8. Operations: Training and Awareness

Question 1

What risk mitigating tests can incident response teams preform?

Answer 1

1. Incident response testing
2. Red team testing
3. Threat intel sharing
4. Data loss prevention

Question 2

What accounts for 67% of data breach events?

Answer 2

Credential theft, social attacks (phishing), business email compromises, and administrative errors.

Question 3

Are the majority of incidents internal or external?

Answer 3

70% are external

Question 4

What is the most common method of breach attack?

Answer 4

Attacking web applications through stolen credentials (80%) or brute force credentials

Question 5

What is the difference between training and awareness?

Answer 5

Training - strives to produce relevant and needed skills and competencies

Awareness - focuses on a specific topic such as security

*NIST SP 800-50: “The most significant difference between training and awareness is that training seeks to teach skills, which allow a person to preform a specific function, while awareness seeks to focus an individual’s attention on an issue or set of issues”

Question 6

Is training a regulatory requirement?

Answer 6

Yes, it is a key control with most privacy regulations.

Question 7

What must privacy training address?

Answer 7

1. Applicable laws and policies
2. Identify potential violations
3. Address privacy complaints and misconduct
4. Include proper reporting procedures and consequences for violations

Question 8

To whom internal training extend to?

Answer 8

Business partners and vendors.

Question 9

What should trainees be required to acknowledge?

Answer 9

That they received training and agree to abide by company policies and applicable law.

Question 10

What functions do training and awareness serve?

Answer 10

Training - communicates the organizations privacy message, policies and procedures, including those for data usage and retention, access control and incident reporting

Awareness - reinforces the privacy message through reminders, continued advertisement, and mechanisms such as quizzes, posters, flyers, and lobby video screens

Question 11

What should be considered when privacy breaches occur?

Answer 11

1. Leverage lessons learned from events that make the headlines
2. Use mistakes as learning opportunities to improve process
3. Use stories
4. Hold lunch and learn sessions
5. Make it fun
6. Develop slogans that can be used in presentations to capture the essence of the message

Question 12

What methods can lead to the development and execution of an effective training and awareness plan?

Answer 12

1. Ingrain operational accountability
2. Ensure a holistic data protection view
3. Allow for the incorporation of compliance requirement changes
4. Identify, catalog, and maintain all document requirements update as privacy requirements change

Question 13

What is the most effective targeted training effort?

Answer 13

Where the privacy office spends time with the business unit’s leader to learn about risk areas and modifies the training or presentation accordingly.

Question 14

What should the intention behind training and awreness?

Answer 14

Changing bad behaviours and reinforcing good ones.

Question 15

What are some training and awareness methods?

Answer 15

1. Formal education
2. E-learning
3. Brown bag and department team meeting
4. Newsletters, emails, and posters
5. Handouts
6. Slogans and comics
7. Internal social media page
8. Webpages
9. Hallways or lobby monitors to broadcast
10. Contests

Question 16

Why are training metrics useful?

Answer 16

They show how the privacy program supports the company’s mission and prove to regulators they are actively addressing compliance risks