Secrets to Success! Accountability in Global
Organizations
Marisa Rogers & Jenifer Garone, Microsoft
Ruby Zefo, Intel
AGENDA
• Accountability at the top
• Accountability across the business
• Assessments & Reporting
• Gaining Buy-In for Resources
• Remediation & Incident Response
PRIVACY ACCOUNTABILITY FROM THE TOP
• Tone from the top
• Privacy ≠ Security.
PRIVACY ACCOUNTABILITY ACROSS THE BUSINESS
• Policies, Tools & Training
[Hub-and-spoke diagram; spokes shown: Services; Engineering Groups; HR, Finance, Legal, IT; Sales & Marketing]
The “hub,” Trustworthy Computing, is responsible for:
• Policies, Standards & Procedures (PSPs)
• Training
• Tools
• Reporting
• Capacity
• Comms
The “spokes” are responsible for implementation and compliance with PSPs.
PRIVACY ACCOUNTABILITY AT MICROSOFT
TwC Privacy
Microsoft governs its privacy program using the “hub & spoke” model, with the corporate privacy team and Privacy Managers, Leads, & Champs in the organizations across the company.
BRINGING A MATRIXED ORGANIZATION TOGETHER
[Diagram: TwC Privacy at the hub; Engineering Groups, Business Groups and Corporate Functions as the spokes, each with Privacy Managers, Privacy Leads and Privacy Champs. Spokes shown: Services; Engineering Groups; HR, Finance, Legal, IT; Sales & Marketing]
Cross-company bodies connecting the spokes:
• Privacy Steering Committee
• Privacy Councils (e.g. marketing, advertising, enterprise, vendor)
• Privacy Committees (e.g. training, career development, controls)
PRIVACY ROLES
Scenario: Business is working with MSIT SBU to create, design, deliver applications & tools.

[Role label not recovered from the slide]
• Requirements: Review; Approve; Attest; Consult; Validation
• Testing: Test Plans; UAT
• Go/No Go: Attend; Vote
• Deployment: Review; Approve; Certify; Consult; Validation

Business Privacy Manager
• Requirements: Consultation; Validation
• Risk Mitigation: Consultation
• Deployment: Approve; Attest
• Operate & Maintain: Consultation; Validation; Risk Assessments; SLT Reporting; Contract Reviews; Exceptions; Policies & Standards
• Issue Resolution: Consultation; Validation; Escalations

MSIT Privacy Manager
• Requirements: Consultation; Exceptions; Policies & Standards; act as Business Privacy Manager when a gap exists; MSIT and Business Privacy jointly approach TwC for guidance
• Risk Mitigation: Consultation
• Deployment: Consultation; PERFs
• Operate & Maintain: Consultation; Exceptions; Policies & Standards
• Issue Resolution: Consultation; Validation; Escalations; MSIT and Business Privacy jointly approach TwC for guidance

TwC Privacy (hub)
PRIVACY TOOLS
PAM – PAGO review tool
IMS – Incident & Inquiry management tool
Contacts Tool – Coverage report by org
PrivPub
EGRC – Archer
Streamlined Risk Assessment (SRA)
HOW DO I HANDLE AN EXCEPTION REQUEST?
QUIZ - TONE AT THE TOP
“If you have something that you don’t want anyone to know, maybe you shouldn’t be doing it in the first place.”
“You have zero privacy anyway. Get over it.”
“In reality, we wouldn't share your information in a way you wouldn't want ... The trust you place in us as a safe place to share information is the most important part of what makes this work.”
ASSESSMENTS/METRICS REPORTING
Everyone can do some metrics! Yes, you.
EXAMPLE ASSESSMENT: PRIVACY ACCOUNTABILITY
Key: Green = Completed; Yellow = In Process; Red = At Risk
EXAMPLE PRIVACY MATURITY ASSESSMENT
[Maturity chart. Categories: Privacy Policies; Accountability; Identify and Classify; Incident and Breach Response; Notice; Use; Access & Accuracy; Training; Privacy by Design; 3rd party transfer; International transfer; Retention & Disposal; Security. Maturity scale (Low to High): 1 - Ad hoc; 2 - Repeatable; 3 - Defined; 4 - Managed; 5 - Optimized. Annotations: "Current Status = 2, Goal State = 3"; "Recommended minimum for processing XYZ data"; "Current Status = ~2, Goal State = 3"; "Subsidiary"]
Creating a PAM Assessment
Policy Approval Manager
EXAMPLE PRIVACY IMPACT ASSESSMENT
EXAMPLE PRIVACY PROGRAM METRICS
Metrics via Scorecarding
Privacy Review volume - YOY
Org Engagement - June 2013
[Chart: Privacy Program Monitoring, Privacy Inquiries/Reviews Volume YTD, July through June, scale 0 to 400; labelled values 217 and 174]
OBTAINING RESOURCES
What do all these have in common?
REMEDIATION & INCIDENT RESPONSE
MANAGING INCIDENTS
Privacy as a business enabler
Measure, measure, measure – people do what they’re measured on
Leveraging like-minded roles
Have a privacy elevator pitch!
KEY TAKEAWAYS