Ch. 4 Information Management Quiz Flashcards
The role of a privacy professional includes:
a. Monitoring external environment for changes to regulations and laws
b. Alerting stakeholders to divergent perspectives within the industry and legal landscape
c. Identifying compliance challenges, and design policies to address ways to manage the risk
d. All of the above
d. All of the above
Which of the following BEST describes an element of reputational risk?
a. Compliance with contractual commitments, privacy promises and commitments to follow industry standards
b. Protecting the trust of consumers regarding the organization’s commitment to following through on its privacy policies
c. Compliance with applicable state, federal and international laws concerning the use of personal information
d. All of the above
b. Protecting the trust of consumers regarding the organization’s commitment to following through on its privacy policies
Which of the following BEST describes an element of operational risk?
a. Administrative efficiency of the organization’s privacy program
b. Ability of the organization to receive a return on investment in information and related activities.
c. Compliance with applicable state, federal and international laws concerning the use of personal information
d. All of the above
a. Administrative efficiency of the organization’s privacy program
Which of the following BEST describes an element of investment risk?
a. Administrative efficiency of the organization’s privacy program
b. Compliance with applicable state, federal and international laws concerning the use of personal information
c. Ability of the organization to receive a return on investment in information and related activities
d. All of the above
c. Ability of the organization to receive a return on investment in information and related activities
A good information management program
a. Uses a holistic approach in assessing the risks and benefits of processing personal information
b. Helps develop policies for important activities
c. Informs activities and processes used to comply with policies
d. All of the above
d. All of the above
Which of the following BEST describes the four basic steps for managing information?
a. Discover, analyze, build, and communicate
b. Discover, build, communicate, and evolve
c. Search, discover, communicate, and evolve
d. None of the above
b. Discover, build, communicate, and evolve
Which of the following occurs during the Discover phase of information management?
a. Issue identification and self-assessment
b. Procedure development and verification
c. Full implementation
d. All of the above
a. Issue identification and self-assessment
Which of the following occurs during the Discover phase of information management?
a. Issue identification
b. Self-assessment
c. Determination of best practices
d. All of the above
d. All of the above
Which of the following occurs during the Build phase of information management?
a. Procedure development and verification
b. Determination of best practices
c. Education
d. All of the above
a. Procedure development and verification
Which of the following occurs during the Build phase of information management?
a. Issue identification and self-assessment
b. Documentation
c. Full implementation
d. All of the above
c. Full implementation
Which of the following occurs during the Communicate phase of information management?
a. Adaptation
b. Procedure development and verification
c. Documentation
d. All of the above
c. Documentation
Which of the following occurs during the Communicate phase of information management?
a. Determination of best practices
b. Education
c. Full implementation
d. All of the above
b. Education
Which of the following occurs during the Evolve phase of information management?
a. Affirmation
b. Monitoring
c. Adaptation
d. All of the above
d. All of the above
A data inventory is required for businesses in some industries under:
a. Gramm-Leach-Bliley Act Privacy Rule
b. Gramm-Leach-Bliley Act Safeguards Rule
c. APEC Privacy Rule
d. None of the above
b. Gramm-Leach-Bliley Act Safeguards Rule
An organized and documented data inventory:
a. Identifies reputational and legal risks
b. Helps mitigate penalties
c. Should be reviewed and updated on a regular basis
d. All of the above
d. All of the above
Data classification:
a. Defines the level of protection needed for specific types of data based on its sensitivity
b. Identifies legal risks for data during a self-assessment
c. Determines which laws and regulations apply to the data flows occurring both internally and externally
d. All of the above
a. Defines the level of protection needed for specific types of data based on its sensitivity
Holding all data in one system:
a. Is a best practice for ensuring ease of management
b. May help reduce duplicate entries
c. May increase the impact of a single data breach
d. None of the above
c. May increase the impact of a single data breach
A documented well-organized data classification system helps an organization:
a. Respond to compliance audits for specific types of data
b. Respond more effectively to legal discovery requests
c. Efficiently use storage resources
d. All of the above
d. All of the above
Documenting data flows should include:
a. How to respond to legal discovery requests
b. Mapping of systems, applications and processes for handling data
c. A plan for responding to a data breach
d. All of the above
b. Mapping of systems, applications and processes for handling data
Which of the following is a PRIMARY consideration for addressing privacy risk in an organization as it relates to sensitive personal information?
