Module 2

Question 1

Privacy Policies

Answer 1

Are internal documents that inform employees on how to protect consumer data. This will include information about privacy and security and data management and loss prevention. These policies need to be documented, accessible, current, endorsed and enforced.

Question 2

Security Policies

Answer 2

Is a document that spells out the rules, expectations and overall approach that an organization uses to maintain the confidentiality, integrity and availability of its data.

Question 3

Data Classification Policy

Answer 3

Measure to secure data; The need to have policies that establish and enforce granting and revoking access to assets and information according to their classification. Employees that handle sensitive data should only be used to perform specific tasks.

Question 4

Data Schema

Answer 4

Measure to secure data; It is used to separated customer data. It formulates constraints to be applied on the data, defines its entities and the relationships among them.

Question 5

Data Retention

Answer 5

Measure to secure data; Policies that align with laws and regulation concerning the storage of data. These policies should establish data retention schedules, backup storage and removal of data when no longer of use to business’s objectives.

Question 6

Data Deletion

Answer 6

Measure to secure data; The disposal of data when it is no longer needed, including the removal of recovery methods and any derivatives from the system.

Question 7

Data Inventories

Answer 7

Comprehensive record of an oragnization’s data assets, including where it’s stored, how it’s used, and what it is. Also known as a data map.

Question 8

Privacy Impact Assessments (PIAs)

Answer 8

Used to identify and reduce the privacy risks that might come from a new project, system, or technology. It’s like a checklist that helps an organization make sure that they are protecting people’s personal information properly. Looks at how personal data is handled during an organization’s data life cycle.

Question 9

Data Protection Impact Assessment (DPIA)

Answer 9

Tool that organizations use to find and reduce risks to people’s personal data when they are planning a new project or system. It’s like a safety check to make sure that any personal information, like names, addresses, or health records, is handled in a way that keeps it private and secure. This is a requirement under certain privacy regulations.

Question 10

Compliance

Answer 10

Refers to the adherence to laws, regulations, standards, and guidelines that govern how data is collected, stored, processed, and shared. Ensures an organization is following all relevant external and internal rules that apply to its operations.

Question 11

Privacy

Answer 11

Refers to the protection of an individual’s personal information and their right to contol how their data is collected, used, shared, and stordee. Ensures that data about individuals is handled in a way that respects their rights and maintains the confidentiality of sensitive information.

Question 12

Reasonable assurance

Answer 12

Implies that the requirements and objective are not absolute and are based on criteria that is practical to implement and manage.

Put another way, in data privacy refers to the concept of implementing sufficient and appropriate controls to protect data from unauthorized access, disclosure, or misuse, while recognizing that absolute security is not always possible. It reflects a balance between achieving security goals and considering practical constraints like cost, technology, and operational impacts.

Question 13

Internal Controls

Answer 13

Are policies, procedures and practices put in place to ensure that data is accurate, reliable and secure.

Question 14

Preventative

Answer 14

A type of internal control that stops an activity

Question 15

Detective

Answer 15

A type of internal control that identifies problematic activity.

Question 16

Overlapping Safeguards

Answer 16

Refers to the practice of implementing multiple layers of security and protective measures that overlap with one another to create a more robust defense against threats.

Question 17

ITIL

Answer 17

A IT Framework with the focus on delivering high-quality IT services to meet business needs. It focuses on:
* Service Mangement: Breaks IT services into stages
* Best Practices: Guidelinses and best practices to ensure effcient and effective service delivery
* Cusotmer Satisfaction: quality of services and the end user experience
* Change management: Service interruptions are resolved promptly and managed smoothly

Remember it focuses on IT service managment and is trying to improve the quality of service delivery. It is primarily used by IT managers and service desk personel.

Question 18

COBIT

Answer 18

An IT management framework that focuses on the following:
* Governance: Helps organization create and implement IT Governance that aligns with business goals.
* Risk Management: Risk assessment to protect businsess from IT risks
* Compliance: Compliance with internal policies, laws and regulation.
* Performance Meaurement: Metrics to measure IT performance.

Remember, its primary focus is IT governance and risk management and is primarily used by executives, IT auditors, and compliance officers.

Question 19

ISO/IEC 27001

Answer 19

Published by ISO and the IEC, it explains how to implement best-practice information security practices. In simple terms, it provides a structured way for organizations to protect their data and sensitive information, ensuring it remains safe from unauthorized access, breaches, or loss. The standard outlines the best practices for creating a secure environment, from assessing risks to implementing controls and continually improving security processes.

