CIPM CH 2 Privacy Program Framework

Question 1

Governance

Answer 1

A process whereby Senior Management exerts strategic control over business functions through policies, objectives, delegation of authority, and monitoring.

. Management’s continuous oversight of an organization’s business processes that is intended to ensure that these processes effectively meet the organization’s business vision and objectives

Question 2

Developing the Privacy program framework

Answer 2

.. A privacy program comprises the structure and organization and all its parts
. These parts are represented by artifacts including
- privacy program Charter
- privacy policy
- privacy standards
- privacy processes
- privacy guidelines
- controls

Question 3

Privacy Charter

Answer 3

. A formal document used in some organizations to Define and describe a major business activity and or Department
. Typically will contain these elements
- program name
- program purpose
- Executive sponsorship
- roles and responsibilities
- policies
- primary business processes
- budget and other resources

Question 4

Internal privacy policy

Answer 4

. Organizations with more mature privacy and Security Programs will have detailed privacy policies that Define expected behaviors of their workers and the required characteristics of their information systems

. At a minimum, privacy and security policies will include General statements about sensitive or personal information that shall be used “for business purposes only” without further detail

Question 5

Internal privacy policy content should include

Answer 5

. Roles and responsibilities for the organization’s privacy program
. Business processes governing the use of personal information
. Language regarding the protection of personal information
. Consequences for violation of privacy policy
. Provisions for the review and audit of privacy business processes
. Description of measurements of privacy business processes
. Citations of applicable regulations and other obligations

Question 6

Roles and responsibilities for an organization’s privacy program

Answer 6

. Those who have data management responsibilities
. Those who approve and review access to personal information
. Those who review and approve new uses of personal data
. Those who receive and process subject data request
. Those who have responsibility for monitoring uses of personal data
. Those who have responsibility for responding to incidents that represent the misuse of personal information
. Those who review privacy business processes
. Those who audit Privacy business processes

Question 7

Privacy standards

Answer 7

Policies Define what is to be done, and standards Define how policies are to be done

. Standards maybe frequently affected by change, because they are closer to the technology and are concerned with the details of the implementation of the policy

. Standards need to be developed carefully so that:
- they properly reflected the intent of one or more corresponding policies
- they can be implemented
- they are unambiguous
- their direction can be automated, where large numbers of systems exist

Question 8

EU General data protection regulation

Answer 8

. Past April 2016, became effective May 2018

. Rights of data subjects
- right to access personal data
- right to recitification
- right to Erasure
- right to restrict processing
- right to be notified
- right to data portability
- right to object
- right to reject automated individual decision-making

Question 9

Data controller and data processor

Answer 9

. Gdpr defines a data controller as an organization that directs the use of personal data

. A data processor is an organization that possesses personal data as directed by a data controller

Question 10

Gdpr main privileges

Answer 10

. Rights of data subjects
. Definition of data controller and data processor
. Data protection and privacy by Design and by default
. cyber security
. breach notification
. data protection impact assessment (DPIA)
. data Protection Officer - DPO
. certification
. cross-border data transfers
. binding corporate rules
. supervisory Authority
. penalties

Question 11

HIPAA 2 rules

Answer 11

. security rule -requires that organization enact several administrative, physical, and Technical safeguards to protect ePHI

. Privacy Rule: requires organizations to protect PHI, mainly in hard copy form

Question 12

Health information technology for economic and clinical Health Act -HITECH

Answer 12

Expands HIPAA security breach notification requirements and expands the disclosures of the use of patients PHI

Question 13

Canada: Personal information protection and economic documents Act - PIPEDA

Answer 13

. Was enacted to provide assurances to European countries and consumers that their personal information present in Canadian company’s Information Systems will be safe and free from abuses

. Also give Canadians the right to know why organizations collect, use, or disclose their personal information, and the assurance at the information will not be used for any other purpose

Question 14

California consumer protection act (CCPA) and California privacy Rights Act (CPRA)

Answer 14

. Give California residents certain rights, including the following:
- knowledge of what personal information is being collected
- notifications of whether such personal information is subsequently transferred or disclosed to another party
- the ability to prohibit an organization from transferring or selling personal information
- the ability to examine the personal information held by an organization, with the right to request that the information be corrected or removed
- freedom from discrimination should individuals choose exercise their privacy rights

Question 15

Standard contractual clauses

Answer 15

International organizations are able to make use of binding corporate rules that Define International transfers and protection of data within an organization.

Question 16

Establishing legal basis for processing
Article 6.1 of the GDPR

Answer 16

.
Organizations must identify specifically, the legal basis under which they are collecting and/or processing personal information.