a. Where, how, and how long the data is stored
b. Current laws for obtaining a search warrant
c. Number of team members in Human Resources
d. All of the above
a. Where, how, and how long the data is stored
Which of the following is a PRIMARY consideration for addressing privacy risk in an organization as it relates to sensitive personal information?
a. How a customer’s marital status is documented
b. Determining how sensitive the information is
c. Current laws for authenticating a customer
d. All of the above
b. Determining how sensitive the information is
Which of the following is a PRIMARY consideration for addressing privacy risk in an organization as it relates to sensitive personal information?
a. Whether or not the information should be encrypted
b. Whether or not the information will be transferred to other countries, and how it will be transferred
c. Data authorities who enforce the rules for the information
d. All of the above
d. All of the above
Which of the following is a PRIMARY consideration for addressing privacy risk in an organization as it relates to sensitive personal information?
a. Documenting a customer’s marital status
b. Best practices for providing personal information to law enforcement
c. How the information is processed and the activities performed to maintain the processes
d. All of the above
c. How the information is processed and the activities performed to maintain the processes
Which of the following is a PRIMARY consideration for addressing privacy risk in an organization as it relates to sensitive personal information?
a. Whether the use of the personal information is dependent upon other systems
b. Names of third parties processing data
c. Legal team’s knowledge in the area of privacy
d. All of the above
a. Whether the use of the personal information is dependent upon other systems
A limited retention period:
a. Is not considered a best practice when storing large amounts of personal data
b. Increases reputational risk
c. Reduces the risk of data being breached
d. All of the above
c. Reduces the risk of data being breached
Determining the level of sensitivity of personal data being held is directly dependent on which of the following?
a. Retention policies
b. Data classification
c. State tort laws
d. All of the above
b. Data classification
Which of the following provisions should be included in third party contracts to ensure an understanding of the data controller’s expectations for safeguarding consumer personal information?
a. Notification of arbitration
b. Notification of data breach
c. Notification of merger
d. All of the above
b. Notification of data breach
Which of the following information security provisions should be included in third party contracts, as applicable?
a. Specific security controls
b. Employee background checks
c. Audit rights
d. All of the above
d. All of the above
Which of the following provisions should be included in third party contracts to ensure an understanding of the data controller’s expectations for safeguarding consumer personal information?
a. Information security provisions
b. Indemnification provisions
c. Arbitration provisions
d. All of the above
a. Information security provisions
When evaluating vendors for processing data, which of the following is the least important consideration as part of the evaluation?
a. Reputation
b. Financial condition and insurance
c. Name and address of CEO
d. Information security controls
c. Name and address of CEO
Which of the following information security provisions should be included in third party contracts, as applicable?
a. Encryption of data
b. Network security
c. Access controls
d. All of the above
d. All of the above
When evaluating vendors for processing data, which of the following is the LEAST important consideration as part of the evaluation?
a. Disposal of information
b. Number of employees
c. Employee training
d. Vendor incident response
b. Number of employees
An information management program should effectively address:
a. Legal risk
b. Reputational risk
c. Meet the organization’s goals
d. All of the above
d. All of the above
Effective security risk management balances the potential for loss with what cost?
A. The cost of security protection and management.
B. The cost of statutory compliance and oversight.
C. The cost of notifications related to a data loss.
D. The cost of reduced efficiencies in operations.
A. The cost of security protection and management.
Effective security risk management balances the potential for loss with the cost of security protection and management. Information should be protected in accordance with the value of the asset - the higher the value, the greater the security needed. Foundations of Information Privacy and Data Protection, p. 92.
