Ch. 4: Principles of Information Management Flashcards

1
Q

Roles of privacy professional

A

1) Alert the org to varying perspectives about privacy, risk and compliance, which can be divergent.
2) Help the org manage risks from processing, consistent with the org’s mission, growth, profitability, and other goals.
3) Identify where compliance is difficult in practice.
4) Design policies to close gaps between policies and operations.
5) Develop privacy notices and the privacy program.

2
Q

Risks of Using PI Improperly

A
  1. Legal risks - laws, contracts, commitments.
  2. Reputational risks.
  3. Operational risks - administratively efficient privacy program, so as not to be too heavy-handed and inhibit beneficial uses.
  4. Investment risks - ROR (rate of return) on investments in information, IT and processing.
3
Q

4 Basic Steps for Information Management

A
  1. Discover - identify issues, self-assessment, determine practices.
  2. Build - Procedure development and verification, full implementation.
  3. Communicate - Document, train/educate
  4. Evolve - affirmation, monitoring/enforcement, adaptation.
4
Q

Phase 1 - Discover

A
  • Applicable laws?
  • Risk tolerance?
  • Competition’s approach?
  • Business partners’ approach?

From these questions, develop policy goals as foundation.

Get broad participation across org.

5
Q

Phase 2 - Build

A
  • Determine how to meet policy goals by facilitating and restricting data flows.
  • Close coordination across org.
6
Q

Phase 3 - Communicate

A
  • Train individuals who need to know it.
  • Assign accountability.
  • Broader, high level communication to senior leaders and externally
  • Written policies, notice.
7
Q

Phase 4 - Evolve

A
  • Process for review and update

- Enforce it as well (TL)

8
Q

Data Inventory

A
  • Customer data and employee data
  • Document data flows and location, means of sharing and with whom and why.
  • Review and update periodically.
9
Q

Data Classification

A
  • levels of sensitivity
  • clearances of who can handle.
  • baseline level of protection.
  • data segregation as necessary/appropriate.
  • Helps org in compliance audits, respond to discovery requests, and use storage in cost-effective manner.
10
Q

Determining Data Accountability

A
  • Where, how and for what length of time is the data stored?
  • How sensitive is the information? Confidential, proprietary, sensitive, restricted, and public are common categories.
  • Should the info be encrypted?
  • Will info be transferred to or from other countries and if so, how?
  • Who determines the rules that apply to the information?
  • How is the information to be processed, and how will these processes be maintained?
  • Is the use of such data dependent upon other systems?

11
Q

Communication of Privacy Notice

A
- Make accessible online.
- Make accessible in place of business.
- Provide updates and revisions.
- Ensure appropriate personnel are knowledgeable about the policy (like customer service reps).
12
Q

Privacy Laws Requiring Opt-In Consent, and Circumstances Where Opt-In is Appropriate

A

1) COPPA - consent of parent before collecting PI of children under 13
2) HIPAA - consent before PHI disclosed to 3rd parties, subject to exceptions.
3) FCRA - consent before consumer’s credit report provided to employer, lender or other authorized recipient.

FTC believes opt-in consent should occur before PI collected under one privacy notice is processed under a materially changed privacy notice.

Industry segments may require double opt-in, where the user opts in and then confirms (e.g., email marketing).

  • Opt-in preferred as best practice for geo-location data
  • GDPR requires opt-in for marketing to occur.
13
Q

No choice / no option cases

A
  • Implied authority to process PI in some cases.
  • Online order - shared with shipping company, CC processor, and fulfillment.
  • Internal operations, such as improving services offered, fraud prevention, legal compliance, and first party marketing.
  • 2012 FTC report noted no consent if processing consistent with context of transaction, company’s relationship with consumer, or required by or specifically authorized by law.
14
Q

Opt-Out

A
  • GLBA requires opt-out before transferring PI of a customer of a financial institution to an unaffiliated 3rd party for the 3rd party’s own use.
  • Video Privacy Protection Act requires opt-out before covered movie / other rental data provided to 3rd party.
  • CAN-SPAM requires email marketers to provide an opt-out.
  • Do Not Call rules provide opt-out of telemarketing calls, both in general and company by company.
  • Data & Marketing Association operates opt-out system for consumers not wanting commercial mail sent to their home.
  • Ditto for online advertising orgs like The Network Advertising Initiative, TrustArc, and Digital Advertising Alliance.
15
Q

