Case Studies Flashcards
What security controls are missing from the Eureka program?
a. Storage of medical data in the cloud is not permissible under the GDPR
b. Data access is not limited to those who “need to know” for their role
c. Collection of data without a defined purpose might violate the fairness principle
d. Encryption of the data at rest prevents European users from having the right of access and the right of portability of their data
Data access is not limited to those who “need to know” for their role
What step in the system development process did Manasa skip?
a. Obtain express written consent from users of the Handy Helper regarding marketing
b. Work with Sanjay to review any necessary privacy requirements to be built into the product
c. Certify that the Handy Helper meets the requirements of the EU-US Privacy Shield Framework
d. Build the AI feature so that users would not have to input sensitive information into the Handy Helper
Work with Sanjay to review any necessary privacy requirements to be built into the product
What administrative safeguards should be implemented to protect the collected data while in use by Manasa and her product management team?
a. Document the data flows for the collected data
b. Conduct a Privacy Impact Assessment to evaluate the risks involved
c. Implement a policy restricting data access on a need to know basis
d. Limit data transfers to the US by keeping data collected in Europe within a local data centre
Implement a policy restricting data access on a need to know basis
What element of the Privacy by Design framework might the Handy Helper violate?
a. Failure to obtain opt in consent to marketing
b. Failure to observe data localisation requirements
c. Failure to implement the least privilege access standard
d. Failure to integrate privacy throughout the system development life cycle
Failure to integrate privacy throughout the system development life cycle
What can Sanjay do to minimize the risks of offering the product in Europe?
a. Sanjay should advise the distributor that Omnimedia has certified to the Privacy Shield framework and there should be no issues
b. Sanjay should work with Manasa to review and remediate the Handy Helper as a gating item before it is released
c. Sanjay should document the data life cycle of the data collected by the Handy Helper
d. Sanjay should write a privacy policy to include with the Handy Helper user guide
Sanjay should work with Manasa to review and remediate the Handy Helper as a gating item before it is released
To improve the facility’s system of data security, Anton should consider following through with the plan for which of the following?
a. Customer communication
b. Employee access to electronic storage
c. Employee advisement regarding legal matters
d. Controlled access at the company HQ
Controlled access at the company HQ
Which of Anton’s plans for improving the data management of the company is most achievable?
a. His initiative to achieve regulatory compliance
b. His intention to transition to electronic storage
c. His objective for zero loss of personal information
d. His intention to send notice letters to customers and employees
His intention to transition to electronic storage
Which important principle of Data Lifecycle Management will most likely be compromised if Anton executes his plan to limit data access to himself and Kenneth?
a. Practicing data minimalism
b. Ensuring data retrievability
c. Implementing clear policies
d. Ensuring adequacy of infrastructure
Ensuring data retrievability
In terms of compliance with regulatory and legislative changes, Anton has a misconception regarding…
a. The timeline for monitoring
b. The method of recordkeeping
c. The use of internal employees
d. The type of required qualifications
The timeline for monitoring
What would the company’s legal team most likely recommend to Anton regarding his planned communication with customers?
a. To send consistent communication
b. To shift to electronic communication
c. To delay communication until local authorities are informed
d. To consider under what circumstances communication is necessary
To consider under what circumstances communication is necessary
Which of the following is the most effective control to enforce MessageSafe’s implementation of appropriate technical countermeasures to protect the personal data received from A&M LLP?
a. MessageSafe must apply due diligence before trusting Cloud Inc. with the personal data received from A&M LLP
b. MessageSafe must flow-down its data protection contract terms with A&M LLP to Cloud Inc.
c. MessageSafe must apply appropriate security controls on the cloud infrastructure
d. MessageSafe must notify A&M LLP of a data breach
MessageSafe must flow-down its data protection contract terms with A&M LLP to Cloud Inc.
Which of the following is a TRUE statement about the relationship among the organisations?
a. Cloud Inc. must notify A&M LLP of a data breach immediately
b. MessageSafe is liable if Cloud Inc. fails to protect data from A&M LLP
c. Cloud Inc. should enter into a data processor agreement with A&M LLP
d. A&M LLP’s service contract must be amended to list Cloud Inc. as a sub-processor
A&M LLP’s service contract must be amended to list Cloud Inc. as a sub-processor
Which of the following is NOT an obligation of MessageSafe as the email continuity service provider for A&M LLP?
a. Privacy compliance
b. Security commitment
c. Certifications to relevant frameworks
d. Data breach notification to A&M LLP
Certifications to relevant frameworks
Richard believes that a transition from the use of fax machines to internet faxing provides all of the following security benefits EXCEPT…
a. Greater accessibility to the faxes at an offsite location
b. The ability to encrypt the transmitted faxes through a secure server
c. Reduction of the risk of data being seen or copied by unauthorised personnel
d. The ability to store faxes electronically, either on the user’s PC or a password protected network server
Greater accessibility to the faxes at an offsite location
As Richard begins to research more about Data Lifecycle Management, he discovers that the law office can lower the risk of a data breach by doing what?