Role-based access controls are based on what basic security principle?
A. Access should be granted to employees on the basis of the lowest possible level.
B. Employees shall not be granted access without management approval from CIO or CEO.
C. Employees should be granted access when it is determined they may have a legitimate need to know.
D. Employees should not be able to access personal information unless it is from a public source.
A. Access should be granted to employees on the basis of the lowest possible level.
Role-based access controls are based on the basic security principle that access should be granted to employees on the basis of the lowest possible level.
No employee should have greater information access than is necessary to capably perform his or her job function. These types of precautions are known as “role-based access controls.” Foundations of Information Privacy and Data Protection, p. 94.
Use of a smart card would be identified as what type of safeguard?
A. Two-factor authentication.
B. Intrusion prevention systems.
C. Public key infrastructure.
D. Perimeter control.
A. Two-factor authentication.
Use of a smart card would be identified as a two-factor authentication safeguard.
A two- factor authentication process will combine a username and password with a token that generates a one-time password.
Smart cards use technology, such as a magnetic strip, to generate the password. Foundations of Information Privacy and Data Protection, p. 132.
What is the most likely purpose for which an organization creates a data inventory? A. showing the public which data is stored B. creating an overview of data, helpful for creating a compliance and security approach C. complying with a US legal requirement D. identifying storage size requirements
B. creating an overview of data, helpful for creating a compliance and security approach
Which of the following statements is not true regarding data classification? A. organizations are free to classify data elements a certain way to place it inside or outside of the scope of certain laws B. data classification can help identify applicable laws C. to assist in creating a security strategy D. help breach response
A. organizations are free to classify data elements a certain way to place it inside or outside of the scope of certain laws
What types of risk should an organization consider when designing and administering a privacy program? Select all that apply.
A. Legal
B. Reputational
C. Operational
D. Investment
E. Resources
A. Legal B. Reputational C. Operational D. Investment
Which step in the process for developing an incident response program involves permitting affected systems back into the production environment and ensuring no threat remains?
A. Containment
B. Eradication
C. Recovery
D. Lessons learned
C. Recovery
Who may need privacy training? Select all that apply.
A. Customer service representatives
B. Leaders at the executive level
C. Marketing managers
D. Sales executives
E. IT staff
A. Customer service representatives
B. Leaders at the executive level
C. Marketing managers
D. Sales executives
E. IT staff
Which is the best method to improve accountability for a system administrator who has security functions? include security responsibilities in the job description require them to obtain security certifications train them on pen testing and vulnerability assessment
include security responsibilities in the job description
What is the primary role of the information security manager in the process of information classification within an organization?
defining and ratifying the classification structure of information assets
What metric would be an indicator of improving discipline among control owners? Trend line in the number of control self assessments completed Trend line in the number of process documents not reviewed within 13 months of prior review Trend line in the number of control exceptions in external audits Trend line in the number of external control tests completed
Trend line in the number of control exceptions in external audits
Which document defines specific configuration details for compliance? policy procedure standard guideline
Standard A standard is a detailed document that defines configurations, protocols or products to be used in the organization
An executive has delegated responsibility for granting access requests to the IT department. The IT department in this role is functioning as the: owner custodian
custodian
Types of controls
preventive - prevent unwanted event. ie keycards, login screens detective - records good and bad events. ie cctv, event logs deterrent - convinces people to avoid an activity. ie dogs, warning signs, cctv corrective - activated after unwanted event happens. ie improving a process that didn’t work as well as desired compensating - used if other direct control can’t be used. ie a sign-in register if you can’t use video surveillance. recovery - restores state of a system. ie backup software
acceptable risk is achieved when: residual risk is minimized control risk is minimized
residual risk is minimized
Authentication is: A. The process by which a user provides a password in order to gain access to protected information B. The process by which a person or a computer system determines that another entity actually is who/what it claims to be C. The process by which a user is granted access rights and permissions to protected information D. The process by which a user is assigned security clearance to protected information
B. The process by which a person or a computer system determines that another entity actually is who/what it claims to be
Which one of the following best describes the process of “two-factor” authentication? A. An associate enters his or her user ID and password to access a protected resource. B. An associate enters his or her user ID, password and social security number/social indentification number in order to access a protected resource. C. An associate enters his or her user ID, password, and swipes his or her smart card to access a protected resource. D. An associate swipes his or her badge to access a protected resource.
