CHAPTER 2: The Role of IT Privacy Flashcards

1
Q

What is a privacy notice?

A

An external instrument that informs consumers, suppliers, business partners and individuals about the organization’s information privacy practices, values and commitments.

2
Q

What are privacy policies?

A

Internal statements designed to communicate best privacy practices and what information handling guidelines to follow, and when, for those within an organization.

3
Q

What are the legal and industry requirements regarding privacy notices that organizations should be aware of?

A

o Privacy policies: internal statements designed to communicate best privacy practices and what information handling guidelines to follow, and when, for those within an organization.
o Security policies: Adequate privacy protection of personal information is contingent on the quality of an internal security policy.

4
Q

What is the purpose of security policies?

A

Prevents unauthorized or unnecessary access to corporate data or resources, including intellectual property, financial data and personal information.

5
Q

What are the ways that measures are put in place to secure data?

A

o Data schema: A data schema is used to separate customer information. It formulates all the constraints to be applied on the data, defines its entities and the relationships among them.
o Data retention: Laws and regulations may require data to be stored for a specific amount of time.
o Data deletion: When data is no longer needed, remove data and any derivatives from the system, ensuring that recovery methods are also removed.

6
Q

What is the purpose of data inventory in privacy IT?

A

o Keeping an inventory of data helps to protect privacy adequately. This means knowing what data is collected, how it is handled, where it is stored, and how it is classified.
o Analyzing and interpreting data so that it can be classified and organized into information categories is an essential step.

7
Q

What are the categories of data inventory (type of assets)?

A

o Information assets: Customer and employee data as well as backup copies of data stored either on-site or off-site
o Physical assets: Servers, workstations, laptops, portable storage devices, backup media, paper files
o Intellectual property: Software code, trade secrets

8
Q

What are the 4 types of data classification in privacy IT?

A

o Confidential: Information that should remain secure and private: customer information, employee Social Security numbers, payment account information
o Internal use: Business information intended for internal use only: company contact directories, business plans, sales forecasts, proprietary software codes
o Public: Information that can be safely shared with the public: physical address, marketing materials, customer service information

9
Q

What is the purpose of contracts and agreements in organizations?

A

o When collected data is shared with third-party vendors, it should be handled in accordance with the commitments made to the data subject and data owner regardless of where their personal information is located or how it is used.
o Third-party contracts should be detailed with clear expectations of how data is to be managed while in their possession as well as the roles and responsibilities of vendors.

10
Q

What is a privacy impact assessment (PIA)?

A

o A privacy impact assessment (PIA) is an analysis of how personal information is handled throughout the data life cycle within an organization.
o A PIA ensures that organizations apply legal, regulatory and policy requirements regarding privacy, and assesses privacy risks and methods of risk mitigation.

11
Q

What are the examples of architecture in information security?

A

o Client-server architecture: The client refers to a program that runs on a local computer, while the server is a program that runs on a remote computer. This architecture allows storing data on the client side for the purpose of completing a transaction.
o Service-oriented architecture: Decouples services from the large-scale servers. It allows designers to replicate services across multiple machines.
o Plug-in-based architecture: Plug-in-based architecture extends a user’s experience with a website via the use of an app platform, usually owned by a third party.

12
Q

What is the comprehensive organizational design in privacy IT?

A

Enterprise architecture

13
Q

What are privacy incidents?

A

Any event that can affect the confidentiality, integrity or availability of the data.
o When personally identifiable information is involved, then it is a privacy incident.
o All data incidents are personal data incidents.

14
Q

List the elements of an effective incident response plan.

A

o Discovery: Actively monitoring system activity or suspicious changes to system activity is essential in detecting an incident that could lead to a breach.
o Containment: A response plan should contain guidance on how to terminate an ongoing incident while preserving any evidence of the affected data and origin of the incident. Containment is key to stopping the threat before more damage is done. Do not wipe system logs. Remove and preserve affected systems from the network.
o Analyze and notify: For data breaches and other types of privacy incidents, notification laws vary among jurisdictions. To be prepared, an organization should know what its notification obligations are in such an event.
o Repercussions: Fines, lawsuits and nonmonetary repercussions often follow privacy incidents or breaches.
o Prevention: Privacy incidents can be used as a learning tool to address holes in security and privacy procedures, review privacy policies to identify weaknesses and train employees as needed.
o Third parties: Personal information in the hands of a third party still falls under the responsibility of the organization in the event of a breach, including provisions that describe the expectations and obligations of the vendor should an incident occur.

