CCSP Domain 6: Privacy in Cloud Flashcards

1
Q

What is analyzed in a privacy impact assessment (PIA)?

A
  1. how data is collected
  2. how data is used
  3. how data is maintained
2
Q

What does GAPP stand for?

A

Generally Accepted Privacy Principles

3
Q

What ISO standard is concerned with privacy in cloud?

A

ISO 27018; enables customer trust in CSP

4
Q

Who developed GAPP?

A
  • American Institute of Certified Public Accountants (AICPA) together with the Canadian Institute of Chartered Accountants (CICA)
5
Q

What are the 10 privacy principles of GAPP?

A
  1. Management
  2. Notice
  3. Choice and Consent
  4. Collection
  5. Use, Retention and Disposal
  6. Access
  7. Disclosure to Third Parties
  8. Security for Privacy
  9. Quality
  10. Monitoring and Enforcement
6
Q

What was the intent behind GAPP?

A

to establish a global framework for privacy management

7
Q

What are the two documents that were created in a joint effort by the American Institute of Certified Public Accountants (AICPA) together with the Canadian Institute of Chartered Accountants (CICA)?

A
  1. Generally Accepted Privacy Principles (GAPP)
  2. Generally Accepted Accounting Practices (GAAP)
8
Q

What is the goal of ISO 27018?

A

provide a code of practice for the protection of personally identifiable information in a public cloud environment

9
Q

How does GAPP define the Management principle?

A

the entity defines, documents, communicates and assigns accountability for its privacy policies and procedures

10
Q

What are the criteria that organizations should follow to establish control over the management of their privacy programs?

A
  • creating written privacy policies and communicating those policies to personnel
  • assigning responsibility and accountability for those policies to a person or a team
  • establishing procedures for the review and approval of privacy policies and changes to those policies
  • ensuring that privacy policies are consistent with applicable laws and regulations
  • performing privacy risk assessments on at least an annual basis
  • ensuring that contractual obligations to customers, vendors and partners are consistent with privacy policies
  • assessing privacy risks when implementing or changing technology infrastructure
  • creating and maintaining a privacy incident management process
  • conducting privacy awareness and training and establishing qualifications for employees with privacy responsibilities
11
Q

What is the second GAPP principle and what does it require organizations to do?

A

Notice; requires organizations to inform individuals about their privacy practices

12
Q

How is the second GAPP principle defined?

A

the entity provides a notice about its privacy policies and procedures and identifies the purposes for which personal information is collected, used, retained and disclosed

13
Q

What criteria are incorporated in the second GAPP principle?

A
  • including notice practices in the organization’s privacy policies
  • notifying individuals about the purpose of collecting personal information and the organization’s policies surrounding the other GAPP principles
  • providing notice to individuals at the time of data collection, when policies and procedures change, and when the organization intends to use information for new purposes not disclosed in earlier notices
  • writing privacy notices in plain and simple language and posting them conspicuously
14
Q

What is the third GAPP principle and what does it allow individuals to do?

A

Choice and Consent; allows individuals to retain control over the use of their personal information

15
Q

How is the third GAPP principle defined?

A

the entity describes choices available to the individual and obtains implicit or explicit consent with respect to the collection, use and disclosure of personal information

16
Q

What are the criteria associated with the Choice and Consent GAPP principle?

A
  • including choice and consent practices in the organization’s privacy policies
  • informing individuals about the choice and consent options available to them and the consequences of refusing to provide personal information or withdrawing consent to use personal information
  • obtaining implicit or explicit consent at or before the time that personal information is collected
  • notifying individuals of proposed new uses for previously collected information and obtaining additional consent for those new uses
  • obtaining direct explicit consent from individuals when the organization collects, uses, or discloses sensitive personal information
  • obtaining consent before transferring personal information to or from an individual’s computer or device
17
Q

What does the Collection GAPP principle govern?

A

governs the ways organizations come into possession of personal information

18
Q

How is the Collection GAPP principle defined?

A

the entity collects personal information only for the purposes identified in the notice

19
Q

What are the criteria associated with the Collection principle of the GAPP framework?

A
  • including collection practices in the organization’s privacy policies
  • informing individuals that their personal information will only be collected for identification purposes
  • including details on the methods used to collect data and the types of data collected in the organization’s privacy notice
  • confirming that any third parties who provide the organization with personal information have collected it fairly and lawfully and that the information is reliable
  • informing individuals if the organization obtains additional information about them
20
Q

What does the Use, Retention and Disposal GAPP principle dictate to organizations?

A

organizations must maintain the privacy of personal information throughout its lifecycle

21
Q

How is the Use, Retention and Disposal GAPP principle defined?

