Ch. 4: Principles of Information Management Flashcards
Roles of privacy professional
1) Alert org to varying perspectives about privacy, risk and compliance. Can be divergent.
2) help org manage risks from processing, consistent with org’s mission, growth, profitability, and other goals.
3) Identify where compliance difficult in practice,
4) Design policies to close gaps between policies and operations.
5) Develop privacy notices and privacy program.
Risks of Using PI Improperly
- Legal risks - laws, contracts, committments.
- Reputational risks -
- Operational risks - administratively efficient privacy program, so as not to be too heavy handed and inhibit beneficial uses.
- Investment risks - ROR on investments in information, IT and processing.
4 Basic Steps for Information Management
- Discover - identify issues, self-assessment, determine practices.
- Build - Procedure development and verification, full implementation.
- Communicate - Document, train/educate
- Evolve - affirmation, monitoring/enforcement, adaptation.
Phase 1 - Discover
- Applicable laws?
- Risk tolerance?
- Competition’s approach?
- Business partners approach?
From these questions, develop policy goals as foundation.
Get broad participation across org.
Phase 2 - Build
- Determine how to meet policy goals by facilitating and restricting data flows.
- Close coordination across org.
Phase 3 - Communicate
- Train individuals who need to know it.
- Assign accountability.
- Broader, high level communication to senior leaders and externally
- Written policies, notice.
Phase 4 - Evolve
- Process for review and update
- Enforce it as well (TL)
Data Inventory
- Customer data and employee data
- Document data flows and location, means of sharing and with whom and why.
- Review and update periodically.
Data Classification
- levels of sensitivity
- clearances of who can handle.
- baseline level of protection.
- data segregation as necessary/appropriate.
- Helps org in compliance audits, respond to discovery requests, and use storage in cost-effective manner.
Determining Data Accountability
- Where, how and for what length of time is the data stored?
- How sensitive is the information? Confidential, proprietary, sensitive, restricted, and public are common categories.
- Should the info be encrypted?
- Will info be transferred to or from other countries and if so, how?
- Who determines the rules that apply to the information?
- How is the information to be processed, and how will these processes be maintained?
- Is the use of such data dependent upon other systems?
-
Communication of Privacy Notice
- Make accessible online. Make accessible in place of business. - Provide updates and revisions. - Ensure appropriate personnel are knowledgeable about the policy (like customer service reps). -
Privacy Laws Requiring Opt-In Consent, and Circumstances Where Opt-In is Appropriate
1) COPPA - consent of parent before collecting PI of children under 13
2) HIPAA - consent before PHI disclosed to 3rd parties, subject to exceptions.
3) FCRA - consent before consumer’s credit report provided to employer, lender or other authorized recipient.
FTC believes opt-in consent should ocurr before PI collected under one privacy notice is processed under a materially changed privacy notice.
Industry segments may require double opt-in - where opt in and then confirm (email marketing, eg).
- Opt-in preferred as best practice for geo-location data
- GDPR requires opt-in for marketing to occur.
No choice / no option cases
- Implied authority to process PI in some cases.
- Online order - shared with shipping company, CC processor, and fulfillment.
- Internal operations, such as improving services offered, fraud prevention, legal compliance, and first party marketing.
- 2012 FTC report noted no consent if processing consistent with context of transaction, company’s relationship with consumer, or required by or specifically authorized by law.
Opt-Out
- GLBA requires opt-out before transferring PI of customer of fin. institution to an unafilliated 3rd party for 3rd party’s own use.
- Video Privacy Protection Act requires opt-out before covered movie / other rental data provided to 3rd party.
- CAN-SPAM requires email marketers to provide an opt-o eut.
- Do Not Call rules provide opt-out of telemarketing calls, both in general and company by company.
- Data & Marketing Association operates opt-out system for consumers not wanting commercial mail sent to their home.
- Ditto for online advertising orgs like The Network Advertising Initiative, TrustArc, and Digital Advertising Alliance.
Managing User Preferences - Challenges
- Scope of an opt-out or opt-in. By channel (email vs. phone, eg),
- Mechanism for providing user preference. Generally, channel for marketing is required channel for user preference (don’t require you to mail in your email preferences).
- Linking. Good practice is to implement opt-out or other user preference across channels and platforms.
- Time period for implementing user prefs. - How soon become operational. CAN-SPAM and Telemarketing Sales Rules mandate specific time periods.
- 3rd party vendors - these should honor the customer preferences.
Customer Access and Redress
Refer to APEC access/redress principles from Chapter 1.
Vendor Contracts
- Confidentiality provision
- No further use of shared information - only for purposes contracted.
- Use of subs - flow down obligations.
- Requirement to notify and disclose breach
- Infosec provisions.
