CIPM - CH 1 Privacy Program Flashcards
Privacy
Two components
- Proper collection, handling, management and use of personal information
. implemented in the form of data governance
- Protection of personal information
. implemented in the form of cybersecurity
Privacy Objectives
- Avoidance of regulatory problems
- Enhancement of customer experience
Business case for implementing a privacy program
2 points
- consequences of failing to implement a program
- benefits enjoyed from implementing a program
Business Alignment
- ensures the privacy program fits with the rest of the organization
- Needs to align with the org's
. Mission
. Goals and objectives
. Strategy
Risk Appetite
The level of risk that an org is willing to accept while in pursuit of its mission, strategy, and objectives, and before action is needed to treat the risk
Risk Capacity
The objective amount of loss that an org can tolerate without its continued existence being called into question
Facilitator
The CISO is the facilitator for risk discussions that eventually lead to risk treatment decisions
The Data Privacy Officer is the facilitator of privacy discussions
Data Governance
Management's visibility and control over the use of information in an org
Data Governance Structure
- High-level policy and related standards defining data management practices
- Defining roles and responsibilities for data management.
- Key controls
- Assessment of key controls to ensure that they are effective.
- Methods of reporting to management on incidents, activities and assessments.
Policies and Standards
Data policies and standards define required behavior of personnel associated with data architecture, data management, and data usage.
Will address topics including:
. Approvals required for the acquisition of new data sources.
. Approvals required for new or changed uses of existing data sources.
. Safeguards to protect data from unauthorized use and access.
Roles and responsibilities
Roles and responsibilities concerning the management of data include
. Decisions on access to data and databases
. Reviews of access rights to data and databases
. Decisions and reviews on the use of data and databases
. Ownership of individual controls
. Investigations into misuse and unauthorized access to data and databases
Control objectives and controls
- specify key desired outcomes to ensure that data governance policies will be carried out
- areas where controls will be developed include:
. Approval for the acquisition of new data sources
. Approval for new uses of data
. Monitoring of data usage
. Approval of requests for access to data
. Reviews of access to data
Privacy governance
- is a set of established activities that typically focuses on several fundamental principles and objectives
- these focus activities are designed to give management a clear understanding of the state of the organization's privacy program: its current state, its activities, and its alignment with the organization's business objectives and practices
- a goal of the privacy program is enabling the fulfillment of the privacy strategy, which itself must continue to align with the business, its objectives, and developing regulations
- the objective is to provide assurance of the proper protection and use of personal information from a strategic perspective, which requires privacy to be aligned with business practices
- is all about keeping organizations out of trouble with regulators, outraged citizens, and the courts
Objectives of a privacy program
The protection and proper handling of personal information
- protection part is done by information security
- proper handling part is solely the domain of privacy
Strategy objectives
- strategy is a plan to achieve an objective
- an objective is the desired future state of the organization's privacy and security posture and level of risk
- objectives of a strategy may include:
. Strategic alignment
. Effective risk management
. Value delivery
. Resource optimization
. Performance measurement
. Assurance process integration
Threat assessment
- vulnerability assessment: helps the strategist better understand the current privacy and security posture of the organization's processes and infrastructure
- maturity assessment: provides valuable information about the maturity of business processes, so that the strategist can better understand where the processes are orderly, organized, consistent, measured, examined and periodically improved
- audits: internal and external audits can tell the strategist quite a bit about the state of the organization's privacy and security program
Standards, guidelines, processes and procedures
- standards: describe in detail the methods, techniques, technologies, specifications, brands, and configurations to be used throughout the organization
- guidelines: typically written for personnel who need assistance with compliance with policies and standards
- processes and procedures: reflect the organization's level of discipline, consistency, risk tolerance and maturity
Critical data
Three common types of critical data
- Critical operational data
- highly sensitive data
- critical Market data
Business impact analysis
Identifies an organization's business processes, the interdependencies between processes, the resources required for process operations, and the impact on the organization if any business process is interrupted for a period of time for any reason
- the presence of a BIA is a strong indication of the organization's maturity, through its intention to protect its most critical processes from disaster scenarios
Privacy program strategic objectives
Fall into one of these Categories
. Improvement in data management processes
. Improvement in protective controls
. Improvement in incident visibility and response
. Reduction in Risk, including compliance risk
. Reductions in cost
. Increase resiliency of key Business Systems
Capability Maturity Model Integration (CMMI)
Provides a standardized method for defining practices and improving the capabilities of a process
- uses levels of maturity (0 through 5) to describe the formality and performance of a process
Cmmi
Level 0: Incomplete
A process that does not exist in entirety
Cmmi
Level 1: Initial
A process that is ad hoc, inconsistent, unmeasured, and unrepeatable
Cmmi
Level 2: Managed
A process that is performed consistently and with the same outcome. It may or may not be well-documented
Cmmi
Level 3: Defined
A process that is well-defined and well-documented and the capability is more proactive than reactive
Cmmi
Level 4: Quantitatively Managed
A process that is quantitatively managed with one or more metrics
Cmmi
Level 5: Optimizing
A measured process that is under continuous improvement
Roadmap development
- a plan
- the steps an organization must undertake to accomplish a long-term, complex, and strategic objective
- often thought of as a series of projects to achieve the objective
Business case
A written statement that describes the initiative and its business benefits.
