
Page 1: SuppID_1907.ppt - GAPP - The Next Sox

A Privacy Audit Using Generally Accepted Privacy Principles

A Global Privacy Framework

The Next Sarbanes Oxley?

AAA Annual Meeting - Anaheim

August 6, 2008

Page 2: SuppID_1907.ppt - GAPP - The Next Sox

Everett C. Johnson, CPA

Title: AICPA/CICA Privacy Task Force Chair

Area of Focus: Information Protection Services, Computer Auditing

Background: Retired Partner – Deloitte & Touche; over 40 years' experience in audit, control and security matters

Affiliations:
• Former International President - ISACA, IT Governance Institute
• Past Chair
  – AICPA Electronic Commerce Assurance Services Task Force
  – AICPA Information Technology Research Subcommittee
  – Deloitte's International Enterprise Risk Services Committee
  – IFAC Information Technology Committee
• Past National Director – Deloitte's Computer Assurance Services Group
• Past Chair & USA Representative –
• Former Member
  – AICPA Information Technology Executive Committee
  – AICPA Assurance Services Executive Committee

Page 3: SuppID_1907.ppt - GAPP - The Next Sox

Ken Askelson, CPA.CITP, CIA

Title: AICPA/CICA Privacy Task Force Vice Chair

Area of Focus: Information Security, Microcomputer Accounting Systems, IT Infrastructure Management

Background: Retired Senior IT Audit Manager – JCPenney; over 20 years of IT audit experience

Affiliations:
• Former Commissioner – AICPA National Accreditation Commission
• Past Member – AICPA Information Technology Executive Committee
• Past Member – AICPA Information Technology Research Subcommittee
• Past Member – AICPA Business and Industry Executive Committee
• Past Member – IIA Advanced Technology Committee
• Past Member – Journal of Accounting Advisory Board
• Past participant – Partnership for Critical Infrastructure Security, sponsored by the U.S. Chamber of Commerce and the Critical Infrastructure Assurance Office of the Department of Homeland Security

Page 4: SuppID_1907.ppt - GAPP - The Next Sox

Marilyn Prosch, PhD., CIPP

Title: Associate Professor of Accounting – Arizona State University, School of Global Management

Area of Focus: Privacy, Data Protection, Accounting Information Systems, Internal Controls, eBusiness

Affiliations:
• Member – AICPA/CICA Privacy Task Force
• Sample of Journal Articles
  – International Journal of Corporate Governance
  – Journal of Emerging Technologies in Accounting
  – Journal of Information Systems
  – Journal of Forecasting
  – Journal of Accountancy
  – Research in Accounting Regulation
  – The Accounting Review

Page 5: SuppID_1907.ppt - GAPP - The Next Sox

AGENDA

• Overview of Privacy Breach Trends
• Overview of GAPP & How it may be used
• GAPP & Privacy Risk Assessment
• Q&A

Page 6: SuppID_1907.ppt - GAPP - The Next Sox

Privacy: Media Hype or a Real Problem?

Some of the reported incidents that occurred in 2007…

Page 7: SuppID_1907.ppt - GAPP - The Next Sox

Wells Fargo via unnamed auditor

Lloyd's of London (FL)

Circuit City and Chase Card Services

Linden Lab

Telesource via Vekstar

American Family Insurance

Nikon Inc. and Nikon World Magazine

Howard & Partners law firm via its auditor Morris, Davis & Chan

Life Is Good

Movie Gallery

General Electric

Direct Loans via its IT contractor ACS

T-Mobile USA Inc

VISA/FirstBank

Empire Equity Group

Limewire

Gymboree

Atlantic Plastics, Inc. via accounting firm Hancock Askew

Hertz Global Holdings, Inc.

Nissan Motor Co., Ltd.

Avaya

Home Finance Mortgage, Inc.

Greater Media, Inc.

Compulinx

West Shore Bank

Wesco

Starbucks Corp.

Four ARCO gas stations

KSL Services, Inc

ADP

TransUnion Credit Bureau via Kingman, AZ, court office

TD Ameritrade

H&R Block

Premier Bank

Aetna / Nationwide / Wellpoint Group Health Plans via Concentra Preferred Systems

Boeing

Bank of America

Major League Baseball players via SFX Baseball, Inc.

Deb Shops, Inc.

KeyCorp

Altria & United Technologies via benefits consultant, Towers Perrin

MoneyGram International

TJ Stores

KB Homes

Chase Bank

CTS Tax Service

Metro Credit Services

Front Range Ski Shop

Piper Jaffrey

Stop & Shop Supermarkets

Rabun Apparel Inc

Johnny's Selected Seeds

Dai Nippon

Science Applications International Corp. (SAIC)

Tax Service Plus

RadioShack

Hortica

Turbo Tax

New Horizons Community Credit Union

Bank of America

CVS Pharmacy

Albertson’s

Neiman Marcus

Ceridian Corp.

Caterpillar, Inc.

Couriers on Demand

J. P. Morgan

IBM

Alcatel-Lucent

Columbia Bank

Check into Cash

Jax Federal Credit Union

HarborOne Credit Union

Pfizer

American Airlines

Texas First Bank

Winn-Dixie

Fidelity National Information Services

Disney Movie Club

Western Union

Kingston Technology Co.

Cricket Communications

Fox News

American Education Services

Verisign

Electronic Data Systems

Merrill Lynch

Monster.com

AT&T

McKesson

Gander Mountain

TennCare / Americhoice Inc.

Voxant.com

Gap Inc

eBay

ABN Amro Mortgage Group

Page 8: SuppID_1907.ppt - GAPP - The Next Sox

Transportation Security Administration via Accenture

Florida National Guard

Illinois Dept. of Corrections

Michigan Dept. of Community Health

U.S. Dept. of Commerce and Census Bureau

North Carolina Dept. of Motor Vehicles

Illinois Dept. of Transportation

Kentucky Personnel Cabinet

Picatinny Arsenal DOD Weapons Research Center

Camp Pendleton Marine Corps base via Lincoln B.P. Management

Florida Labor Department

Congressional Budget Office

Ohio Ethics Committee

Georgia County Clerk

U.S. Army Cadet Command

Colorado Dept. of Human Services via Affiliated Computer Services (ACS)

Internal Revenue Service

Administration for Children's Services - NY

Indiana State Department of Health

PA Dept. of Transportation

Army National Guard 130th Airlift Wing

U.S. State Department

Wisconsin Dept. of Revenue via Ripon Printers

North Carolina Dept. of Revenue

U.S. Dept. of Veteran's Affairs

Ohio Board of Nursing

Indiana Dept. of Transportation

Massachusetts Dept. of Industrial Accidents

Indian Consulate via Haight Ashbury Neighborhood Council Recycling

Wisconsin Assembly

NY Dept. of State

NY Dept. of Labor

Indiana State Web site

Conn. Office of the State Comptroller

Calif. Dept. of Health Services

California National Guard

U.S. Dept. of Agriculture

Ohio State Auditor

Georgia Secretary of State

FEMA

Maine State Lottery Commission

Maryland Dept. of Natural Resources

Indiana Dept. of Administration

Georgia Div. of Public Health

Texas Commission on Law Enforcement Standards & Education

Illinois Dept. of Financial and Professional Regulation

NC Dept. of Transportation

Ohio state workers

Idaho Army National Guard

West Virginia Board of Barbers and Cosmetologists

California Public Employees' Retirement System

American Ex-Prisoners of War

Connecticut Dept. of Revenue Services

Maryland Department of the Environment

PA Public Welfare Department

State of Connecticut via Accenture Ltd.

Page 9: SuppID_1907.ppt - GAPP - The Next Sox

City of Chicago via contractor

Berks Co. Sheriff's Office via contractor Canon Technology Solutions

City of Savannah

Pima Co. Health Dept.

Port of Seattle

Cumberland County, PA

Orange County (FL) Controller

Cleveland Air Route Traffic Control Center

Poulsbo Department of Licensing

City of Visalia, CA

Bowling Green Police Dept.

Chicago Voter Database

Tuscarawas County and Warren County

City of Lubbock

Johnston County, NC

City of Grand Prairie

City of Wickliffe, OH

Santa Clara County Employment Agency

Chicago Board of Elections

Washiawa Women, Infants and Children program (HI)

Willamette Educational Service District

San Juan Capistrano Unified School District (CA)

Greenville County School District

Chicago Public Schools via All Printing & Graphics, Inc.

Riverside High School NC

St. Vrain Valley School District (CO)

Big Foot High School, WI

Clay High School, OH

Germanton Elementary School

Troy Athens High School

Iowa Dept. of Education

Clarksville-Montgomery County Middle and High Schools

Fort Monroe

St. Mary Parish

Los Angeles County Child Support Services

Chicago Public Schools

ChildNet

Champaign Police Officers

San Diego Unified School District

Detroit Water and Sewerage Department

Yuma Elementary School District

Indianapolis Public Schools

Waco Independent School District

Fresno County/Refined Technologies Inc.

Cedarburg High School

Huntsville County

Lynchburg City

Shamokin Area School District

Fresno County

Harrison County Schools

Cuyahoga County Dept. of Development

City of Encinitas

Metropolitan St. Louis Sewer District

Jackson Local Schools

Hidalgo County Commissioner’s Office

New York City Financial Information Services Agency

Loomis Chaffee School

Page 10: SuppID_1907.ppt - GAPP - The Next Sox

Virginia Commonwealth University

University of Minnesota

Berry College via consultant Financial Aid Services Inc.

University of Colorado-Boulder, Leeds School of Business

Purdue University

University of Iowa – Psychology Dept.

Adams State College

University of Texas at Arlington

Villanova University students & staff Via Insurance broker

University of Virginia

Connors State College

Cal State Los Angeles

Nassau Community College

UCLA

University of Texas - Dallas

Mississippi State University

Texas Woman's University

Montana State University

University of Idaho

University of New Mexico

Rutgers-Newark University

Vanguard University

Eastern Illinois University

Notre Dame University

University of Missouri

University of Nebraska

Johns Hopkins University

Central Connecticut State University

East Carolina University

Radford University

City College of San Francisco

Georgia Institute of Technology

Metropolitan State College of Denver

Los Rios Community College

Univ. of Montana - Western

UC San Francisco

Black Hills State Univ.

Ohio State Univ.

New Mexico State Univ.

Louisiana State Univ

Montgomery College

Goshen College

Community College of Southern Nevada

Stony Brook University

Northwestern University

Gadsden State Community College

Grand Valley State University

Georgia Tech Univ.

Texas A&M University

Bowling Green State University

University of California, Davis

Highlands University

Westminster College

Penn State Univ. - USMC

University of Toledo

Yale University

Loyola University

University of South Carolina

De Anza College

University of Michigan

Page 11: SuppID_1907.ppt - GAPP - The Next Sox

Cleveland Clinic

Mercy Medical Center

Beaumont Hospital

DePaul Medical Center

Erlanger Health System

Stevens Hospital via billing company Med Data

Allina Hospitals and Clinics

Manhattan Veteran's Affairs Medical Center & New York Harbor Health Care System

Sisters of St. Francis Health Services via Advanced Receivables Strategy

Jacobs Neurological Institute

Swedish Medical Center

Akron Children's Hospital

McAlester Clinic & Veteran's Affairs Medical Center

Intermountain Health Care

Kaiser Permanente Colorado

Gundersen Lutheran Medical Center

Segal Group of New York via web site of Vermont state agency

Emory University Hospital, Emory Crawford Long Hospital, Grady Memorial Hospital, Geisinger Health System, Williamson Medical Center via Electronic Registry Systems

Deaconess Hospital

WellPoint's Anthem Blue Cross Blue Shield

Johns Hopkins Hospital

St. Mary's Hospital, MD

Kaiser Medical Center

Seton Healthcare Network

Back and Joint Institute of Texas

Gulf Coast Medical Center

Westerly Hospital

Wellpoint's Empire Blue Cross/Blue Shield NY

Health Resources, Inc.

Group Health Cooperative Health Care System

Swedish Urology Group

DCH Health Systems

Georgia Dept. of Community Health

Univ. of Pittsburgh, Med. Center

Healing Hands Chiropractic

Univ. Calif. Irvine Medical Center

Highland Hospital

University of Pittsburgh Medical Center

Beacon Medical Services

Concord Hospital

South County Hospital

Prudential Financial Inc.

St. Vincent Hospital

WorkCare Orem

Providence Alaska Medical Center

Sky Lakes Medical Center via Verus Inc

Page 12: SuppID_1907.ppt - GAPP - The Next Sox

Federal Trade Commission

• Has settled 14 cases “challenging faulty data-security practices by companies that handle sensitive consumer information.”

• They almost always require a security audit every 2 years for the next 10-20 years.

Page 13: SuppID_1907.ppt - GAPP - The Next Sox

Texas – Attorney General Sues Company for Privacy Violations

• Texas Attorney General Greg Abbott is suing EZCORP Inc. for allegedly contributing to the possibility of identity theft.

• The attorney general alleges that EZCORP Inc. of Austin and its subsidiary, EZPAWN, have exposed customers to identity theft by failing to properly protect customer records.

• Joe Rotunda, EZCORP president and CEO, responded to the suit by saying that the company has a number of identity protection policies and systems in place.

• Attorney General alleges in his lawsuit that employees at several San Antonio EZPAWN stores dumped personal business records in trash bins behind the stores. The attorney general's investigation found similarly discarded customer data at dumpsters of nearby stores in Austin, Houston, Lubbock and in the Rio Grande Valley area, according to the suit.

Page 14: SuppID_1907.ppt - GAPP - The Next Sox
Page 15: SuppID_1907.ppt - GAPP - The Next Sox

Poor Information Management Practices Largely at Fault

• The Gartner Group has estimated that internal employees commit 70% of information intrusions, and more than 95% of intrusions that result in significant financial losses;

— IPC Publication. Identity Theft Revisited: Security is Not Enough, www.ipc.on.ca/userfiles/page_attachments/idtheft-revisit.pdf

Page 16: SuppID_1907.ppt - GAPP - The Next Sox

Identity Theft Top 10 states for identity theft (per-capita basis)

State Victims/100,000

Arizona 142.5

Nevada 125.7

California 122.1

Texas 117.6

Colorado 95.8

Florida 92.3

New York 92

Washington 91.1

Oregon 87.8

Illinois 87.6

Source: Consumer Sentinel

• Arizona ranks number 1 in the nation for identity theft complaints per capita.

• More than a third of stolen identities in Arizona are used for fraudulent employment.

www.net-security.org/secworld.php?id=5874

Page 17: SuppID_1907.ppt - GAPP - The Next Sox

Data Lifecycle – Protecting from cradle to grave

Data protection needs to be considered at all phases of the lifecycle:
– Collection
  • What data, and why is it collected?
– Use
  • Appropriate access and documentation?
– Storage
  • How long, and protection of non-redacted copies?
– Retention & Ultimate Disposal
  • When, how, and all applicable copies?

Page 18: SuppID_1907.ppt - GAPP - The Next Sox

Know what data you have and where it is!

McKesson…. Notified patients that the computers were stolen on July 18, 2007. The names of the people being alerted were on one of the two PCs, but it's not known how much of their accompanying identifying information was also contained on the machines.

http://www.informationweek.com/news/internet/showArticle.jhtml?articleID=201804872

Page 19: SuppID_1907.ppt - GAPP - The Next Sox

Mind the GAPP: Accountants bring GAAP-like principles to the privacy sphere

• “If you haven't heard of the Generally Accepted Privacy Principles (GAPP), take stock: They're likely to become the most important new source of requirements for your IT projects since Y2k and Sarbanes-Oxley.

• Why is this? The accounting industry has closed ranks around the idea that the GAPP is the best international framework for assessing the privacy health of an organization. So when it comes to IT projects, any system or related business process touching personal data will have new rules to play by.”

• Computerworld, December 6, 2007

Page 20: SuppID_1907.ppt - GAPP - The Next Sox

Wall Street Journal, February 29, 2008

Page 21: SuppID_1907.ppt - GAPP - The Next Sox

AGENDA

• Overview of Privacy Breach Trends
• Overview of GAPP & How it may be used
• GAPP & Privacy Risk Assessment
• Q&A

Page 22: SuppID_1907.ppt - GAPP - The Next Sox

Overview of Privacy Audits

• Growing demand
• Types of audits
  – Internal audits
  – Regulatory
  – External
  – Management
• Elements of the privacy audit
  – Scope
  – Measurement criteria
    • Generally Accepted Privacy Principles - GAPP
  – Type and use of report

Page 23: SuppID_1907.ppt - GAPP - The Next Sox


AGENDA

Privacy: Our Definition

What is GAPP?

Privacy Principles

Components of GAPP

Comparison with International Concepts

Some Benefits of GAPP

Using GAPP for Privacy Audits

Other Application Examples

Page 24: SuppID_1907.ppt - GAPP - The Next Sox

PRIVACY: OUR DEFINITION

PRIVACY encompasses the rights and obligations of individuals and organizations with respect to the…
– Collection
– Use
– Disclosure, and
– Retention
…of personal information.

Page 25: SuppID_1907.ppt - GAPP - The Next Sox

Rights and Obligations

Individuals
• Be aware of the organization's privacy policies
• Provide accurate and appropriate information suited to the purpose for which the information is needed
• Notify the organization of inaccuracies in or changes to personal information used by the organization
• Adhere to applicable laws and regulations, and other agreements with the organization

Organizations
• Establish and communicate its privacy policies and commitments to the individual
• Provide choices or seek consent for the use of the personal information
• Collect, use, retain, and disclose personal information according to its privacy policies and commitments
• Allow the individual to update or correct personal information that is used by the organization
• Protect the personal information from unauthorized use and disclosure
• Otherwise adhere to its policies, applicable laws and regulations, and other agreements with the individual

Page 26: SuppID_1907.ppt - GAPP - The Next Sox

OVERALL PRIVACY OBJECTIVE

Personal information is
• collected,
• used,
• retained, and
• disclosed
– in conformity with the commitments in the entity's privacy notice and
– with criteria set forth in Generally Accepted Privacy Principles issued by the AICPA/CICA.

Page 27: SuppID_1907.ppt - GAPP - The Next Sox


WHAT IS GAPP?

Generally Accepted Privacy Principles

– Developed by the American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA)

– Help guide organizations in implementing, sustaining and auditing privacy programs

Page 28: SuppID_1907.ppt - GAPP - The Next Sox

WHAT IS GAPP?

– A set of 10 privacy principles and 66 related criteria for privacy and the handling of personal information throughout an organization

– Incorporates concepts from domestic and foreign laws, regulations, guidelines, and other bodies of knowledge on privacy

– One of a series of Trust Services offered by CPAs which also include:
  • Security
  • Process integrity
  • Availability
  • Confidentiality
  • Privacy

Page 29: SuppID_1907.ppt - GAPP - The Next Sox

What are the Principles?

1 - Management: The entity defines, documents, communicates, and assigns accountability for its privacy policies and procedures.

2 - Notice: The entity provides notice about its privacy policies and procedures and identifies the purposes for which personal information is collected, used, retained, and disclosed.

3 - Choice and Consent: The entity describes the choices available to the individual and obtains implicit or explicit consent with respect to the collection, use, retention, and disclosure of personal information.

4 - Collection: The entity collects personal information only for the purposes identified in the notice.

5 - Use and Retention: The entity limits the use of personal information to the purposes identified in the notice and for which the individual has provided implicit or explicit consent. The entity retains personal information for only as long as necessary to fulfill the stated purposes.

Page 30: SuppID_1907.ppt - GAPP - The Next Sox

What are the Principles? (continued)

6 - Access: The entity provides individuals with access to their personal information for review and update.

7 - Disclosure: The entity discloses personal information to third parties only for the purposes identified in the notice and with the implicit or explicit consent of the individual.

8 - Security for Privacy: The entity protects personal information against unauthorized access (both physical and logical).

9 - Quality: The entity maintains accurate, complete, and relevant personal information for the purposes identified in the notice.

10 - Monitoring & Enforcement: The entity monitors compliance with its privacy policies and procedures and has procedures to address privacy-related complaints and disputes.

Page 31: SuppID_1907.ppt - GAPP - The Next Sox

COMPONENTS OF GAPP

Section / Definition

• Policies and Communication: Privacy Policies
• Communication to Internal Personnel

Page 32: SuppID_1907.ppt - GAPP - The Next Sox

COMPONENTS OF GAPP (continued)

• Responsibility and Accountability for Policies

Page 33: SuppID_1907.ppt - GAPP - The Next Sox

COMPARISON OF INTERNATIONAL CONCEPTS

Columns of the original table: AICPA/CICA GAPP | US FTC FIPs | Canada PIPEDA | Australia | US Safe Harbor | EU Data Protection Directive | OECD. Each GAPP principle below lists the matching concept in each framework.

Management
  Canada PIPEDA: Accountability
  EU Data Protection Directive: Notification
  OECD: Accountability

Notice
  US FTC FIPs: Notice
  Canada PIPEDA: Identifying Purposes, Openness
  Australia: Openness
  US Safe Harbor: Notice
  EU Data Protection Directive: Information to be Given to the Data Subject
  OECD: Purpose Specification, Openness

Choice & Consent
  US FTC FIPs: Choice
  Canada PIPEDA: Consent
  Australia: Use and Disclosure
  US Safe Harbor: Choice
  EU Data Protection Directive: Criteria for Making Data Processing Legitimate, Data Subject's Right to Object
  OECD: Collection Limitation

Collection
  Canada PIPEDA: Limiting Collection
  Australia: Collection, Sensitive Information, Anonymity
  US Safe Harbor: Data Integrity
  EU Data Protection Directive: Principles Relating to Data Quality, Exemptions and Restrictions
  OECD: Collection Limitation (including consent)

Use and Retention
  Canada PIPEDA: Limiting Use, Disclosure, and Retention
  Australia: Identifiers, Use and Disclosure
  US Safe Harbor: (implied but not specified)
  EU Data Protection Directive: Making Data Processing Legitimate, Special Categories of Processing, Principles Relating to Data Quality, Exemptions and Restrictions, The Data Subject's Right to Object
  OECD: Use Limitation (including disclosure limitation)

Access
  US FTC FIPs: Access
  Canada PIPEDA: Individual Access
  Australia: Access and Correction
  US Safe Harbor: Access
  EU Data Protection Directive: The Data Subject's Right of Access to Data
  OECD: Individual Participation

Disclosure
  Canada PIPEDA: Limiting Use, Disclosure, and Retention
  Australia: Use and Disclosure, Trans-border Data Flows
  US Safe Harbor: Onward Transfer
  EU Data Protection Directive: Transfer of Personal Data to Third Countries
  OECD: Use Limitation

Security for Privacy
  US FTC FIPs: Security
  Canada PIPEDA: Safeguards
  Australia: Data Security
  US Safe Harbor: Security
  EU Data Protection Directive: Confidentiality and Security of Processing
  OECD: Security Safeguards

Integrity
  US FTC FIPs: Integrity
  Canada PIPEDA: Accuracy
  Australia: Data Quality
  US Safe Harbor: Data Integrity
  EU Data Protection Directive: Principles Relating to Data Quality
  OECD: Data Quality

Monitoring & Enforcement
  US FTC FIPs: Enforcement
  Canada PIPEDA: Challenging Compliance (Enforcement by the Office of the Privacy Commissioner)
  US Safe Harbor: Enforcement
  EU Data Protection Directive: Judicial Remedies, Liability and Sanctions, Codes of Conduct, Supervisory Authority and Working Party on the Protection of Individuals with Regard to the Processing of Personal Data
  OECD: Individual Participation

Page 34: SuppID_1907.ppt - GAPP - The Next Sox


SOME BENEFITS OF GAPP

• Business, rather than regulatory, focused

• Examples based upon best practices

• Aligned with key regulations

Page 35: SuppID_1907.ppt - GAPP - The Next Sox

Using GAPP for Privacy Audits - 1

• Reason for audit
  – Public reporting - "external audit"
    • Could include a "WebTrust Seal" on website
  – Management reporting - "internal audit"
  – Regulatory requirement
    • FTC and Ontario Privacy Commissioner

• Scope for an external audit
  – Entire business
  – Business segment
  – Needs to address entire information cycle
    • Collection through destruction
    • Includes consideration of third-party processors
  – Needs to include all 10 privacy principles

Page 36: SuppID_1907.ppt - GAPP - The Next Sox

Using GAPP for Privacy Audits - 2

• Performed under AICPA Attestation Standards

• Report covers a period of time and opines on whether the entity
  – maintained effective controls over the privacy of the personal information it collected, based on its privacy notice and GAPP
  – complied with the commitments in its privacy notice

• Important that the client is ready

Page 37: SuppID_1907.ppt - GAPP - The Next Sox

Using GAPP for Privacy Audits - 3

Other Types of Privacy "Audits"
– Internal audit
  • GAP GAPP Assessment
  • Focused on a few principles or all
  • Maturity model assessment
  • Report for management use only
– Regulatory audits
  • Usually required following a breach
  • FTC has focused on security
  • Ontario Privacy Commissioner has required a GAPP audit

Page 38: SuppID_1907.ppt - GAPP - The Next Sox

OTHER GAPP APPLICATION EXAMPLES

• Company A adopts GAPP as the basis of its privacy program for its U.S.-based online operations and includes GAPP's principles and criteria in its online privacy policy. GAPP's criteria and illustrations serve as the basis for the privacy procedures.

• Company B adopts GAPP as the basis for its global privacy program so it can follow consistent privacy practices and use similar terminology across its various countries of operations. Although country-specific exceptions and variations still exist, they are being captured in policy and procedures.

• Company C uses GAPP as a benchmark against internal privacy practices and procedures.

• Company D uses GAPP as a basis for a risk assessment.

Page 39: SuppID_1907.ppt - GAPP - The Next Sox


So - Is GAPP the Next SOX?

• More breaches might result in a mandatory audit requirement to protect personal information

• More organizations will voluntarily want an audit to demonstrate that they have an effective privacy program

• Organizations will want the 3rd party processors they use to have an audit of their privacy-related controls

Page 40: SuppID_1907.ppt - GAPP - The Next Sox

AGENDA

• Overview of Privacy Breach Trends
• Overview of GAPP & How it may be used
• GAPP & Privacy Risk Assessment
• Q&A

Page 41: SuppID_1907.ppt - GAPP - The Next Sox

IT and Privacy Risk Assessments

AGENDA

IT Risk Assessment

Privacy Risk Assessment

Case Study

Risk Assessment Tools

Page 42: SuppID_1907.ppt - GAPP - The Next Sox

IT Risk Assessment

Assessment Areas
• System Availability
• Information Security
• Data Integrity
• Maintainability
• Governance

Five Principles - 22 Criteria

Page 43: SuppID_1907.ppt - GAPP - The Next Sox

IT and Privacy Risk Assessment - Template

Columns of the template: IT Area | Criteria | Current Practices/Controls | Assessment/Gaps | Remediation Plans | Likelihood | Impact

IT Area: Information Security – Logical Access

Criteria: Procedures in place to authenticate all users authorized to access systems
  Current Practices/Controls: Current security architecture has various methods to authenticate a user such as………
  Assessment/Gaps: Some authentication systems do not interface to the central authentication repository
  Remediation Plans: IT Security has plans to interface all remaining systems by 2nd Qtr. 2007
  Likelihood: M   Impact: H

Criteria: Authentication controls provide for individual accountability
  Current Practices/Controls: Employees are assigned unique IDs
  Assessment/Gaps: Some business systems use generic IDs
  Remediation Plans: IT management will re-evaluate the need for generic IDs and restrict access to systems requiring them.
  Likelihood: M   Impact: H

Criteria: Change passwords every 90 days and require minimum length of at least seven characters
  Current Practices/Controls: Password complexity and change frequency is enforced for employees accessing the network.
  Assessment/Gaps: Password complexity is not in place for some local system accounts for business applications.
  Remediation Plans: IT Security will monitor local accounts quarterly to ensure a local account password is changed.
  Likelihood: M   Impact: H
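As an added example (not from the slide deck), the following Python script applies the three Logical Access criteria of the template above to a constructed account inventory and emits rows in the template's shape: criteria, gap, likelihood, impact. The system names, user IDs, dates and the reuse of the template's fixed M/H ratings are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date

# Thresholds taken from the template's third Logical Access criterion.
MAX_PASSWORD_AGE_DAYS = 90
MIN_PASSWORD_LENGTH = 7


@dataclass(frozen=True)
class Account:
    system: str         # hypothetical system name
    user_id: str
    shared: bool        # generic ID used by more than one person
    central_auth: bool  # system authenticates against the central repository
    min_length: int     # minimum password length the system actually enforces
    last_change: date   # date the password was last changed


# Constructed sample inventory; none of these systems or IDs come from the slides.
SAMPLE_ACCOUNTS = [
    Account("hr-portal", "jdoe", False, True, 8, date(2007, 5, 1)),
    Account("hr-portal", "asmith", False, True, 8, date(2007, 6, 10)),
    Account("warehouse-app", "WHSE01", True, False, 4, date(2006, 11, 3)),
    Account("warehouse-app", "WHSE02", True, False, 4, date(2007, 3, 20)),
    Account("billing-legacy", "bwong", False, False, 7, date(2007, 1, 15)),
]
AS_OF = date(2007, 6, 30)  # assumed assessment date, matching the template's 2007 timeframe


def systems_off_central_auth(accounts):
    """Criterion 1 (authenticate all users): systems not wired to the central repository."""
    return sorted({a.system for a in accounts if not a.central_auth})


def shared_ids(accounts):
    """Criterion 2 (individual accountability): generic/shared IDs that blur who did what."""
    return sorted(f"{a.system}:{a.user_id}" for a in accounts if a.shared)


def password_policy_violations(accounts, today):
    """Criterion 3 (90-day rotation, 7-character minimum): list of (account, reasons)."""
    findings = []
    for a in accounts:
        age = (today - a.last_change).days
        reasons = []
        if age > MAX_PASSWORD_AGE_DAYS:
            reasons.append(f"password age {age}d > {MAX_PASSWORD_AGE_DAYS}d")
        if a.min_length < MIN_PASSWORD_LENGTH:
            reasons.append(f"enforced min length {a.min_length} < {MIN_PASSWORD_LENGTH}")
        if reasons:
            findings.append((f"{a.system}:{a.user_id}", "; ".join(reasons)))
    return findings


def assess(accounts, today):
    """Build template-style rows (criteria, gap, likelihood, impact) for criteria with gaps.

    The M/H ratings are the ones the template assigns to these three criteria;
    a real assessment would rate each finding rather than reuse them."""
    rows = []
    off = systems_off_central_auth(accounts)
    if off:
        rows.append({"criteria": "Procedures in place to authenticate all users",
                     "gap": "not on central authentication: " + ", ".join(off),
                     "likelihood": "M", "impact": "H"})
    shared = shared_ids(accounts)
    if shared:
        rows.append({"criteria": "Authentication controls provide individual accountability",
                     "gap": "generic IDs in use: " + ", ".join(shared),
                     "likelihood": "M", "impact": "H"})
    weak = password_policy_violations(accounts, today)
    if weak:
        rows.append({"criteria": "Passwords changed every 90 days, minimum 7 characters",
                     "gap": "; ".join(f"{acct} ({why})" for acct, why in weak),
                     "likelihood": "M", "impact": "H"})
    return rows


if __name__ == "__main__":
    for row in assess(SAMPLE_ACCOUNTS, AS_OF):
        print(f"[L={row['likelihood']} I={row['impact']}] {row['criteria']}: {row['gap']}")
```

Running it against the sample inventory reproduces the three gaps shown in the template; an inventory with every account on central authentication, uniquely assigned and within policy returns no rows.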

Page 44: SuppID_1907.ppt - GAPP - The Next Sox

IT Risk Assessment

Illustration

IT Risk Assessment Tool

Narrative Template

Page 45: SuppID_1907.ppt - GAPP - The Next Sox

Privacy Risk Assessment – Case Study

Scope – Customer Information

U.S. Laws and Regulations

Privacy Notice

Industry Regulations – DMA’s Privacy Promise

PCI Data Security Standards

Page 46: SuppID_1907.ppt - GAPP - The Next Sox

Privacy Risk Assessment

Assessment Areas – Case Study
• Management
• Notice
• Choice/Consent
• Collection
• Use/Retention
• Access
• Disclosure
• Security
• Quality
• Monitoring/Enforcement

Page 47: SuppID_1907.ppt - GAPP - The Next Sox

Privacy Risk Assessment

Columns of the template: Requirement | Practice/Control | In Place | Not In Place | Remarks

DISCLOSURE

Requirement: Upon customer request, JCPenney must furnish to customers (a) information regarding "PII" disclosed to third parties for direct marketing purposes, or (b) a copy of its privacy policy that indicates that customers may "opt-out" of such sharing. (California Civil Code, §1798.83)
  Practice/Control: The JCPenney Privacy Policy provides for the opt-out requirement at www.jcp.com.
  In Place: X

Privacy Risk Assessment Template – CASE STUDY

Attorney Client Privileged – Draft for Discussion Purposes Only

Page 48: SuppID_1907.ppt - GAPP - The Next Sox

AICPA/CICA GAPP

Uses

Benchmarking

Best Practice

Privacy Risk Assessment

Privacy Audits

Training and Awareness

Page 49: SuppID_1907.ppt - GAPP - The Next Sox

Privacy Risk Assessment

Illustration

AICPA/CICA Privacy Risk Assessment Tool

Page 50: SuppID_1907.ppt - GAPP - The Next Sox

IT Risk Assessment

Frameworks

AICPA's Trust Services - SysTrust

ISO 17799

CoBiT – IT Governance Institute

ITIL

PCI Data Security Standards

NIST Computer Security Division

SOX General IT Controls

IIA GTAG – IT Controls

Page 51: SuppID_1907.ppt - GAPP - The Next Sox

RESOURCES

The AICPA and the CICA have many privacy resources
– AICPA Privacy Resources
  • http://www.aicpa.org/privacy
– CICA Privacy Resources
  • http://www.cica.ca/privacy

Page 52: SuppID_1907.ppt - GAPP - The Next Sox

Agenda

• Overview of Privacy Breach Trends
• Overview of GAPP & How it may be used
• GAPP & Privacy Risk Assessment
• Q&A