CCSP Domain 6: Privacy in Cloud Flashcards
What is analyzed in a privacy impact assessment (PIA)?
- how data is collected
- how data is used
- how data is maintained
What does GAPP stand for?
Generally Accepted Privacy Principles
What ISO standard is concerned with privacy in cloud?
ISO 27018; enables customer trust in CSP
Who developed GAPP?
- American Institute of Certified Public Accountants (AICPA) together with the Canadian Institute of Chartered Accountants (CICA)
What are the 10 privacy principles of GAPP?
- Management
- Notice
- Choice and Consent
- Collection
- Use, Retention and Disposal
- Access
- Disclosure to Third Parties
- Security for Privacy
- Quality
- Monitoring and Enforcement
What was the intent behind GAPP?
to establish a global framework for privacy management
What are the two documents that were created in a joint effort by the American Institute of Certified Public Accountants (AICPA) together with the Canadian Institute of Chartered Accountants (CICA)?
- Generally Accepted Privacy Principles (GAPP)
- Generally Accepted Accounting Practices (GAAP)
What is the goal of ISO 27018?
provide a code of practice for the protection of personally identifiable information in public cloud environment
How does GAPP define the Management principle?
the entity defines, documents, communicates and assigns accountability for its privacy policies and procedures
What are the criteria that organizations should follow to establish control over the management of their privacy programs?
- creating written privacy policies and communicating those policies to personnel
- assigning responsibility and accountability for those policies to a person or a team
- establishing procedures for the review and approval of privacy policies and changes to those policies
- ensuring that privacy policies are consistent with applicable laws and regulations
- performing privacy risk assessments on at least an annual basis
- ensuring that contractual obligations to customers, vendors and partners are consistent with privacy policies
- assessing privacy risks when implementing or changing technology infrastructure
- creating and maintaining a privacy incident management process
- conducting privacy awareness training and establishing qualifications for employees with privacy responsibilities
What is the second GAPP principle and what does it require organizations to do?
Notice; requires organizations to inform individuals about their privacy practices
How is the second GAPP principle defined?
the entity provides a notice about its privacy policies and procedures and identifies the purposes for which personal information is collected, used, retained and disclosed
What criteria are incorporated in the second GAPP principle?
- including notice practices in the organization’s privacy policies
- notifying individuals about the purpose of collecting personal information and the organization’s policies surrounding the other GAPP principles
- providing notice to individuals at the time of data collection, when policies and procedures change, and when the organization intends to use information for new purposes not disclosed in earlier notices
- writing privacy notices in plain and simple language and posting them conspicuously
What is the third GAPP principle and what does it allow individuals to do?
Choice and Consent; allows individuals to retain control over the use of their personal information
How is the third GAPP principle defined?
the entity describes choices available to the individual and obtains implicit or explicit consent with respect to the collection, use and disclosure of personal information
What are the criteria associated with the Choice and Consent GAPP principle?
- including choice and consent practices in the organization’s privacy policies
- informing individuals about the choice and consent options available to them and the consequences of refusing to provide personal information or withdrawing consent to use personal information
- obtaining implicit or explicit consent at or before the time that personal information is collected
- notifying individuals of proposed new uses for previously collected information and obtaining additional consent for those new uses
- obtaining direct explicit consent from individuals when the organization collects, uses, or discloses sensitive personal information
- obtaining consent before transferring personal information to or from an individual’s computer or device
What does the Collection GAPP principle govern?
governs the ways organizations come into possession of personal information
How is the Collection GAPP principle defined?
the entity collects personal information only for the purposes identified in the notice
What are the criteria associated with Collection of the GAPP framework?
- including collection practices in the organization’s privacy policies
- informing individuals that their personal information will only be collected for identification purposes
- including details on the methods used to collect data and the types of data collected in the organization’s privacy notice
- confirming that any third parties who provide the organization with personal information have collected it fairly and lawfully and that the information is reliable
- informing individuals if the organization obtains additional information about them
What does the Use, Retention and Disposal GAPP principle dictate to organizations?
organizations must maintain the privacy of personal information throughout its lifecycle
How is the Use, Retention and Disposal GAPP principle defined?
