Case Studies Flashcards
What security controls are missing from the Eureka program?
a. Storage of medical data in the cloud is not permissible under the GDPR
b. Data access is not limited to those who “need to know” for their role
c. Collection of data without a defined purpose might violate the fairness principle
d. Encryption of the data at rest prevents European users from having the right of access and the right of portability of their data
Data access is not limited to those who “need to know” for their role
What step in the system development process did Manasa skip?
a. Obtain express written consent from users of the Handy Helper regarding marketing
b. Work with Sanjay to review any necessary privacy requirements to be built into the product
c. Certify that the Handy Helper meets the requirements of the EU-US Privacy Shield Framework
d. Build the AI feature so that users would not have to input sensitive information into the Handy Helper
Work with Sanjay to review any necessary privacy requirements to be built into the product
What administrative safeguards should be implemented to protect the collected data while in use by Manasa and her product management team?
a. Document the data flows for the collected data
b. Conduct a Privacy Impact Assessment to evaluate the risks involved
c. Implement a policy restricting data access on a need to know basis
d. Limit data transfers to the US by keeping data collected in Europe within a local data centre
Implement a policy restricting data access on a need to know basis
What element of the Privacy by Design framework might the Handy Helper violate?
a. Failure to obtain opt in consent to marketing
b. Failure to observe data localisation requirements
c. Failure to implement the least privilege access standard
d. Failure to integrate privacy throughout the system development life cycle
Failure to integrate privacy throughout the system development life cycle
What can Sanjay do to minimize the risks of offering the product in Europe?
a. Sanjay should advise the distributor that Omnimedia has certified to the Privacy Shield framework and there should be no issues
b. Sanjay should work with Manasa to review and remediate the Handy Helper as a gating item before it is released
c. Sanjay should document the data life cycle of the data collected by the Handy Helper
d. Sanjay should write a privacy policy to include with the Handy Helper user guide
Sanjay should work with Manasa to review and remediate the Handy Helper as a gating item before it is released
To improve the facility’s system of data security, Anton should consider following through with the plan for which of the following?
a. Customer communication
b. Employee access to electronic storage
c. Employee advisement regarding legal matters
d. Controlled access at the company HQ
Controlled access at the company HQ
Which of Anton’s plans for improving the data management of the company is most achievable?
a. His initiative to achieve regulatory compliance
b. His intention to transition to electronic storage
c. His objective for zero loss of personal information
d. His intention to send notice letters to customers and employees
His intention to transition to electronic storage
Which important principle of Data Lifecycle Management will most likely be compromised if Anton executes his plan to limit data access to himself and Kenneth?
a. Practicing data minimalism
b. Ensuring data retrievability
c. Implementing clear policies
d. Ensuring adequacy of infrastructure
Ensuring data retrievability
In terms of compliance with regulatory and legislative changes, Anton has a misconception regarding…
a. The timeline for monitoring
b. The method of recordkeeping
c. The use of internal employees
d. The type of required qualifications
The timeline for monitoring
What would the company’s legal team most likely recommend to Anton regarding his planned communication with customers?
a. To send consistent communication
b. To shift to electronic communication
c. To delay communication until local authorities are informed
d. To consider under what circumstances communication is necessary
To consider under what circumstances communication is necessary
Which of the following is the most effective control to enforce MessageSafe’s implementation of appropriate technical countermeasures to protect the personal data received from A&M LLP?
a. MessageSafe must apply due diligence before trusting Cloud Inc. with the personal data received from A&M LLP.
b. MessageSafe must flow-down its data protection contract terms with A&M LLP to Cloud Inc.
c. MessageSafe must apply appropriate security controls on the cloud infrastructure
d. MessageSafe must notify A&M LLP of a data breach
MessageSafe must flow-down its data protection contract terms with A&M LLP to Cloud Inc.
