1.1 : Privacy and third Party Management Flashcards
What is privacy
Privacy is the protection of personal information from unauthorized disclosure, use, and distribution.
Personal information
refers to a variety of elements about a private citizen, some of which are not well known,
What organizations that collect personal information must do
Organizations that collect any of the previously mentioned items on behalf of customers or other constituents need to develop policies that define what the organization is permitted to do with this information.
What to consider when outsourcing a service to a third party
A risk assessment should be performed to identify and characterize the risks associated with the outsourcing.
The use of any third-party organization should not be permitted to result in an increase of overall risk to an organization.
Primary risk with a third-party provider
The service provider will have access to some of the organization’s sensitive information.
Types of third-party access
- Physical access to hard copy business records
- Physical access to information systems
- Physical access to storage media such as hard drives, solid-state drives, backup tapes, and optical drives
- Logical access to information systems, sensitive data, or source code
Risks associated with third party Access
- Theft of business records
- Exposure of business records to unauthorized parties
- Alteration of business records
- Damage (both deliberate and accidental) to information systems hardware, software, or information
- Failure to perform services in a timely manner
- Failure to perform services accurately
- Failure to perform services professionally
How to keep the level of risk low when giving a third-party provider access
By introducing countermeasures and compensating controls.
This requires that the third-party provider protect data the same way the organization would.
Addressing Third-Party Security in Security Policy
An organization should have policies and processes in place to properly assess, measure, and monitor risks related to any third-party service provider.
Measures that an organization would take to mitigate human resources-related risks
- Screening and background checks
- Job description
- Employment agreements
- Monitoring during employment
- Policy and disciplinary action
What is a job description
A job description is an employer’s formal statement to an employee that says, “This is what we expect and require of you to perform this job.”
Expectations to include in the job description
- Name of the position - Job Title
- Requirements - Education, skills and work experience
- Duties and responsibilities - Tasks, projects, and other activities that the employee is expected to perform.
What is included in the employment agreement
- Duties - of the position
- Roles and responsibilities - Job description
- Confidentiality - even after termination
- Compliance - laws, regulations and policies. Consequences for failing to comply must be stated.
- Termination - Conditions and circumstances under which the organization or the employee can sever the agreement.
What employers must do during employment
- Periodic renewal of employment agreements
- Repeat background checks
- Access changes when transferred - Remove access for the former position each time an employee is transferred from one position to another
- Awareness training
Employees' access to information systems and business premises after termination
All access should be revoked immediately.