CIPM Respond Flashcards

1
Q

4 respond principles

A
  1. information requests
  2. legal compliance
  3. incident response planning (IRP)
  4. incident handling
2
Q

requests: 2-layer (tiered) response

A

leverage privacy governance structure:

  • first level/tier responders for common questions
  • privacy team and CPO for second level
3
Q

Negligence elements (when org fails to notify DS of breach)

A
  1. Duty of care of org to DS = duty to have system to detect unauthorised access (but system designed to protect network)
  2. Failure to meet standard of care of RPP
  3. Proximate cause (generally multiple causes)
4
Q

IRP responders

A
  1. IS - forensic investigation, delete embedded malware, correct vulnerabilities
  2. Legal - help limit liability from breach; advise on response to notification requirements (who, how, when)
  3. HR - information conduit to employees after breach
  4. Marketing - positive, consistent message during crisis; high-volume e-mail for notification
  5. Business development - relationship of trust with customers; notify key accounts
  6. communications and PR - media relations and coordination of internal/external messages
  7. union leadership - communication/coordination with union members
  8. Finance - calculate cost of breach responsibility and allocate necessary funds; arrange cyber insurance coverage
  9. President/CEO - held personally accountable; may publicly comment
  10. Customer care - may use these employees in breach response
5
Q

Privacy incident (breach) definition

A

any potential or actual compromise of PI in a form that facilitates intentional or unintentional access by an unauthorised third party

6
Q

escalation

A

internal process by which employees alert supervisors about an incident, who in turn report to a pre-defined list of experts

7
Q

IRP

A
  1. pre-notification process: determine whether incident constitutes a reportable breach
  2. isolate compromised system to contain damage; preserve electronic evidence; maintain chain of custody (legal and IT)
  3. consult legal to determine whether notification is required
  4. Elements of IRP
    - contact stakeholders
    - timetable
    - progress reporting
    - response evaluation and modifications
8
Q

US fed govt (OMB) guidance re breach notification requirement

A

Cautions against notification when breach poses little or no risk of harm. To assess risk of harm, consider:

  • nature of data elements breached
  • number of individuals affected
  • likelihood that information is accessible and usable
  • likelihood that breach may lead to harm
  • organization’s ability to mitigate risk