Which of the following is a TRUE statement about the relationship among the organisations?
a. Cloud Inc. must notify A&M LLP of a data breach immediately
b. MessageSafe is liable if Cloud Inc. fails to protect data from A&M LLP
c. Cloud Inc. should enter into a data processor agreement with A&M LLP
d. A&M LLP’s service contract must be amended to list Cloud Inc. as a sub-processor
A&M LLP’s service contract must be amended to list Cloud Inc. as a sub-processor
Which of the following is NOT an obligation of MessageSafe as the email continuity service provider for A&M LLP?
a. Privacy compliance
b. Security commitment
c. Certifications to relevant frameworks
d. Data breach notification to A&M LLP
Certifications to relevant frameworks
Richard believes that a transition from the use of fax machines to internet faxing provides all of the following security benefits EXCEPT…
a. Greater accessibility to the faxes at an offsite location
b. The ability to encrypt the transmitted faxes through a secure server
c. Reduction of the risk of data being seen or copied by unauthorised personnel
d. The ability to store faxes electronically, either on the user’s PC or a password protected network server
Greater accessibility to the faxes at an offsite location
As Richard begins to research more about Data Lifecycle Management, he discovers that the law office can lower the risk of a data breach by doing what?
a. Prioritising the data by order of importance
b. Minimising the time it takes to retrieve the sensitive data
c. Reducing the volume and the type of data that is stored in its system
d. Increasing the number of experienced staff to code and categorize the incoming data
Reducing the volume and the type of data that is stored in its system
What Data Lifecycle Management principle should the company follow if they end up allowing departments to interpret the privacy policy differently?
a. Prove the authenticity of the company’s records
b. Arrange for official credentials for staff members
c. Adequately document reasons for inconsistencies
d. Create categories to reflect degrees of data importance
Adequately document reasons for inconsistencies
What is the most likely reason the CIO believes that generating a list of needed IT equipment is NOT adequate?
a. The company needs to have policies and procedures in place to guide the purchasing decisions
b. The privacy notice for customers and the Business Continuity Plan still needs to be reviewed
c. Staff members across departments need time to review technical information concerning any new database
d. Senior staff members need to first commit to adopting a minimum number of Privacy Enhancing Technologies
The company needs to have policies and procedures in place to guide the purchasing decisions
If Amira and Sadie’s ideas about adherence to the company’s privacy policy go unchecked, the Federal Trade Commission could potentially take action against NatGen for what?
a. Deceptive practices
b. Failing to institute the hotline
c. Failure to notify of processing
d. Negligence in consistent training
Deceptive practices (a company that does not follow its own published privacy policy exposes itself to a Section 5 FTC Act “deceptive practices” action; there is no statutory obligation to run a hotline)
What additional change will increase the effectiveness of the privacy compliance hotline?
a. Outsourcing the hotline
b. A system for staff education
c. Strict communication channels
d. An ethics complaint department
Outsourcing the hotline
Which of the following would be most effectively used as a guide to a systems approach to implementing data protection?
a. Data Lifecycle Management Standards
b. United Nations Privacy Agency Standards
c. International Organisation for Standardisation 9000 Series
d. International Organisation for Standardisation 27000 Series
International Organisation for Standardisation 27000 Series
How can Consolidated’s privacy training program best be further developed?
a. Through targeted curricula designed for specific departments
b. By adopting e-learning to reduce the need for instructors
c. By using industry standard off the shelf programs
d. Through a review of recent data breaches
Through targeted curricula designed for specific departments
What process could most effectively be used to add privacy protections to a new, comprehensive program being developed at Consolidated?
a. Privacy by Design
b. Privacy Step Assessment
c. Information Security Planning
d. Innovation Privacy Standards
Privacy by Design
What stage of the privacy operational lifecycle best describes Consolidated’s current privacy program?
a. Assess
b. Protect
c. Respond
d. Sustain
Protect
Which is the best way to ensure that data on personal equipment is protected?
a. User risk training
b. Biometric security
c. Encryption of the data
d. Frequent data backups
Encryption of the data
From a business standpoint, what is the most productive way to view employee use of personal equipment for work-related tasks?
a. The use of personal equipment is a cost-effective measure that leads to no greater security risks than are always present in a modern organisation
b. Any computer or other equipment is company property whenever it is used for company business
c. While the company may not own the equipment, it is required to protect the business-related data on any equipment used by its employees.
d. The use of personal equipment must be reduced as it leads to inevitable security risks
While the company may not own the equipment, it is required to protect the business-related data on any equipment used by its employees.
