress of the assessment and the status of the data privacy protection program with respect to compliance with the enterprise's policies and procedures as well as state and Federal laws.
One or more responsible parties for a given area are identified or appointed to be responsible for responding to compliance questionnaires. The parties fill in questionnaires designed to focus on various features of risk assessment for specific aspects of the data privacy procedures. For example, the responsible parties for an area that performs customer services would be asked if the customer service agents have been trained to safeguard a customer's private information. The rating for this group's data privacy protection may depend upon such factors as whether the group has established procedures for which information the customer service representatives can provide to it customers and procedures for which information the customer service representatives can collect from customers.
Once a questionnaire or series of questionnaires has been completed, the compliance of the group with the enterprises requirements for the protection of data privacy (including compliance with applicable sate and Federal laws) is assessed and the group is given an overall rating of exposure to risk. Areas of risk can be acknowledged, prompting a sensitivity rating, such as severe, negligible and so forth. Once risk is acknowledged, a plan for reducing the risk or bringing the groups procedures into compliance can be formulated, and progress towards compliance can be tracked. Alternatively, an identified exposure to risk can be disclaimed through the system, which requires sign off by various higher level managers and administrators.
Once the risk assessment is completed for various departments, a higher level manager can review exposure to risk on a broad perspective, and through a user interface, expand particular areas where high risk is identified as a problem. A risk category that is expanded reveals the different departments and/or projects which are responsible for data privacy and their associated risks or compliance statuses. The higher level manager can thus identify particular projects, activity areas and groups where risk exposure exists.
Requirements for compliance with regulatory demands, regulatory agencies, state law and Federal laws are built into the data privacy risk management tool. Project managers and higher level managers can determine in a glance if a particular group's practices and procedures are in compliance with the laws and guidelines. Higher level managers have broader access than lower level mangers to risk assessment information according to level of seniority. For example, a middle level manager can see all the risk assessment factors for each group that they manage, but can see no risk information beyond their allotted level. A high level manager can view all the information available to the mid level manager, in addition to any other manager or group for which the high level manager has responsibility. Accordingly, access to the system is provided on a secure basis that is reflective of the user's level of seniority.
The system also provides security features such as logon IDs and passwords. Access levels are assigned based on seniority or management status, and provide a mechanism for a secure review of risk exposure and compliance. Once data is entered into the system it cannot be modified unless the user has proper authorization. The system generates reports to inform persons or groups about their compliance status. A search tool is available for locating various business units, compliance areas, risk status levels and so forth. The system can also be used for training users on risk management policies, how risks are evaluated and how paths to compliance can be determined.
The system according to the present invention thus provides immediate compliance verification, a calendar of events, allows shared best practices and corrective action plans and provides a mechanism for risk acknowledgement communicated to other members of a hierarchy. The system can be used in any hierarchical organization including such risk sensitive enterprises as military units, space missions and highly financed business endeavors.
For the purposes of illustrating the present invention, there is shown in the drawings a form which is presently preferred, it being understood however, that the invention is not limited to the precise form shown by the drawing in which:
The system 10 of the present invention is illustrated in
In step one (50) the person assigned with the responsibility to assess a particular application that involves data with a privacy component describes the application to system 10. The responsibility for describing the application is typically assigned to the manager in charge of the application, as this is the person in the organization with the most intimate knowledge about the current state of the operation of the application at any given time. As further described below, the information for each application is aggregated and rolled up for each higher level of management with the organization. In step two (55) of the process, various roles and responsibilities within the enterprise with respect to the application are defined and assigned. In step three (60) of the method, the impact of data privacy in regard to the operations of the application is reviewed and assessed. In step four (65), the user identifies all of the jurisdictions (e.g., states) in which the application is used. In step five (70) of the method, the manager completes a series of questionnaires that aid system 10 in assessing and classifying the risk associated with the application in regard to the protection of private data. Finally, in step 6 of the process, system 10 provides the manager with access to a library (preferably hyperlinks) to contacts with the enterprise knowledgeable about privacy issues, privacy policies of the enterprise, United States Federal legislation, state legislation and selected international legislation.