15
Q

What are the two systems development life cycle?

A

Securely provision, operate and maintain, Protect and defend, and Protect and defend

16
Q

What is "securely provision" in the systems development life cycle?

A

This phase encompasses the tasks focused on software development.
4 phases of systems development:
o Planning: Ensures that all security and regulatory and legal privacy requirements are considered.
o Design: Chooses the architecture design of the system based on the technology required to meet security and privacy mandates.
o Technology research and development: Explores alternatives if existing solutions do not meet those needs.
o Testing and evaluation: Ensures that each component of a system meets its requirements.
o Risk management: Identifies, documents and manages any risks related to the software quality, compliance with regulations, or security and privacy issues that present themselves within the system.

17
Q

What is "operate and maintain" in the systems development life cycle?

A

Ensuring that the system is installed and configured correctly initially and throughout its use is necessary to meet security and privacy goals.

18
Q

What is "protect and defend" in the systems development life cycle?

A

Actively protecting the system via vulnerability assessments and management tools addresses potential threats and vulnerabilities to a system. Cyber defense infrastructure support also protects frameworks and may include firewalls and system monitoring, as well as having incident response plans in place.

19
Q

What is "investigate" in the systems development life cycle?

A

In the event of a system compromise through an attack, a complete investigation is necessary. This allows for the discovery of any specific data that was compromised and the method of compromise, and may identify who may have perpetrated the attack.

20
Q

What are privacy responsibilities?

A

o Data management begins with the business model and value stream. Most privacy-related solutions are hardcoded to the business process, including data models. The technological process is a tool to support that process and support the privacy objectives within the organization and the technology ecosystem.
o Privacy technologists ensure that computers, networks, applications, websites, databases and security are maintained to protect data privacy according to company policy, regulatory requirements and industry standards.

21
Q

How then do privacy technologists design programs that are both flexible and innovative?

A

Privacy technologists should work closely with the organization’s legal team. This will help to identify the core requirements of various privacy laws and any potential risks that may impact the objectives and obligations of an organization.

22
Q

How is the effectiveness of a privacy policy assessed?

A

Through the structure of the compliance program, as it establishes the key objectives and associated internal controls to evaluate the health of the overall program. This in turn can evaluate how controls are enforced since organizations have a better understanding of where personal data is, and how and when it is used. This understanding leads to improvements in privacy governance, allowing for a more tangible risk evaluation and sufficient technological solutions to safeguard against privacy harms.
o Common compliance terminology engages privacy technologists and other stakeholders, and is valuable in creating a governance program and implementing the necessary privacy policies of any organization, particularly with differing privacy standards and regulations among jurisdictions.

23
Q

What is the difference between security and privacy in technology?

A

Security is about protecting data against unauthorized access and malicious action, whereas privacy is about enforcing the appropriate use of the data within a secure environment. It addresses all ways that data is handled, including collection, use, sharing, maintenance and retention.

24
Q

What is the similarity between security and privacy in technology?

A

Both rely on similar controls and technological capabilities.

25
Q

List the technology frameworks.

A

o ITIL, Information Technology Infrastructure Library
o COBIT, Control Objectives for Information and Related Technology

26
Q

What is the ITIL technology framework?

A

Governed and owned by AXELOS. Provides an overall measurable view of a technology system, service and functionality. ITIL reports on services provided by the technology system and helps organizations use technology to support change and growth. It has a limited view of risk management.

27
Q

What is the COBIT technology framework?

A

A more comprehensive program that helps with management of a technology system, which allows for technology governance. Technology governance focuses on the systems, application and support personnel that manage data within a company.