A
  1. the entity limits the use of personal information to the purposes identified in the notice and for which the individual has provided implicit or explicit consent
  2. the entity retains personal information for only as long as necessary to fulfill the stated purposes or as required by law or regulations and thereafter appropriately disposes of such information
22
Q

What are the criteria associated with the Use, Retention and Disposal GAPP principle?

A
  • including collection practices in the organization’s privacy policies
  • informing individuals that their personal information will only be used for disclosed purposes for which the organization has obtained consent and then abiding by that statement
  • informing individuals that their personal data will be retained for no longer than necessary and then abiding by that statement
  • informing individuals that information that is no longer needed will be disposed of securely and then abiding by that statement
23
Q

What is the GAPP definition of the Access principle?

A

the entity provides individuals with access to their personal information for review and update

24
Q

What are the criteria associated with the Access GAPP principle?

A
  • including practices around access to personal information in the organization’s privacy policies
  • informing individuals about the procedures for reviewing, updating and correcting their personal information
  • providing individuals with a mechanism to determine whether the organization maintains personal information about them and to review any such information
  • authenticating an individual’s identity before providing them with access to personal information
  • providing access to information in an understandable format within a reasonable period of time and either for a reasonable charge that is based on the organization’s actual cost or at no cost
  • informing individuals in writing why any requests to access or update personal information were denied and informing them of any appeal rights they may have
  • providing a mechanism for individuals to update or correct personal information and providing that updated information to third parties who received it from the organization
25
Q

How is the Disclosure to Third Parties GAPP principle defined?

A

the entity discloses personal information to third parties only for the purposes identified in the notice and with the implicit or explicit consent of the individual

26
Q

What are the criteria associated with the disclosure to third parties?

A
  • including third-party disclosure practices in the organization’s privacy policies
  • informing individuals of any third-party disclosures that take place and the purpose of those disclosures
  • informing third parties who receive personal information from the organization that they must comply with the organization’s privacy policy and handling practices
  • disclosing personal information to third parties without notice or for purposes other than those disclosed in the notice only when required to do so by law
  • disclosing information to third parties only under the auspices of an agreement that the third party will protect the information consistent with the organization’s privacy policy
  • implementing procedures designed to verify that the privacy controls of third parties receiving personal information from the organization are functioning effectively
  • taking remedial action when the organization learns that a third party has mishandled personal information shared with the organization
27
Q

What was the first international standard addressing the privacy aspects of cloud computing for consumers?

A

ISO/IEC 27018

28
Q

What NIST standard defines PII?

A

NIST 800-122

29
Q

What are 3 types of private data?

A
  1. PI
  2. PII
  3. payment data (contractual)
30
Q

When it comes to private data, what must the security team understand?

A
  1. what type of data the organization is processing
  2. where it is being processed
  3. any associated requirements, such as contractual obligations
31
Q

What’s the Canadian privacy law?

A

Personal Information Protection and Electronic Documents Act (PIPEDA)

32
Q

What does PIPEDA cover?

A

information about an individual that is identifiable to that specific individual (DNA, medical, age, edu, employment, ethnicity …)

33
Q

Does PIPEDA include a data breach notification requirement?

A

yes

34
Q

What can supersede PIPEDA?

A

province-specific laws that are deemed substantially similar to PIPEDA

35
Q

Different laws and regulations may apply depending on the location of what?

A
  1. data subject
  2. data collector
  3. cloud service provider
  4. subcontractors processing the data
  5. company HQ of the entities involved
36
Q

Due to different jurisdiction implications, what impact can legal concerns have when utilizing cloud services?

A
  • it can prevent utilization of a cloud service provider
  • add cost and time to market
  • drive changes to technical architectures required to deliver services
37
Q

ISO 27018 was published as a component of which ISO standard?

A

27001

38
Q

Are AWS, GCP and Azure ISO 27000 compliant?

A

yes

39
Q

GAPP is widely incorporated into which framework as an optional criterion?

A

SOC2; organizations pursuing a SOC2 audit can include these privacy controls, if appropriate (depends on the type of service provided)

40
Q

How is the Security for Privacy GAPP principle defined?

A

personal information is protected against both physical and logical unauthorized access

41
Q

How is the Quality GAPP principle defined?

A

the organization maintains accurate, complete and relevant personal information that is necessary for the purposes defined

42
Q

How is the Monitoring and Enforcement GAPP principle defined?

A

the organization monitors compliance with its privacy policies and procedures; it also has procedures in place to address privacy-related complaints and disputes

43
Q

Which ISO document covers best practices for implementing privacy controls?

A

ISO 27701

44
Q

What does a Privacy Impact Assessment focus on?

A

the what, why, and how of personally identifiable information, including legal and policy requirements, risks, and controls