Vendor Due Diligence Standards
- Reputation
- Financial condition and insurance.
- Info sec controls.
- Point of transfer - secure transfer.
- Disposal of info.
6 Employee training and user awareness. - Vendor incident response.
- Audit rights.
Key New Provisions in GDPR
(1) notification of security breaches,
(2) new requirements for processors (contractors who act on behalf of data controllers),
(3) designation of data protection officers,
(4) accountability obligations,
(5) rules for international transfers and
(6) sanctions of up to four percent of worldwide revenues.
What types of risks should be considered when using PI ?
- Legal Risks
- Reputation Risks
- Operational Risks
- Investment Risks
What do the Legal Risks stem from?
Failure to comply with applicable law, contractual commitments, privacy promises, and industry standards.
What do the Reputational Risks stem from?
Legal enforcement and if they announce privacy policies but do not carry them out. .
What do the Operational Risks stem from?
Administrative efficiency and cost effectiveness.
What do the Investment Risks stem from?
The ability to receive an appropriate return on it investments in information, Information technology, etc.
What are the 4 basic steps for Information Management?
- Discover
- Build
- Communicate
- Evolve
What should practices and controls that organizations use for managing PI address?
- Data Inventory
- Data Classification
- Documenting Data Flows
- Determining Data Accountability
What does Data Inventory involve?
An inventory of the PI (employee and customer) that the organization collects, stores, uses, or discloses. It should document data location and flow as well as evaluate how, when, and with whom the organization shares such information - and the means for data transfer used.
What does Data Classification involve?
Classifying data according to its level of sensitivity. It should define the clearance of individuals who can access or handle the data, as well as the baseline level of protection that is appropriate for that data.
What does Documenting Data Flows involve?
The mapping and documenting of the systems, applications, and processes handling data.
What does Determining Data Accountability involve?
The responsibility to assure compliance with privacy laws and policies.
What do Privacy Policies do?
They inform relevant employees about how PI must be handled, and in some cases are made public in the form of a privacy notice.
When does one Privacy Policy make sense?
When an organization has a consistent set of values and practices for all its operations.
When do multiple Privacy Policies make sense?
When a company that has well-defined divisions of lines of business, especially if each division uses customer data in very different ways, does not typically, share PI with other divisions and is perceived in the marketplace as a different business.
What should a company do if it revises its Privacy Policy?
- Announce the change to employees
- Announce the change to current and former customers
- Per the FTC, obtain express affirmative consent (opt-in) before making material retroactive changes to privacy representations
What methods may a company communicate its Privacy Notice?
- Make the notice accessible in places of business
- Make the notice accessible online
- Provide updates and revisions
- Ensure that the appropriate personnel are knowledgeable about the policy.
What is an opt-in?
One of two central concepts of choice. It means an individual makes an active affirmative indication of choice; i.e., checking a box signaling a desire to share his or her information with third parties.
What legal bodies require opt-ins?
COPPA, HIPPA, FCRA
What is an opt-out?
One of two central concepts of choice. It means an individual’s lack of action implies that a choice has been made; i.e., unless an individual checks or unchecks a box, their information will be shared with third parties.
What is no consumer choice or no option?
When companies use consumer data for practices that are consistent with the context of the transaction, consistent with the company’s relationship with the consumer, or as required or specifically authorized by law.
What are some management challenges of user preferences?
- The scope of the opt-out or other user preference can vary.
- The mechanism for providing an opt-out or other user preference can vary.
3, Linking of a user’s interactions. - The time period for implementing user preferences.
- Third party vendors often process PI on behalf of the company.
What laws give consumers the right to access the PI held about them?
- FCRA
- HIPAA
- Statements on fair information practices - OECD Guidelines, APEC Principles
What precautions should be included in vendor contracts?
- Confidentiality provision
- No further use of shared information.
- Use of subcontractors.
- Requirement to notify and to disclose breach
- Information security provisions
What vender due diligence standards should a company consider using?
- Reputation.
- Financial Condition and insurance
- Information Security Controls
- Point of Transfer
- Disposal of information
- Employee Training and User Awareness
- Vendor incident response
Which of the following are the three stages for implementing and managing information systems?
A. selection
B. control
C. Compliance
D. Evaluation
A
B
D
Regarding controls on the information, what should organizations focus on?
- Information security
* Information quality
Regarding controls on the information, what should organizations do with respect to information security?
Organizations should use reasonable administrative, technical and physical safeguards to protect personal information against unauthorized access, use, disclosure, modification and destruction.
Regarding controls on the information, what should organizations do with respect to information quality?
Organizations should maintain accurate, complete and relevant personal information for the purposes identified in the notice.
Organizations should address the life cycle of information, including what elements?
Collection
Use and retention
Disclosure.
