7. Operations: Monitoring and Auditing Program Performance Flashcards

1
Q

What should metrics reflect?

A

Currency and value to the organization

*Must add value by accurately reflecting the state of business objectives and goals

2
Q

What should currency and value metrics be like?

A
  1. Simple
  2. Quantifiable
  3. Easy to use
  4. Correlated to
    - Business performance
    - Operational goals
    - Technical outcomes
    - Regulatory guidelines
3
Q

What is good practice when it comes to measurement systems?

A
  1. Easy to understand
  2. Repeatable
  3. Reflective of relevant indicators to the organization
4
Q

What is a metric?

A

A unit of measurement that should be as objective as possible and provide data that helps to answer specific questions about the business operations

5
Q

What is the difference between an objective and a goal?

A

Objective - broad-based

Goal - measurable, easy to understand, relevant and useful to the organization

6
Q

In what ways can organizations implement privacy objectives?

A

Metrics that

  1. Normalize the privacy concepts - allow for meaningful privacy regime conversations
  2. Eliminate terminology and jargon - allow for decisions at an operational level
  3. Not based on a specific technology or application
  4. Advance the maturity of the privacy program and operations
7
Q

What should metrics demonstrate?

A
  1. Compliance
  2. Program success
  3. Program maturity
  4. Resource utilization
  5. Return on investment
  6. Process improvement
8
Q

What do metrics highlight?

A

Trends, issues, and gaps.

9
Q

What do the right metrics allow for?

A

The development of KPIs that assist the organization in setting and tracking multiple objectives and goals.

10
Q

What are general industry guidelines for metrics?

A
  1. Identify the privacy goals critical to the organization (why and to whom)
  2. Develop the formal intent of the metric based on goals
  3. Apply practical measurement to qualify the output (success, failure, goal met etc.)
  4. Evaluate and categorize metric data
11
Q

What should metrics reflect?

A
  1. Compliance
  2. Data-driven decision making
  3. Overall impact of the privacy program

*Practical privacy program management in creating and maintaining compliance factors

12
Q

What is the role of the metric owner?

A

Evangelize the purpose and intent of the metric.

13
Q

What should a metric owner know?

A
  1. What is critical about the metric
  2. How it fits into the business objective
14
Q

What is the responsibility of the metric owner?

A

Monitoring process performance, variance, and undertaking visualizations

Performing regular reviews to determine if the metric is still effective and provides value
15
Q

What is one of the easiest statistical methods for data reporting?

A

Trend analysis - spot patterns in the information as viewed over a period.

16
Q

What are examples of trending methods?

A
  1. Simple data patterns
  2. Fitting a trend
  3. Trends in random data
  4. Goodness of fit
17
Q

What is a time series analysis?

A

Shows trends in an upward or downward tendency

*E.g.: number of incidents over time, how many PIAs were completed, number of privacy training and awareness sessions

18
Q

What is a cyclical component?

A

Shows data over a period focused on regular functions

*E.g.: measuring the number of incident responses in the month after an organization rolls out new privacy training - analysis focuses on explaining any changes in the number of reported incidents as the stance from the training increases

19
Q

What is an irregular component?

A

Analysis that focuses on what is left over when the other components of the series (time and cyclical) have been accounted for

E.g.: Absence incidents over a long period

20
Q

What is return on investment (ROI)?

A

An indicator to measure the financial gain or loss of a project or program in relation to its cost.

21
Q

What is an ROI analysis?

A

Provides the quantitative measurement of benefits and costs, strengths and weaknesses of the organization’s privacy controls

The data can be:
1. Fixed or variable
2. Represent the best attempt to form an economic risk assessment to determine the probability of a loss
3. Maximize the benefits of investments that do not generate revenue, rather prevent loss

22
Q

What are the considerations when developing a ROI assessment?

A
  1. ROI of the function must be related to the reason for implementing the function
  2. The value of the asset must be defined (E.g., the cost of producing or reproducing the information, repercussions if the information is not available, harm to reputation, loss of confidence)
23
Q

What is the best approach to developing a privacy ROI?

A

Look at a risk that has been mitigated and how to track the risk in financial terms

24
Q

How is business resiliency measured?

