Chapter 8 - Data Governance

Question 1

what umbrella term is a business function that is the set of policies, procedures and controls that an organization develops to safeguard its information while making it useful and accessible

Answer 1

Data Governance

Question 2

What two things are vital for any data governance program?

Answer 2

1) Strong Executive/Management support
2) All levels of the org must understand the important of well-governed data

Question 3

what term describes the act of devloping the POLICIES and PROCEDURES for looking after an organizations data quality, security, privacy and regulatory compliance?

Answer 3

Data Stewardship

Question 4

Which role is RESPONSIBLE for data stewardship?

Answer 4

Data Stewards

Question 5

Which role forms the link between technical and non-technical divisions within an organization and works with data owners to establish policies?

Answer 5

Data Steward

Question 6

A data owner is usually a ____ business _____ with overall ___________ for a specific data _________

Answer 6

A data owner is usually a SENIOR business LEADER with overall RESPOSIBILITY for a specific data DOMAIN

Question 7

WHAT contains data about a particular operational division?

Answer 7

data domain or data subject area

Question 8

Which two data roles work with each other to establish policies and procedures for their domain?

Answer 8

The DATA OWNER works with the DATA STEWARD to establish/define policies and procedures for their domain?

Question 9

if the data owner and data steward establish policies and procedures, which two roles work together to implement those data governance policies?

Answer 9

The SUBJECT AREA DATA STEWARD works with the DATA CUSTODIAN to IMPLEMENT the data governance policies

Question 10

Which role does the actual implementing or operation of the technical controls execute data governance policies?

Answer 10

The DATA CUSTODIAN

Question 11

which tool is used in data governance to define data categories, descriptions and disclosure implications for data?

Answer 11

The DATA CLASSIFICATION MATRIX

Question 12

what is vital to consider about the data when developing access requirements to ensure proper data stewardship?

Answer 12

data classification

Question 13

the broad classifications of data are agreed between who?

Answer 13

The Data Steward and the Data Owner

Question 14

which two roles work to develop the procedures for granting access to information?

Answer 14

The Data Steward and the Subject Area Data Steward

Question 15

a role-based access approach facilitates maintenance of __________ and improves _________. I

Answer 15

a role-based access approach facilitates maintenance of PERMISSIONS and improves CONSISTENCY.

Question 16

An org chart can help inform how you develop what in regards to data?

Answer 16

roles for role-based access

Question 17

what policy describes the access requirements data subject area and access type, including reading, creating, updating and deleting?

Answer 17

Access Control Policy

Question 18

before sharing data with an outside party, what should you establish with them?

Answer 18

A Data Use Agreement.

Question 19

Regarding sharing data with another company, what must you implement if sharing information regarding research on human subjects?

Answer 19

An Institutional Review Board

Question 20

body that reviews and approves sharing of data regarding research using human subjects.

Answer 20

institutional review board

Question 21

What is essential to understand when drafting a Data Use Agreement?

Answer 21

The Data Classification for each piece of data to shared

Question 22

The Data Usage Agreement provides details governing what 3 things about the data?

Answer 22

The Transfer
The Usage
And Disclosure Protocols

Question 23

what are the two most common locations for data-at-rest?

Answer 23

Databases and flat files

Question 24

What do Oracle and Microsoft use to encrypt data and LOG FILES?

Answer 24

TDE (Transparent Data Encryption)

Question 25

Johnny is entering data into a web-form, what should he check before he enters it?

Answer 25

Should check for a padlock icon in the browser.

Question 26

What encryption protocols should you use to encrypt the copying of data between transactional and analytical system in an ETL process?

Answer 26

SFTP or SCP (Secure Copy Protocol)

Question 27

Tilly wants load data into a training data base. She doesn’t have any test data and only has production data. She needs to ensure she doesn’t copy over sensitive information. What could she do to ensure it doesn’t get copied across?

Answer 27

She can implement Data Masking Strategy to ensure sensitive data isn’t revealed.

Question 28

Fran is sharing data with an external 3rd party. Some of the data is sensitive. She decides she will de-identify the data to prevent identification. Is this enough?

Answer 28

No. She must consider the re-identification possibilities and remove absolutely every variable that is not needed.

Question 29

What considering storage environment requirements and on a shared drive in particular, what’s the safest way to manage share drive permissions to control access to data?

Answer 29

Identifying user groups and create roles for those groups and assigning users to them.

as opposed to file based/individual permissions

Question 30

What’s the risk around using cloud-based collaboration by design like Google Docs? What should you considered as a mitigation?