C. An associate enters his or her user ID, password, and swipes his or her smart card to access a protected resource.
Which one of the following is not used in biometric systems to authenticate individuals? A. Password B. Fingerprinting C. Voice recognition D. Iris scan
A. Password
The best way to ensure compliance with privacy standards in IT development is: A. Sending memoranda to the IT group B. Creating a privacy requirements document for the IT group C. Ensuring that internal audit knows how to audit for privacy concerns D. All of the above
D. All of the above
An/a is a private data network that outside partners can access. A. Intranet B. Local Area Network (LAN) C. Extranet D. Web portal
C. Extranet
While browsing an automotive Website, you are served a banner advertisement for sporting and hiking equipment. This ad is most likely to have been delivered by which one of the following Web technologies: A. A Web beacon B. A persistent third-party cookie C. A persistent first-party cookie D. A pixel tag
B. A persistent third-party cookie
Information Privacy Case Study Jim is a systems engineer for Productis, a major U.S. consumer goods company and his job requires him to spend many hours on planes traveling to and from the company’s far-flung locations and plants. During such trips, Jim relies on his office laptop computer to connect to the company’s network and communicate with his employees. Jim’s teenage son, Randy, felt sorry about his father’s travel schedule and wanted to do something entertaining to help relieve the stress. One weekend, Randy downloaded a multimedia game player onto his father’s office laptop computer. However, neither Randy nor Jim realized at the time that the “free” multimedia player Randy downloaded came bundled with another software application –a “spyware” program— that captured information regarding Jim’s network connection, IP address and system log-on. TRUE/FALSE Jim should not remove the multimedia player without the aid of an expert because the act of removal can damage Jim’s laptop settings.
TRUE
Jim is a systems engineer for Productis, a major U.S. consumer goods company and his job requires him to spend many hours on planes traveling to and from the company’s far-flung locations and plants. During such trips, Jim relies on his office laptop computer to connect to the company’s network and communicate with his employees. Jim’s teenage son, Randy, felt sorry about his father’s travel schedule and wanted to do something entertaining to help relieve the stress. One weekend, Randy downloaded a multimedia game player onto his father’s office laptop computer. However, neither Randy nor Jim realized at the time that the “free” multimedia player Randy downloaded came bundled with another software application –a “spyware” program— that captured information regarding Jim’s network connection, IP address and system log-on. TRUE/FALSE As a general rule, the company’s policy should expressly state that only Jim should have custody of his company laptop.
TRUE
Jim is a systems engineer for Productis, a major U.S. consumer goods company and his job requires him to spend many hours on planes traveling to and from the company’s far-flung locations and plants. During such trips, Jim relies on his office laptop computer to connect to the company’s network and communicate with his employees. Jim’s teenage son, Randy, felt sorry about his father’s travel schedule and wanted to do something entertaining to help relieve the stress. One weekend, Randy downloaded a multimedia game player onto his father’s office laptop computer. However, neither Randy nor Jim realized at the time that the “free” multimedia player Randy downloaded came bundled with another software application –a “spyware” program— that captured information regarding Jim’s network connection, IP address and system log-on. TRUE/FALSE Most companies have embedded controls that prevent the downloading of all non-approved software applications.
