Overall Guide 1 Flashcards
List one requirement of the Fair Credit Reporting Act (FCRA) that employers must follow in order to conduct background checks on employees.
Notify applicants about the process.
Obtain written authorization from applicants.
If a background screen includes interviews with personal contacts of the applicant to learn more about attributes such as “character” or “mode of living,” then it would be considered an investigative report under the FCRA.
Provide certification to the furnisher of background reporting information that they are in full compliance with the FCRA and all other applicable federal and state laws, including laws prohibiting discrimination.
What is active data collection?
The consumer directly fills out forms.
What is GLBA?
The Financial Services Modernization Act of 1999 is more commonly known as the Gramm–Leach–Bliley Act (GLBA) after the names of the lead lawmakers who sponsored the legislation. The GLBA establishes broad federal regulations that include information privacy and security requirements for the financial services industry.
What categories of information are protected under the Genetic Information Nondiscrimination Act (GINA)?
GINA protects personal genetic information, including any information from genetic tests or services, including prenatal health services.
What is California SB-1 (2003)?
Known as the California Financial Information Privacy Act, SB-1 (2003) builds on the Gramm–Leach–Bliley Act (GLBA) by adding additional requirements for financial institutions that operate in California.
What is the transition management phase of the employment process?
Transition management refers to the process of voluntarily or involuntarily ending an employment relationship.
Which federal court has the least superiority and which one has the greatest superiority?
In order from lesser to greater superiority: U.S. District Courts, U.S. Circuit Courts of Appeals, U.S. Supreme Court
How does the Americans with Disabilities Act (ADA) restrict employers from collecting personal data?
To protect job seekers from discrimination based on disability, the ADA prohibits employers from collecting information about disability status for use in hiring decisions.
What is anonymization?
The process of taking personal information and making it impossible to identify the individual to whom the information relates.
What is the Telecommunications Act’s definition of a carrier?
Any business that charges a fee for providing telecommunications services to the public
What is eDiscovery?
Electronic Discovery, or eDiscovery, is the process of identifying, collecting, preserving, and producing electronic records for legal proceedings.
Give three examples of removable information required by the Safe Harbor deidentification method.
Names
Web URLs
Geographic divisions and ZIP codes containing fewer than 20,000 people
The month and day of a person’s birth, death, hospital admission or discharge, or the age in years of a person over 89
Telephone numbers
Vehicle identifiers, serial numbers, and license plate numbers
Fax numbers
Device identifiers and serial numbers
Email addresses
Social Security numbers
IP addresses
Medical record numbers
Biometric identifiers
Health plan numbers
Full-face photographs
Account numbers
Certificate/license numbers
When an organization makes an unfavorable decision about a person based on a consumer report, what must the FCRA-required notice to the person include?
Contact information for the consumer reporting agency (CRA) that provided the credit report
An explanation that the CRA only furnished the information and did not play a decision-making role
An explanation of consumer rights, including the right to access the credit report, credit score, and to dispute inaccurate information
List three reasons why we should care about privacy.
Privacy is an ethical obligation.
Laws and regulations require privacy protections.
Poor privacy practices reflect poorly on an organization.
List three of the 12 high-level requirements of PCI DSS.
Install & maintain a firewall.
Do not use vendor-supplied defaults.
Protect stored cardholder data.
Encrypt cardholder data on open networks.
Use antivirus software.
Develop and maintain secure systems & applications.
Restrict access to cardholder data by need-to-know.
Assign a unique ID to each person with computer access.
Restrict physical access to cardholder data.
Track & monitor all access to network resources & cardholder data.
Regularly test security systems and processes.
Maintain a policy that addresses information security.
What are the three key objectives of cybersecurity programs and what do they mean?
Confidentiality ensures that unauthorized individuals are not able to gain access to sensitive information.
Integrity ensures that there are no unauthorized modifications to information or systems, either intentionally or unintentionally.
Availability ensures that information and systems are ready to meet the needs of legitimate users at the time those users request them.
When is information not personal information?
First, if the information is not about a person, then it is not personal information. Second, information is not personal information if it does not provide a way to identify the person that the information is about.
What is COPPA?
COPPA is the federal Children’s Online Privacy Protection Act, which provides special privacy protections for children under the age of 13.
What are three primary privacy roles?
Data subjects, data controllers, data processors
What kind of information is considered PII?
Personally identifiable information (PII) includes any information that uniquely identifies an individual person, including customers, employees, and third parties.
What are the 10 GAPP principles?
- Management
- Notice
- Choice and Consent
- Collection
- Use, Retention, and Disposal
- Access
- Disclosure to Third Parties
- Security for Privacy
- Quality
- Monitoring and Enforcement
What is aggregation?
The process of summarizing data about a group of individuals in a manner that makes it impossible to draw conclusions about a single person.
Give three examples of key elements that are recommended by NIST in incident response policies.
Statement of management commitment
Purpose and objectives of the policy
Scope of the policy (to whom it applies and under what circumstances)
Definition of cybersecurity incidents and related terms
Organizational structure and definition of roles, responsibilities, and level of authority
Prioritization or severity rating scheme for incidents
Performance measures for the CSIRT
Reporting and contact forms
Give three examples of special categories of personal data listed by GDPR.
Racial or ethnic origin
Political opinions
Religious or philosophical beliefs
Trade union membership
Genetic data
Biometric data used for the purpose of uniquely identifying a natural person
Health data
Data concerning a natural person’s sex life or sexual orientation