Screen 80 is used to input into system 10 the descriptions the applications employed by the enterprise. Only the applications that store or process data with a data privacy component are required to undergo the privacy review of system 10. Many applications employed by the enterprise have no contact with private data, e.g., applications that control the air conditioning in a particular facility. If an application does not have any functionality with respect to private information, the user would enter “not applicable” in response to the questions posed by system 10 as further described below. In a preferred embodiment, another software module (not illustrated in the Figures) known as an Application Portal, retrieves information regarding applications that have already been defined in system 10. In field 85, the user identifies the application by name. In a preferred embodiment of the invention, a dropdown box is provided for field 85 so that the user can recall the data for a previously identified application and edit the information associated with that application if necessary. Once identified, the Application Portal is able to retrieve all of the information it has regarding an application and pre-populates the fields in screen 80. In field 90, the user describes the application. Field 95 is used to identify the location of the production server hosting the application, preferably by Street, City, State and Zip Code. Buttons 100 assists the user in identifying the location of the servers which support the application being described. Part of database 40 of system 10 (
Field 105 is similarly used to identify the location of the development server that is being employed to develop the application. Field 110 is used to identify the location of the quality assurance (Q/A) server employed in the testing of the application. As with the identification of the production server in field 95, the development and Q/A servers in fields 105 and 110 are preferably identified by Street, City, State and Zip Code.
In field 115, the user identifies the current status of the application under review. The user is provided with the choices of identifying the application was being in development (120), in user acceptance testing, UAT (125), in production (130) or that the application has been retired (135).
For each of the roles 155, 185, input screen 150 indicates who performed the assignment of the role 165, when the role was assigned 170, to whom the assignment was made 175 and the date on which the assignment was accepted 180. When an assignment is made, system 10 preferably sends the assignee an email notifying the person of the assignment and the responsibilities associated therewith (see below). The assignee preferably accepts the assignment by replying affirmatively to the email and system 10 updates the applicable database to record the assignment. When a manager is making assignments in input screen 150, some of the roles will have already been pre-populated as certain of the assignments relate to firm-wide responsibilities.
The following section describes the responsibilities of key ones of the roles in the present invention.
The Data Privacy Owner 155 is a manager in an area which generates or processes system information (e.g., application programs and related files), or produces products and services which depend upon system information. Each application of the enterprise must have an Data Privacy Owner 155 accountable for its protection. Applications that are cross-functional in nature, in that they serve the needs of multiple business units, preferably have a central Data Privacy Owner 155 that serves as a focal point. Data Privacy Owners 155 are assigned for every business unit using these applications.
In each case, the Data Privacy Owner's 155 responsibilities are the most extensive and involve ensuring compliance with the policies and procedures of the enterprise relative to the applications under her supervision. The Data Privacy Owner 155 is tasked with ensuring compliance with specific policies and procedures of the enterprise, including: developing, testing and maintaining the application in compliance with all data privacy regulations existing in the jurisdiction where the enterprise conducts business; ensuring that Outside Service Providers (OSPs) involved with the application develop, test and maintain the application in compliance with all data privacy regulations existing in the jurisdiction where the enterprise conducts business; ensuring that all data elements within the application and related files are classified according the data privacy impact rating; ensure that Risk Acknowledgments (see below) are in place for each area of non-compliance with data privacy policies; coordinate with local information owners to ensued that all of the responsibilities are properly fulfilled; ensure that the application is in compliance with Information Technology control policies; training employees, as needed, to comply with all data privacy regulations existing in the jurisdiction where the enterprise conducts business; inform all users of applications of the policies and procedures with respect to the application; identify an alternative Data Privacy Owner; and develop a Corrective Action Plan (see below) for any area of the application that is non-compliant.