In order to determine the best course of action, how should this incident most productively be viewed?
a. As the accidental loss of personal property containing data that must be restored
b. As a potential compromise of personal information through unauthorised access
c. As an incident that requires the abrupt initiation of a notification campaign
d. As the premeditated theft of company data, until shown otherwise
As a potential compromise of personal information through unauthorised access
What should you do first to ascertain additional information about the loss of data?
a. Interview the person reporting the incident following a standard protocol
b. Call the police to investigate even if you are unsure a crime occurred
c. Investigate the background of the person reporting the incident
d. Check company records of the latest backups to see what data may be recoverable
Interview the person reporting the incident following a standard protocol
What is the most realistic step the organisation can take to help diminish liability in the event of another incident?
a. Requiring the vendor to perform periodic internal audits
b. Specific mandatory data protection practices in vendor contracts
c. Keeping the majority of processing activities within the organisation
d. Obtaining customer consent for any 3rd party processing of personal data
Specific mandatory data protection practices in vendor contracts
Nationwide Grill needs to create better employee awareness of the company’s privacy program by doing what?
a. Varying the modes of communication
b. Communicating to the staff more often
c. Improving inter-departmental cooperation
d. Requiring acknowledgement of company memos
Varying the modes of communication
How could the objection to Spencer’s training suggestion be addressed?
a. By requiring training only on an as-needed basis
b. By offering alternative delivery methods for training
c. By introducing a system of periodic refreshing trainings
d. By customising training based on length of employee tenure
By offering alternative delivery methods for training
The senior advisor, Spencer, has a misconception regarding?
a. The amount of responsibility that a data controller retains
b. The appropriate role of an organisation’s security department
c. The degree to which training can lessen the number of security incidents
d. The role of HR employees in an organisation’s privacy program
The amount of responsibility that a data controller retains
What does this example best illustrate about training requirements for privacy protection?
a. Training needs must be weighed against financial costs
b. Training on local laws must be implemented for all personnel
c. Training must be repeated frequently to respond to new legislation
d. Training must include assessments to verify that the material is mastered
Training on local laws must be implemented for all personnel
Knowing that the regulator is now investigating, what would be the best step to take?
a. Consult an attorney experienced in privacy law and litigation
b. Use your background and knowledge to set a course of action
c. If you know the organisation is guilty, advise it to accept the punishment
d. Negotiate the terms of a settlement before formal legal action takes place
Consult an attorney experienced in privacy law and litigation (once a regulator has opened an investigation, the response should be handled with legal counsel; a privacy manager should neither set the legal strategy alone nor concede liability)
What should you advise this company regarding the status of security cameras at their offices in the US?
a. Add security cameras at facilities that are now without them
b. Set policies about the purpose and use of the security cameras
c. Reduce the number of security cameras located inside the building
d. Restrict access to surveillance video taken by the security cameras and destroy the recordings after a designated period of time
Set policies about the purpose and use of the security cameras
Since it is too late to restructure the contract with the vendor or prevent the app from being deployed, what is the best step for you to take next?
a. Implement a more comprehensive suite of information security controls than the one used by the vendor
b. Ask the vendor for verifiable information about their privacy protections so weaknesses can be identified
c. Develop security protocols for the vendor and mandate that they be deployed
d. Insist on an audit of the vendor’s privacy procedures and safeguards
Ask the vendor for verifiable information about their privacy protections so weaknesses can be identified
Which is the best first step in understanding the data security practices of a potential vendor?
a. Requiring the vendor to complete a questionnaire assessing International Organisation for Standardisation 27001 compliance
b. Conducting a physical audit of the vendor’s facilities
c. Conducting a penetration test of the vendor’s data security structure
d. Examining investigation records of any breaches the vendor has experienced
Requiring the vendor to complete a questionnaire assessing International Organisation for Standardisation 27001 compliance
What safeguard can most efficiently ensure that privacy protection is a dimension of relationships with vendors?
