CIPM - CH 1 Privacy Program Flashcards

1
Q

Privacy
Two components

A
  1. Proper collection, handling, management and use of personal information
    - implemented in the form of data governance
  2. Protection of personal information
    - implemented in the form of cybersecurity
2
Q

Privacy Objectives

A
  • Avoidance of regulatory problems
  • Enhancement of customer experience
3
Q

Business case for implementing a privacy program
2 points

A
  1. consequences of failing to implement a program
  2. benefits enjoyed from implementing a program
4
Q

Business Alignment

A
  • ensures the privacy program fits with the rest of the organization
  • Needs to align with the org's:
    . Mission
    . Goals and objectives
    . Strategy
5
Q

Risk Appetite

A

The level of risk that an org is willing to accept while in pursuit of its mission, strategy, and objectives, and before action is needed to treat the risk

6
Q

Risk Capacity

A

The objective amount of loss that an org can tolerate without its continued existence being called into question

7
Q

Facilitator

A

The CISO is the facilitator for risk discussions that eventually lead to risk treatment decisions

The Data Privacy Officer is the facilitator of privacy discussions

8
Q

Data Governance

A

Management's visibility and control over the use of information in an org

Data Governance Structure
- High-level policy and related standards defining data management practices
- Definition of roles and responsibilities for data management
- Key controls
- Assessment of key controls to ensure that they are effective
- Methods of reporting to management the description of incidents, activities and assessments

9
Q

Policies and Standards

A

Data policies and standards define required behavior of personnel associated with data architecture, data management, and data usage.

Will address topics including:
. Approvals required for the acquisition of new data sources
. Approvals required for new or changed uses of existing data sources
. Safeguards to protect data from unauthorized use and access

10
Q

Roles and responsibilities

A

Roles and responsibilities concerning the management of data include:
. Decisions on access to data and databases
. Reviews of access rights to data and databases
. Decisions and reviews for the use of data and databases
. Ownership of individual controls
. Investigations into misuse of and unauthorized access to data and databases

11
Q

Control objectives and controls

A
  • specify key desired outcomes to ensure that data governance policies will be carried out
  • areas where controls will be developed include:
    . Approval for the acquisition of new data sources
    . Approval for new uses of data
    . Monitoring of data usage
    . Approvals of requests for access to data
    . Reviews of access to data
12
Q

Privacy governance

A
  • is a set of established activities that typically focuses on several fundamental principles and objectives
  • these focus activities are designed to enable management to have a clear understanding of the state of the organization's privacy program, its current and direct activities, and its alignment to the organization's business objectives and practices
  • a goal of the privacy program is enabling the fulfillment of the privacy strategy, which itself will continue to align with the business, business objectives, and developing regulations
  • objective is to provide assurance of the proper protection and use of personal information from a strategic perspective that requires privacy to be aligned with business practices
  • is all about keeping organizations out of trouble with regulators, outraged citizens, and the courts
13
Q

Objectives of a privacy program

A

The protection and proper handling of personal information
- protection part is done by information security
- proper handling part is solely the domain of privacy

14
Q

Strategy objectives

A
  • strategy is a plan to achieve an objective
  • objective is the desired future state of the organization's privacy and security posture and level of risk
  • objectives of a strategy may include:
    . Strategic alignment
    . Effective risk management
    . Value delivery
    . Resource optimization
    . Performance measurement
    . Assurance process integration
15
Q

Threat assessment

A
  • vulnerability assessment: helps the strategist better understand the current privacy and security postures of the organization's processes and infrastructure
  • maturity assessment: provides valuable information about the maturity of the business processes so that the strategist can better understand where the processes are orderly, organized, consistent, measured, examined and periodically improved
  • audits: internal and external audits can tell the strategist quite a bit about the state of the organization's privacy and security program
16
Q

Standards, guidelines, processes and procedures

A
  • standards: describe in detail the methods, techniques, technologies, specifications, brands, and configurations to be used throughout the organization
  • guidelines: typically written for personnel who need assistance on compliance with policies and standards
  • processes and procedures: speak about the level of discipline, consistency, risk tolerance and maturity
17
Q

Critical data

A

Three common types of critical data
- Critical operational data
- Highly sensitive data
- Critical market data

18
Q

Business impact analysis

A

Identifies an organization's business processes, the interdependencies between processes, the resources required for process operations, and the impact on the organization if any business process is impacted for a time for any reason

  • the presence of a BIA provides a strong indication of the organization's maturity through its intention to protect its most critical processes from disaster scenarios
19
Q

Privacy program strategic objectives

A

Fall into one of these categories:
. Improvement in data management processes
. Improvement in protective controls
. Improvement in incident visibility and response
. Reduction in risk, including compliance risk
. Reductions in cost
. Increased resiliency of key business systems

20
Q

Capability maturity model (CMMI)

A

Provides a standardized method for defining practices and improving capabilities of a process
- uses five levels of maturity to describe the formality and performance of a process