FALSE
Jim is a systems engineer for Productis, a major U.S. consumer goods company and his job requires him to spend many hours on planes traveling to and from the company’s far-flung locations and plants. During such trips, Jim relies on his office laptop computer to connect to the company’s network and communicate with his employees. Jim’s teenage son, Randy, felt sorry about his father’s travel schedule and wanted to do something entertaining to help relieve the stress. One weekend, Randy downloaded a multimedia game player onto his father’s office laptop computer. However, neither Randy nor Jim realized at the time that the “free” multimedia player Randy downloaded came bundled with another software application –a “spyware” program— that captured information regarding Jim’s network connection, IP address and system log-on. TRUE/FALSE Jim should have contacted the technical support department in his company and immediately stopped using his computer once he realized that unauthorized software was downloaded.
TRUE
Jim is a systems engineer for Productis, a major U.S. consumer goods company and his job requires him to spend many hours on planes traveling to and from the company’s far-flung locations and plants. During such trips, Jim relies on his office laptop computer to connect to the company’s network and communicate with his employees. Jim’s teenage son, Randy, felt sorry about his father’s travel schedule and wanted to do something entertaining to help relieve the stress. One weekend, Randy downloaded a multimedia game player onto his father’s office laptop computer. However, neither Randy nor Jim realized at the time that the “free” multimedia player Randy downloaded came bundled with another software application –a “spyware” program— that captured information regarding Jim’s network connection, IP address and system log-on. TRUE/FALSE As a general rule, Jim would not cause a serious privacy or security breach if he used his laptop with unauthorized software as long as it didn’t connect to his company’s mainframe or network.
FALSE
Jim is a systems engineer for Productis, a major U.S. consumer goods company and his job requires him to spend many hours on planes traveling to and from the company’s far-flung locations and plants. During such trips, Jim relies on his office laptop computer to connect to the company’s network and communicate with his employees. Jim’s teenage son, Randy, felt sorry about his father’s travel schedule and wanted to do something entertaining to help relieve the stress. One weekend, Randy downloaded a multimedia game player onto his father’s office laptop computer. However, neither Randy nor Jim realized at the time that the “free” multimedia player Randy downloaded came bundled with another software application –a “spyware” program— that captured information regarding Jim’s network connection, IP address and system log-on. TRUE/FALSE The act of downloading the spyware program, without Jim’s consent, is a violation of U.S. federal law.
FALSE
Jim is a systems engineer for Productis, a major U.S. consumer goods company and his job requires him to spend many hours on planes traveling to and from the company’s far-flung locations and plants. During such trips, Jim relies on his office laptop computer to connect to the company’s network and communicate with his employees. Jim’s teenage son, Randy, felt sorry about his father’s travel schedule and wanted to do something entertaining to help relieve the stress. One weekend, Randy downloaded a multimedia game player onto his father’s office laptop computer. However, neither Randy nor Jim realized at the time that the “free” multimedia player Randy downloaded came bundled with another software application –a “spyware” program— that captured information regarding Jim’s network connection, IP address and system log-on. TRUE/FALSE The act of downloading the spyware program without Jim’s consent always creates legal liability for multimedia software company.
FALSE
Jim is a systems engineer for Productis, a major U.S. consumer goods company and his job requires him to spend many hours on planes traveling to and from the company’s far-flung locations and plants. During such trips, Jim relies on his office laptop computer to connect to the company’s network and communicate with his employees. Jim’s teenage son, Randy, felt sorry about his father’s travel schedule and wanted to do something entertaining to help relieve the stress. One weekend, Randy downloaded a multimedia game player onto his father’s office laptop computer. However, neither Randy nor Jim realized at the time that the “free” multimedia player Randy downloaded came bundled with another software application –a “spyware” program— that captured information regarding Jim’s network connection, IP address and system log-on. TRUE/FALSE The act of downloading the spyware program without Jim’s knowledge is always a violation of law.