a. Include appropriate language about privacy protection in vendor contracts
b. Perform a privacy audit on any vendor under consideration
c. Require that a person trained in privacy protection be part of all vendor selection teams
d. Do business only with vendors who are members of privacy trade associations
Include appropriate language about privacy protection in vendor contracts
You want to point out that normal protocols have NOT been followed in this matter. Which process in particular has been neglected?
a. Forensic inquiry
b. Data mapping
c. Privacy breach prevention
d. Vendor due diligence vetting
Vendor due diligence vetting
You see evidence that company employees routinely circumvent the privacy officer in developing new initiatives. How can you best draw attention to the scope of this problem?
a. Insist upon one-on-one consultation with each person who works around the privacy officer
b. Develop a metric showing the number of initiatives launched without consultation and include it in reports, presentations, and consultation
c. Hold discussions with the department head of anyone who fails to consult with the privacy officer
d. Take your concerns straight to the CEO
Develop a metric showing the number of initiatives launched without consultation and include it in reports, presentations, and consultation
What would be the best kind of audit to recommend for Gadgo?
a. A supplier audit
b. An internal audit
c. A 3rd party audit
d. A self-certification
A 3rd party audit
What phase in the Privacy Maturity Model does Gadgo’s privacy program best exhibit?
a. Ad hoc
b. Defined
c. Repeatable
d. Managed
Ad hoc
Incipia Corporation just trained the last of its 300 employees on their new privacy policies and procedures. If Incipia wanted to analyse the effectiveness of the training over the next 6 months, which form of trend analysis should they use?
a. Cyclical
b. Irregular
c. Statistical
d. Standard variance
Cyclical
To determine the steps to follow, what would be the most appropriate internal guide for Ben to review?
a. Incident Response Plan
b. Code of Business Conduct
c. IT Systems and Operations Handbook
d. Business Continuity and Disaster Recovery Plan
Incident Response Plan
If this were a data breach, how is it likely to be categorized?
a. Availability Breach
b. Authenticity Breach
c. Confidentiality Breach
d. Integrity Breach
Confidentiality Breach
Going forward, what is the best way for IgNight to prepare its IT team to manage these kinds of security events?
a. Tabletop exercises
b. Update its data inventory
c. IT security awareness training
d. Share communications relating to scheduled maintenance
Tabletop exercises
In consideration of the company’s new initiatives, which of the following laws and regulations would be most appropriate for Albert to mention at the interview as a priority concern for the privacy team?
a. Gramm-Leach-Bliley Act (GLBA)
b. GDPR
c. The Telephone Consumer Protection Act (TCPA)
d. Health Insurance Portability and Accountability Act (HIPAA)
Health Insurance Portability and Accountability Act (HIPAA)
On which of the following topics does Albert most likely need additional knowledge?
a. The role of privacy in retail companies
b. The necessary maturity level of privacy programs
c. The possibility of delegating responsibilities related to privacy
d. The requirements for a managerial position with privacy protection duties
The requirements for a managerial position with privacy protection duties
Based on Albert’s observations, executive leadership should most likely pay closer attention to what?
a. Awareness campaigns with confusing information
b. Obsolete data processing systems
c. Outdated security frameworks
d. Potential in-house threats
Potential in-house threats
Based on Albert’s observations regarding recent security incidents, which of the following should he suggest as a priority for Treasure Box?
a. Appointing an internal ombudsman to address employee complaints regarding hours and pay
b. Using a 3rd party auditor to address privacy protection issues not recognised by the prior internal audits
c. Working with the HR department to make screening procedures for potential employees more rigorous
d. Evaluating the company’s ability to handle personal health information if the plan to acquire the medical supply company goes forward
Working with the HR department to make screening procedures for potential employees more rigorous
What is one important factor that Albert fails to consider regarding Treasure Box’s response to their recent security incident?
a. Who has access to the data
b. What the nature of the data is
c. How data at the company is collected
d. How long data at the company is kept
What the nature of the data is
The company may start to earn back the trust of its customer base by following Albert’s suggestion regarding which handling procedure?