21
Q

CMMI
Level 0: Incomplete

A

A process that does not exist in its entirety

22
Q

CMMI
Level 1: Initial

A

A process that is ad hoc, inconsistent, unmeasured, and unrepeatable

23
Q

CMMI
Level 2: Managed

A

A process that is performed consistently and with the same outcome. It may or may not be well-documented

24
Q

CMMI
Level 3: Defined

A

A process that is well-defined and well-documented and the capability is more proactive than reactive

25
Q

CMMI
Level 4: Quantitatively Managed

A

A quantitatively managed process with one or more metrics

26
Q

CMMI
Level 5: Optimizing

A

A measured process that is under continuous improvement

27
Q

Roadmap development

A
  • a plan
  • steps required by an organization to undertake and accomplish a long-term, complex, and strategic objective
  • often thought of as a series of projects to achieve the objective
28
Q

Business case

A

A written statement that describes the initiative and its business benefits.

Should include the following characteristics:
. Alignment with the organization
. Alignment with regulations
. Statements in business terms

Typical elements include:
. Problem statement
. current state
. Desired State
. Success criteria
. Requirements
. Approach
. Plan

29
Q

Roles

A

Description of normal activities that employees are obliged to perform as part of their employment

30
Q

Responsibility

A

Statement of the outcomes that a person is expected to support

31
Q

RACI charts

A

Responsible - Accountable - Consulted - Informed
- denotes key responsibilities in business processes, projects, tasks, and other activities
- assigns level of responsibility to individuals and groups
- helps personnel determine rules for various business activities

- Responsible - the person or group that performs the actual work or tasks
- Accountable - the person who is ultimately answerable for the complete, accurate and timely execution of the work
- Consulted - one or more people or groups who are consulted for their opinions, expertise, or insight
- Informed - one or more people or groups who are informed by those in other roles

32
Q

Board of directors

A
  • usually defined by the constitution, bylaws, or external regulations
  • in many cases has fiduciary duty
  • generally expected to require that the CEO and other executives implement a corporate governance function to ensure that executive management has an appropriate level of visibility and control over the operations of the organization
33
Q

Executive management

A
  • responsible for carrying out the directives issued by the board of directors
  • ensures that the organization has sufficient resources available to implement privacy and security programs and to develop and maintain controls to protect critical assets and personal information
  • should be involved in three key areas
    . Ratification and enforcement of corporate privacy and security policies
    . Leadership by example
    . Ultimate responsibility
34
Q

Privacy and security steering committees

A

May have a variety of responsibilities including:
- risk treatment deliberation and recommendation
- prioritization, discussion, and coordination of IT, privacy and security projects
- review of recent risk assessments
- discussion of new laws, regulations, and requirements
- review of recent privacy and security incidents

35
Q

Business process and Business Systems owners

A

Responsibilities include the following
- access grants
- access revocation
- access reviews
- subject inquiries and requests
- configuration
- function definition
- process definition
- physical location

36
Q

Custodial responsibilities

A
  • acts as a proxy for systems owners and makes access grants and other decisions on their behalf
37
Q

Privacy by Design

A
  • involves proactively inserting privacy as a default capability into the design and operation of IT systems, network infrastructure and business practices
  • explicitly stated in GDPR Article 25 "Data Protection by Design and by Default"
  • this principle should be included in every organization's privacy policy
38
Q

Chief Privacy Officer role

A

Safeguarding personal information and ensuring that the organization does not misuse the personal information at its disposal

39
Q

Chief Information Security Officer role

A

Develops business-aligned security strategies that support present and future business initiatives, and is responsible for the development and operation of the organization's information risk program, the development and implementation of security policies, security incident response, and perhaps some operational security functions

40
Q

Data management role

A

Responsible for developing and implementing database design and for maintaining databases

  • data manager: responsible for data architecture and data management in a large organization
  • data architect: develops logical and physical designs of data models for applications
  • big data architect: develops data models and data analytics for large, complex data sets
  • database administrator: builds and maintains databases designed by the data architects, or databases that are included as part of purchased applications
  • data analyst: performs tasks that are junior to the DBA, carrying out routine data maintenance and monitoring tasks
  • data scientist: applies scientific models, builds processes and implements systems to extract knowledge or insight from data
41
Q

Security operations

A
  • responsible for designing, building and monitoring security systems and security controls to ensure the confidentiality, integrity and availability of information systems
  • security architect: designs security controls and systems
  • security engineer: builds and maintains security services and systems that are designed by the security architect
  • security analyst: examines logs from firewalls and IDS, and audit logs from systems and applications
42
Q

Privacy audit

A

Responsible for examining process designs and for verifying the effectiveness of privacy policies and controls

  • Privacy audit manager: responsible for audit operations and scheduling and managing audits
  • privacy auditor: performs internal audits for privacy controls to ensure that they are being operated properly
43
Q

Security audit

A

Responsible for examining process design and for verifying the effectiveness of security controls

  • security audit manager: responsible for audit operations and scheduling and managing audits
  • security auditor: performs internal audits of IT controls to ensure that they are operating properly