- the entity limits the use of personal information to the purposes identified in the notice and for which the individual has provided implicit or explicit consent
- the entity retains personal information for only as long as necessary to fulfill the stated purposes or as required by law or regulations and thereafter appropriately disposes of such information
What are the criteria associated with the Use, Retention and Disposal GAPP principle?
- including collection practices in the organization’s privacy policies
- informing individuals that their personal information will only be used for disclosed purposes for which the organization has obtained consent and then abiding by that statement
- informing individuals that their personal data will be retained for no longer than necessary and then abiding by that statement
- informing individuals that information that is no longer needed will be disposed of securely and then abiding by that statement
What is the GAPP definition of the Access principle?
the entity provides individuals with access to their personal information for review and update
What are the criteria associated with Access of the GAPP principle?
- including practices around access to personal information in the organization’s privacy policies
- informing individuals about the procedures for reviewing, updating and correcting their personal information
- providing individuals with a mechanism to determine whether the organization maintains personal information about them and to review any such information
- authenticating an individual’s identity before providing them with access to personal information
- providing access to information in an understandable format within a reasonable period of time and either for a reasonable charge that is based on the organization’s actual cost or at no cost
- informing individuals in writing why any requests to access or update personal information were denied and informing them of any appeal rights they may have
- providing a mechanism for individuals to update or correct personal information and providing that updated information to third parties who received it from the organization
How is the Disclosure to Third Parties GAPP principle defined?
the entity discloses personal information to third parties only for the purposes identified in the notice and with the implicit or explicit consent of the individual
What are the criteria associated with the disclosure to third parties?
- including third-party disclosure practices in the organization’s privacy policies
- informing individuals of any third-party disclosures that take place and the purpose of those disclosures
- informing third parties who receive personal information from the organization that they must comply with the organization’s privacy policy and handling practices
- disclosing personal information to third parties without notice or for purposes other than those disclosed in the notice only when required to do so by law
- disclosing information to third parties only under the auspices of an agreement that the third party will protect the information consistent with the organization’s privacy policy
- implementing procedures designed to verify that the privacy controls of third parties receiving personal information from the organization are functioning effectively
- taking remedial action when the organization learns that a third party has mishandled personal information shared with the organization
What was the first international standard addressing the privacy aspects of cloud computing for consumers?
ISO/IEC 27018
What NIST standard defines PII?
NIST 800-122
What are 3 types of private data?
- PI
- PII
- payment data (contractual)
When it comes to private data, what must the security team understand?
- what type of data the organization is processing
- where it is being processed
- any associated requirements, such as contractual obligations
What’s the Canadian privacy law?
Personal Information Protection and Electronic Documents Act (PIPEDA)
What does PIPEDA cover?
information about an individual that is identifiable to that specific individual (DNA, medical, age, edu, employment, ethnicity …)
Does PIPEDA include a data breach notification requirement?
yes
What can supersede PIPEDA?
province-specific laws that are deemed substantially similar to PIPEDA
Different laws and regulations may apply depending on the location of what?
- data subject
- data collector
- cloud service provider
- subcontractors processing the data
- company HQ of the entities involved
Due to different jurisdiction implications, what impact can legal concerns have when utilizing cloud services?
- it can prevent utilization of a cloud service provider
- add cost and time to market
- drive changes to technical architectures required to deliver services
ISO 27018 was published as a component of which ISO standard?
27001
Are AWS, GCP and Azure ISO 27000 compliant?
yes
GAPP is widely incorporated into which framework as an optional criterion?
SOC2; organizations pursuing a SOC2 audit can include these privacy controls, if appropriate (depends on the type of service provided)
How is the Security for Privacy GAPP principle defined?
personal information is protected against both physical and logical unauthorized access
How is the Quality GAPP principle defined?
organization maintains accurate, complete and relevant personal information that is necessary for the purposes defined
How is the Monitoring and Enforcement GAPP principle defined?
organization monitors compliance with its privacy policies and procedures; also has procedures in place to address privacy-related complaints and disputes
Which ISO document covers best practices for implementing privacy controls?
ISO 27701
What does a Privacy Impact Assessment focus on?
what, why, and how of personally identifiable information, including legal and policy requirements, risks, and controls