
Privacy Program Assessment - AICPA/CICA Privacy Maturity Model (PMM)

AICPA/CICA Privacy Maturity Model (PMM)

In the absence of benchmarking data, one approach an organization can use to evaluate its privacy program is to determine the level of its “maturity”: that is, to assess the progress of both specific privacy projects and the entity’s overall privacy initiative using a maturity model as a “benchmark”.

The American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA) created the Privacy Maturity Model (PMM). This model is used to measure the maturity of an organization’s privacy program. The PMM is intended to be used as a tool to identify the next steps for advancing your privacy program.

The PMM uses five levels of maturity to determine the maturity posture of an organization’s privacy program. The maturity levels are as follows:


1. Ad hoc – Procedures or processes are informal, incomplete, and inconsistently applied.

2. Repeatable – Procedures or processes exist; however, they are not fully documented and do not cover all relevant aspects.

3. Defined – Procedures and processes are fully documented and implemented and cover all relevant aspects.

4. Managed – Reviews are conducted to assess the effectiveness of the controls in place.

5. Optimized – Regular review and feedback are used to ensure continuous improvement towards optimization of the given process.

Each level builds upon the levels that precede it. For example, organizations at the “Repeatable” level will have satisfied all of the requirements of the “Ad Hoc” level, and organizations at the “Managed” level will have satisfied all of the requirements of the “Ad Hoc”, “Repeatable” and “Defined” levels.

The PMM works hand-in-hand with the Generally Accepted Privacy Practices (“GAPP”), a detailed set of Fair Information Practices promulgated by AICPA and CICA. The GAPP sets forth ten primary principles, which include the following:

  • Management – The entity defines, documents, communicates and assigns accountability for its privacy policies and procedures.
  • Notice – The entity provides notice about its privacy policies and procedures and identifies the purposes for which personal information is collected, used, retained and disclosed.
  • Choice and Consent – The entity describes the choices available to the individual and obtains implicit or explicit consent with respect to the collection, use and disclosure of personal information.
  • Collection – The entity collects personal information only for the purposes identified in the notice.
  • Use, Retention and Disposal – The entity limits the use of personal information to the purposes identified in the notice and for which the individual has provided implicit or explicit consent. The entity retains personal information for only as long as necessary to fulfill the stated purposes or as required by law or regulations and thereafter appropriately disposes of such information.
  • Access – The entity provides individuals with access to their personal information for review and update.
  • Disclosure to Third Parties – The entity discloses personal information to third parties only for the purposes identified in the notice and with the implicit or explicit consent of the individual.
  • Security for Privacy – The entity protects personal information against unauthorized access (both physical and logical).
  • Quality – The entity maintains accurate, complete and relevant personal information for the purposes identified in the notice.
  • Monitoring and Enforcement – The entity monitors compliance with its privacy policies and procedures and has procedures to address privacy-related complaints and disputes.

The AICPA and CICA recommend the following start-up activities for analyzing the maturity of an organization’s privacy program:

  • Identify a project sponsor (Chief Privacy Officer or equivalent).
  • Appoint a project lead with sufficient privacy knowledge and authority to manage the project and assess the findings.
  • Form an oversight committee that includes representatives from legal, human resources, risk management, internal audit, information technology and the privacy office.
  • Consider whether the committee requires outside privacy expertise.
  • Assemble a team to obtain and document information and perform the initial assessment of the maturity level.
  • Manage the project by providing status reports and the opportunity to meet and assess overall progress.
  • Provide a means to ensure that identifiable risk and compliance issues are appropriately escalated.
  • Ensure the project sponsor and senior management are aware of all findings.
  • Identify the organization’s desired maturity level, either per specific principle or across all principles, for benchmarking purposes.

Assessing the maturity of your privacy program is not an easy task. However, the AICPA/CICA Privacy Maturity Model provides the structure needed for a successful assessment.

For more details, you can access the AICPA/CICA Privacy Maturity Model document at: https://vvena.nl/wp-content/uploads/2018/04/aicpa_cica_privacy_maturity_model.pdf

Your feedback is always welcomed.

Thanks,
