Lesson 2: Summarizing Governance & Compliance Strategies Flashcards

1
Q

What do you understand by PII?

A

Personally identifiable information describes data that can be used to directly or indirectly identify an individual. This covers a very broad range of information and is further subcategorized to include Sensitive PII, which describes US social security numbers, biometrics, financial records, medical records, immigration identifiers, and criminal history. Sensitive PII requires stricter handling and protection than other types of PII.

2
Q

What is PHI?

A

Protected Health Information (PHI) describes data that can be used to identify an individual and includes information about past, present, or future health, as well as related payments and data used in the operation of a healthcare business.

3
Q

What is PIFI?

A

Personal Identifiable Financial Information (PIFI) describes information about a consumer provided to a financial institution and includes information such as account number, credit/debit card number, personal information (such as name and contact information), and social security number. Generally, PIFI is used to obtain access to a financial product or service.

4
Q

What is Intellectual Property or IP?

A

IP describes intangible products of human thought and ingenuity. Intellectual property is protected by various laws such as copyrights, patents, trademarks, and trade secrets.

5
Q

Who is a data owner?

A

The data owner is the entity who is held accountable for the protection of the data under their control. The data owner is responsible for ensuring data is appropriately protected.

6
Q

How does the data owner ensure that the data under their control is protected?

A

The data owner will need to classify the data first and then determine what controls should be implemented to protect it based on that classification level.

7
Q

What is data classification?

A

Data classification establishes the necessary controls, such as security configurations, encryption, access controls, procedures, and physical security required in order to adequately protect data.

8
Q

What is data retention?

A

Data retention defines the timespan for which data must be kept. Retention defines not only the minimum amount of time data must be kept but also the maximum (or “no longer than”) timespan.

9
Q

This control describes the legally compliant means by which data is removed and made inaccessible.

A

Data destruction

10
Q

Match the following terms with their definition.

Terms:
1. Sanitization
2. Crypto Erased
3. Clear
4. Purge
5. Damage

Definitions:
a. Refers to the sanitization of the key used to perform decryption of data, making recovery of the data effectively impossible.
b. A general term describing the means by which information is removed from media and includes methods such as clear, purge, and damage.
c. Physically breaking a storage device to render it useless or inoperable.
d. A type of sanitization that involves multiple block-level overwrite cycles.
e. A type of sanitization that provides effective protection from all recovery techniques, including clean-room methods.
A

1 —> b

2 —> a

3 —> d

4 —> e

5 —> c

11
Q

What do you understand by data sovereignty?

A

Data sovereignty identifies that the laws governing the country in which data is stored have control over the data and describes the legal dynamics of data collection and use in a global economy.

12
Q

What are some data protection considerations that should be taken into account when constructing technology solutions to support the organization?

A

1) Consider the location of the data
2) Consider the location of the data subject
3) Consider the location of the cloud service provider

13
Q

Who is a data subject?

A

This is an individual who is identified by privacy data.

14
Q

What is the difference between a standard and a regulation?

A

Regulations establish the legal basis for enforcing compliance with rules and describe the consequences of non-compliance. Standards make things work by providing specifications (guidelines or requirements) for products, services, and systems. If used consistently, they ensure quality, safety, and efficiency.

15
Q

What is the General Data Protection Regulation (GDPR) all about?

A

GDPR enforces rules for organizations that offer services to entities in the European Union (EU) or that collect and/or analyze data on a subject located in the EU.

16
Q

What are the 7 principles of GDPR?

A

Lawfulness, fairness and transparency
Purpose limitation
Data minimization
Accuracy
Storage limitation
Integrity and confidentiality (security)
Accountability

17
Q

What is the difference between due care and due diligence?

A

Due care represents a baseline that can be used to determine if reasonable safeguards are in place. Due diligence describes the ongoing and documented effort to continuously evaluate and improve the mechanisms by which assets are protected.

18
Q

What is a legal hold?

A

A legal hold, or litigation hold, describes the notification received by an organization’s legal team instructing them to preserve electronically stored information (ESI) and/or paper documents that may be relevant to a pending legal case.

19
Q

What is e-Discovery?

A

e-Discovery describes the electronic component of identifying, collecting, and providing the electronically stored information (ESI) identified by a legal hold. The scope of information included in e-Discovery can be vast and may include files, emails, logs, text messages, voicemail, databases, and social media activity.

20
Q

What is the Wassenaar Arrangement?

A

The Wassenaar Arrangement was established in 1996 and defines export controls for “conventional arms and dual-use goods and technologies.” The arrangement includes 42 participating states and generally defines controls crafted to prevent a destabilizing accumulation of weaponry by any single nation and to prevent advanced weaponry and military capabilities from being acquired by terrorist factions.

21
Q

What is a Master Service Agreement (MSA) used for?

A

Master service agreements are typically “umbrella” contracts that establish an agreement between two entities to conduct business during a defined term (typically a year), but each engagement within the agreement is typically defined by individual scopes of work that define expectations and deliverables.

22
Q

What is a Non-Disclosure Agreement (NDA)?

A

Non-disclosure agreements are established between entities and define the conditions upon which data and information can be used.

23
Q

What is a Memorandum of Understanding (MOU)?

A

A memorandum of understanding is an extremely useful contract that can be used to establish rules of engagement between two parties. Widely considered as a non-binding agreement, or one that is difficult to enforce in a court setting, MOUs instead serve as a formal means to define roles and expectations.

24
Q

What is an Interconnection Security Agreement (ISA)?

A

An interconnection security agreement is established when two entities need to share data via an interface.

25
Q

What is a Service Level Agreement (SLA)?

A

A contractual agreement setting out the detailed terms under which a service is provided. SLAs typically govern services that are both measurable and repeatable and include an enforcement mechanism that typically includes financial penalties for non-compliance.

26
Q

What is an Operational-Level Agreement (OLA)?

A

Operational-level agreements are typically internal documents established by an organization to define the essential operational needs of an organization in order for it to meet the performance metrics defined in a Service Level Agreement.

27
Q

What is a Privacy Level Agreement (PLA)?

A

A Privacy Level Agreement is commonly used when establishing a relationship with a cloud service provider (CSP) and goes beyond the provisions detailed in an SLA to include metrics and measures related to conforming with specific information privacy and data protection requirements.