Answer 30

The ability to share documents resides with the individual who created the documents that are collaborated on. You need to ensure there is suitable administrative controls to combat this.

Question 31

When storing data in the cloud, how can you minimize the risk that only authorized people have access to your data (and not the cloud provider!)?

Answer 31

By use of a customer-managed encryption key.

Question 32

Regarding data retention. Bob fires Alice for poor performance. How long is he legally obliged to store her employment data for?

Answer 32

1 year from termination date

Question 33

Regarding data retention, how long are US companies legally obliged to store tax data?

Answer 33

7 years

Question 34

What requirements define how to collect, process, use, store, retain and remove data?

Answer 34

Use Requirements

Question 35

Regarding data retention, apart from legal obligations of retaining data, what other reason would you store data?

Answer 35

You’d store data if it had a particular organizational significant and then use that for statistical trending

Question 36

Which policy describes acceptable locations for storing proprietary information, what do to when data loss occurs, and methods of disposal?

Answer 36

Acceptable Use Policy

Question 37

Freya has recently joined a company and needs to understand what her responsibilities are around accessing and using data. Which policy or document should she be familiar with?

Answer 37

The Acceptable Use Policy

Question 38

which other document would you typically need when crafting an acceptable use policy? Why?

Answer 38

The Data Classification Matrix
So you can describe what how the data in each classification should be handled

Question 39

You’re creating entity relationship diagrams. Thinking about good data governance, what should you ensure?

Answer 39

That foreign keys are used to implement data constraints

Question 40

Clive is conducting a review of data governance. What diagrams should he check in relation to database design? What should he check for?

Answer 40

Entity Relationship Diagrams

He should check for (duplicate data) record linkage and create a linking table to associate the duplicate data to a master record

Question 41

Which 3 standards mentioned in the book simplyify, and help guide you on data classification process?

Answer 41

NIST definitions of Personally Identifiable Information

Protected Health Information defined under HIPAA

Card Holder Data and Sensitive Authentication Data under PCI

Question 42

Associated the following data elements with either linked or linkable PII

passport number
state
gender
full name
email address
login credentials and passwords
race

Answer 42

passport number - linked
state - linkable
gender - linkable
full name - linked
email address - linked
login credentials and passwords - linked
race - linkable

Question 43

How many data elements does HIPAA define as PHI?

Answer 43

18

Question 44

Regarding PHI, the first 3 digits of a zip code are not considered PHI, but when would this change?

Answer 44

If the city in which the zip code applies contains fewer than 20,000 people, it becomes PHI

Question 45

Describe the two provisions in HIPAA for when you need to share patient data without their consent

Answer 45

Expert Determination

Safe Harbour

Question 46

Regarding PHI, what is the name of the guidance that HIPAA describes on how digital records of patient data should be handled?

Answer 46

The Security Rule

Question 47

The PHI provisions in HIPAA only apply to what? And what are they?

Answer 47

They only apply to COVERED ENTITIES
Covered entities are:
most medical facilities

Question 48

What are the implications for a health insurance company if any of the below are processed electronically?

Payment and remittance
Claims Status
Enrollment
Referrals
Premium payment

Answer 48

They are all e-HPI. The company becomes a COVERED ENTITY and need to implement the Security Rule which applies to e-HPI

Question 49

Medical companies that process patient data may need to work with business partners, for instance to store data. What must they ensure and how is this done?

Answer 49

They must ensure that the provisions set out in HIPAA extend to the business partner. This is done by arranging a Business Associate Agreement.

Question 50

What does a Business Associate Agreement do?

Answer 50

It ensures that any business partner of a company that handles PHI also must abide by HIPAA standard.

Question 51

which three data elements about an individual are not considered PHI by HIPAA?

Answer 51

Employment records
Student educations covered by FERPA
Deidentified data

Question 52

If you’re a data analyst working in a healthcare environment, which two rules do you need to be aware of? What do they define?

Answer 52

The Security Rule - defines how e-PHI data should be handled
The Privacy Rule - defines how patient privacy (all other PHI data) should be protected

Question 53

Joni is an analysis working for a medical company and is handling PHI. She’s unsure about the rules. Who should she work with to ensure she isn’t breaking any rules?

Answer 53

the legal department of the company who specialise in privacy

Question 54

What are the two primary categories of data according to PCI DSS?