A

Through metrics associated with:
1. Data privacy
2. Incident response
3. Compliance
4. System outages
5. Other factors defined through business objectives

25
Q

What are the benefits to a strong business resilience program?

A

Help the organization prepare for audits and demonstrate compliance with regulatory requirements

26
Q

What is a Privacy Maturity Model (PMM)?

A

A useful metric that focuses on a scale rather than an endpoint.

27
Q

What are the five privacy maturity levels?

A
  1. Ad hoc - informal procedures and processes applied inconsistently
  2. Repeatable - procedures and processes are not fully documented and do not cover all relevant aspects
  3. Defined - fully documented procedures and processes and cover all relevant aspects
  4. Managed - reviews are conducted to assess the effectiveness of the control in place
  5. Optimized - regular review and feedback are used to ensure continual improvement toward optimization of a given process
28
Q

What are the types of privacy monitoring?

A
  1. Compliance through audits - focuses on the collection, use, and retention of PI
  2. Regulation through monitoring changes in legislation and regulation requirements - focuses on updating policies accordingly
  3. Environment monitoring - focuses on vulnerabilities (E.g., physical concerns, programmatic concerns, insider threats, cybersecurity threat)
  4. Training data - focuses on ensuring that employees are aware of laws, regulations, and organization requirements for the handling of data
29
Q

What are the common approaches to compliance monitoring through audits?

A
  1. Self-monitoring
  2. Audit management
  3. Security/system management
  4. Risk management

*Compliance monitoring is essential for detecting and correcting violations, supporting enforcement actions, and evaluating progress.

30
Q

What are forms of monitoring?

A
  1. Scanning tools for network storage - used to identify risks to PI and monitor internal policy compliance
  2. Internal and external audits
  3. Breach management practices
  4. Complaint monitoring process
  5. Data retention and record management
  6. Privacy controls at the operational and program level
  7. Privacy protection across HR processes
  8. Supplier/third party monitoring
31
Q

What is an audit?

A

An ongoing process of evaluating the effectiveness of controls throughout the organization’s operations, systems, and processes.

32
Q

What can audits identify?

A

Risks posed by vulnerabilities and weaknesses and provide opportunities to strengthen the organization.

33
Q

What is the purpose of a privacy audit?

A

Determine the degree to which technology, processes and people comply with privacy policies and practices.

*Based on the purpose, audits may be conducted regularly, ad hoc, or on demand.

34
Q

What is the rationale for a privacy audit?

A

Provide evidence regarding whether privacy operations are doing what they were designed to do and whether privacy controls are correctly managed.

35
Q

What are the phases of a privacy audit?

A
  1. Plan
  2. Prepare
  3. Audit
  4. Report
  5. Follow-up
36
Q

What are the elements of an audit plan?

A
  1. Conducting a risk assessment
  2. Setting a schedule
  3. Selecting the auditor
  4. Preparing a pre-audit questionnaire
  5. Hosting an introductory meeting
  6. Completing a checklist
37
Q

What are the elements of an audit preparation?

A
  1. Confirm the schedule
  2. Prepare additional checklists
  3. Sample criteria
  4. Finalize the audit plan
38
Q

What are the elements of the audit?

A
  1. Meeting with stakeholders and business process owners
  2. Execute the functional goals of the audit
39
Q

What are the elements of an audit report?

A
  1. Record and report noncompliance (categorizing instances as major or minor)
  2. Draft a formal audit report
  3. Host a close-out meeting
  4. Distribute copies of the audit report

*Audit report is a formal record of what was audited and when, insight into areas that comply (or do not), details to support the findings, and suggested corrective action and work estimates.

*Instances of non-compliance are documented to include facts, evidence, best practices, and standards that help assess the situation

*Findings should be communicated to stakeholders along with risk, remediation plans, and associated costs

40
Q

What are the elements of an audit follow-up?

A
  1. Confirmation of the scope of remediation activities, scheduling those activities, and addressing any requirements around methodology
41
Q

What are the different types of audits?

A
  1. First-party (internal) - reflect constant, standardized, and valid privacy management that aligns with a particular standard, guideline, or policy
  2. Second-party (supplier)
  3. Third-party (independent) - identify weaknesses of internal controls, legitimize first-party audits, provide expert recommendations