Recommended
More Related Content
Viewers also liked
Similar to Grc r33
Similar to Grc r33 (20)
More from SelectedPresentations
More from SelectedPresentations (20)
Grc r33
- 1. Session ID: Session Classification: John DeLong Director of Compliance National Security Agency GRC-R33 Intermediate Privacy Compliance and Oversight in the National Security Context
- 2. NATIONAL SECURITY AGENCY RolesDefineAreasFocus Privacy Compliance Privacy Specific Procedures What We Comply With Externally Approved Compliance Compliance Program How We Stay Compliant Director of Compliance High-Level Privacy ComplianceTaxonomy
- 3. NATIONAL SECURITY AGENCY External Oversight Internal Oversight Compliance Organizationally and structurally independent Structurally (not organizationally) independent Verifiable consistency with clearly defined rules Compliance and Oversight
- 4. NATIONAL SECURITY AGENCY ► Specific procedures ► Adopted externally ► Reasonably designed ► In light of the purpose or technique of the particular surveillance ► To minimize the acquisition and retention and prohibit the dissemination of U.S. persons information ► Consistent with need of U.S. to obtain, produce, and disseminate foreign intelligence Minimization Procedures (High Level)
- 5. NATIONAL SECURITY AGENCY ► Specific procedures ► Adopted externally ► Reasonably designed ► In light of the purpose or technique of the particular surveillance ► To minimize the acquisition and retention and prohibit the dissemination of U.S. persons information ► Consistent with need of U.S. to obtain, produce, and disseminate foreign intelligence Authorization and Regulation 1. Describe 2. Authorize + Regulate 3. Operate 4. Evaluate Authorization Acquire Process Retain Disseminate Regulation
- 6. NATIONAL SECURITY AGENCY The Mission Compliance Program must take into account and tie together all four steps 1. Descriptions (often complex) must be accurate and at the right level of granularity 2. Specific authorizations and regulation (specific procedures) must be the“root”of all activities conducted 3. Operations and Technology must be consistent with approved procedures, over time and through change 4. Evaluations done in light of each of the previous steps Four Phases of Compliance
- 8. NATIONAL SECURITY AGENCY Compliance Rules TechnologyOperations Two Models of Interaction Compliance Rules TechnologyOperations
- 9. NATIONAL SECURITY AGENCY ABCD AB A B CD C D CCO L,P Documentation Accuracy (In Practice) AA BB B and CB and C C and DC and D
- 10. NATIONAL SECURITY AGENCY ABCD AB A B CD C D CCO L,P Documentation Accuracy (In Practice) AA BB B and CB and C C and DC and D 1 2 2 2 2 33
- 12. NATIONAL SECURITY AGENCY Authorization 1 Acquire Process Retain Disseminate Authorization 2 Acquire Process Retain Disseminate Authorization 3 Acquire Process Retain Disseminate … … … … … Authorization N Acquire Process Retain Disseminate Authorizations and Procedures
- 13. NATIONAL SECURITY AGENCY Authorization 1 Acquire Process Retain Disseminate Authorization 2 Acquire Process Retain Disseminate Authorization 3 Acquire Process Retain Disseminate … … … … … Authorization N Acquire Process Retain Disseminate Authorizations and Procedures Common Function 1Common Function 1
- 14. NATIONAL SECURITY AGENCY Authorization 1 Acquire Process Retain Disseminate Authorization 2 Acquire Process Retain Disseminate Authorization 3 Acquire Process Retain Disseminate … … … … … Authorization N Acquire Process Retain Disseminate Authorizations and Procedures Common Function 1Common Function 1 Common Function 2Common Function 2
- 16. NATIONAL SECURITY AGENCY Authorizations Rules Automation Documentation Rules Architecture (High Level)
- 17. NATIONAL SECURITY AGENCY Rules Architecture (More Detail) Authorization Rules AutomationDocumentation ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ … {auth1, duration1, tags1, …} {auth2, duration2, tags2, …} … if (…) then …
- 18. NATIONAL SECURITY AGENCY Authorizations Link to Documents Authorization Rules AutomationDocumentation ~~ ~~ ~~ ~~ ~~ if (…) then … ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ … {auth1, duration1, tags1, …} {auth2, duration2, tags2, …} …
- 19. NATIONAL SECURITY AGENCY Automation Connects Documentation and Authorization Authorization Rules AutomationDocumentation ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ … {auth1, duration1, tags1, …} {auth2, duration2, tags2, …} … Authori‐ zation 1 Acquire Process Retain Dissem‐ inate if (…) then …
- 20. NATIONAL SECURITY AGENCY Documentation Authorizations Rule Automation Primary Users People People, Systems Systems, People Predominant Work Roles Legal, Policy, Compliance, Operations, Technology Operations, Technology, Compliance, Policy, Legal Technology, Operations, Compliance, Policy, Legal Loading Time Fast Fastest Faster Transaction / Access Time Human speed Fast Very Fast Interfaces GUI, System GUI, System System, GUI Rules Architecture Comparison
- 21. NATIONAL SECURITY AGENCY Against the backdrop of constant technology change: 1. Build Conduits: Prioritize controls that build and maintain direct connections among legal, policy, operations, and technology. ► As a compliance professional, avoid becoming those conduits. 2. Consider a Functional Approach: Identify where systems and people fit into the overall operations. ► Design, implement, and monitor controls more functionally, across multiple regulatory slices. 3. Tag the Data Smartly: A rules architecture supports an efficient and effective use of a tagged-data regime. ► This allows proper data-handling to be successful even with constant technology change. Summary