Answer 54

CHD (Cardholder Data)
SAD (Sensitive Authentication Data)

Question 55

Of the below elements of card data, match the element (cardholder data or sensitive authentication data) to the card data category

cardholder name
PIN
complete track data
account number
expiration
CCV
service code

Answer 55

cardholder name - cardholder data
PIN - sensitive authentication data
complete track data - sensitive authentication data
account number - cardholder data
expiration - cardholder data
CCV - sensitive authentication data
service code - cardholder data

Question 56

when thinking through regulatory and legal compliance data governance, what 4 categories around this must you consider about the jurisdiction within which your company operates?

Answer 56

Criminal Law
Civil Law
Administrative Law
Regulations

Question 57

1. VERIFY
2. STOP
3. ASSESS (impact)
4. NOTIFY (parties)
5. CORRECT
6. REVIEW

What are these steps for?

Answer 57

Steps that need to be taken following a data breach

Question 58

If a breach notification is triggered in the United states for PHI, what’s the rule called and who does list notification requirements for?

Answer 58

It’s called the Breach Notification Rule.

Question 59

In the European Union, how long is the breach time notification specified by GDPR?

Answer 59

72 hours.

Question 60

What is the name of the discipline who’s goal it is to ensure there’s only a single source of truth for SHARED data assets in an organization?

Answer 60

Master Data Management

Question 61

which document that contains information about data structures is essential for MDM to work effectively?

Answer 61

Data Dictionary

Question 62

What are all these drivers for?

The need to have consistent information
Need to streamline data access
Reducing compliance costs
Reducing complexity in Mergers and acquisitions

Answer 62

MDM adoption

Question 63

What are the two key MDM processes mentioned in the book?

Answer 63

Translation process (to map external data to your internal structure)

Maintaining a data dictionary

Question 64

one of the drivers for MDM is streamlining data access. What was one method mentioned in the book?

Answer 64

The implementation of APIs to access single source of data

Question 65

why does a role-based access control approach make auditing of permissions easier?

Answer 65

Auditors can focus on role assignments instead of individial user permissions

Question 66

term used to describe when you duplicate data in multiple systems

Answer 66

Record Linkage

Question 67

TAble maintained by the MDM system that maps records from multiple systems to a master ID?

Answer 67

Record Linkage Table

Question 68

type of data that balances utility and privacy when handling PII and allows aggragation of data without compromising individual privacy

Answer 68

Linkable data

Question 69

One of two provision in HIPAA when you need to share patient data:

involves use of statistical/scientific methods to minimize risk of identifying an individual

Answer 69

Expert Determination

Question 70

One of two provision in HIPAA when you need to share patient data:

involves de-identifying a data set by removing any PHI data elements.

Answer 70

SAFE HARBOUR

Question 71

Document that defines an individual’s responsibilities when accessing, using, sharing and removing data

Answer 71

Acceptable Usage Policy

Question 72

CCV
Complete Track Data
PIN

Types of data in PCI - DSS

Answer 72

Sensitive Authentication Data

Question 73

Which regulatory notification regarding data privacy states requirements for the below people to follow?

individuals
the media
the Secretary of Health
and Human Services

Answer 73

HIPPA’s Breach Notification Rule

Question 75

Storage costs is one aspected of determining what?

Answer 75

What data should be stored

certmaster q. I disagree, It should the org value of the data

Question 76

type of object - permissions are specific to users in that group regardless of the role

Answer 76

User Group

Question 77

aggregated data by group, is a technique used to de-identify data.

Answer 77

BANDING

Question 79

Agreement - defines the conditions under which an entity (such as a person or supplier) cannot disclose information to outside parties.

cm

Answer 79

Non-disclosure agreement

Question 80

involves hiding that type of field by showing something else in its place, like an asterisk.

Answer 80

MASKING

Question 81

what should a data scientist pay attention to as data passes through the data life cycle?

CM

Answer 81

Accountability

Accountability means these policies are being followed, and there are accountability measures in place to ensure the policies are followed.

Question 82

KPI percentage target for critical data

cm

Answer 82

95%

Question 83

KPI percentage for data that is important but not critical

cm

Answer 83

80%

Question 84

KPI percentage for non-critical data

cm

Answer 84

70%

Question 85

MDM data management helps ??? data from multiple systems

cm

Answer 85

Consolidate

Question 86

Anotehr word for linking data sets together

cm

Answer 86

Consolidation

Question 87

Regarding projects, refining business questions is important to avoid what?

Answer 87

Scope Creep

Question 88

defines how to accomplish the desired state through the development of a project

Answer 88

Scoping

scope includes measurable tasks

Question 89

report for Occupational Safety and Health Administration (OSHA) standards.

What type of report is this? Select all that apply
Compliance
Safety
Health
Finance

Answer 89

Compliance

Safety