Non-technical Data and Privacy Controls

Question 1

The process of managing information over its life cycle from creation to
destruction

Answer 1

Data Governance

Question 2

The process of applying confidentiality and privacy labels to information

Answer 2

Data Classification

Question 3

No restrictions on viewing the data and it presents no risk to
the organization is disclosed to the public at large

Answer 3

Unclassified

Question 4

Viewing is restricted to authorized persons within the owner
organization or to third parties under a non-disclosure
agreement

Answer 4

Classified

Question 5

Highly sensitive data that is for viewing only by approved
persons within the organization (and possibly by trusted third
parties under NDA)

Answer 5

Confidential

Question 6

Information that is valuable and must be protected by severely
restricting its viewing

Answer 6

Secret

Question 7

Information that would cause grave danger if inadvertently
disclosed

Answer 7

Top Secret

Question 8

The downgrading of a classification label overtime due to the information no
longer requiring the additional security protections provided by that classification

Answer 8

Declassification

Question 9

A tag or label to identify a piece of data under a subcategory of a classification

Answer 9

Data Type

Question 10

The organization of information into preset structures or specifications

Answer 10

Data Format

Question 11

The location of data within a processing system
▪ Data at rest
▪ Data in motion
▪ Data in use

Answer 11

Data State

Question 12

Any type of information or asset should consider how a compromise of that information can threaten the three core security attributes of the CIA triad

Answer 12

Legal Requirements

Question 13

Security controls focus on the CIA attributes of the processing system

Answer 13

Privacy versus Security

Question 14

A data governance requirement that arises when collecting and processing
personal data to ensure the rights of the subject’s data

Answer 14

Privacy

Question 15

Personal data cannot be collected, processed, or retained without the individual’s
informed consent

Answer 15

General Data Protection Regulation (GDPR)

Question 16

Sets forth the requirements for the storage and retention of documents relating
to an organization’s financial and business operations, including the type of
documents to be stored and their retention periods

Answer 16

Sarbanes-Oxley Act (SOX)

Question 17

Sets forth the requirements that help protect the privacy of an individual’s
financial information that is held by financial institutions and others

Answer 17

Gramm-Leach-Bliley Act (GLBA)

Question 18

Sets forth the requirements for federal organizations to adopt information
assurance controls

Answer 18

Federal Information Security Management Act (FISMA)

Question 19

Sets forth the requirements that help protect the privacy of an individual’s health
information that is held by healthcare providers, hospitals, and insurance
companies

Answer 19

Health Insurance Portability and Accountability Act (HIPAA)

Question 20

Provides guidance on a variety of governance-related topics including fraud,
controls, finance, and ethics and relies on COSO’s ERM-integrated framework

Answer 20

Committee of Sponsoring Organizations of the Treadway Commission (COSO)

Question 21

The principle that personal information can be collected and processed only for a
stated purpose to which the subject has consented

Answer 21

Purpose Limitation

Question 22

The principle that only necessary and sufficient personal information can be
collected and processed for the stated purpose

Answer 22

Data Minimization

Question 23

The principle that countries and states may impose individual requirements on
data collected or stored within their jurisdiction

Answer 23

Data Sovereignty

Question 24

A set of policies, procedures, and tools for managing the storage of persistent
data

Answer 24

Retention

Question 25

The process an organization uses to maintain the existence of and control over certain data in order to comply with business policies and/or applicable laws and regulations

Answer 25

Data Retention

Question 26

Refers to information that is kept for a specific purpose outside of an organization’s data retention policy

Answer 26

Data Preservation

Question 27

The process of identifying the person responsible for the confidentiality, integrity, availability, and privacy of information assets

Answer 27

Data Ownership

Question 28

A senior (executive) role with ultimate responsibility for maintaining the confidentiality, integrity, and availability of the information asset

Answer 28

Data Owner

Question 29

A role focused on the quality of the data and associated metadata

Answer 29

Data Steward

Question 30

A role responsible for handling the management of the system on which the data assets are stored

Answer 30

Data Custodian

Question 31

A role responsible for the oversight of any PII/SPI/PHI assets managed by the company

Answer 31

Privacy Officer

Question 32

You can outsource a service or activity, but not the legal responsibility for it

Answer 32

Data Sharing

Question 33

A contractual agreement setting out the detailed terms under which a service is provided

Answer 33

Service Level Agreement (SLA)

Question 34

An agreement used by federal agencies to set out a security risk awareness process and commit the agency and supplier to implementing security controls

Question 35

A contract that sets forth the legal basis for protecting information assets between two parties

Answer 35

Non-Disclosure Agreement (NDA)

Question 36

An agreement that sets forth the terms under which personal data can be shared or used

Answer 36

Data Sharing and Use Agreement