CIPM CH 5 Sustain Flashcards

1
Q

Business process monitoring

A

Consists of collecting statistics created by business processes, examining those statistics, transforming them into key risk indicators (KRIs) and key performance indicators (KPIs), and reporting these indicators to management

2
Q

Event monitoring

A

The practice of examining the events occurring in an information system. Types of events of interest to privacy and security managers include the following:
- successful and unsuccessful logins
- unexpected system or device reboots
- changes made to security configurations
- changes made to operating system files
- queries to databases
- changes made to the access permissions of sensitive files
- anomalous movement of sensitive files

3
Q

Orchestration

A

. Refers to a scripted response that is triggered automatically or manually when a specific event occurs

. Can be a standalone system or may exist as part of the SIEM

. Runbooks contain short procedures for the personnel who manage SIEMs, listing the actions to perform when a specific type of event occurs

. An orchestration system can be configured to run some scripts immediately, while other scripts are staged and run only when an analyst approves them
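The two cards above (event monitoring and orchestration) describe one pipeline: classify events of interest from logs, then dispatch a runbook that either runs at once or waits for an analyst. The following Python is an added example written for this page; it is not code from the flashcards, from any SIEM or SOAR product, or from the CIPM material. The log lines are constructed, the message patterns are simplified, and the runbook names, the sensitive-file prefix and the brute-force threshold are all assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed syslog-style sample lines; not taken from any real system.
SAMPLE_LOG = """\
2024-05-01T08:00:01 host1 sshd: Failed password for alice from 10.0.0.5
2024-05-01T08:00:03 host1 sshd: Failed password for alice from 10.0.0.5
2024-05-01T08:00:04 host1 sshd: Failed password for alice from 10.0.0.5
2024-05-01T08:00:05 host1 sshd: Failed password for alice from 10.0.0.5
2024-05-01T08:00:06 host1 sshd: Failed password for alice from 10.0.0.5
2024-05-01T08:00:09 host1 sshd: Accepted password for alice from 10.0.0.5
2024-05-01T08:01:00 host2 kernel: System reboot requested by init
2024-05-01T08:02:00 host1 audit: chmod 0777 /srv/hr/salaries.csv by bob
2024-05-01T08:02:30 host1 audit: chmod 0644 /tmp/notes.txt by bob
2024-05-01T08:03:00 host1 sudo: bob : COMMAND=/usr/bin/vi /etc/ssh/sshd_config
"""

# Event types from the flashcard, each with a simplified, assumed message pattern.
EVENT_PATTERNS = [
    ("login_failure", re.compile(r"Failed password for (?P<user>\S+) from (?P<src>\S+)")),
    ("login_success", re.compile(r"Accepted password for (?P<user>\S+) from (?P<src>\S+)")),
    ("reboot", re.compile(r"System reboot")),
    ("permission_change", re.compile(r"chmod (?P<mode>\d+) (?P<path>\S+) by (?P<user>\S+)")),
    ("security_config_change", re.compile(r"COMMAND=.*?(?P<path>/etc/\S+)")),
]
SENSITIVE_PREFIXES = ("/srv/hr/",)          # assumed location of sensitive files
BRUTE_FORCE_THRESHOLD = 5                   # this many failures ...
BRUTE_FORCE_WINDOW = timedelta(seconds=60)  # ... within this window -> brute_force event

# Hypothetical runbooks: script name, and whether it runs at once or waits for an analyst.
RUNBOOKS = {
    "brute_force": ("block_source_ip", "auto"),
    "reboot": ("open_incident_ticket", "auto"),
    "permission_change": ("revert_permissions", "approve"),
    "security_config_change": ("snapshot_and_diff_config", "approve"),
}

def parse_line(line):
    """Return an event dict for a line of interest, or None for everything else."""
    ts_str, host, msg = line.split(" ", 2)
    for etype, pat in EVENT_PATTERNS:
        m = pat.search(msg)
        if m:
            ev = {"type": etype, "ts": datetime.fromisoformat(ts_str), "host": host, **m.groupdict()}
            # Only permission changes on sensitive files are events of interest.
            if etype == "permission_change" and not ev["path"].startswith(SENSITIVE_PREFIXES):
                return None
            return ev
    return None

class Orchestrator:
    """Dispatches events to runbooks: 'auto' scripts run immediately, 'approve' scripts queue."""
    def __init__(self):
        self.executed = []                    # (script, event) pairs that have run
        self.pending = []                     # (script, event) pairs awaiting approval
        self._failures = defaultdict(deque)   # (user, src) -> recent failure timestamps

    def ingest(self, ev):
        if ev["type"] == "login_failure":
            ev = self._correlate_failure(ev)  # a single failure is not actionable
            if ev is None:
                return
        runbook = RUNBOOKS.get(ev["type"])
        if runbook is None:
            return
        script, mode = runbook
        (self.executed if mode == "auto" else self.pending).append((script, ev))

    def _correlate_failure(self, ev):
        """Sliding window per (user, source); emits one brute_force event per burst."""
        window = self._failures[(ev["user"], ev["src"])]
        window.append(ev["ts"])
        while ev["ts"] - window[0] > BRUTE_FORCE_WINDOW:
            window.popleft()
        if len(window) >= BRUTE_FORCE_THRESHOLD:
            window.clear()
            return {**ev, "type": "brute_force", "count": BRUTE_FORCE_THRESHOLD}
        return None

    def approve(self, index):
        """An analyst approves a queued action; it is run and moved to the executed list."""
        self.executed.append(self.pending.pop(index))

def process_log(text):
    orch = Orchestrator()
    for line in text.splitlines():
        ev = parse_line(line)
        if ev:
            orch.ingest(ev)
    return orch

if __name__ == "__main__":
    o = process_log(SAMPLE_LOG)
    for script, ev in o.executed:
        print("ran", script, "for", ev["type"])
    for script, ev in o.pending:
        print("awaiting approval:", script, "for", ev["type"])
```

On the constructed log, the five failed logins collapse into one brute_force event whose runbook runs immediately, the reboot opens a ticket automatically, and the two changes to sensitive files and security configuration are queued until an analyst calls approve(); a successful login and a chmod on a non-sensitive path produce no action at all. In a real SIEM the "scripts" would do something (an API call to a firewall, a ticketing system) rather than just being recorded.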

4
Q

Data loss prevention (DLP)

A

Tools and techniques are available for passive (detective) or active (preventive) DLP

. Document scanning: tools can be used to scan stores of unstructured data to determine the extent to which sensitive and personal information is present

. Document tagging: DLP tools tag files if they contain data matching specific patterns, such as Social Security numbers

. Document marking: once tagged, documents can be marked with a watermark, which introduces human-readable content into the files to remind people that they contain sensitive information

. Email restrictions: DLP tools can be integrated into an organization's email system to monitor and block the practice of emailing files containing sensitive information

. Storage restrictions: DLP tools can be integrated into end-user devices to monitor their handling of sensitive files
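The following Python is an added example for the DLP techniques on this card; it is not code from the flashcards or from any DLP product. It runs the card's scanning, tagging, marking and email-restriction steps over a constructed document store, and shows the one practical detail the card leaves out: a Social Security number pattern on its own produces false positives, so matches are checked against the structural rules the SSA publishes (area numbers 000, 666 and 900-999, group 00 and serial 0000 are never issued). The file names and contents, the tag name and the watermark text are all constructed for the example.

```python
import re

# Constructed document store (filename -> contents); none of this is real data.
DOCUMENTS = {
    "hr/onboarding.txt": "New hire Jane Roe, SSN 219-09-9999, start date 2024-06-03.",
    "hr/template.txt":   "Employee SSN: 000-12-3456 (placeholder in a blank form)",
    "eng/release.txt":   "Build ticket 987-65-4321 ships next week.",
    "eng/notes.txt":     "Meeting notes. No personal data here.",
}

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
SENSITIVE_TAG = "SENSITIVE:SSN"   # assumed tag name
WATERMARK = "*** CONTAINS PERSONAL INFORMATION (SSN) - HANDLE PER PRIVACY POLICY ***"

def is_plausible_ssn(area, group, serial):
    """Structural rules published by the SSA: area numbers 000, 666 and 900-999,
    group 00 and serial 0000 are never issued, so such matches cannot be real SSNs."""
    a, g, s = int(area), int(group), int(serial)
    return a not in (0, 666) and a < 900 and g != 0 and s != 0

def find_ssns(text):
    """Pattern match, then discard structurally impossible numbers (false positives)."""
    return [m.group(0) for m in SSN_RE.finditer(text) if is_plausible_ssn(*m.groups())]

def scan_store(store):
    """Document scanning: how much sensitive data is present, per file."""
    return {name: len(find_ssns(body)) for name, body in store.items()}

def tag_documents(store):
    """Document tagging: attach a tag to files whose contents match the pattern."""
    return {name: (SENSITIVE_TAG if find_ssns(body) else None) for name, body in store.items()}

def mark_document(body):
    """Document marking: prepend a human-readable watermark exactly once."""
    return body if body.startswith(WATERMARK) else WATERMARK + "\n" + body

def email_gate(attachments, mode="active"):
    """Email restriction: 'passive' (detective) only records an alert,
    'active' (preventive) also blocks the attachment from being sent."""
    alerts, blocked = [], []
    for name, body in attachments.items():
        hits = find_ssns(body)
        if hits:
            alerts.append((name, len(hits)))
            if mode == "active":
                blocked.append(name)
    return {"alerts": alerts, "blocked": blocked}

if __name__ == "__main__":
    print(scan_store(DOCUMENTS))
    print(tag_documents(DOCUMENTS))
    print(email_gate(DOCUMENTS, mode="passive"))
    print(email_gate(DOCUMENTS, mode="active"))
```

Only hr/onboarding.txt is tagged: the placeholder 000-12-3456 and the ticket number 987-65-4321 match the regular expression but fail the structural check, which is the difference between a DLP rule that analysts trust and one they learn to ignore. The same find_ssns() function serves scanning, tagging and the email gate, so a tuning change applies everywhere at once.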

5
Q

Threat hunting

A

The practice of conducting searches, typically in SIEM logs and configuration management databases, to determine whether traces of intrusions are present in the organization's systems

6
Q

User behavioral analytics (UBA) - end-user behavioral analytics (EUBA)

A

Represents a detective capability wherein each user's actions are recorded and a profile of normal behavior is established; subsequent actions that deviate from that profile can then be flagged for review
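As an added example of what "a profile of normal behavior" looks like in practice (written for this page, not code from the flashcards or from any UBA product), the following Python builds a per-user baseline from a constructed session history, covering hours of activity, hosts used and the number of records accessed per session, and then scores new sessions against it. The users, hosts, schedule and record counts are all constructed; the three-sigma threshold for bulk access is an assumption.

```python
import math
from collections import Counter
from datetime import datetime, timedelta

def build_history():
    """Constructed 20-day session history of (user, timestamp, host, records_accessed).
    Not real data: alice works 08/13/17 from her workstation; bob works 09/16 and
    comes in through the VPN gateway every fourth day."""
    hist = []
    base = datetime(2024, 4, 1)
    for day in range(20):
        d = base + timedelta(days=day)
        for hour, recs in ((8, 40), (13, 55), (17, 35)):
            hist.append(("alice", d.replace(hour=hour), "wks-alice", recs + day % 5))
        hist.append(("bob", d.replace(hour=9), "wks-bob", 20 + day % 3))
        hist.append(("bob", d.replace(hour=16), "vpn-gw" if day % 4 == 0 else "wks-bob", 25 + day % 3))
    return hist

class Profile:
    """Per-user baseline: hours of activity, hosts used, records accessed per session."""
    def __init__(self):
        self.hours = Counter()
        self.hosts = Counter()
        self.records = []

    def observe(self, ts, host, recs):
        self.hours[ts.hour] += 1
        self.hosts[host] += 1
        self.records.append(recs)

    def hour_is_usual(self, hour):
        # An hour is usual if it is within one hour of any previously seen hour (wrapping at midnight).
        return any(min(abs(h - hour), 24 - abs(h - hour)) <= 1 for h in self.hours)

    def record_stats(self):
        n = len(self.records)
        mean = sum(self.records) / n
        std = math.sqrt(sum((r - mean) ** 2 for r in self.records) / n)
        return mean, std

def build_profiles(history):
    profiles = {}
    for user, ts, host, recs in history:
        profiles.setdefault(user, Profile()).observe(ts, host, recs)
    return profiles

def score_session(profile, ts, host, recs, sigma=3.0):
    """Return the reasons a session deviates from the baseline (an empty list means normal)."""
    reasons = []
    if not profile.hour_is_usual(ts.hour):
        reasons.append(f"unusual hour {ts.hour:02d}:00")
    if profile.hosts[host] == 0:
        reasons.append(f"never-seen host {host}")
    mean, std = profile.record_stats()
    if recs > mean + sigma * max(std, 1.0):   # max() avoids a zero threshold for constant baselines
        reasons.append(f"bulk access: {recs} records vs baseline {mean:.0f} +/- {std:.0f}")
    return reasons

def demo_scores():
    """Score a few constructed new sessions against the baselines."""
    profiles = build_profiles(build_history())
    return {
        "alice_normal": score_session(profiles["alice"], datetime(2024, 4, 22, 13), "wks-alice", 50),
        "alice_anomalous": score_session(profiles["alice"], datetime(2024, 4, 22, 3), "jump-host-7", 5000),
        "bob_vpn": score_session(profiles["bob"], datetime(2024, 4, 22, 16), "vpn-gw", 24),
    }

if __name__ == "__main__":
    for name, reasons in demo_scores().items():
        print(name, "->", reasons or "normal")
```

Bob's VPN session scores as normal because the gateway is part of his baseline, which is the point of per-user profiles rather than one global rule; Alice's 03:00 session from an unknown host pulling 5,000 records trips all three checks. A production system would also age the baseline so that a slowly changing job does not generate alerts forever.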

7
Q

Input controls

A

Come in the form of DLP capabilities that watch for incoming personal information and alert personnel to incoming data that is unexpected

8
Q

Input authorization

A

Represents a policy stating that a new source of information is permitted only upon management approval

9
Q

Control self-assessment (CSA)

A

A methodology used by organizations to review key business objectives, the risks related to achieving those objectives, and the key controls designed to manage those risks

. The organization takes the initiative to self-regulate rather than engage outsiders, who may be experts in auditing but not in the organization's mission, goals, and culture

. Its primary objective is to transfer some of the responsibility for oversight of control performance and monitoring to the control owners

. Another objective is the long-term reduction in exceptions

10
Q

CSA advantages

A

. Root causes can be detected earlier

. Control owners can improve their internal controls promptly

. Leads to greater ownership of controls through involvement in the assessment and improvement

. Leads to improved employee awareness

. Provides immediate visibility into control effectiveness

. May help improve relationships between departments and auditors

11
Q

CSA disadvantages

A

. May be mistaken for a substitute for an internal audit

. May be considered extra work and dismissed as unnecessary

. Control owners may attempt to cover up shoddy work and misdeeds

. May be considered an attempt by auditors to shrug off their responsibilities

. Lack of employee involvement could translate into little or no process improvement

12
Q

CSA life cycle

A

. Identify and assess risk

. Identify and assess controls

. Develop a questionnaire or conduct a workshop

. Analyze completed questionnaire or assess Workshop results

. Undergo control remediation

. Conduct awareness training

13
Q

Auditing privacy programs

A

. The purpose of an audit is to confirm, using objective means, the effectiveness of controls and processes

. The scope of a privacy program audit would likely be the controls, processes, and systems used to protect personal information, or the controls, processes, and systems used to collect, process, and use personal information

14
Q

Types of privacy audits

A

. Operational audit: examination of the existence and effectiveness of privacy controls

. Information systems audit: examination of an IT department's operations related to the storage and processing of personal information. Looks at IT governance to determine whether the IT department is aligned with overall organizational goals

. Integrated audit: combines an operational audit and an information systems audit to help the auditor fully understand the entire environment and the information in it; involves an examination of the operational effectiveness of privacy-related business processes

. Compliance audit: performed to determine the level and degree of compliance with one or more applicable privacy regulations, legal requirements, or internal policies and standards

. Forensic audit: performed in support of an anticipated or active legal proceeding, and is typically part of an investigation of a privacy breach

. Service provider audit: a third-party service organization undergoes one or more external audits to increase customers' confidence in the integrity of the third party's services

15
Q

Privacy audit planning

A

. Information needed includes:

. The locations that will be visited

. A list of business processes and supporting applications to be examined

. Personnel to be interviewed

. The technology supporting each application, along with privacy policies, standards, and data flow diagrams that describe the environment and the personal data stored and processed there

. All of this information enables the auditor to determine the resources and skills required to examine and evaluate privacy-related business processes and information systems

16
Q

Sampling

A

. Refers to a technique used when it is not feasible to test an entire population of privacy events or transactions

. The objective of sampling is to select a portion of the population such that its characteristics reflect the characteristics of the entire population
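The card states the objective of sampling but not how an auditor reaches it. As an added example (written for this page, not code from the flashcards or the CIPM material), the following Python goes one step beyond the card to stratified random sampling: the population of privacy transactions is split into strata (here, by region) and each stratum is drawn from in proportion to its size, so the sample cannot over- or under-represent a stratum by chance. The population of data subject requests, its regions and request types are constructed so that the true proportions are known; the largest-remainder rounding rule and the seed value are assumptions.

```python
import random
from collections import Counter

def build_population():
    """Constructed population of 1,000 data subject requests (not real data):
    region and request type are assigned deterministically so the true
    proportions are known (EU 50%, US 30%, APAC 20%; 25% erasure requests)."""
    regions = ["EU"] * 500 + ["US"] * 300 + ["APAC"] * 200
    return [
        {"id": f"DSR-{i:04d}", "region": regions[i], "type": "erasure" if i % 4 == 0 else "access"}
        for i in range(len(regions))
    ]

def stratified_sample(population, key, n, seed=0):
    """Select n items so that each stratum (each value of `key`) is represented in
    proportion to its share of the population. Rounding leftovers go to the strata
    with the largest fractional quota; a seeded RNG makes the draw reproducible,
    which an auditor needs in order to document and re-perform the selection."""
    rng = random.Random(seed)
    strata = {}
    for item in population:
        strata.setdefault(item[key], []).append(item)
    total = len(population)
    quotas = {s: n * len(items) / total for s, items in strata.items()}
    counts = {s: int(q) for s, q in quotas.items()}
    leftover = n - sum(counts.values())
    for s in sorted(quotas, key=lambda s: quotas[s] - counts[s], reverse=True)[:leftover]:
        counts[s] += 1
    sample = []
    for s, items in strata.items():
        sample.extend(rng.sample(items, counts[s]))
    return sample

def stratum_counts(items, key):
    return Counter(it[key] for it in items)

def proportion(items, key, value):
    """Share of items whose `key` equals `value`; used to compare sample against population."""
    return sum(1 for it in items if it[key] == value) / len(items)

if __name__ == "__main__":
    pop = build_population()
    smp = stratified_sample(pop, "region", 50, seed=42)
    print(dict(stratum_counts(smp, "region")))
    print("erasure share: population %.2f, sample %.2f"
          % (proportion(pop, "type", "erasure"), proportion(smp, "type", "erasure")))
```

With a sample of 50 the region split is exactly 25/15/10, matching the population. The erasure share of the sample is not fixed by the stratification (it is not the stratum key), so it will land near 25% but not exactly on it; how far off it may be is the sampling risk the auditor accepts when choosing the sample size.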

17
Q

Audit report

A

A written report that describes the entire audit project, including the audit objectives, scope, controls evaluated, opinions on the effectiveness and integrity of those controls, and recommendations for improvement

18
Q

Privacy policy audit

A

Will focus on one or more of these:

. Compliance with applicable privacy regulations

. Compliance with privacy policies

. Alignment with security policy and practices

19
Q

Data management audit

A

Likely to focus on one or more of these:

. Data classification

. Data protection

. Data flows

. Data loss prevention

20
Q

Auditing data collection

A

Will examine:

. Security

. Alignment with privacy policy

. Alignment with applicable regulations

. Consent

. Data aggregation

21
Q

Auditing data subject requests

A

Will include the following:

. Data subject Authentication

. Effectiveness of response

. Accuracy of response

. Completeness of response

. Timeliness of response

. Record keeping

. Compliance with policy and applicable regulations