CIPM CH 3 Assess Flashcards
Baseline
. Documenting the current state of a program so that a later analysis of a future state will highlight the progress made
. Baseline assessment of privacy programs helps privacy leaders understand the initial state of an organization’s privacy program so that progress can be more easily measured overtime
. Will result in an important business record that will help privacy leaders in management understand the progress that has been made since the Baseline was created
Process maturity
. Organization must include the concept of process maturity as an important measurement tool
. Maturity is a measure of how an organization’s process is, whether it is performed consistently, whether it is documented, whether it is measured, and whether measurements are examined from time to time to make improvements in the process
. A program Baseline can be used as a basis for a compliance Gap analysis between the organization’s current state and the requirements in applicable privacy regulations industry practices, and customer and societal expectations
Baselining program elements
. The following functions should be examined and documented when baselining in organizations privacy program
- education and awareness
- monitoring Regulatory developments and incorporating change
- internal compliance to policy
- date of management practices
- risk management and risk assessments
- incident response and Remediation
- audits
- Staff competence and capability
- it service management
- business continuity and Disaster Recovery planning
- program metrics and Reporting
Third-party risk management (TPRM)
. Refers to activities used to discover and manage risk associated with external organizations performing operational functions for an organization
. Involves the extension of techniques used to identify and treat privacy and security risk within an organization
. The same risk present in third-party services are present within an organization’s processing environment
. It is vital that an organization clearly understand its specific responsibilities for each third-party relationship, so that no responsibilities that may introduce risk to the organization or overlooked or neglected
. Third-party service providers generally play little or no role in data handling aspect of privacy
TPRM- privacy regulation requirement
. GDPR - organizations that use third-party service providers are often considered controllers, which are entities that determine the purposes and the means of processing of personal data and that can handle directing third parties to process personal data on their behalf
. CCPA - uses the term business and service provider
. HIPPA - requires that covered entities establish a business associate agreement (BAA) with every service provider with access to the covered entities information or information systems
. Sarbanes-oxley - requires that organizations perform upfront and periodic due diligence on financially relevant service providers
Questionnaires and evidence
. Third parties need to be a assessed periodically
. This consists of creating and sending a privacy and or security questionnaire to the third party, with requests to answer all of the questions and returned to the organization within a reasonable amount of time
. May also request that third-party front of specific artifacts that serve as evidence that support the responses in the questionnaire
. Often it makes sense for an organization to utilize different versions of a questionnaire for each category of third party, so that the majority of the questions asked of each third party are relevant
Assessing processing centers in work centers
. Are performed to understand controls that directly or indirectly contribute to the protection of personal information
. Areas of Interest include the following:
- access controls
- surveillance
- hazards
- clean desk/ screen
- environmental controls
Influencing mergers, Acquisitions, and divestitures
. A privacy leader can you play role of subject matter expert and advisor to Executive management during the transitions planning and development
. The Privacy leader has an array of considerations:
- changing regulatory scope
- post transaction structure
- cultural impact
- divestiture
Integrating programs
. Privacy leaders must figure out how the new merge systems will take shape and operate on a day-to-day basis
. Will need to develop a strategy to return to single processes and solution that support the new organization’s needs
Privacy impact assessments (PIA) and data privacy impact assessments (DPIA)
. A targeted risk assessment undertaken to identify impacts to individual privacy and to an organization’s ability to protect information resulting from a proposed change to the business process for information system
. PIA is conducted for new processes or systems that will collect, store, or transmit personally identifiable information or significant modification to a process or system that may create a new privacy risk
. It identifies impacts that any process or system change has on an organization’s compliance with this privacy policy and applicable privacy laws and regulations
. Is to validate the proposed change from a privacy perspective
. A failure to assess the impact of a proposed change could be seen as negligence :
a reasonable person would find that such an organization at fault for not seeking to understand the potential impact of a proposed change upon palm security, privacy, or proposed use of personal information
Privacy threshold analysis
. Determines whether the process or system is associated with personal information. If so the PTA will determine the performance of a PIA
PIA procedure
. Obtained a description of the project or proposed to change
. Identify all changes to data collection, data flows, storage, protection and use of personal information
. Determine whether the proposed change violate any terms of the organization’s privacy policy or security policy
. Determine whether the proposed change violates any terms of privacy or security laws, regulations
. Determine whether the change it introduces any new security risk
. Determine whether the proposed change Alters any previously known security risk
. Development list of such impacts identified in the previous steps
. Write a formal report describing all of the above