Building a privacy strategy may mean changing the ______ and ______ of an entire organization.
mindse
perspective
________ in an organization has a role to play in protecting the personal information an organization collects, uses and discloses.
Everyone
Management needs to :
approve funding to resource and equip the privacy team,fund important privacy-enhancing resources and technologies,support privacy initiatives such as training and awareness, andhold employees accountable for following privacy policies and procedures.
Sales personnel must:
secure business contact data and respect the choices of these individuals.
Developers and engineers must
1) incorporate effective security controls,
2) build safe websites, and
3) create solutions that require the collection or use of only the data necessary to accomplish the purpose.
An organization experienced a breach of credit card data, how should it respond?
notify affected card brands immediately. They are required to notify all affected credit card brands
An organization experienced a breach of credit card data, how should it respond?
Notify affected credit card brands immediately (it’s a requirement)
When should executives be made aware of changes in applicable cybersecurity laws?
during a routine monthly risk update
The classification of an incident is an indication of what 3 things?
data, application or system involved (incident classification can also be tied to the location)
A CISO noticed that dwell time metrics aren’t improving, what should be done?
improve incident detection capabilities
Does an executive level security council include allocating security budgets to business units?
no.
It’s a good way to get executives talking about cyber risk and business risk, and making risk decisions
In a quantitative risk analysis, how is risk expressed in terms of the partial loss of functionality of an asset?
Exposure Factor (EF)
A risk assessment of an organization’s SDLC might compel the organization to do what?
Introduce secure coding standards
not update coding standards, because that may not address security specifically
What elements should be included in a business case document template?
Current State Desired End State Requirements Approach Plan
A basic security incident response has how many steps, and what are they?
8
detect initiate evaluate eradicate recovery remediate closure review
True or False?
In addition to documenting roles and responsibilities, an incident response program should include detailed procedures for responding to common incidents
True
What activity helps ensure a security program is aligned with a security strategy?
Periodic Management Review
What is the best indicator of effectiveness?
The trend line for the number of critical and high vulnerabilities found in application penetration tests
How does the percentage of effective controls show value (how is it a value delivery metric?)
By illustrating how well the security program is ensuring control effectiveness
Who is included in a directory of parties to notify in an emergency?
regulators offsite media storage companies contract personnel services suppliers law enforcement insurance company agents
What is the problem with the following control statement, “Endpoints are protected from malware with McAfee Antivirus”
It’s overly specific.
If they switched to Symantec, they would technically be out of compliance
Note that it is also unambiguous, but that’s not the best answer.
How will a security manager determine the actions needed to achieve the desired end state for a new security program?
Perform a gap analysis
That will help understand the present state and the actions needed to move from the present to the desired state
How can a CISO best understand the organization’s risk tolerance?
Interview board members and senior executives.
Examining the risk ledger or other artifacts or capabilities may not accurately reflect the organization’s current risk tolerance.
A control’s effectiveness can be tested with a review. True or False?
False.
A self-assessment, internal or external audit are all ok but a review is less rigorous
What does this describe?
A document describing the need for a mobile device management program that describes required resources, benefits, and a high-level plan
Business case
not a proposal
If an organization has a nonstandard IT governance framework, should the security governance framework be built to resemble it?
Yes
An organization’s security governance framework should be similar to other frameworks, especially that of IT
(don’t build it around industry standards)
If an auditor examines a business activity for which there is no control and scores the control as ineffective, what’s the best response?
To treat the activity as though a control should exist - develop a control and ensure it’s effective
Can organizations ever opt out of PCI DSS controls?
no
Compare leading vs trailing indicators
1) trailing indicators show past events
2) leading indicators show future risks
Is it common to require project managers to earn security certifications?
no
Security related improvements to project management would not include getting the PM certified in security
Is a control self-assessment the most effective way to determine compliance with internal policies?
yes
What does a qualified opinion mean?
That the audit has failed in one or more of its high-level control objectives. This is cause for concern and further inquiry
What’s the next step after a security policy has been reviewed and update?
Publish it and inform workers where to find it
not require them to sign it
not include changes in security awareness training
not simply publishing it
What’s the purpose of a security addendum in a legal contract?
To specific security-related terms and conditions
document marking
“Restricted. For Limited Distribution”
procedure
1) describes step by step instructions to perform a task
2) it can be part of a process
What information will an external pen tester need to plan a pen test of an organization’s externally facing applications?
URL’s (not IP ranges)
time of day to test
emergency contact information
An auditor examines an activity for which no control exists and scores it as ineffective. What is the best response?
Develop a written control and ensure it’s effective
not perform a risk analysis to determine if a control should be developed
A developer informs the CISO that the organization is out of compliance with PCI-DSS. How should the CISO proceed?
