Module 2: The role of the technology professional in privacy Flashcards
Privacy policies
Inform employees about privacy, security, data management, and loss prevention
Must be documented, accessible, current, endorsed, and enforced
Security Policies
Data classification policies, data schema, data retention, data deletion
Data Inventories
Assets: Information, Physical, Intellectual
Classifications: Confidential, Internal use, Public
Contracts and agreements
Expectations, Obligations, Audits, Compliance
Privacy technologists:
Risk analysis, Data separation, Data schemas, Require term acceptance
Privacy Impact Assessments
Ensure compliance, assess privacy risk, recommend methods for risk mitigation
Transactions for confidential data
Client-server architecture
Service-oriented architecture
Plug-in-based architecture
Breach Incident Response:
Discovery
Active monitoring of system activity or suspicious changes, detect tampering
Users can report suspicious activity
Breach Incident Response:
Containment
Terminate the ongoing incident and preserve evidence
Ensure containment
Do not wipe system logs
Remove affected systems
Fully document your investigation
Have a contingency plan
Breach Incident Response:
Analyze and notify
Know data breach notification obligations
Consult legal counsel to advise the response team
Notify individuals and/or public
Breach Incident Response:
Repercussions
Media coverage results in a decrease in business and a loss of consumer trust
Security analyst must report to senior management
Technology professional must diagnose the incident, mitigate the issue, and provide information
Breach Incident Response:
Prevention
Learning tool: address holes in procedures, review privacy policies to identify weaknesses, train employees
Breach Incident Response:
Third parties
Set responsibility of org and expectations/obligations of the vendor regarding personal information
Security and privacy in the SDLC
Securely provision, operate and maintain, protect and defend, investigate
Privacy responsibilities
Risk forecasting, Process support, Privacy support, Compliance, Risk mitigation, Maintenance