Project managers have a very structured way of conducting activities. This skill is very helpful when managing data governance projects where your intention is to add more value to the expected deliverables while keeping everything else on track.
When I was hired by xMatters I was given a very specific mission: ISO 27001 certification by March 2019. My obvious decision was to over-complicate things and plan not only for a certification effort, but for an entire portfolio for my team. The Information Assurance (IA) Portfolio became a true obsession and a way to prove we could do more in a limited time frame and with limited resources.
Just in case you don’t manage privacy and security for a living, ISO 27001 provides requirements for an information security management system (ISMS). Taking the ISO certification into consideration, my first step was to divide the IA portfolio into two separate programs: Privacy and Security. After that, working on an inventory of assets with all the data I already had on hand was the natural path.
Our customers have high standards for privacy and security, and we have always tried to exceed those standards. By doing so, we provide a better SaaS experience and give our customers a sense of confidence that their assets are safe. We also add value to our products and increase our competitive advantage. To have the best possible experience, our customers also need self-service access to important privacy and security information.
This is no small feat. It requires a careful balance between industry best practices, customer demands, and our strategic goals to create the Information Assurance Portfolio.
So here are a few suggestions for success, which you will read about below:
- Centralize management of processes and methods
- Work with a subject matter expert
- Obtain evidence of the results of your work that you can show to customers
- Provide self-service access to information
- Write a project plan and be patient
Managing many different projects that often share the same assets can get unwieldy and can lead to mistakes. So, we centralized management of processes and methods for a more controlled environment and fewer errors. This was the true Data Governance portion: acquiring Governance, Risk, and Compliance (GRC) software, then organizing and connecting all assets. Gaining visibility of our processes and controls over the assets helped me and my team become more efficient.
Our Security Program is composed of different projects with the following deliverables:
- ISO 27001:2013 certification
- Semi-annual third party audits for Security Controls
- SOC 2 Type 2 external verification program based on two principles: Security and Availability
- Maintenance of the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework for HR data and client data
The main objective of our Privacy Program is to demonstrate compliance (assurance) with the most relevant privacy regulations. I hired a third-party subject matter expert (unbiased) to create a comprehensive privacy framework and conduct an eight-week in-depth audit of our documents, tools, website, and systems. The scope of this audit covers compliance with:
- General Data Protection Regulation – Europe (GDPR)
- Personal Information Protection and Electronic Documents Act – Canada (PIPEDA)
- Australian Privacy Principles – Australia (APPs)
- California Consumer Privacy Act – California, USA (CCPA)
The idea is to create new verification projects every year and fold the regulations that have already been formally audited into our routine operations, where maintaining compliance will be in scope. This way we can optimize the use of our resources and deliver multiple results at the same time.
When privacy verification is concluded, we will receive an attestation letter from an independent Privacy Manager, along with information organized in the format of a Privacy Code of Conduct and Artifacts that map our compliance to each specific law. This goes beyond any requirements, and it gives our customers a sense of confidence.
As a project manager, the main goal is to keep all deliverables under control: planning effectively, choosing the appropriate tools and techniques to monitor the projects and, more importantly, communicating the milestones to keep asset owners and external stakeholders engaged.