The Data Privacy Risk Manager 185 generally reports to senior management within the enterprise and is responsible for ensuring that the enterprise complies with the enterprise's established data privacy control policies. The responsibilities of the Data Privacy Risk Manager 185 includes the following: coordinating the business unit's compliance with the enterprise's data privacy policies and procedures, as well as compliance with local, state and Federal regulations and laws related to data privacy; ensuring implementation of a data privacy awareness program for the business to address data privacy risks and to develop and offer Data Privacy Owner 155 and user training; administering the Risk Acknowledgement process and insuring they are performed by Data Privacy Owners 155 in compliance with the procedures of the enterprise; review and monitor technology audits and audit responses to validate the effectiveness of the response and the timeliness of any corrective actions; monitor on-going compliance with enterprise's data privacy policies and procedures, as well as compliance with local, state and Federal regulations and laws related to data privacy; ensure that a process is in place to assess technology platforms and associated applications for data privacy protection and compliance; ensure that a process is developed for the timely notification of terminated or transferred Data Privacy Owners 155 and insuring an alternate resource; insure the development and implementation of Corrective Action plans with respect to any area not in compliance with data privacy protection policies and procedures; and insure business units ensure compliance of their OSPs with respect to data privacy policies and procedures.
Screen 150 also allows the user to assign alternates to the one or more of the roles defined as the Primary Role. In the example depicted in
Returning for the moment to
With respect to each of the questions 255, 295-335, system 10 provides the user with the ability to describe if and how the application has contact with the type of data and the nature of the contact. Specifically, system 10 asks the user if the application processes the data in question (260), whether it transmits the data 265, whether it collects the data itself 270 and whether it stores the data 275. System 10 further asks the user as to whether the data in question is data from a customer 280 or data from an employee of the enterprise 285. Typically, an application would process only customer 280 or employee 285 data, but certain applications (e.g., storage or transport applications) could have contact with both customer 280 and employee 285 data. System 10 additionally allows the user to answer Not Applicable (N/A) 290 with respect to any type of data, indicating that the application does not touch that type of data. The user is able to answer affirmatively to any of the questions 255, 295-335 by checking the selection box in the column 260-290 of the answer that applies. As seen in
As can be seen in
As seen in
After the user has answered the questions on the data privacy impact assessment input screens (e.g., screen 250) she uses the Submit button 340 in order to have the data saved by system 10 in database 40 (
System 10 computes criticality rating for the application based on the responses provided by the user with respect to the questions described above. The analysis process of system 10 results in a privacy impact rating for the application of LOW to HIGH. The specific algorithm used to analyze and determine the overall data privacy impact rating of the application (in light of the manager's responses) is subject many factors including, among others, the types of data involved (e.g., Social Security number versus address) and the types of functionality performed by the application (e.g., storage, processing . . . ). The respective ratings of particular types of data are based upon industry/governmental guidelines. For example, Social Security numbers are ranked as High and demographic information is ranked as medium. These rankings are embedded in system 10. In a preferred embodiment, the application is assigned the criticality of the highest criticality of the data that is touched by the application.
Once system 10 has calculated the data privacy impact rating for the application, the rating is stored in database 40 (
The above described procedure for determining the data privacy impact rating for an application can, and is preferably performed for each of the applications identified in system 10. Although the data privacy impact rating for a particular application may be High, this does not mean that there is a problem with the application. It simply means that sensitivity that the enterprise should take with respect to the protection of the privacy data employed by this application is increased. As shown below, if the data privacy impact rating is High, the scrutiny given to the procedures of the enterprise for protecting the data is heightened. Furthermore, the acceptance of the risk associated with the data privacy aspects of the application is more carefully reviewed, in the preferred embodiment by higher levels of management.