FALSE
Jim is a systems engineer for Productis, a major U.S. consumer goods company and his job requires him to spend many hours on planes traveling to and from the company’s far-flung locations and plants. During such trips, Jim relies on his office laptop computer to connect to the company’s network and communicate with his employees. Jim’s teenage son, Randy, felt sorry about his father’s travel schedule and wanted to do something entertaining to help relieve the stress. One weekend, Randy downloaded a multimedia game player onto his father’s office laptop computer. However, neither Randy nor Jim realized at the time that the “free” multimedia player Randy downloaded came bundled with another software application –a “spyware” program— that captured information regarding Jim’s network connection, IP address and system log-on. TRUE/FALSE One of the most important controls to prevent problems with unauthorized downloads and spyware is to educate employees about the risk.
TRUE
Jim is a systems engineer for Productis, a major U.S. consumer goods company and his job requires him to spend many hours on planes traveling to and from the company’s far-flung locations and plants. During such trips, Jim relies on his office laptop computer to connect to the company’s network and communicate with his employees. Jim’s teenage son, Randy, felt sorry about his father’s travel schedule and wanted to do something entertaining to help relieve the stress. One weekend, Randy downloaded a multimedia game player onto his father’s office laptop computer. However, neither Randy nor Jim realized at the time that the “free” multimedia player Randy downloaded came bundled with another software application –a “spyware” program— that captured information regarding Jim’s network connection, IP address and system log-on. TRUE/FALSE Because of increased risks associated with spyware, it is a good idea to expressly include “dos and don’ts” about unauthorized downloads in the company’s security policy or standard operating procedures.
TRUE
What are the four steps involved in the development of a privacy program? A. Discover, build, communicate, evolve B. Research, design, build, audit C. Brainstorm, propose, implement, follow-through D. Test, learn, revise, monitor
A. Discover, build, communicate, evolve
Rules that govern the collection and handling of personal information regarding internet activity can be categorized as what type of privacy?
Information privacy
_________ refers to the use of authentication systems for reasons other than their intended purposes. A. change of plans B. function creep C. privacy breach D. widening scope
B. function creep
Which of the following is NOT considered a risk of an information management program? A. return on investment B. reticence and over-compliance costs C. change management practices D. legal compliance obligations
C. change management practices
Which step in the process for developing an incident response program involves permitting affected systems back into the production environment and ensuring no threat remains? A. Containment B. Eradication C. Recovery D. Lessons learned
C. Recovery
The purpose of a security incident tabletop exercise includes all of the following except which one? Maintain familiarity with incident response procedures Ensure that procedures are still correct and relevant Ensure that internal and external communications are established Ensure that an organization will be able to detect an incident
D. Ensure that an organization will be able to detect an incident
Minimum standards for securing the technical infrastructure should be defined in: a) security strategy b) security architecture c) security guidelines d) security model
a) architecture The security architecture defines how components are secured and the security services that should be in place.
When developing an information security program, what’s the most useful source of information for determining available resources? a) organization chart b) skills inventory c) job descriptions d) Google
b) skills inventory
Who should drive risk analysis for an organization? a) senior management b) security manager c) data owner d) CFO
a) security manager senior management should support and sponsor it, but the security manager will have the know-how and management of it.
When implementing effective security governance within the requirements of the company’s security strategy, which is the most important factor to consider? a) preserving confidentiality of sensitive data b) adhering to corporate privacy standards c) establishing system manager responsibility for information security d) hacking techniques
a) preserving confidentiality of sensitive data The goal of information security is to protect the organization’s information assets.
