CIPM - CH 1 Privacy Program

Question 1

Privacy
Two components

Answer 1

1. Proper collection,handling, management and use of personal information
   - implemented in the form of data governance
2. Protection of personal information
   - implemented in the form of cybersecurity

Question 2

Privacy Objectives

Answer 2

• Avoidance of regulatory problems
• Enhancement of customer experience

Question 3

Business case for implementing a privacy program
2 points

Answer 3

1. consequences of failing to implement a program
2. benefits enjoyed from implementing a program

Question 4

Business Alignment

Answer 4

• ensures the privacy program fits with the rest of the organization
• Needs to align with the orgs
  . Mission
  . Goals and objectives
  . Strategy

Question 5

Risk Appetite

Answer 5

The level of risk that an org is willing to accept while in pursuit of its mission, strategy, and objectives, and before actions is needed to treat the risk

Question 6

Risk Capacity

Answer 6

The objective amount of loss that an org can tolerate without its continued existence being called into question

Question 7

Facilitator

Answer 7

The CISO is the facilitator for risk dicussions that eventually lead to risk treatment decisions

Date Privacy Officer is the facilitor of privacy discussions

Question 8

Data Governance

Answer 8

Managements visibility and control over the use of information in a org

Data Governance Structure
- High-level policy and related standards defining data management practices
- Defining roles and responsibilities for data management.
- Key controls
- Assessment of key controls to ensure that they are effective.
- Methods of reporting to management the description of incident, activities and assessments.

Question 9

Policies and Standards

Answer 9

Data policies and standards define required behavior of personnel associated with data architecture, data management, and data usage.

Will address topics including;
. Approvals required for the acquisition of new data sources.
. Approvals required for new or changed uses of existing data sources.
. Safeguards to protect data from authorized use and access.

Question 10

Roles and responsibilities

Answer 10

Roles and responsibilities concerning the management of data include
. Decision for access to data and databases
. review of access rights to data and databases
. Decisions and reviews for the use of data and databases
. Ownership of individual controls
. Investigations into misuse and unauthorized access to data and databases

Question 11

Control objectives and controls

Answer 11

• specify key desired outcomes to ensure that data governance policies will be carried out
• areas where controls will be developed include:
  . Approval for the acquisition of new data sources
  . approval for New Uses of data
  . Monitoring of data usage
  . approvals for request of Access Data
  . reviews of access to data

Question 12

Privacy governance

Answer 12

• is a set of established activities that typically focuses on several fundamental principles and objectives
• these Focus activities are designed to enable management to have a clear understanding of the state of the organization of privacy programs, it’s currently, it’s direct activities, and it’s alignment to the organization’s business objectives and practices
• a goal of the Privacy program is enabling the Fulfillment of the privacy strategy, which itself will continue to align with the business, business objectives, and developing regulations
• objective is to provide Assurance of the proper protection and use of personal information from a strategic perspective that required privacy aligned with business practices
• is all about keeping organizations out of trouble with Regulators, outraged citizens, and the courts

Question 13

Objectives of a privacy program

Answer 13

The protection and proper handling of personal information
- protection part is done by information security
- proper handling part is solely the domain of privacy

Question 14

Strategy objectives

Answer 14

• strategy is a plan to achieve an objective
• objective is the desired future state of the organization is privacy and security posture and level of risk
• objectives of a strategy may include:
  . Strategic alignment
  . Effective risk management
  . Value delivery
  . Resource optimization
  . Performance measurement
  . Assurance process integration

Question 15

Threat assessment

Answer 15

• vulnerability assessment: help the strategist better understand the current privacy and security postures of the organization’s processes and infrastructure
• maturity assessment: provides valuable information about the maturity of the business processes so that the strategist can better understand where the processes are orderly organized consistent measured examine and periodically improved
• audits: internal and external audiences can the strategist quite a bit about the state of the organization’s privacy and security program

Question 16

Standards, guidelines, processes and procedures

Answer 16

• standards: describe in detail the methods, techniques, Technologies, specifications, Brands, and configurations to be used throughout the organization
• guidelines : typical written for personnel who need assistance on compliance with policies and standards
• processes and procedures: speak about the level of discipline, consistency, risk tolerance and maturity

Question 17

Critical data

Answer 17

Three common types of critical data
- Critical operational data
- highly sensitive data
- critical Market data

Question 18

Business impact analysis

Answer 18

Identifies an organization business processes, the interdependencies between processes, the resources required for process operations, and the impact on the organization if any business process has impacted for a time for any reason

• the presence of a BIA provides a strong indication of the organization maturity through its intention to protect its most critical processes from disaster of scenarios

Question 19

Privacy program strategic objectives

Answer 19

Fall into one of these Categories
. Improvement in data management processes
. Improvement in protective controls
. Improvement in incident visibility and response
. Reduction in Risk, including compliance risk
. Reductions in cost
. Increase resiliency of key Business Systems

Question 20

Capability maturity model (CMMI)

Answer 20

Provides a standardized method for defining practices and improving capabilities of a process
- uses five levels of maturity to describe the formality and performance of a process

Question 21

Cmmi
Level 0: Incomplete

Answer 21

A process that does not exist in entirety

Question 22

Cmmi
Local one: Initial

Answer 22

A process that is ad hoc, inconsistent, unmeasured, and unrepeatable

Question 23

Cmmi
Level 2: Managed

Answer 23

A process that is performed consistently and with the same outcome. It may or may not be well-documented

Question 24

Cmmi
Level 3: Defined

Answer 24

A process that is well-defined and well-documented and the capability is more proactive than reactive

Question 25

Cmmi
Level 4: Quantitatively Managed

Answer 25

Quantitatively manage process with one or more metrics.