It must be lawful for the organization to collect and use data subjects personal information and the organization must be able to say specifically how it is lawful

Five possible Avenues of legal basis:
- processing is necessary for the performance of a contract to which the data subject is a party or an order to take steps at the request of the data of subject prior to entering into a contract
- Processing is necessary for compliance with a legal obligation to which the controller is a subject
- processing is necessary in order to protect the vital interests of the data subjects or of another natural person
- process is necessary for the performance of tests carried out in the public interest or an exercise of official authority vested in the controller
- processing is necessary for the purposes of legitimate interest pursued by the controller or by third-party

Question 17

Controls

Answer 17

. Statements that Define required outcomes

. Are often implemented through policies, procedures, mechanisms, systems, and other measures designed to reduce risk

• are used for two primary purposes in an organization
  . To ensure desired outcomes
  . To avoid unwanted outcomes

Question 18

Control objectives

Answer 18

Statement of desired States or outcomes from business operations to mitigate risk

. Are the foundation for one or more controls

. For each control one or more control activities will exist to ensure the realization of the objective

Question 19

Control framework

Answer 19

Industry-standard control Frameworks have been used in thousands of companies and they are regularly updated to reflect changing business practices, emerging threats, and new technologies

• select a control framework based on industry alignment and then Institute a risk management process for developing additional controls based on the results of the risk assessment
• you may find that a specific control area is not applicable. In those cases document both the business and Technical reason why the organization chose not to use the control area

Question 20

Risk assessment

Answer 20

Before a control can be designed, the privacy or security manager needs to have some idea of the nature of risk that the control is intended to address.

-New risk may be identified during the risk assessment that lead to the creation of additional controls

Question 21

Control design

Answer 21

• an early step in control use is its designed
• proper control design will potentially require one or more of the following:
  . New or changed policies
  . New or change business process documents
  . New or change Information Systems
  . New or change business records

Question 22

Data inventory

Answer 22

For your privacy program to be effective, organizations must have a complete and accurate inventory of all personal information it has collected.

• for that inventory to remain current three activities need to be included in a business-as-usual processes
  . Change management processes must require updates to data inventory
  . Business processes that interact with personal information must be documented
  . Periodic reviews of data inventory must be performed to confirm his accuracy
• periodic data inventory reviews should not only catalog existing instances of sensitive personal information, they must also determine in each instance whether the data should exist where it is found
• data management policy must determine whether each instance should exist, and whether the protective controls are adequate

Question 23

Data classification levels

Answer 23

Data classification is a formal and intentional way for an organization to define the level of importance or sensitivity of information

-Typical data classification levels
. Registered
. Restricted
. Confidential
. Public

Question 24

Data handling standards

Answer 24

Data classification policies go further to define acceptable handling procedures for data of various levels of classification and in numerous types of situations

• provide real-world guidance that workers can easily follow and use

. Should clearly State what is expected of personnel when handling sensitive data

. Usually take the form of a matrix with various levels of classification in columns and different data handling instructions as rules

Question 25

Data loss prevention automation

Answer 25

Static DLP scan static data stores to identify files containing data matching specific patterns

. A careful analysis of the results of the initial DLP Scan should be undertaken to determine the following:
- age of files containing PII found in file stores
- the extent to which files containing PII are still being deposited in all stores
- the access rights of files containing PII
- which users actively access the files
- whether the current use is following sanctioned policies, procedures, and practices

Question 26

. Data tagging

Answer 26

A process where files can be marked in some way

. Tagging can take on several forms including:
- metadata tagging: Files can be updated to include special coded tags that will be recognized by DLP tooling
- watermarking: visible invisible watermarks can be added to the files
- marking: a human-readable word or phrase can be added to the header, or other location in a data file

Question 27

Dynamic DLP

Answer 27

.Represent a variety of Technologies used to detect and even intervene in the transfer of PII or other sensitive information

. These tools can be configured to identify the specific sensitivity of data files in motion by reading the content to determine whether they contain PII or other system information, or they can be configured to look for previously applied tags

. Can be used as a detective control, a preventative control, or both

. Organizations should develop a Playbook of response procedures when in users encounter a DLP system blocking their intended action

Question 28

Data use governance

Answer 28

Organizations need to include governance structures to provide visibility and control on the topic of data usage
.
- such a structure would include the following:
. Internal policies stating permitted use of personal information
. Establishment of controls to ensure these outcomes
. Monitoring of these controls to verify the effectiveness
. Corrective actions to remedy all deviations
. Matrix that ensure all of the foregoing

Question 29

Data minimization

Answer 29

The practice of collecting and retaining only those specified data elements necessary to perform agreed-upon functions

• Dimensions include:
  . Collect only required data items
  . Collect only required records
  . Retain only as long as needed
  . Psuedonymize or anonymize as soon as possible
  . Reduce accessibility

Question 30

Psuedonymization

Answer 30

. Is the substitution of data and sensitive data fields with alternate data to de-identify data records with specific persons

.Processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without use of additional information, provided this that additional information is kept separately and is subject to Technical and organization measures to ensure the personal data are not attributed to an identified or identifiable natural person

. Substitution techniques permit software to function correctly while substitution and eliminates the association of the record from the actual person

Example: Perter Gregory becomes Quem Rebnurvo

Question 31

Anonymization

Answer 31

Is the process of irreversibly altering or removing sensitive data from records so that an individual can no longer be identified directly or indirectly

. Process by which personal data is irreversibly altered in such a way that a data subject can no longer be identified directly or indirectly, either by the data controller alone or in collaborations with any other party

Example: Peter Gregory becomes (blank)

Question 32

Data and usage diagrams

Answer 32

An essential aspect of data inventory is the knowledge of two additional data characteristics

.Data flow
.Data usage

Understanding data flow requires a deeper study of the information systems where data resides to understand how data arrives in the system and where data is sent from the system

Question 33

Data aggregation

Answer 33

. the practice of combining databases to enrich available data

. Data sprawl: to receive additional data fields that are not needed but are retained, resulting in the organization having more details about its customers and Prospects than it really wants or needs

Question 34

Implement the Privacy program framework

Answer 34

. Opening move is the creation of the Privacy program Charter (or internal privacy policy - whichever defines the Privacy program with objectives, roles and responsibilities, and so on) that has been completed and ratified by executives.

Question 35

Privacy operation

Answer 35

..A privacy operation consists of the activities that ensure that the collection and use of personal information comply with privacy policies and applicable regulations

. The Privacy office functions as a catalyst to ensure that the intake, processing, and disposal of personal information throughout the organization is done properly - according to the organization’s privacy policy, which should align with applicable Privacy Law as well as other contractual and legal obligations

Question 36

Identifying privacy requirements

Answer 36

before the privacy officer can begin enforcing privacy related activities in the organization, it must first identify and document requirements that define the specifics regarding the collection, protection, and use of personal information

Question 37

Collecting consent

Answer 37

. Consent is a distinct action taken by a data subject to Grant an organization permission to collect and or process his or her personal information

. It is obligatory for organizations to record the specific date, time, stipulation, and circumstances in which that consent was collected. It is important for organizations to be quite specific with regard to this collection

. ways in which consent is given and obtained include the following:
- at the time of data collection
- prior to data collection
- obtained through a third party

Question 38

Privacy program metrics

Answer 38

. Metrics are a means to which management can measure key processes and determine whether their strategies are working.

. Privacy metrics are often used to observe technical privacy controls and processes to determine whether they are operating correctly

. This helps management better understand the impact of past decisions and help Drive future decisions

Examples:
- number of personal information records received
- number of personal information records accessed
- number of privacy impact assessments performed, and their results

Privacy metrics are sometimes categorized as follows:
- key risk indicators
- key goal indicators
- key performance indicators

.Effective metrics should be measurable. A common way is to use the SMART method
. Specific
. Measurable
. Attainable
. Relevant
. Timely

Question 39

Risk management metrics

Answer 39

. The best indicator of a successful Risk Management program would be improving Trends in metrics involving the following:

• number of privacy impact assessments performed and their results
• reduction in the number of privacy security incidents
• reduction in the impact of privacy and security incidents
• reduction in time to remediate vulnerabilities
• reduction in the number of new unmitigated risk

Question 40

Data subject engagement metrics

Answer 40

. Metrics concerning the various forms of data subject engagement help the organization understand the extent to which personal information is being collected, as well as communication of the various sorts from data subjects

. Some of the metrics that may be reported include:
- number of data collections
- number of opt-in and opt-out
- number of data service request, Broken Out by inquiries, request for collection, and requests for deletion
- amount of time spent processing data request

Question 41

Data governance metrics

Answer 41

. Enable company management to understand whether the measurement of data, including personal information is processed as expected

. Examples of data governance metrics include
- data retention activities, including purges and exceptions found
- data usage activities, including approval for New Uses and policy violations
- changes in activities regarding data sent to and received from other organizations
- coverage of automated tools, and where the blind spots May be
- changes in data inventory
- changes in the number and types of data collection and data input and output points

Question 42

Web tracking

Answer 42

. Refers to General practices associated with measuring and observing users who visit websites

. Website operators track individual users’ sessions on their sites for three primary reasons:
- session Integrity: the nature and design of Internet protocols and multi-user applications require they each user session be uniquely identified
- usage statistics
- advertising tracking

Question 43

Tracking in the workplace

Answer 43

. Organizations undertaking such tracking and recording often include notices on these devices and in company policy, stating that such measures are taken in the name of data protection, and that any personal use of these devices, or networks, is subject to these practices, resulting in ‘no expectation of privacy “