The first speaker was Dr. Danny Ha (Chairman & Founder, Academy of Professional Certification (APC)), and his presentation topic was “Privacy Impact Assessment (PIA) and ISO 31000 for ERM”. Dr. Ha quoted the ISACA Newsletter (Vol.11: 21 May 2014), in which “ERM” and “Information Security and Privacy Program Efforts” were ranked among the top ten Internal Audit Priorities for 2014.
Dr. Danny Ha introduced Privacy Impact Assessment (PIA), which covers Personally Identifiable Information (PII), Personal Health Information (PHI) and Personal Financial Information (PFI), and IT Audit. The differences between a Privacy Audit and an IT Audit were discussed, and their respective focus was compared in the following table.
Five reasons why an organization undertakes a PIA were listed:
i) Identifying and managing risks
ii) Avoiding unnecessary costs
iii) Inadequate solutions
iv) Avoiding loss of trust and reputation
v) Meeting and exceeding legal requirements
Cyber risks and cybersecurity were illustrated in the following diagram.
Dr. Ha then quoted Prof. Edward Humphreys (the “Father of the ISMS Standard”) as saying that the biggest risks come from IoT, Cloud and Big Data.
After that, Dr. Danny Ha described ISO 31000 as an umbrella covering different management system standards. Most organizations applying ISO 31000 have an inherent reason to bring a culture of risk into their business life cycle. Finally, Dr. Ha said that PIAs and privacy audits were not only becoming more common in response to these risks, but were likely to grow further. Business system developers must be aware of privacy and security controls in their business system acquisition and/or application development methodology. Dr. Ha alerted us that WhatsApp / Facebook privacy problems exist, and that you had better remove your private information from your mobile.
The second speaker was Ms. May Tsue (Company Secretary and Manager of the Accounting and Administration Department, CNOOC Insurance Limited), and her presentation was titled “Captive Insurance and How to Control the Risk in the Group”.
Firstly, Ms. Tsue explained Captive Insurance as a provider of insurance for the customers of its parent company. She described it as “a bona fide insurance (insurance made or done in an honest and sincere way) or reinsurance company owned by a non-insurance company parent, which insures or reinsures the risks of its parent and/or affiliate companies.”
Two typical captive structures, indirect business and direct business, were shown in the following diagrams.
Ms. Tsue briefed that a captive insurer, once formed, could obtain a 50% deduction on Profits Tax, build wealth and retain risk. The costs to set up and run a captive insurer were shown in the following diagram.
At the end, Prof. Mike K.P. So (Co-Regional Director Hong Kong, PRMIA) gave the closing speech.
Reference:
PRMIA - http://www.prmia.org/
Meeting with Prof. Edward Humphreys (Father of ISMS Standard) - http://qualityalchemist.blogspot.hk/2012/06/meeting-with-prof-edward-humphreys.html
Thank you for sharing these important messages. Most PIA audits were not done in the right way or did not apply correct methods, causing higher risks and dangers to our society. ERM ISO 30010 is the world standard for PIA and privacy controls.
-- Danny Ha, APC