Assess Flashcards
1
Q
Privacy operational life cycle: 4 phases
A
- Assess (measure) current processes, procedures, management and practices for privacy management
- Protect (improve)
- Sustain (evaluate)
- Respond (support)
2
Q
Assessment maturity models definition
A
methods to measure progress against established benchmarks and measurements; provides a standardised reference for companies to use in assessing the level of maturity of their privacy program
3
Q
Assessment models
A
- AICPA/CICA
- PROP (privacy risk optimisation process)/PbD
- FTC/PbD
4
Q
PbD definition
A
Embed privacy into the design of technology, business practices and physical design (for assess and protect phases); dictates that privacy and DP are embedded throughout the life cycle of technologies
- proactive
- life cycle protection
- embedded in design
- by default
- respect for users
- visibility/transparency
- positive sum
5
Q
AICPA/CICA 5 level privacy maturity model
A
- ad hoc: informal, incomplete, inconsistent
- repeatable: procedures exist but with gaps
- defined: fully documented, cover all
- managed: reviews conducted for effectiveness of controls in place
- optimized: regular reviews and feedback towards optimization
6
Q
PROP (privacy risk optimisation process)
A
used to integrate PbD into business processes
7
Q
FTC consumer PbD
A
Baseline principle of PbD is that companies promote consumer privacy throughout the organization at every stage of development of products and services. Includes:
1. Substantive privacy practices:
- data security
- reasonable collection limits
- sound retention and disposal
- data accuracy
- procedural protections to implement substantive principles
2. Privacy protection: PIA
8
Q
Assess key areas of business
A
- Audit: identify risks and gaps
- IT - BC and DR, and alignment with privacy policy
- IS - IT systems, building, remote users, vendors; CIA and AA (confidentiality, integrity, availability, accountability, assurance); IRP
- HR/Ethics - latter should be independent
- Legal - due diligence - which privacy laws apply
- Compliance - privacy program: track and investigate roles and responsibilities
- Processors/3P vendors - privacy controls in K; vet vendors then monitor and control