If the user erroneously inputs a jurisdiction into area 405, she can highlight the erroneous jurisdiction and then activate the Delete button 415 to delete the entry from area 405. Once all of the applicable jurisdictions have been input into area 405, the Submit button 440 is activated to cause system 10 store the jurisdictions in database 40 (
As illustrated in
When a user provides a negative answer to any of the questions in any of the assessments in system 10, system 10 automatically asks the manager if she would like to develop a Corrective Action Plan (CAP) if the gap will be remediated within ninety days. As implied by its name, a Corrective Action Plan is a plan to correct the condition that has caused the manager to answer a question negatively. If the manager answers yes to developing a CAP, system 10 brings the manager to a CAP input screen in which the manager describes the condition which caused the negative response, the reason for the condition (e.g., funding) the plan to correct the condition, the person responsible for seeing that the correction is done, a target date by which the correction will be completed, and any attachments which are required to more fully explain the CAP. The CAP that is developed is stored in the database and appropriately linked to the records for this department. Comments section 570 indicates if a CAP is in place to correct the issue that caused the particular question to be answered negatively.
If the manager says “No” when asked if she wants to develop a CAP, the manager is automatically brought to a Risk Acknowledgement screen. In this screen, the manager is required to describe the reasons for the requirement of the Risk Acknowledgement; what compensating controls are in place, if any; the likelihood of an impact due to the risk involved (high, medium or low); a description of the potential impact; a rating of the potential impact (catastrophic, severe, moderate, negligible); and an implementation plan. The Risk Acknowledgement by the manager is reviewed and approved by the appropriate LOB management. If the Risk Acknowledgement is not approved by management, a CAP must be developed in order to correct the risk condition. Comments section 570 indicates if a Risk Acknowledgement (RA) is in place to acknowledge the risk associated with the issue that caused the particular question to be answered negatively.
Tables 1 through 7 illustrate preferred categories of questions and the preferred questions that are posed to the user in order to classify the risk associated with the data privacy aspects of the application under review.
As illustrated in Tables. 1-7, the system and process of the present invention provides a systematic, standardized and comprehensive review of the data privacy issues associated with the applications employed by an enterprise. For areas that require attention or do not meet policy compliance, a corrective action, risk acknowledgment or risk acceptance process will automatically be invoked. Such processes identify the condition, remediation plan, identification of accountable personnel and targeted deadlines for implementation.
A determination is made on whether the application is in compliance with the privacy guidelines, either by meeting all the requirements of the applicable policies or categories in the various risk assessments, or by having an approved process or plan in place to achieve compliance. If the application is compliant, then the indicators displayed in
One of the significant features of the present invention is the ability of system 10 to rollup all of the collected information into clear and easily comprehensive status report.
As seen in
The status of the issues associated with the data privacy review of the applications used by a Line of Business is depicted as a colored icon, e.g., icon 640. Each icon represents a different status. In addition to each icon being a different color, it is also a different shape. This allows user having devices without color capability to quickly determine the status of a particular item.
It should be apparent that while the user is presented with a visual indication of risk status as a result of the process shown in
As indicated by icon 645, there is a Corrective Action Plan (CAP) in place to address the non compliance indicated by icon 640. As previously described, this CAP is documented on system 10. By clicking on the status icon 645 in the Corrective Action Plan column 610, the user can immediately bring up the CAP developed by the manager. If the manager did not develop a CAP, but rather performed a Risk Acknowledgement, this is indicated in column 650. Similarly, by clicking on the icon 650 in Risk Acknowledgement column 615, the user is be able to see the specific Risk Acknowledgement developed by the manager.
If the user clicks on one of the status icons in the Data Privacy column 605, system 10 drills down the data to the next level of status as illustrated in
As with the Line of business as a whole described above with respect to Status Screen 600 (
Although the present invention has been described in relation to particular embodiments thereof, many other variations and other uses will be apparent to those skilled in the art. It is preferred, therefore, that the present invention be limited not by the specific disclosure herein, but only by the gist and scope of the disclosure.