Managing User Preferences - Challenges

A
  1. Scope of an opt-out or opt-in. By channel (e.g., email vs. phone).
  2. Mechanism for providing user preference. Generally, channel for marketing is required channel for user preference (don’t require you to mail in your email preferences).
  3. Linking. Good practice is to implement opt-out or other user preference across channels and platforms.
  4. Time period for implementing user prefs - how soon they become operational. CAN-SPAM and Telemarketing Sales Rules mandate specific time periods.
  5. 3rd party vendors - these should honor the customer preferences.
16
Q

Customer Access and Redress

A

Refer to APEC access/redress principles from Chapter 1.

17
Q

Vendor Contracts

A
  1. Confidentiality provision
  2. No further use of shared information - only for purposes contracted.
  3. Use of subs - flow down obligations.
  4. Requirement to notify and disclose breach
  5. Infosec provisions.
18
Q

Vendor Due Diligence Standards

A
  1. Reputation
  2. Financial condition and insurance.
  3. Info sec controls.
  4. Point of transfer - secure transfer.
  5. Disposal of info.
  6. Employee training and user awareness.
  7. Vendor incident response.
  8. Audit rights.
19
Q

Key New Provisions in GDPR

A

(1) notification of security breaches,
(2) new requirements for processors (contractors who act on behalf of data controllers),
(3) designation of data protection officers,
(4) accountability obligations,
(5) rules for international transfers and
(6) sanctions of up to four percent of worldwide revenues.

20
Q

What types of risks should be considered when using PI ?

A
  1. Legal Risks
  2. Reputation Risks
  3. Operational Risks
  4. Investment Risks
21
Q

What do the Legal Risks stem from?

A

Failure to comply with applicable law, contractual commitments, privacy promises, and industry standards.

22
Q

What do the Reputational Risks stem from?

A

Legal enforcement actions, and announcing privacy policies but not carrying them out.

23
Q

What do the Operational Risks stem from?

A

Administrative efficiency and cost effectiveness.

24
Q

What do the Investment Risks stem from?

A

The ability to receive an appropriate return on its investments in information, information technology, etc.

25
Q

What are the 4 basic steps for Information Management?

A
  1. Discover
  2. Build
  3. Communicate
  4. Evolve
26
Q

What should practices and controls that organizations use for managing PI address?

A
  1. Data Inventory
  2. Data Classification
  3. Documenting Data Flows
  4. Determining Data Accountability
27
Q

What does Data Inventory involve?

A

An inventory of the PI (employee and customer) that the organization collects, stores, uses, or discloses. It should document data location and flow as well as evaluate how, when, and with whom the organization shares such information - and the means for data transfer used.

28
Q

What does Data Classification involve?

A

Classifying data according to its level of sensitivity. It should define the clearance of individuals who can access or handle the data, as well as the baseline level of protection that is appropriate for that data.

29
Q

What does Documenting Data Flows involve?

A

The mapping and documenting of the systems, applications, and processes handling data.

30
Q

What does Determining Data Accountability involve?

A

The responsibility to assure compliance with privacy laws and policies.

31
Q

What do Privacy Policies do?

A

They inform relevant employees about how PI must be handled, and in some cases are made public in the form of a privacy notice.

32
Q

When does one Privacy Policy make sense?

A

When an organization has a consistent set of values and practices for all its operations.

33
Q

When do multiple Privacy Policies make sense?

A

When a company has well-defined divisions or lines of business, especially if each division uses customer data in very different ways, does not typically share PI with other divisions, and is perceived in the marketplace as a different business.

34
Q

What should a company do if it revises its Privacy Policy?

A
  1. Announce the change to employees
  2. Announce the change to current and former customers
  3. Per the FTC, obtain express affirmative consent (opt-in) before making material retroactive changes to privacy representations
35
Q

What methods may a company communicate its Privacy Notice?

A
  1. Make the notice accessible in places of business
  2. Make the notice accessible online
  3. Provide updates and revisions
  4. Ensure that the appropriate personnel are knowledgeable about the policy.
36
Q

What is an opt-in?

A

One of two central concepts of choice. It means an individual makes an active affirmative indication of choice; i.e., checking a box signaling a desire to share his or her information with third parties.

