Non-technical Data and Privacy Controls Flashcards

1
Q

The process of managing information over its life cycle from creation to
destruction

A

Data Governance

2
Q

The process of applying confidentiality and privacy labels to information

A

Data Classification

3
Q

No restrictions on viewing the data, and it presents no risk to
the organization if disclosed to the public at large

A

Unclassified

4
Q

Viewing is restricted to authorized persons within the owner
organization or to third parties under a non-disclosure
agreement

A

Classified

5
Q

Highly sensitive data that is for viewing only by approved
persons within the organization (and possibly by trusted third
parties under NDA)

A

Confidential

6
Q

Information that is valuable and must be protected by severely
restricting its viewing

A

Secret

7
Q

Information that would cause grave danger if inadvertently
disclosed

A

Top Secret

8
Q

The downgrading of a classification label over time because the information no
longer requires the additional security protections provided by that classification

A

Declassification

9
Q

A tag or label to identify a piece of data under a subcategory of a classification

A

Data Type

10
Q

The organization of information into preset structures or specifications

A

Data Format

11
Q

The location of data within a processing system
▪ Data at rest
▪ Data in motion
▪ Data in use

A

Data State

12
Q

For any type of information or asset, consider how a compromise of that information could threaten the three core security attributes of the CIA triad

A

Legal Requirements

13
Q

Security controls focus on the CIA attributes of the processing system

A

Privacy versus Security

14
Q

A data governance requirement that arises when collecting and processing
personal data, to ensure the rights of the data subject

A

Privacy

15
Q

Personal data cannot be collected, processed, or retained without the individual’s
informed consent

A

General Data Protection Regulation (GDPR)

16
Q

Sets forth the requirements for the storage and retention of documents relating
to an organization’s financial and business operations, including the type of
documents to be stored and their retention periods

A

Sarbanes-Oxley Act (SOX)

17
Q

Sets forth the requirements that help protect the privacy of an individual’s
financial information that is held by financial institutions and others

A

Gramm-Leach-Bliley Act (GLBA)

18
Q

Sets forth the requirements for federal organizations to adopt information
assurance controls

A

Federal Information Security Management Act (FISMA)

19
Q

Sets forth the requirements that help protect the privacy of an individual’s health
information that is held by healthcare providers, hospitals, and insurance
companies

A

Health Insurance Portability and Accountability Act (HIPAA)

20
Q

Provides guidance on a variety of governance-related topics including fraud,
controls, finance, and ethics and relies on COSO’s ERM-integrated framework

A

Committee of Sponsoring Organizations of the Treadway Commission (COSO)

21
Q

The principle that personal information can be collected and processed only for a
stated purpose to which the subject has consented

A

Purpose Limitation

22
Q

The principle that only necessary and sufficient personal information can be
collected and processed for the stated purpose

A

Data Minimization

23
Q

The principle that countries and states may impose individual requirements on
data collected or stored within their jurisdiction

A

Data Sovereignty

24
Q

A set of policies, procedures, and tools for managing the storage of persistent
data

A

Retention

25
Q

The process an organization uses to maintain the existence of and control over
certain data in order to comply with business policies and/or applicable laws and
regulations

A

Data Retention

26
Q

Refers to information that is kept for a specific purpose outside of an
organization’s data retention policy

A

Data Preservation

27
Q

The process of identifying the person responsible for the confidentiality, integrity,
availability, and privacy of information assets

A

Data Ownership

28
Q

A senior (executive) role with ultimate responsibility for maintaining the
confidentiality, integrity, and availability of the information asset

A

Data Owner

29
Q

A role focused on the quality of the data and associated metadata

A

Data Steward

30
Q

A role responsible for handling the management of the system on which the data
assets are stored

A

Data Custodian

31
Q

A role responsible for the oversight of any PII/SPI/PHI assets managed by the
company

A

Privacy Officer

32
Q

You can outsource a service or activity, but not the legal responsibility for it

A

Data Sharing

33
Q

A contractual agreement setting out the detailed terms under which a service is
provided

A

Service Level Agreement (SLA)

34
Q

An agreement used by federal agencies to set out a security risk awareness
process and commit the agency and supplier to implementing security controls

A
35
Q

A contract that sets forth the legal basis for protecting information assets
between two parties

A

Non-Disclosure Agreement (NDA)

36
Q

An agreement that sets forth the terms under which personal data can be shared
or used

A

Data Sharing and Use Agreement