a. Access
b. Correction
c. Escalation
d. Data integrity
Access
To establish the current baseline of Ace Space’s privacy maturity, Penny should consider all of the following factors EXCEPT?
a. Ace Space’s documented procedures
b. Ace Space’s employee training program
c. Ace Space’s vendor engagement protocols
d. Ace Space’s content sharing practices on social media
Ace Space’s content sharing practices on social media
What is the best way for Penny to understand the location, classification and processing purpose of the personal data Ace Space has?
a. Analyse the data inventory to map data flows
b. Audit all vendors’ privacy practices and safeguards
c. Conduct a Privacy Impact Assessment for the company
d. Review all cloud contracts to identify the location of data servers used
Analyse the data inventory to map data flows
What information will be LEAST crucial from a privacy perspective in Penny’s review of vendor contracts?
a. Audit rights
b. Liability for a data breach
c. Pricing for data security protections
d. The data a vendor will have access to
Pricing for data security protections
To help Penny and her CEO with their objectives, what would be the most helpful approach to address her IT concerns?
a. Roll out an encryption policy
b. Undertake a tabletop exercise
c. Ensure inventory of IT assets is maintained
d. Host a town hall discussion for all IT employees
Undertake a tabletop exercise
Collection, Access and Destruction are aspects of what privacy management process?
a. The data governance strategy
b. The breach response plan
c. The metric lifecycle
d. The business case
The data governance strategy
After conducting research, you discover a primary data protection issue with cloud computing. Which of the following should be your biggest concern?
a. An open programming model that results in easy access
b. An unwillingness of cloud providers to provide security information
c. A lack of vendors in the cloud computing market
d. A reduced resilience of data structures that may lead to data loss
An open programming model that results in easy access
What is the best way to prevent the Finnish vendor from transferring data to another party?
a. Restrict the vendor to using company security controls
b. Offer company resources to assist with the processing
c. Include transfer prohibitions in the vendor contract
d. Lock the data down in its current location
Include transfer prohibitions in the vendor contract
What process can best answer your questions about vendor’s data security safeguards?
a. A second-party (supplier) audit
b. A reference check with other clients
c. A table top demonstration of a potential threat
d. A public records search for earlier legal violations
A second-party (supplier) audit
What is the best way for your vendor to be clear about the Society’s breach notification expectations?
a. Include notification provisions in the vendor contract
b. Arrange regular telephone check-ins reviewing expectations
c. Send a memorandum of understanding on breach notification
d. Email the regulations that require breach notifications
Include notification provisions in the vendor contract
Which of the following elements of the incident did you adequately determine?
a. The nature of the data elements impacted
b. The likelihood the incident may lead to harm
c. The likelihood that the information is accessible and useable
d. The number of individuals whose information was affected
The number of individuals whose information was affected
Regarding the notification, which of the following would be the greatest concern?
a. Informing the affected individuals that data from other individuals may have also been affected
b. Collecting more personally identifiable information than necessary to provide updates to the affected individuals (Correct, it doesn’t call this out in the case study but this is the biggest concern I think – Joe)
c. Using a postcard with the logo of the vendor who made the mistake instead of your company’s logo
d. Trusting a vendor to send out a notice when they already failed once by not encrypting the database
Collecting more personally identifiable information than necessary to provide updates to the affected individuals
What is the most concerning limitation of the incident response council?
a. You convened it to diffuse blame
b. The council has an overabundance of attorneys
c. It takes 8 hours of emails to come to a decision
d. The leader just joined the company as a consultant
It takes 8 hours of emails to come to a decision
Regarding the credit monitoring, which of the following would be the greatest concern?
a. The vendor’s representative does not have enough experience
b. Signing a contract with CRUDLOK which lasts longer than 1 year
c. The company did not collect enough identifiers to monitor one’s credit
d. You are going to notify affected individuals via a letter followed by an email
The company did not collect enough identifiers to monitor one’s credit
Which of the following was done CORRECTLY during the above incident?