Should include the following characteristics
.Alignment with the organization
. Aligned with regulations
. Stated in business terms
Typical elements include:
. Problem statement
. current state
. Desired State
. Success criteria
. Requirements
. Approach
. Plan
Roles
Description of normal activities that employees are obliged to perform as part of their employment
Responsibility
Statement of the outcomes that a person is expected to support
RACI charts
Responsible - Accountable - Consulted -Informed
- denotes key responsibilities in business processes, projects, tasks, and other activities
- assigns a level of responsibility to individuals and groups
- helps personnel determine their roles in various business activities
- Responsible - the person or group that performs the actual work or tasks
- Accountable - the person who is ultimately answerable for the complete, accurate and timely execution of the work
- Consulted - one or more people or groups who are consulted for their opinions, expertise, or insight
- Informed - one or more people or groups who are kept informed by those in other roles
Board of directors
- usually defined by the constitution, bylaws, or external regulations
- in many cases has a fiduciary duty
- generally expected to require that the CEO and other executives implement a corporate governance function to ensure that executive management has an appropriate level of visibility and control over the operations of the organization
Executive management
- responsible for carrying out the directives issued by the board of directors
- ensures that the organization has sufficient resources available to implement privacy and security programs and to develop and maintain controls to protect critical assets and personal information
- should be involved in three key areas
. Ratification and enforcement of corporate privacy and security policies
. Leadership by example
. Ultimate responsibility
Privacy and security steering committees
May have a variety of responsibilities including:
- risk treatment deliberation and recommendation
- prioritization, discussion, and coordination of IT, privacy and security projects
- review of recent risk assessments
- discussion of new laws, regulations, and requirements
- review of recent privacy and security incidents
Business process and Business Systems owners
Responsibilities include the following
- Grant access
- access revocation
- access reviews
- subject inquiries and requests
- configuration
- function definition
- process definition
- physical location
Custodial responsibilities
- acts as a proxy for system owners and makes access grants and other decisions on their behalf
Privacy by Design
- involves proactively inserting privacy as a default capability into the design and operation of IT systems, network infrastructure and business practices
- explicitly stated in GDPR Article 25, "Data protection by design and by default"
- the principle should be included in every organization's privacy policy
Chief privacy officer role
Safeguards personal information and ensures that the organization does not misuse the personal information at its disposal
Chief Information Security Officer role
Develops business-aligned security strategies that support present and future business initiatives; responsible for the development and operation of the organization's information risk program, the development and implementation of security policies, security incident response, and perhaps some operational security functions
Data management role
Responsible for developing and implementing database design and for maintaining databases
- data manager: responsible for data architecture and data management in a large organization
- data architect: develops logical and physical designs of data models for applications
- Big Data architect: develops data models and data analytics for large complex data sets
- database administrator: builds and maintains databases designed by the data architects, or databases included as part of purchased applications
- data analyst: performs tasks that are junior to the DBA's, carrying out routine data maintenance and monitoring tasks
- data scientist: applies scientific models, builds processes and implements systems to extract knowledge or Insight from data
Security operations
- responsible for designing, building and monitoring security systems and security controls to ensure the confidentiality, integrity and availability of information systems
- security architect: designs security controls and systems
- security engineer: builds and maintains the security services and systems designed by the security architect
- security analyst: examines logs from firewalls and IDS, and audit logs from systems and applications
Privacy audit
Responsible for examining process designs and for verifying the effectiveness of privacy policies and controls
- Privacy audit manager: responsible for audit operations and scheduling and managing audits
- privacy auditor: performs internal audits for privacy controls to ensure that they are being operated properly
Security audit
Responsible for examining process design and for verifying the effectiveness of security controls
- security audit manager: responsible for audit operations and scheduling and managing audits
- security auditor: performs internal audits of IT controls to ensure that they are operating properly