37
Q

What legal bodies require opt-ins?

A

COPPA, HIPAA, FCRA

38
Q

What is an opt-out?

A

One of two central concepts of choice. It means an individual’s lack of action implies that a choice has been made; i.e., unless an individual checks or unchecks a box, their information will be shared with third parties.

39
Q

What is no consumer choice or no option?

A

When companies use consumer data for practices that are consistent with the context of the transaction, consistent with the company’s relationship with the consumer, or as required or specifically authorized by law.

40
Q

What are some management challenges of user preferences?

A
  1. The scope of the opt-out or other user preference can vary.
  2. The mechanism for providing an opt-out or other user preference can vary.
  3. Linking of a user’s interactions.
  4. The time period for implementing user preferences.
  5. Third party vendors often process PI on behalf of the company.
41
Q

What laws give consumers the right to access the PI held about them?

A
  1. FCRA
  2. HIPAA
  3. Statements on fair information practices - OECD Guidelines, APEC Principles
42
Q

What precautions should be included in vendor contracts?

A
  1. Confidentiality provision
  2. No further use of shared information.
  3. Use of subcontractors.
  4. Requirement to notify and to disclose breach
  5. Information security provisions
43
Q

What vendor due diligence standards should a company consider using?

A
  1. Reputation.
  2. Financial Condition and insurance
  3. Information Security Controls
  4. Point of Transfer
  5. Disposal of information
  6. Employee Training and User Awareness
  7. Vendor incident response
44
Q

Which of the following are the three stages for implementing and managing information systems?

A. selection
B. control
C. Compliance
D. Evaluation

A

A
B
D

45
Q

Regarding controls on the information, what should organizations focus on?

A
  • Information security
  • Information quality

46
Q

Regarding controls on the information, what should organizations do with respect to information security?

A

Organizations should use reasonable administrative, technical and physical safeguards to protect personal information against unauthorized access, use, disclosure, modification and destruction.

47
Q

Regarding controls on the information, what should organizations do with respect to information quality?

A

Organizations should maintain accurate, complete and relevant personal information for the purposes identified in the notice.

48
Q

Organizations should address the life cycle of information, including what elements?

A

Collection
Use and retention
Disclosure.

49
Q

Building a privacy strategy may mean changing the ______ and ______ of an entire organization.

A

mindset

perspective

50
Q

________ in an organization has a role to play in protecting the personal information an organization collects, uses and discloses.

A

Everyone

51
Q

Management needs to :

A

approve funding to resource and equip the privacy team, fund important privacy-enhancing resources and technologies, support privacy initiatives such as training and awareness, and hold employees accountable for following privacy policies and procedures.

52
Q

Sales personnel must:

A

secure business contact data and respect the choices of these individuals.

53
Q

Developers and engineers must

A

1) incorporate effective security controls,
2) build safe websites, and
3) create solutions that require the collection or use of only the data necessary to accomplish the purpose.

54
Q

An organization experienced a breach of credit card data, how should it respond?

A

Notify affected card brands immediately; the organization is required to notify all affected credit card brands.

55
Q

An organization experienced a breach of credit card data, how should it respond?

A

Notify affected credit card brands immediately (it’s a requirement)

56
Q

When should executives be made aware of changes in applicable cybersecurity laws?

A

during a routine monthly risk update

57
Q

The classification of an incident is an indication of what 3 things?

A

data, application or system involved (incident classification can also be tied to the location)

58
Q

A CISO noticed that dwell time metrics aren’t improving, what should be done?

A

improve incident detection capabilities

59
Q

Does an executive level security council include allocating security budgets to business units?

A

no.

It’s a good way to get executives talking about cyber risk and business risk, and making risk decisions

60
Q

In a quantitative risk analysis, how is risk expressed in terms of the partial loss of functionality of an asset?

A

Exposure Factor (EF)

61
Q

A risk assessment of an organization’s SDLC might compel the organization to do what?

A

Introduce secure coding standards

not update coding standards, because that may not address security specifically

62
Q

What elements should be included in a business case document template?

A
Current State
Desired End State
Requirements
Approach
Plan
63
Q

A basic security incident response has how many steps, and what are they?

A

8

detect
initiate
evaluate
eradicate
recovery
remediate
closure
review
64
Q

True or False?