a. Prioritising the data by order of importance
b. Minimising the time it takes to retrieve the sensitive data
c. Reducing the volume and the type of data that is stored in its system
d. Increasing the number of experienced staff to code and categorize the incoming data
Reducing the volume and the type of data that is stored in its system
What Data Lifecycle Management principle should the company follow if they end up allowing departments to interpret the privacy policy differently?
a. Prove the authenticity of the company’s records
b. Arrange for official credentials for staff members
c. Adequately document reasons for inconsistencies
d. Create categories to reflect degrees of data importance
Adequately document reasons for inconsistencies
What is the most likely reason the CIO believes that generating a list of needed IT equipment is NOT adequate?
a. The company needs to have policies and procedures in place to guide the purchasing decisions
b. The privacy notice for customers and the Business Continuity Plan still needs to be reviewed
c. Staff members across departments need time to review technical information concerning any new database
d. Senior staff members need to first commit to adopting a minimum number of Privacy Enhancing Technologies
The company needs to have policies and procedures in place to guide the purchasing decisions
If Amira and Sadie’s ideas about adherence to the company’s privacy policy go unchecked, the Federal Communications Commission could potentially take action against NatGen for what?
a. Deceptive practices
b. Failing to institute the hotline
c. Failure to notify of processing
d. Negligence in consistent training
Failing to institute the hotline
What additional change will increase the effectiveness of the privacy compliance hotline?
a. Outsourcing the hotline
b. A system for staff education
c. Strict communication channels
d. An ethics complaint department
Outsourcing the hotline
Which of the following would be most effectively used as a guide to a systems approach to implementing data protection?
a. Data Lifecycle Management Standards
b. United Nations Privacy Agency Standards
c. International Organisation for Standardisation 9000 Series
d. International Organisation for Standardisation 27000 Series
International Organisation for Standardisation 27000 Series
How can Consolidated’s privacy training program best be further developed?
a. Through targeted curricula designed for specific departments
b. By adopting e-learning to reduce the need for instructors
c. By using industry standard off the shelf programs
d. Through a review of recent data breaches
Through targeted curricula designed for specific departments
What process could most effectively be used to add privacy protections to a new, comprehensive program being developed at Consolidated?
a. Privacy by Design
b. Privacy Step Assessment
c. Information Security Planning
d. Innovation Privacy Standards
Privacy by Design
What stage of the privacy operational lifecycle best describes Consolidated’s current privacy program?
a. Assess
b. Protect
c. Respond
d. Sustain
Protect
Which is the best way to ensure that data on personal equipment is protected?
a. User risk training
b. Biometric security
c. Encryption of the data
d. Frequent data backups
Encryption of the data
From a business standpoint, what is the most productive way to view employee use of personal equipment for work-related tasks?
a. The use of personal equipment is a cost-effective measure that leads to no greater security risks than are always present in a modern organisation
b. Any computer or other equipment is company property whenever it is used for company business
c. While the company may not own the equipment, it is required to protect the business-related data on any equipment used by its employees.
d. The use of personal equipment must be reduced as it leads to inevitable security risks
While the company may not own the equipment, it is required to protect the business-related data on any equipment used by its employees.
In order to determine the best course of action, how should this incident most productively be viewed?
a. As the accidental loss of personal property containing data that must be restored
b. As a potential compromise of personal information through unauthorised access
c. As an incident that requires the abrupt initiation of a notification campaign
d. As the premeditated theft of company data, until shown otherwise
As a potential compromise of personal information through unauthorised access
What should you do first to ascertain additional information about the loss of data?
a. Interview the person reporting the incident following a standard protocol
b. Call the police to investigate even if you are unsure a crime occurred
c. Investigate the background of the person reporting the incident
d. Check company records of the latest backups to see what data may be recoverable
Interview the person reporting the incident following a standard protocol
What is the most realistic step the organisation can take to help diminish liability in the event of another incident?
a. Requiring the vendor to perform periodic internal audits
b. Specific mandatory data protection practices in vendor contracts
c. Keeping the majority of processing activities within the organisation
d. Obtaining customer consent for any 3rd party processing of personal data
Specific mandatory data protection practices in vendor contracts
Nationwide Grill needs to create better employee awareness of the company’s privacy program by doing what?
a. Varying the modes of communication
b. Communicating to the staff more often
c. Improving inter-departmental cooperation
d. Requiring acknowledgement of company memos
Varying the modes of communication
How could the objection to Spencer’s training suggestion be addressed?
a. By requiring training only on an as-needed basis
b. By offering alternative delivery methods for training
c. By introducing a system of periodic refresher training
d. By customising training based on length of employee tenure
By offering alternative delivery methods for training