Create an entry in the risk ledger and look into the matter.
not conduct an investigation, it’s good but not the best initial reaction
Document that describes the need for a business capability, including costs and benefits is a what?
business case
file integrity monitoring
Periodically scan file systems and report on any changes that occur.
Changes may be due to maintenance but also indicate compromise
file activity monitoring
Monitor directories and files to detect unusual activities that may indicate compromise.
do not use this for help with making sure servers are consistently configured
RACI Chart
Responsible
Accountable
Consulted
Informed
Assigns levels of responsibility to individuals and groups.
Helps personnel determine roles for various business activities
How often should incident escalation procedures be updated?
Once per year, or when executive personnel changes
If a risk register has grown too large, what is the best remedy?
Implement a GRC (Governance, Risk, Compliance) platform with management module.
Automating through a risk management module in a GRC platform is best.
After a security policy has been reviewed and updated, what are the next steps?
Publish and inform workers
What’s the best way to introduce security into the hiring process?
perform background checks, use NDA’s, verify licenses and certifications, verify prior employment
Not require candidates to complete security awareness training
What’s special about leading indicators?
they’re potential indicators of future attacks / events
ie a percentage of critical servers that are not patched in 30 days
An auditor examines a business activity for which no written control exists and scores it as ineffective. What’s the best response?
Develop a written control and ensure it is effective. Generally, if an auditor examines a business activity as though a control exists, but does not, the organization should formally develop the control.
Not - perform risk analysis to determine whether a control should be developed
Process (Process Document)
Document that describes the overall activities to take place on a particular activity
Process (Process Document)
Document that describes the overall activities to take place on a particular activity
Describes all of the actions to take place regarding vulnerability management
The most complete business case for security solutions is one that…
includes appropriate justification
Which is the most effective technique to determine compliance with internal policies?
control self-assessment
vulnerability assessment
risk assessment
threat assessment
control self-assessment
one disadvantage of preventive controls compared to detective controls?
preventive take longer to certify
preventive requires more training
detective are easier to implement
preventive sometimes prevent desired outcomes
preventive controls sometimes prevent desired outcomes.
for example, blocking legitimate email as spam, or an IPS that prevents legitimate downloads
business record consisting of identified security issues is a?
risk assessment
risk ledger
vulnerability assessment
penetration test
Risk Ledger
not a risk assessment because that only identifies some but not all issues
In designing and administering a privacy program, an organization should consider and balance four types of risks.
1) Legal risks.
2) Reputational risks.
3) Operational risks.
4) Investment Risks
Investment risks.
The organization must be able to receive an appropriate return on its investments in information, information technology and information-processing programs in light of evolving privacy regulations, enforcement and expectations.”
Operational risks.
The organization must ensure that its privacy program is administratively efficient. If a privacy program is too heavy-handed, it may interfere with relationships and inhibit uses of PI that benefit the organization and its customers, such as for personalization or risk management.
Reputational risks
The organization can face reputational harm if it announces privacy policies but does not carry them out; 9 it may also face enforcement actions—particularly from the Federal Trade Commission (FTC). An organization should seek to protect its reputation as a trusted institution with respected brands.
Legal risks.
The organization must comply with applicable state, federal and international laws regarding its use of information or potentially face litigation or regulatory sanctions such as consent decrees, which may last for many years. The company must also comply with its contractual commitments, privacy promises and commitments to follow industry standards, such as the Payment Card Institute Data Security Standard (PCI DSS).
Decades of opinion surveys show that people can be categorized in three groups:
1) the “privacy fundamentalists” (people with a strong desire to protect privacy), 2) the “privacy unconcerned” (people with low worries about privacy), and
3) the “privacy pragmatists” (people whose concern about privacy varies with context and who are willing to give up some privacy in exchange for benefits).
True/ False
In most organizations, information management requires a combination of skills, including legal, marketing, sales, human resources, public and government relations, and information technology. In large organizations, privacy professionals may be part of a team that draws on a mix of these skill sets.”
True
Privacy professionals help their organizations by:
a) manage a range of risks that can arise from processing personal information, and do so in a manner consistent with meeting the organization’s growth, profitability and other goals.
b) to identify areas where compliance is difficult in practice, and design policies to close gaps between stated policies and actual operations.”
True/ False
One role for privacy professionals is to alert their organizations to these often-divergent perspectives.
True
It is now increasingly common for companies to develop an information management program that seeks
a holistic approach to the risks and benefits of processing PI.
The program, in turn, helps create policies and practices for important parts of the organization’s activities. Common activities for such policies include:
1) maintaining preference lists for direct marketing,
2) developing appropriate security for human resources data,
3) executing proper contracts to authorize international data flows and
4) publishing online privacy notices when data is collected.”