In addition to documenting roles and responsibilities, an incident response program should include detailed procedures for responding to common incidents

A

True

65
Q

What activity helps ensure a security program is aligned with a security strategy?

A

Periodic Management Review

66
Q

What is the best indicator of effectiveness?

A

The trend line for the number of critical and high vulnerabilities found in application penetration tests

67
Q

How does the percentage of effective controls show value (how is it a value delivery metric?)

A

By illustrating how well the security program is ensuring control effectiveness

68
Q

Who is included in a directory of parties to notify in an emergency?

A
regulators
offsite media storage companies 
contract personnel services
suppliers
law enforcement
insurance company agents
69
Q

What is the problem with the following control statement, “Endpoints are protected from malware with McAfee Antivirus”

A

It’s overly specific.

If they switched to Symantec, they would technically be out of compliance

Note that it is also unambiguous, but that’s not the best answer.

70
Q

How will a security manager determine the actions needed to achieve the desired end state for a new security program?

A

Perform a gap analysis

That will help understand the present state and the actions needed to move from the present to the desired state

71
Q

How can a CISO best understand the organization’s risk tolerance?

A

Interview board members and senior executives.

Examining the risk ledger or other artifacts or capabilities may not accurately reflect the organization’s current risk tolerance.

72
Q

A control’s effectiveness can be tested with a review. True or False?

A

False.

A self-assessment, internal or external audit are all ok but a review is less rigorous

73
Q

What does this describe?

A document describing the need for a mobile device management program that describes required resources, benefits, and a high-level plan

A

Business case

not a proposal

74
Q

If an organization has a nonstandard IT governance framework, should the security governance framework be built to resemble it?

A

Yes

An organization’s security governance framework should be similar to other frameworks, especially that of IT

(don’t build it around industry standards)

75
Q

If an auditor examines a business activity for which there is no control and scores the control as ineffective, what’s the best response?

A

To treat the activity as though a control should exist - develop a control and ensure it’s effective

76
Q

Can organizations ever opt out of PCI DSS controls?

A

no

77
Q

Compare leading vs trailing indicators

A

1) trailing indicators show past events

2) leading indicators show future risks

78
Q

Is it common to require project managers to earn security certifications?

A

no

Security related improvements to project management would not include getting the PM certified in security

79
Q

Is a control self-assessment the most effective way to determine compliance with internal policies?

A

yes

80
Q

What does a qualified opinion mean?

A

That the audit has failed in one or more of its high-level control objectives. This is cause for concern and further inquiry

81
Q

What’s the next step after a security policy has been reviewed and updated?

A

Publish it and inform workers where to find it

not require them to sign it
not include changes in security awareness training
not simply publishing it

82
Q

What’s the purpose of a security addendum in a legal contract?

A

To specify security-related terms and conditions

83
Q

document marking

A

“Restricted. For Limited Distribution”

84
Q

procedure

A

1) describes step by step instructions to perform a task

2) it can be part of a process

85
Q

What information will an external pen tester need to plan a pen test of an organization’s externally facing applications?

A

URLs (not IP ranges)
time of day to test
emergency contact information

86
Q

An auditor examines an activity for which no control exists and scores it as ineffective. What is the best response?

A

Develop a written control and ensure it’s effective

not perform a risk analysis to determine if a control should be developed

87
Q

A developer informs the CISO that the organization is out of compliance with PCI-DSS. How should the CISO proceed?

A

Create an entry in the risk ledger and look into the matter.

not conduct an investigation, it’s good but not the best initial reaction

88
Q

Document that describes the need for a business capability, including costs and benefits is a what?

A

business case

89
Q

file integrity monitoring

A

Periodically scan file systems and report on any changes that occur.

Changes may be due to maintenance but also indicate compromise

90
Q

file activity monitoring

A

Monitor directories and files to detect unusual activities that may indicate compromise.

do not use this for help with making sure servers are consistently configured

91
Q

RACI Chart

A

Responsible
Accountable
Consulted
Informed

Assigns levels of responsibility to individuals and groups.

Helps personnel determine roles for various business activities

92
Q

How often should incident escalation procedures be updated?

A

Once per year, or when executive personnel changes

93
Q

If a risk register has grown too large, what is the best remedy?

A

Implement a GRC (Governance, Risk, Compliance) platform with a risk management module.