Information security policy enforcement is the responsibility of the: a) security steering committee b) CIO c) CISO d) CFO
a) CISO
The primary concern of an information security manager documenting a formal data retention policy would be A) business requirements B) legislative and regulatory requirements C) Data mapping exercise D) Hackers
A) business requirements The primary concern will be to comply with legislation and regulation but only if they are genuine business requirments
What should be fixed first to ensure successful infosec governance in an organization? A) CIO approves security policy changes B) infosec oversight committee only meets quarterly C) data center manager has final signify on all security projects
C) data center manager has final signify on all security projects The fact that the data center manager has final signoff for all security projects indicates that a steering committee is not being used and that information security is relegated to a subordinate place in the organization It is not inappropriate for an oversight or steering committee to meet quarterly. Similarly, it may be desirable to have the chief information officer (CIO) approve the security policy due to the size of the organization and frequency of updates
Which of the following are considered part of information security? A. evaluating security threats and taking countermeasures B. preventing unauthorized use of personal data C. hiring only licensed processors to access the information D. making sure that collected data is complete and correct
A. evaluating security threats and taking countermeasures B. preventing unauthorized use of personal data D. making sure that collected data is complete and correct
Which of the following is information that may be included in a log file? A. first and last name of computer owner B. how a visitor navigated to the page C. bytes sent and received D. IP address of computer user
z
What are the three main components of a successful information security program? A. availability, confidentiality, integrity B. compliance, integrity, availability C. availability, enforceability, confidentiality D. privacy, Availability. Integrity
?
OMB Circular A-130 includes guidelines on which of the following? A. information management such as data sharing, storage, and sisclosure B. The privacy responsibilities of individual government agencies and departments C. reporting procedures D. development of new privacy legislation
A
Which of the following responsibilities outlined under Appendix 1 of OMB Circular A-130 must only be followed by the specified agency? A. The National Archives and Records must review System of Records Notice every two years. B. The Office of Personnel Management must create privacy training programs for government employees. C. The Office of Management and Budget must assist agencies in implementing the Privacy Act by providing guidelines. D. The Office of Management and Budget must review privacy training programs every two years.
D
How often must Privacy Act and Matching Program Reports be published by government agencies? A. annually B. only upon major changes C. every two years D. twice a year
A B C
lonta A Biennial Privacy Act report should include: and appeals that were approved and denied A. Record of all privacy incidents B. statistics on requests and appeals that were approved and denied C. List of routine uses D. statistics on number of records
B C
A Biennial Matching Activity Report should include: matching agreement violations A. cost/benefit analysis B. List of any matching agreement violations C. results of the matching program D. Information about the Data Integrity Board
C
A New or Altered Systems or Matching Program report should include: A. a listing of other systems or changes that were rejected B. a transmittal letter signed by a senior official C. Documentation stating the reasons for the change or new system D. the routine uses of the system and their compatibility with the Privacy Act
B C D
OMB Memorandum 01-05: Guidance on Inter-agency Sharing of Personal Data reinforced privacy guidelines already set forth in what U.S. laws? A. the Privacy Act of 1974 B. the Children’s Online Privacy Protection Act C. the Freedom of Information Act D. the Computer Matching and Privacy Protection Act
A D
Which of the following were recommendations made in M-01-05 A. Agencies should limit the disclosure of information to other agencies unless i is necessary for legal of national security reasons. B. Data collected should be the minimum amount necessary. C. Privacy Impact Assessments should be completed for new information systems. D. Agencies must maintain records of all third party disclosures.
B C
Which of the following are other names for files sharing technology? A. Peer to Peer В. РЗР C. P2P D. networking
A C
Why was the use of file sharing technology banned under M-04-26? C. It is often used for illegally downloading copyrighted files. B. It puts information systems at greater risk for unauthorized access. A. It puts information systems at great risk for computer viruses. D. It is illegal to use file sharing technology.