a. The process by which affected individuals sign up for email notifications
b. Your assessment of which credit monitoring company you should hire
c. The speed at which you sat down to reflect and document the incident
d. Finding a vendor who will offer the affected individuals additional services
The speed at which you sat down to reflect and document the incident
You are charged with making sure that privacy safeguards are in place for new product and initiatives. What is the best way to do this?
a. Hold a meeting with stakeholders to create an interdepartmental protocol for new initiatives
b. Institute Privacy by Design principles and practices across the organisation
c. Develop a plan for introducing privacy protections into the product development stage
d. Conduct a gap analysis after deployment of new products, then mend any gaps that are revealed
Institute Privacy by Design principles and practices across the organisation
The CEO likes what he’s seen of the company’s improved privacy program, but wants additional assurance that it is fully compliant with industry standards and reflects emerging best practices. What would best help accomplish this goal?
a. An external audit conducted by a panel of industry experts
b. An internal audit team accountable to upper management
c. Creation of a self-certification framework based on company policies
d. Revision of the strategic plan to provide a system of technical controls
An internal audit team accountable to upper management
The company has achieved a level of privacy protection that established new best practices for the industry. What is a logical next step to help ensure a high level of protection?
a. Brainstorm methods for developing an enhanced privacy framework
b. Develop a strong marketing strategy to communicate the company’s privacy practices
c. Focus on improving the incident response plan in preparation for any breaks in protection
d. Shift attention to privacy for emerging technologies as the company begins to use them
Shift attention to privacy for emerging technologies as the company begins to use them
What metric can Goddard use to assess whether costs associated with implementing new privacy protections are justified?
a. Compliance ratio
b. Cost-effective mean
c. Return on investment
d. Implementation measure
Return on investment
You give a presentation to your CEO about privacy program maturity. What does it mean to have a “managed” privacy program, according to the AICPA/CICA Privacy Maturity Model?
a. Procedures or processes exist however they are not fully documented and do not cover all relevant aspects
b. Procedures and processes are fully documented and implemented, and cover all relevant aspects.
c. Reviews are conducted to assess the effectiveness of the controls in place
d. Regular review and feedback are used to ensure continuous improvement toward optimisation of the given process.
Reviews are conducted to assess the effectiveness of the controls in place
Which of the following best demonstrates the effectiveness of a firm’s privacy incident response process?
a. The decrease of security breaches
b. The decrease of notifiable breaches
c. The increase of privacy incidents reported by users
d. The decrease of mean time to resolve privacy incidents
The decrease of mean time to resolve privacy incidents
If the IT engineers had originally set the default for customer credit card information to, “do not save”, this action would have been in line with what concept?
a. Use limitation
b. Privacy by Design
c. Harm minimisation
d. Reactive risk management
Privacy by Design
What key mistake set the company up to be vulnerable to a security breach?
a. Collecting too much information and keeping it for too long
b. Overlooking the need to organise and categorize data
c. Failing to outsource training and data management to professionals
d. Neglecting to make a backup copy of archived electronic files
Collecting too much information and keeping it for too long
How would a strong data lifecycle management policy have helped prevent the breach?
a. Information would have been ranked according to importance and stored in separate locations
b. The most sensitive information would have been immediately erased and destroyed
c. The most important information would have been regularly assessed and tested for security
d. Information would have been categorised and assigned a deadline for destruction
Information would have been categorised and assigned a deadline for destruction
How was Pacific Suites responsible for protecting the sensitive information of its offshoot, PHT?
a. As the parent company, it should have transferred personnel to oversee the secure handling of PHT’s data
b. As a parent company, it should have performed an assessment of PHT’s infrastructure and confirmed complete separation of the two networks.
c. As the parent company, it should have ensured its existing data access and storage procedures were integrated into PHT’s system
d. As the parent company, it should have replaced PHT’s electronic files with hard-copy documents stored securely on site
As the parent company, it should have ensured its existing data access and storage procedures were integrated into PHT’s system
What must Pacific Suite’s primary focus be as it manages this security breach?
a. Minimising the amount of harm to the affected individuals
b. Investigating the cause and assigning responsibility
c. Determining whether the affected individuals should be notified
d. Maintaining operations and preventing publicity
Minimising the amount of harm to the affected individuals