CIPM CH 2 Privacy Program Framework Flashcards

1
Q

Governance

A

. A process whereby senior management exerts strategic control over business functions through policies, objectives, delegation of authority, and monitoring

. Management’s continuous oversight of an organization’s business processes, intended to ensure that those processes effectively meet the organization’s business vision and objectives

2
Q

Developing the Privacy program framework

A

. A privacy program framework comprises the structure and organization of the program and all of its parts
. These parts are represented by artifacts including:
- privacy program charter
- privacy policy
- privacy standards
- privacy processes
- privacy guidelines
- controls

3
Q

Privacy Charter

A

. A formal document used in some organizations to define and describe a major business activity and/or department
. Typically contains these elements:
- program name
- program purpose
- executive sponsorship
- roles and responsibilities
- policies
- primary business processes
- budget and other resources

4
Q

Internal privacy policy

A

. Organizations with more mature privacy and security programs have detailed privacy policies that define the expected behaviors of their workers and the required characteristics of their information systems

. At a minimum, privacy and security policies include general statements that sensitive or personal information shall be used “for business purposes only”, without further detail

5
Q

Internal privacy policy content should include

A

. Roles and responsibilities for the organization’s privacy program
. Business processes governing the use of personal information
. Language regarding the protection of personal information
. Consequences for violation of privacy policy
. Provisions for the review and audit of privacy business processes
. Description of measurements of privacy business processes
. Citations of applicable regulations and other obligations

6
Q

Roles and responsibilities for an organization’s privacy program

A

. Those who have data management responsibilities
. Those who approve and review access to personal information
. Those who review and approve new uses of personal data
. Those who receive and process data subject requests
. Those who have responsibility for monitoring uses of personal data
. Those who have responsibility for responding to incidents that represent the misuse of personal information
. Those who review privacy business processes
. Those who audit Privacy business processes

7
Q

Privacy standards

A

. Policies define what is to be done; standards define how it is to be done

. Standards may change more frequently than policies, because they are closer to the technology and are concerned with the details of implementing the policy

. Standards need to be developed carefully so that:
- they properly reflect the intent of one or more corresponding policies
- they can be implemented
- they are unambiguous
- their direction can be automated where large numbers of systems exist

8
Q

EU General Data Protection Regulation (GDPR)

A

. Passed in April 2016, became effective May 2018

. Rights of data subjects:
- right to be informed
- right of access to personal data
- right to rectification
- right to erasure
- right to restrict processing
- right to data portability
- right to object
- right not to be subject to automated individual decision-making

9
Q

Data controller and data processor

A

. GDPR defines a data controller as the organization that determines the purposes and means of the processing of personal data (it directs how the data is used)

. A data processor is an organization that processes personal data on behalf of, and as directed by, a data controller

10
Q

GDPR main provisions

A

. Rights of data subjects
. Definition of data controller and data processor
. Data protection and privacy by design and by default
. Security of processing
. Breach notification
. Data protection impact assessment (DPIA)
. Data protection officer (DPO)
. Certification
. Cross-border data transfers
. Binding corporate rules
. Supervisory authority
. Penalties

11
Q

HIPAA 2 rules

A

. Security Rule: requires covered entities and business associates to implement administrative, physical, and technical safeguards to protect electronic PHI (ePHI)

. Privacy Rule: governs the permitted uses and disclosures of PHI in any form (paper, oral, and electronic) and gives patients rights over their health information

12
Q

Health Information Technology for Economic and Clinical Health Act (HITECH)

A

Expands HIPAA’s breach notification requirements and the rules governing the use and disclosure of patients’ PHI

13
Q

Canada: Personal Information Protection and Electronic Documents Act (PIPEDA)

A

. Was enacted to assure European countries and consumers that their personal information held in Canadian companies’ information systems will be safe and free from abuse

. Also gives Canadians the right to know why organizations collect, use, or disclose their personal information, and the assurance that the information will not be used for any other purpose

14
Q

California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA)

A

. Give California residents certain rights, including the following:
- knowledge of what personal information is being collected
- notification of whether such personal information is subsequently transferred or disclosed to another party
- the ability to prohibit an organization from transferring or selling their personal information
- the ability to examine the personal information held by an organization, with the right to request that the information be corrected or deleted
- freedom from discrimination should they choose to exercise their privacy rights

15
Q

Standard contractual clauses (SCCs) and binding corporate rules (BCRs)

A

. Standard contractual clauses are model contract terms approved by the European Commission; an organization exporting personal data outside the EU/EEA and the recipient sign them to legitimize the international transfer and bind the recipient to GDPR-level protection

. By contrast, multinational organizations can adopt binding corporate rules, approved by a supervisory authority, that define international transfers and the protection of personal data within the corporate group

16
Q

Establishing a legal basis for processing
Article 6(1) of the GDPR

A

. Organizations must specifically identify the legal basis under which they are collecting and/or processing personal information

. It must be lawful for the organization to collect and use data subjects’ personal information, and the organization must be able to say specifically how it is lawful

. Article 6(1) lists six lawful bases. The data subject’s consent is one; the other five are:
- processing is necessary for the performance of a contract to which the data subject is a party, or in order to take steps at the request of the data subject prior to entering into a contract
- processing is necessary for compliance with a legal obligation to which the controller is subject
- processing is necessary in order to protect the vital interests of the data subject or of another natural person
- processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
- processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party

17
Q

Controls

A

. Statements that define required outcomes

. Often implemented through policies, procedures, mechanisms, systems, and other measures designed to reduce risk

. Used for two primary purposes in an organization:
- to ensure desired outcomes
- to avoid unwanted outcomes
18
Q

Control objectives

A

. Statements of desired states or outcomes from business operations that mitigate risk

. Are the foundation for one or more controls

. For each control, one or more control activities will exist to ensure the realization of the objective

19
Q

Control framework

A

. Industry-standard control frameworks have been used in thousands of companies and are regularly updated to reflect changing business practices, emerging threats, and new technologies

. Select a control framework based on industry alignment, then institute a risk management process for developing additional controls based on the results of the risk assessment

. You may find that a specific control area is not applicable. In those cases, document both the business and the technical reasons why the organization chose not to use that control area
20
Q

Risk assessment

A

. Before a control can be designed, the privacy or security manager needs some idea of the nature of the risk that the control is intended to address

. New risks may be identified during the risk assessment that lead to the creation of additional controls

21
Q

Control design

A
. An early step in control use is its design

. Proper control design will potentially require one or more of the following:
- new or changed policies
- new or changed business process documents
- new or changed information systems
- new or changed business records
22
Q

Data inventory

A

. For a privacy program to be effective, the organization must have a complete and accurate inventory of all personal information it has collected

. For that inventory to remain current, three activities need to be included in business-as-usual processes:
- change management processes must require updates to the data inventory
- business processes that interact with personal information must be documented
- periodic reviews of the data inventory must be performed to confirm its accuracy

. Periodic data inventory reviews should not only catalog existing instances of sensitive personal information; they must also determine, for each instance, whether the data should exist where it is found

. Data management policy must determine whether each instance should exist and whether its protective controls are adequate
23
Q

Data classification levels

A

Data classification is a formal and intentional way for an organization to define the level of importance or sensitivity of information

-Typical data classification levels
. Registered
. Restricted
. Confidential
. Public

24
Q

Data handling standards

A

. Data classification policies go further, defining acceptable handling procedures for data at each level of classification in numerous types of situations

. Provide real-world guidance that workers can easily follow and use

. Should clearly state what is expected of personnel when handling sensitive data

. Usually take the form of a matrix with the classification levels as columns and the different data handling instructions (storage, transmission, sharing, disposal, and so on) as rows

25
Q

Data loss prevention automation

A

. Static DLP scans data at rest in file stores to identify files whose contents match specific patterns (for example, national ID numbers, payment card numbers, or e-mail addresses)

. A careful analysis of the results of the initial DLP scan should be undertaken to determine the following:
- the age of files containing PII found in file stores
- the extent to which files containing PII are still being deposited in those stores
- the access rights on files containing PII
- which users actively access the files
- whether the current use follows sanctioned policies, procedures, and practices

26
Q

Data tagging

A

. A process whereby files are marked in some way so that their sensitivity can be recognized later without re-reading their contents

. Tagging can take several forms, including:
- metadata tagging: files are updated to include special coded tags that DLP tooling recognizes
- watermarking: visible or invisible watermarks are added to the files
- marking: a human-readable word or phrase is added to the header or another location in the data file

27
Q

Dynamic DLP

A

. Represents a variety of technologies used to detect, and optionally intervene in, the transfer of PII or other sensitive information (data in motion)

. These tools can be configured to identify the sensitivity of data files in motion by reading their content to determine whether they contain PII or other sensitive information, or they can be configured to look for previously applied tags

. Can be used as a detective control, a preventive control, or both

. Organizations should develop a playbook of response procedures for when end users encounter a DLP system blocking their intended action
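The three preceding cards (static DLP scanning, data tagging, and dynamic DLP) describe one pipeline, so here is a single worked example of it. This is an added illustration, not code from the CIPM text or from any DLP product: the "file store" is an in-memory list of constructed records (contents, modification times, POSIX permission bits and a stand-in for metadata tags), the PII patterns are simplified, and the fixed "now" timestamp exists only so the results are reproducible.

```python
"""Added example (not from the CIPM text): a minimal DLP scan over an
in-memory "file store". All file contents, timestamps, permission bits and
tags below are constructed for the demo. It shows a static scan that finds
files matching PII patterns and reports the facts the card says to analyse
(age, access rights, existing tags), plus a dynamic decision for a file
about to leave the organisation that can act as a detective control
(alert) or a preventive control (block)."""
import re
import stat
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Simplified patterns for the static scan. A 13-16 digit run is only reported
# as a card number if it also passes the Luhn check, to cut false positives.
PATTERNS = {
    "us_ssn": re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "card": re.compile(r"\b(?:\d[ -]?){13,16}\b"),
}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum over a string of 0-9 characters."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class StoredFile:
    path: str
    content: str
    mtime: datetime
    mode: int                                   # POSIX permission bits
    tags: dict = field(default_factory=dict)    # stand-in for xattrs / metadata tags


NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)   # fixed "now" for reproducible ages

# Constructed sample store: a tagged HR export, a stale world-readable dump, a clean file.
SAMPLE_STORE = [
    StoredFile("/share/hr/payroll_export.csv",
               "name,ssn,email\nAda Lovelace,123-45-6789,ada@example.com\n",
               NOW - timedelta(days=400), 0o640, {"classification": "restricted"}),
    StoredFile("/share/public/old_dump.txt",
               "card 4111 1111 1111 1111 was used on 2019-03-01",
               NOW - timedelta(days=1900), 0o644),
    StoredFile("/share/eng/README.md",
               "Build with make; see docs/ for details.",
               NOW - timedelta(days=3), 0o644),
]


def find_pii(text: str) -> dict:
    """Return {pattern_name: [matches]} for every pattern that hits."""
    hits = {}
    for name, rx in PATTERNS.items():
        found = []
        for m in rx.finditer(text):
            if name == "card" and not luhn_ok(re.sub(r"\D", "", m.group())):
                continue
            found.append(m.group())
        if found:
            hits[name] = found
    return hits


def static_scan(store, now=NOW):
    """Static DLP: catalogue files containing PII together with the facts the
    card says to analyse (age, access rights, whether a tag already exists)."""
    findings = []
    for f in store:
        hits = find_pii(f.content)
        if not hits:
            continue
        findings.append({
            "path": f.path,
            "pii_types": sorted(hits),
            "age_days": (now - f.mtime).days,
            "world_readable": bool(f.mode & stat.S_IROTH),
            "tagged": f.tags.get("classification"),
        })
    return findings


def dynamic_decision(f: StoredFile, mode: str = "prevent") -> str:
    """Dynamic DLP on a file in motion: trust a previously applied 'restricted'
    tag, otherwise inspect the content. 'detect' mode only alerts (detective
    control); 'prevent' mode blocks the transfer (preventive control)."""
    sensitive = f.tags.get("classification") == "restricted" or bool(find_pii(f.content))
    if not sensitive:
        return "allow"
    return "block" if mode == "prevent" else "alert"


if __name__ == "__main__":
    for row in static_scan(SAMPLE_STORE):
        print(row)
    for f in SAMPLE_STORE:
        print(f.path, dynamic_decision(f))
```

Running the scan reports the HR export (SSN and e-mail, already tagged, not world-readable, 400 days old) and the old dump (a Luhn-valid card number, untagged, world-readable, 1900 days old); the README is clean. The stale, untagged, world-readable file is exactly the finding the card's follow-up analysis is meant to surface: it should not exist where it is, and its access rights are wrong. In a real deployment the tags would come from file metadata (for example extended attributes or document properties) rather than a dictionary, and the patterns would be far richer.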

28
Q

Data use governance

A

. Organizations need governance structures that provide visibility and control over data usage

. Such a structure would include the following:
- internal policies stating the permitted uses of personal information
- establishment of controls to ensure those outcomes
- monitoring of those controls to verify their effectiveness
- corrective actions to remedy all deviations
- metrics that confirm all of the foregoing

29
Q

Data minimization

A

. The practice of collecting and retaining only those specified data elements necessary to perform agreed-upon functions

. Dimensions include:
- collect only required data items
- collect only required records
- retain only as long as needed
- pseudonymize or anonymize as soon as possible
- reduce accessibility
30
Q

Pseudonymization

A

. The substitution of identifying and sensitive data fields with alternate values, so that data records are de-identified from specific persons

. GDPR definition: processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person

. Substitution techniques permit software to function correctly (the substituted values still link the same person’s records together), while the substitution removes the association between the record and the actual person. Pseudonymization is reversible by whoever holds the separately kept additional information, so pseudonymized data is still personal data under GDPR

Example: Peter Gregory becomes Quem Rebnurvo

31
Q

Anonymization

A

. The process of irreversibly altering or removing sensitive data from records so that an individual can no longer be identified, directly or indirectly

. GDPR framing: personal data is irreversibly altered in such a way that a data subject can no longer be identified, directly or indirectly, either by the data controller alone or in collaboration with any other party; data that has been truly anonymized is no longer personal data

Example: Peter Gregory becomes (blank)
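The distinction the two cards above draw (pseudonymization is reversible by whoever holds the separately kept additional information; anonymization is not) is easiest to see in code. The following is an added example, not code from the CIPM text: the record, the key and the generalization rules are all constructed for the demonstration, and the keyed-hash substitution is one common technique rather than the only one.

```python
"""Added example (not from the CIPM text): pseudonymisation with the
re-identification material held separately, beside anonymisation that is
irreversible. The sample record and the keys are constructed for the demo."""
import hashlib
import hmac
import secrets
from typing import Optional


def make_pseudonym(value: str, key: bytes) -> str:
    """Keyed substitution: HMAC-SHA256 of the identifier, truncated for
    readability. Deterministic for one key, so the same person links across
    records and downstream software keeps working; unrecoverable without the
    key, which is the 'additional information' GDPR says must be kept apart."""
    return "p_" + hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


class PseudonymVault:
    """Holds the key and the pseudonym -> identity table. In practice this lives
    in a separate system with its own access control; here it is a separate
    object purely to make the separation explicit."""

    def __init__(self, key: Optional[bytes] = None):
        self.key = key or secrets.token_bytes(32)
        self._table = {}

    def pseudonymize(self, record: dict, id_fields=("name", "email", "ssn")) -> dict:
        """Return a copy of the record with direct identifiers replaced."""
        out = dict(record)
        for f in id_fields:
            if f in out:
                pseud = make_pseudonym(out[f], self.key)
                self._table[pseud] = out[f]     # the re-identification link, kept here only
                out[f] = pseud
        return out

    def reidentify(self, pseudonym: str) -> Optional[str]:
        """Only the vault holder can reverse a pseudonym."""
        return self._table.get(pseudonym)


def age_band(age: int) -> str:
    low = (age // 10) * 10
    return f"{low}-{low + 9}"


def anonymize(record: dict, drop=("name", "email", "ssn")) -> dict:
    """Irreversible: direct identifiers are removed outright and quasi-identifiers
    (age, postcode) are generalised. Nothing is retained anywhere that would
    allow the output to be linked back to the person."""
    out = {k: v for k, v in record.items() if k not in drop}
    if "age" in out:
        out["age"] = age_band(out["age"])
    if "postcode" in out:
        out["postcode"] = out["postcode"][:3] + "**"
    return out


# Constructed sample record (the book's example name, with made-up attributes).
SAMPLE_RECORD = {"name": "Peter Gregory", "email": "peter@example.com",
                 "ssn": "123-45-6789", "age": 47, "postcode": "98101", "plan": "gold"}

if __name__ == "__main__":
    vault = PseudonymVault()
    p = vault.pseudonymize(SAMPLE_RECORD)
    print("pseudonymized:", p)
    print("re-identified:", vault.reidentify(p["name"]))
    print("anonymized:   ", anonymize(SAMPLE_RECORD))
```

Two points worth noticing when running it. First, the pseudonymized record still carries `age`, `postcode` and `plan` unchanged, which is why it remains personal data: someone with the vault, or with enough quasi-identifiers, can get back to Peter. Second, a different key produces a different pseudonym for the same name, so sharing pseudonymized data with a partner under a separate key prevents the partner from linking it to your own pseudonymized dataset. The anonymized output keeps only a decade band and a postcode prefix, and there is no table to look up.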

32
Q

Data and usage diagrams

A

An essential aspect of data inventory is the knowledge of two additional data characteristics

.Data flow
.Data usage

Understanding data flow requires a deeper study of the information systems where data resides to understand how data arrives in the system and where data is sent from the system

33
Q

Data aggregation

A

. The practice of combining databases to enrich the available data

. Data sprawl: receiving additional data fields that are not needed but are retained anyway, so that the organization ends up holding more detail about its customers and prospects than it really wants or needs

34
Q

Implement the Privacy program framework

A

. The opening move is the creation of the privacy program charter (or internal privacy policy, whichever document defines the privacy program with its objectives, roles and responsibilities, and so on), completed and ratified by executives

35
Q

Privacy operation

A

. A privacy operation consists of the activities that ensure that the collection and use of personal information comply with privacy policies and applicable regulations

. The privacy office functions as a catalyst to ensure that the intake, processing, and disposal of personal information throughout the organization is done properly, according to the organization’s privacy policy, which should align with applicable privacy law as well as other contractual and legal obligations

36
Q

Identifying privacy requirements

A

. Before the privacy officer can begin enforcing privacy-related activities in the organization, he or she must first identify and document the requirements that define the specifics of the collection, protection, and use of personal information

37
Q

Collecting consent

A

. Consent is a distinct action taken by a data subject to grant an organization permission to collect and/or process his or her personal information

. Organizations must record the specific date, time, stipulations, and circumstances under which consent was collected; it is important to be quite specific about this record

. Ways in which consent is given and obtained include the following:
- at the time of data collection
- prior to data collection
- obtained through a third party

38
Q

Privacy program metrics

A

. Metrics are a means by which management can measure key processes and determine whether their strategies are working

. Privacy metrics are often used to observe technical privacy controls and processes to determine whether they are operating correctly

. This helps management better understand the impact of past decisions and helps drive future decisions

Examples:
- number of personal information records received
- number of personal information records accessed
- number of privacy impact assessments performed, and their results

Privacy metrics are sometimes categorized as follows:
- key risk indicators (KRIs)
- key goal indicators (KGIs)
- key performance indicators (KPIs)

. Effective metrics should be measurable. A common way to ensure this is the SMART method:
- Specific
- Measurable
- Attainable
- Relevant
- Timely

39
Q

Risk management metrics

A

. The best indicator of a successful risk management program is improving trends in metrics such as the following:
- number of privacy impact assessments performed, and their results
- reduction in the number of privacy and security incidents
- reduction in the impact of privacy and security incidents
- reduction in the time to remediate vulnerabilities
- reduction in the number of new unmitigated risks
40
Q

Data subject engagement metrics

A

. Metrics concerning the various forms of data subject engagement help the organization understand the extent to which personal information is being collected, as well as the volume of communications of various sorts from data subjects

. Some of the metrics that may be reported include:
- number of data collections
- number of opt-ins and opt-outs
- number of data subject requests, broken out by inquiries, requests for correction, and requests for deletion
- amount of time spent processing data subject requests

41
Q

Data governance metrics

A

. Enable company management to understand whether data, including personal information, is being processed as expected

. Examples of data governance metrics include
- data retention activities, including purges and exceptions found
- data usage activities, including approval for New Uses and policy violations
- changes in activities regarding data sent to and received from other organizations
- coverage of automated tools, and where the blind spots May be
- changes in data inventory
- changes in the number and types of data collection and data input and output points

42
Q

Web tracking

A

. Refers to the general practices associated with measuring and observing users who visit websites

. Website operators track individual users’ sessions on their sites for three primary reasons:
- session integrity: the nature and design of Internet protocols and multi-user applications require that each user session be uniquely identified
- usage statistics
- advertising tracking

43
Q

Tracking in the workplace

A

. Organizations undertaking such tracking and recording often include notices on these devices and in company policy stating that such measures are taken in the name of data protection, and that any personal use of these devices or networks is subject to these practices, resulting in “no expectation of privacy”