A B C
What are the three recommendations put forth in OMB Memorandum 04-26 to prevent the use of file sharing technology bu government employees? A. create legislation 1imiting the legal usage of P2P technology D. provide employee training on P2P and other privacy issues C. implement security controls to prevent tje use of P2P technology B. requiring employees to sign personal use agreements
B C D
OMB Memorandum 05-08 called for the designation of a privacy officer in government agencies pursuant to the recommendations in Executive Order 13353 which: A. created the Safeguarding American Civil Liberties Board B. led to the creation of the privacy act C. led to the creation of the fair information privacy practices D. Gave the FTC power to enforce
A
Which of the following are responsibilities of the Privacy Officer of an agency? A. act as a member of the Safeguarding Civil Liberties Board B. Work with policy makers in the agency to develop legislation and practices that maintain privacy protection C. Work with privacy advocates in the private sector to promote the protection of civil liberties D. oversee privacy compliance in the agency
B D
OMB Memorandum 06-15 reiterates which aspect of the Privacy Act? A. notice B. consent C. minimizations D. safeguarding data
D
What are the three types of safeguards that must be implemented to adequately safeguard information? A. technical B. electronic C. physical D. administrative
A C D
M-06-15 specifically asked privacy officers to: policies to ensure compliance with the privacy act and r privacy officials within the agency to assis their findings A. designate a team of junior privacy official within the agency to assist in thier duties B. Review privacy policies to ensure compliance with the privacy act and report their findings C. publish Privacy Impact Assessments and Systems of Records Notices D. confer with the Safeguarding American Civil Liberties Board to create new privacy legislation
B
OMB Memorandum 06-16 dealt with the protection of : B. Protected Health Information A. Personally Identifiable Information C. Sensitive Information D. public access to information
C
Protections on remote access devices should include: A. a time-out function B. Encryption C. Two-factor authentication D. Restricted access to sensative information
A B C
Under OMB Memorandum 06-16 data extracts containing sensitive information that is no longer being used should be deleted: A. within 24 hours B. within 30 days C. within 90 days D. within one year
C
What is the government agency/department/group that issues technical requirements for safeguarding information? A. the Federal Trade Commission B. the National Institute of Standards and Technology C. the Office of Management and Budget D. the Office of Personnel Management
B
Which of the following are part of the remote access checklist issued by NIST and reiterated in M-06-16 to safeguard sensitive information? A. PII at increased security risk due to remote access may not be accessed, used. or disclosed. B. PII at increased security risk due to remote access must be identified. C. Organizational policy must be reviewed for compliance and efficacy. D. Virtual Private Networks should be used to increase security controls and provide further authentication of the user’s identity.
B C D
A privacy notice does NOT relate to which principle of the Information Lifecycle?
A. Use and retention.
B. Collection.
C. Monitoring and enforcement.
D. Disclosure.
C. Monitoring and enforcement.
A privacy notice does not relate to the monitoring and enforcement principle of the Information Lifecycle. The Information Lifecycle includes collection, use and retention, disclosure and storage and destruction. Foundations of Information Privacy and Data Protection, p. 13, 16.
What is the correct definition of a privacy policy?
A. An external statement that summarizes an organization’s handling practices of personal information directed at data protection authorities.
B. An internal statement that summarizes the issues relating to an organization’s handling practices of personal information directed at its managers.
C. An internal statement that governs an organization’s handling practices of personal information directed at the users of personal information.
D. An external statement that describes an organization’s handling pratices of personal information which is directed at the public.
C. An internal statement that governs an organization’s handling practices of personal information directed at the users of personal information.
However, it is common to use the organization’s privacy policy as a privacy notice in lieu of creating a separate document. Throughout the IAPP certification programs, privacy policy always refers to the internal statement, while privacy notice or privacy statement refers to the public-facing explanation to data subjects. Foundations of Information Privacy and Data Protection, p. 11.
Successful implementation of information privacy governance will FIRST require:
A. privacy awareness training.
B. updated privacy policies.
C. a computer incident management team.
D. a privacy architecture.
Answer: B
B. updated privacy policies.
Updated privacy policies are required to align management objectives with privacy procedures; management objectives translate into policy; policy translates into procedures. Privacy procedures will necessitate specialized teams such as the computer incident response and management group as well as specialized tools such as the security mechanisms that comprise the security architecture. Privacy awareness will promote the policies, procedures and appropriate use of the privacy mechanisms.
All of the following are factors in determining whether an organization can craft a common solution to the privacy requirements of multiple jurisdictions EXCEPT:
A. Effective date of most restrictive law.
B. Implementation complexity.
C. Legal regulations.
D. Cost.
A. Effective date of most restrictive law.