Automating through a risk management module in a GRC platform is best.

94
Q

After a security policy has been reviewed and updated, what are the next steps?

A

Publish and inform workers

95
Q

What’s the best way to introduce security into the hiring process?

A

perform background checks, use NDA’s, verify licenses and certifications, verify prior employment

Not require candidates to complete security awareness training

96
Q

What’s special about leading indicators?

A

they’re potential indicators of future attacks / events

e.g., the percentage of critical servers not patched within 30 days

97
Q

An auditor examines a business activity for which no written control exists and scores it as ineffective. What’s the best response?

A

Develop a written control and ensure it is effective. Generally, if an auditor examines a business activity as though a control exists, but does not, the organization should formally develop the control.

Not - perform risk analysis to determine whether a control should be developed

98
Q

Process (Process Document)

A

Document that describes the overall activities to take place on a particular activity

99
Q

Process (Process Document)

A

Document that describes the overall activities to take place on a particular activity

Describes all of the actions to take place regarding vulnerability management

100
Q

The most complete business case for security solutions is one that…

A

includes appropriate justification

101
Q

Which is the most effective technique to determine compliance with internal policies?

control self-assessment
vulnerability assessment
risk assessment
threat assessment

A

control self-assessment

102
Q

one disadvantage of preventive controls compared to detective controls?

preventive take longer to certify
preventive requires more training
detective are easier to implement
preventive sometimes prevent desired outcomes

A

preventive controls sometimes prevent desired outcomes.

for example, blocking legitimate email as spam, or an IPS that prevents legitimate downloads

103
Q

business record consisting of identified security issues is a?

risk assessment
risk ledger
vulnerability assessment
penetration test

A

Risk Ledger

not a risk assessment because that only identifies some but not all issues

104
Q

In designing and administering a privacy program, an organization should consider and balance four types of risks.

A

1) Legal risks.
2) Reputational risks.
3) Operational risks.
4) Investment Risks

105
Q

Investment risks.

A

The organization must be able to receive an appropriate return on its investments in information, information technology and information-processing programs in light of evolving privacy regulations, enforcement and expectations.

106
Q

Operational risks.

A

The organization must ensure that its privacy program is administratively efficient. If a privacy program is too heavy-handed, it may interfere with relationships and inhibit uses of PI that benefit the organization and its customers, such as for personalization or risk management.

107
Q

Reputational risks

A

The organization can face reputational harm if it announces privacy policies but does not carry them out; it may also face enforcement actions—particularly from the Federal Trade Commission (FTC). An organization should seek to protect its reputation as a trusted institution with respected brands.

108
Q

Legal risks.

A

The organization must comply with applicable state, federal and international laws regarding its use of information or potentially face litigation or regulatory sanctions such as consent decrees, which may last for many years. The company must also comply with its contractual commitments, privacy promises and commitments to follow industry standards, such as the Payment Card Institute Data Security Standard (PCI DSS).

109
Q

Decades of opinion surveys show that people can be categorized in three groups:

A

1) the “privacy fundamentalists” (people with a strong desire to protect privacy),
2) the “privacy unconcerned” (people with low worries about privacy), and
3) the “privacy pragmatists” (people whose concern about privacy varies with context and who are willing to give up some privacy in exchange for benefits).

110
Q

True/ False

In most organizations, information management requires a combination of skills, including legal, marketing, sales, human resources, public and government relations, and information technology. In large organizations, privacy professionals may be part of a team that draws on a mix of these skill sets.

A

True

111
Q

Privacy professionals help their organizations by:

A

a) managing a range of risks that can arise from processing personal information, and doing so in a manner consistent with meeting the organization’s growth, profitability and other goals.
b) identifying areas where compliance is difficult in practice, and designing policies to close gaps between stated policies and actual operations.

112
Q

True/ False

One role for privacy professionals is to alert their organizations to these often-divergent perspectives.

A

True

113
Q

It is now increasingly common for companies to develop an information management program that seeks

A

a holistic approach to the risks and benefits of processing PI.

114
Q

The program, in turn, helps create policies and practices for important parts of the organization’s activities. Common activities for such policies include:

A

1) maintaining preference lists for direct marketing,
2) developing appropriate security for human resources data,
3) executing proper contracts to authorize international data flows and
4) publishing online privacy notices when data is collected.