CIPM - CH 1 Privacy Program Flashcards
Privacy
Two components
- Proper collection, handling, management and use of personal information
- implemented in the form of data governance
- Protection of personal information
- implemented in the form of cybersecurity
Privacy Objectives
- Avoidance of regulatory problems
- Enhancement of customer experience
Business case for implementing a privacy program
2 points
- consequences of failing to implement a program
- benefits enjoyed from implementing a program
Business Alignment
- ensures the privacy program fits with the rest of the organization
- Needs to align with the org's
. Mission
. Goals and objectives
. Strategy
Risk Appetite
The level of risk that an org is willing to accept while in pursuit of its mission, strategy, and objectives, and before action is needed to treat the risk
Risk Capacity
The objective amount of loss that an org can tolerate without its continued existence being called into question
Facilitator
The CISO is the facilitator for risk discussions that eventually lead to risk treatment decisions
The Data Privacy Officer is the facilitator of privacy discussions
Data Governance
Management's visibility and control over the use of information in an org
Data Governance Structure
- High-level policy and related standards defining data management practices
- Defining roles and responsibilities for data management.
- Key controls
- Assessment of key controls to ensure that they are effective.
- Methods of reporting to management the description of incidents, activities and assessments.
Policies and Standards
Data policies and standards define required behavior of personnel associated with data architecture, data management, and data usage.
Will address topics including:
. Approvals required for the acquisition of new data sources.
. Approvals required for new or changed uses of existing data sources.
. Safeguards to protect data from unauthorized use and access.
Roles and responsibilities
Roles and responsibilities concerning the management of data include:
. Decisions on access to data and databases
. Review of access rights to data and databases
. Decisions and reviews on the use of data and databases
. Ownership of individual controls
. Investigations into misuse and unauthorized access to data and databases
Control objectives and controls
- specify key desired outcomes to ensure that data governance policies will be carried out
- areas where controls will be developed include:
. Approval for the acquisition of new data sources
. Approval for new uses of data
. Monitoring of data usage
. Approvals for requests for access to data
. Reviews of access to data
Privacy governance
- is a set of established activities that typically focuses on several fundamental principles and objectives
- these focus activities are designed to give management a clear understanding of the state of the organization's privacy program: its current state, its direct activities, and its alignment with the organization's business objectives and practices
- a goal of the privacy program is enabling the fulfillment of the privacy strategy, which itself will continue to align with the business, business objectives, and developing regulations
- the objective is to provide assurance of the proper protection and use of personal information from a strategic perspective, which requires privacy to be aligned with business practices
- is all about keeping organizations out of trouble with regulators, outraged citizens, and the courts
Objectives of a privacy program
The protection and proper handling of personal information
- protection part is done by information security
- proper handling part is solely the domain of privacy
Strategy objectives
- strategy is a plan to achieve an objective
- objective is the desired future state of the organization's privacy and security posture and level of risk
- objectives of a strategy may include:
. Strategic alignment
. Effective risk management
. Value delivery
. Resource optimization
. Performance measurement
. Assurance process integration
Threat assessment
- vulnerability assessment: helps the strategist better understand the current privacy and security postures of the organization's processes and infrastructure
- maturity assessment: provides valuable information about the maturity of the business processes so that the strategist can better understand where the processes are orderly, organized, consistent, measured, examined, and periodically improved
- audits: internal and external audits can tell the strategist quite a bit about the state of the organization's privacy and security program
Standards, guidelines, processes and procedures
- standards: describe in detail the methods, techniques, technologies, specifications, brands, and configurations to be used throughout the organization
- guidelines: typically written for personnel who need assistance with compliance with policies and standards
- processes and procedures: speak about the level of discipline, consistency, risk tolerance and maturity
Critical data
Three common types of critical data
- Critical operational data
- Highly sensitive data
- Critical market data