Brainscape's Knowledge GenomeTM

Browse over 1 million classes created by top students, professors, publishers, and experts.


See full index

CISSP Certification > Module #6: Information Management from a US Perspective > Flashcards

Module #6: Information Management from a US Perspective Flashcards

1
Q

information management programs

A

developing programs to protect personal information is a critical step in adhering to laws and regulations on privacy and security

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

privacy professionals

A

Assigning one or more privacy professionals to oversee the privacy and security programs helps to ensure compliance, provide training and assess risk when handling personal information.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

vendor relationships

A

Information

management expands into both contract and vendor relationships to protect info from being compromised

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

incident response

A

development

of an incident response program in the event that information is compromised.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

Individual Roles of the privacy professional

A

includes:

  • legal
  • marketing
  • sales
  • human resource
  • public and government relations
  • information technology
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

Privacy Professional is made up of:

A

– Researching laws, guidelines, common practices and tools; monitoring current events and changing guidelines to provide guidance to the organization

– Educating the organization about privacy laws, organizational policies, risks and recommended practices

–Designing and recommending policies and procedures for the organization

    - Monitoring and managing organizational risk as it is impacted by privacy issues and policies
    - Monitoring internal and external threats to privacy
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

4 types of risk using privacy info

A
  • legal risks
  • reputational risks
  • operational risks
  • investment risks
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

legal risks

A

– Not complying with privacy laws (state, federal and international)

– Not fulfilling contractual commitments

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

Reputational risks

A

– Damaging trust in the brand: Organizations can face both legal enforcement and reputational harm if they do not adhere to their stated privacy policies

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

Operational risks

A

– Affecting efficiency

– Inhibiting use of personal information that benefits the organization and customers

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

Investment risks

A

– Hampering the ability of the organization to receive an appropriate return on its investments in information, IT and information processing programs

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

Accountability consideration questions

A
  • Where, how and for what length of time should the data be stored?
  • How sensitive is the information?
  • Should the information be encrypted?
  • Will the information be transferred to or from other countries, and if so, how will it be transferred?
  • What are each country’s privacy laws?
  • Who determines the rules that apply to the information?
  • How will the information be processed, and how will these processes be maintained?
  • Is the use of PI dependent upon other systems?
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

What are the 4 steps of developing an information management program?

A

1) Discover
2) Build
3) Communicate
4) Evolve

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

What should you consider during the Discover process (1st step of developing an information management program)

Consider?

A
  • Accountability
  • Company policy goals
  • PI data inventory
  • Data locations
  • Data sharing
  • Data transfers
  • Data flows
  • Data classification
  • Data risk
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

What tasks are included during the Discover process (1st step of developing an information management program)

Tasks?

A

Tasks include:
• Self-assessing and identifying privacy risk
• Classifying PI according to sensitivity
• Developing and documenting best practices

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

Build task

Definition?

(2nd step of developing an information management program)

A

Once an assessment of practices and goals is complete, determine how best to meet those goals by building a privacy program that both facilitates and restricts the flow
of personal information (as appropriate).

17
Q

Build task

What does this include?

(2nd step of developing an information management program)

A

– Internal privacy policies
o Enforceable legal documents (contracts)
o Policy reviews and monitor

– External privacy notices
o Common practices, sometimes required by law
o Promises to consumers
o Notice should accurately reflect policy and practices
o Version control
o Accessible online

18
Q

Communicate task

3rd step of developing an information management program

A

Even a well-constructed privacy program will not be successful if those involved in handling PI are not fully trained.

Communication is key, as well as:
o Documenting and updating policies and procedures
o Communicating policies, procedures & goals to decision-makers and consumer-facing employees
o Training and awareness programs for staff and management
o Individual accountability for compliance

19
Q

Evolve task

4th step of developing an information management program

A

Information management practices evolve in response to changing technologies, laws, market conditions and other factors.

Once an information management program is established, there must be a process for review and update.

Failure to do so can result in a company falling out of compliance with its public privacy promises or
failing to meet other organizational goals.

20
Q

Key actions of the Evolve tasks?

4th step of developing an information management program

A

Key actions include:

– Affirmation and monitoring
o Do policies and practices still comply with law, conform with company needs and support incident response programs?

– Adaptation
o What changes are necessary to comply with new laws, current company goals and industry practices?