Question 26

Cmmi
Level 5: Optimizing

Answer 26

A measured processes is under continuous Improvement

Question 27

Roadmap development

Answer 27

• a plan
• steps required by an organization to undertake and accomplish a long-term complex, and strategic objective
• often thought of as a series of projects to achieve the objective

Question 28

Business case

Answer 28

A written statement that describes the initiative and describes his business benefits.

Should include the following characteristics
.Alignment with the organization
. Aligned with regulations
. Statements in business terms

Typical elements include:
. Problem statement
. current state
. Desired State
. Success criteria
. Requirements
. Approach
. Plan

Question 29

Roles

Answer 29

Description of normal activities that employees are obliged to perform as part of their employment

Question 30

Responsibility

Answer 30

Statement of the outcomes that a person is expected to support

Question 31

RACI charts

Answer 31

Responsible - Accountable - Consulted -Informed
- denotes key responsibilities and business processes, projects, tasks, and other activities
- assigns level of responsibility to individuals and groups
- helps personnel determine rules for various business activities

-Responsible - the person or group that performs the actual work or tasks
-Accountable - person who is ultimately answerable for the complete, accurate and timely execution of the work
- Consulted - one or more people or group who are consulted for their opinions expertise, or insight
-Informed- one or more people or group who are informed by those in other roles

Question 32

Board of directors

Answer 32

• usually defined by the Constitution, bylaws, or external regulations
• in many cases have fiduciary duty
• generally expected to require that the CEO and other Executives Implement a corporate governance function to ensure that executive management has an appropriate level of visibility and control over the operations of the organization

Question 33

Executive management

Answer 33

• responsible for carrying out the directives issued by the board of directors
• ensures that the organization has sufficient resources available to implement privacy and Security Programs and to develop and maintain controls to protect critical access and personal information
• should be involved in three key areas
  . Ratification and enforcement of corporate privacy and security policies
  . Leadership by example
  . Ultimate responsibility

Question 34

Privacy and security steering committees

Answer 34

May have a variety of responsibilities including:
- risk treatment deliberation and recommendation
- prioritization, discussion, and coordination of it, privacy and security projects
- review of recent risk assessments
- discussion of new laws, regulations, and requirements
- review of recent privacy and security incidents

Question 35

Business process and Business Systems owners

Answer 35

Responsibilities include the following
- Grant access
- access revocation
- access reviews
- subject inquiries and requests
- configuration
- function definition
- process definition
- physical location

Question 36

Custodial responsibilities

Answer 36

• acts a proxy for systems owners and makes access grants and other decisions on their behalf

Question 37

Privacy by Design

Answer 37

• involves proactively inserting privacy as a default capability into the design and operation of it systems, Network infrastructure and business practices
• explicitly stated in GDPR Article 25 “Data Protection by Design and By Default”
• principal should be included in every organizations privacy policy

Question 38

Chief privacy officer is role

Answer 38

Safeguarding personal information and ensure that the organization is not misuse the person information at its disposal

Question 39

Chief Information Security Officer role

Answer 39

Develop business Alliance Security strategies that support present and future business initiatives and will be responsible for the development and operation of the organization’s information risk program, and the development and implementation of security policies, security incident response, and perhaps some operational security function

Question 40

Data management role

Answer 40

Responsible for developing and implementing database design and for maintaining databases

• data manager: responsible for data architecture and data management in a large organization
• data architect: develops logical and physical designs of data models for applications
• Big Data architect: develops data models and data analytics for large complex data sets
• database administrator: builds and maintains databases designed by the database Architects or those databases are included as part of the purchase applications
• data analyst: performs texts that are junior to the DBA carrying out routine data maintenance and monitoring task
• data scientist: applies scientific models, builds processes and implements systems to extract knowledge or Insight from data

Question 41

Security operations

Answer 41

• responsible for Designing, building and monitoring security systems and security controls to ensure the confidentiality integrity and availability of Information Systems
• security architect: Design security controls and systems
• security engineer: designs builds and maintains security services and systems that are designed by the security architect
• security analyst: exam has logs from firewalls ids and audit logs from systems and applications

Question 42

Privacy audit

Answer 42

Responsible for examining processes designs and for verifying the effectiveness of privacy policies and controls

• Privacy audit manager: responsible for audit operations and scheduling and managing audits
• privacy auditor: performs internal audits for privacy controls to ensure that they are being operated properly

Question 43

Security audit

Answer 43

Responsible for examining process design and for verifying the effectiveness of security controls

• security audit manager: responsible for audit operations and scheduling and managing audits
• security auditor performs internal audits of it controls to ensure that they are operating properly