Question 20

Information Governance

Answer 20

The development of a decision and accountability framework that defines acceptable behavior in the creation, valuation, use, sharing, storage, archiving, and deletion of information. More specifically, it looks at the big picture of how information is managed throughout its entire life cycle—from the moment it’s created until it’s no longer needed. It focuses on policies, compliance, and risk management to ensure that information (like documents, emails, and records) is handled properly, stored securely, and disposed of when necessary. It includes data but also considers broader forms of information, including how it’s shared and protected to meet legal, ethical, and business standards.

Question 21

Enterprise Architecture

Answer 21

A blueprint for how a company’s technology, processes, and people work together. In simple terms, it’s a plan that helps a business align its IT systems (like software and hardware) with its overall goals and strategies.

Question 22

Client-Server Architecture

Answer 22

The client refers to a program that runs on a local computer, while the server is a program that runs on a remote computer. In this model, the data is stored on the client side to complete the transaction. The back-end services respond to the request and performs a task (transaction). Does not maintain shared data between the client and server. This model assumes the client data is secure and the storage and surveillance of data is clear to user.

Question 23

Service-oriented Architecture

Answer 23

This system is where the components on the network are arranged according to the services they offer. Compared to Client-Server, SOA is more scalable, flexible and reusable, making it more suitable for larger and more complex systems.

Question 24

Plug-in-Architecture

Answer 24

A design that allows extra features or functionalities to be added to a system without changing its core. Think of it like a smartphone: the phone has basic functions, but you can install apps (plug-ins) to add new features like games, social media, or productivity tools. These apps don’t change how the phone works at its core; they just add extra capabilities on top of it.

Question 25

Privacy Incident

Answer 25

An event that can affect the confidentiality, Integrity or availability of the data and involves personally identifiable information.

Question 26

Incident Response Plan

Answer 26

A set of instructions to help IT staff detect, respond to and recover from network security incidents. These types of plans address issues like cybercrime, data loss and service outages that threaten daily work.

Question 27

Discovery

Answer 27

Element 1 of Incident Response Plan: Actively monitoring system activity or suspicious changes to system activity is essential in detecting an incident that could lead to a breach (prevent an attack before it happens).

Question 28

Containment

Answer 28

Element 2 of Incident Response Plan: When an incident is occurring, this part should contain guidance on how to terminate the incident while preserving any evidence of the affected data and origin of the incident. Not only is it important to stop the threat before more damage is done, but documenting everything to assist with an investigation of the incident.

Question 29

Analyze and Notify

Answer 29

Element 3 of Incident Response Plan: Deals with preparation of notification of the incident. This means understanding notification laws and involvement of legal counsel regarding all legal matters (including notification-to law enforcement).

Question 30

Repercussions

Answer 30

Element 4 of Incident Response Plan: Considering the fallout of incidents (fines, lawsuits and nonmonetary repercussions, media coverage, etc.). Here, a privacy technologist would act as a subject matter expert to help diagnose the incident, mitigate the issue and provide information to the security analyst.

Question 31

Prevention

Answer 31

Element 5 of Incident Response Plan: Use any incidents as a learning tool to address holes in security and privacy procedures, review policies to identify weaknesses and train employees as needed.

Question 32

Third Parties

Answer 32

Element 6 of Incident Response Plan: PII data in the hands of a third party, still falls under the responsility of the organization in the event of a breach, including provisions that describe the expectations and obligations of the vendor should an incident occur.

Question 33

Systems Development Life Cycle (SLDC)

Answer 33

It is like building a house. It’s a step-by-step process to make sure everything is done correctly, from the initial idea to the finished product.

Planning: This is like deciding you want to build a house. You figure out what you need, set a budget, and decide on a timeline. In SDLC, this is where you define the project’s goals, what the system needs to do, and how much it will cost.

Analysis: Now, you work out the details—what kind of house you want, how many rooms, and what features it should have. In SDLC, this means understanding the requirements in detail and figuring out how the system should work.

Design: Here, you create blueprints for your house. You plan where everything will go, what materials you’ll need, and how it will all fit together. In SDLC, this step involves designing the system’s structure, user interface, and other technical aspects.

Development: This is the actual construction of the house—putting up walls, installing plumbing, and so on. In SDLC, this is when the coding happens, where developers build the system based on the design.

Testing: Once the house is built, you check everything to make sure it works properly—doors open, lights turn on, and plumbing doesn’t leak. In SDLC, testing ensures that the system works as expected, with no bugs or errors.

Deployment: Now the house is ready to move into! You hand over the keys and start living in it. In SDLC, this step is where the system is launched and made available to users.

Maintenance: Over time, you might need to fix things, like a leaky faucet or a broken window. In SDLC, maintenance involves updating the system, fixing issues, and making improvements as needed.

So, just like building a house, SDLC is about following a structured process to create a reliable and functional system.