21
Q

Training

A

–Should be provided regularly especially to those working with sensitive data and keep records

–training may provide a script to customer service representatives to help them provide or direct customers to the org’s outward-facing privacy notice

–clarify when issues and incidents should be escalated

– Everyone who handles personal
information, including those who make decisions regarding it, such as leadership, should be trained in privacy

–Training should be tailored to individual roles and responsibilities

22
Q

User preferences

A

-keep in mind consumer preferences and rights regarding data access and correction

–opt-in and opt-out:
&raquo_space;users should have the choice to opt-in before data is used or collected and opt-out of info being sold or shared with 3rd parties

–no option:
»the customers should expect their info to be shared with 3rd parties or used in other ways, as thru 3rd party shipping, fraud prevention or 1st party marketing

–when org’s have multiple business units, preference management can be challenging but essential

–Access and correction:
»users should have access to personal info held about them as well as the ability to challenge the accuracy of the data

23
Q

Incident Response programs

> > 6 steps are?

A

1) Preparation
2) Identification
3) Containment
4) Eradication
5) Recovery
6) Lessons learned

24
Q

Incident Response programs

step #1: Preparation

A

Preparing users and IT staff to handle potential incidents

25
Q

Incident Response programs

step #2: Identification

A

Determining whether an event is, indeed, a security incident

26
Q

Incident Response programs

step #3: Containment

A

Limiting the damage of the incident and isolating affected systems to prevent further damage

27
Q

Incident Response programs

step #4: Eradication

A

Finding the root cause of the incident and removing affected systems from the production environment

28
Q

Incident Response programs

step #5: Recovery

A

Permitting affected systems back into the production environment and ensuring no threat remains

29
Q

Incident Response programs

step #6: Lessons learned

A

Completing incident documentation and performing analysis to learn from the incident and potentially improve future response efforts

30
Q

What should current incident response programs need to address

A

cyberthreats (such as ransomware or cyberbullying)

31
Q

Vendor Due Diligence Checklist

A
    • Vendor reputation
    • Prior security incidents
    • Financial Condition
    • Information Security controls
    • Point of transfer
    • Disposal of information
    • Employee training and user awareness
    • Vendor incident response
    • Privacy impact assessments
32
Q

Data classification

A

The classification level assigned to data defines the clearance of individuals who can access or handle that data, as well as the baseline level of protection that is appropriate for that data.

– An organization’s inventory of personal information being processed should include PI that is collected, used, stored or disclosed, whether internally or externally

– The inventory can then be classified based on the sensitivity level of the data; levels may include confidential, proprietary, sensitive, restricted and public data

– Once data has been classified, segregate highly sensitive data from less sensitive data, such as through use of access controls

33
Q

What types of risk should an organization consider when designing and administering a
privacy program? Select all that apply.

A) Legal
B) Reputational
C) Operational
D) Investment
E) Resources
A

A, B, C, D (all but resources)

Legal, reputational, operational, investment.

34
Q

What are the four steps involved in the development of a privacy program?

A) Discover, build, communicate, evolve
B) Research, design, build, audit
C) Brainstorm, propose, implement, follow-through
D) Test, learn, revise, monitor

A

A

Discover, build, communicate, evolve.

35
Q

Who may need privacy training? Select all that apply.

A) Customer service representatives
B) Leaders at the executive level
C) Marketing managers
D) Sales executives
E) IT staff
A

All of the above

  • -Customer service representatives
  • -leaders at the executive level
  • -marketing managers
  • -sales executives
  • -IT staff
36
Q

Which step in the process for developing an incident response program involves permitting
affected systems back into the production environment and ensuring no threat remains?

A) Containment
B) Eradication
C) Recovery
D) Lessons learned

A

C) Recovery

37
Q

Which is not a reason for assigning classification levels to personal data?

A)_Defining the clearance of individuals who can access or handle the data
B)_Determining the data’s sensitivity based on the level of pseudonymization
C)_Identifying the baseline of protection that is appropriate for the data
D)_Using the classification levels to segregate highly sensitive data from less sensitive
data

A

B)

Determining the data’s sensitivity based on the level of pseudonymization

CISSP Certification (14 decks)

Brainscape helps you reach your goals faster, through stronger study habits.
© 2025 Bold Learning Solutions. Terms and Conditions