Privacy

Question 1

Organization for Economic Cooperation and Development (OECD)

Answer 1

Issued guidelines on the Protection of Privacy and Trans-border Flows of personal data which have been classified privacy principles

Question 2

OECD Privacy Guidelines/Principles

Answer 2

Notice - data subjects should be given notice when their data is being collected

Purpose - data should only be used for purpose stated and for no other purpose

Consent - data should not be disclosed without the data subjects consent

Security - collected data should be kept secure from any potential abuses

Disclosure - data subjects should be informed as to who is collecting their data

Access - data subjects should be allowed to access their data and make corrections to any inaccurate data

Accountability - data subjects should have a method available to them to hold data collectors accountable for not following the other principles

No Purple Car Sold, Do Act Alarmed

Question 3

General Data Protection Regulation (GDPR)?

Who must enact?

Who is penalized for violations and what penalties do they face?

Answer 3

Privacy regs enacted by the EU to protect citizens from data breaches resulting in loss of privacy of PII

Includes 9 EU Privacy Principles - Supersedes and strengthens EU Data Protection Directives

All EU members states were required to enact

Consequences for companies that control or process PII for EU citizens including heavy fines for violation

Question 4

EU Privacy Principles

Answer 4

1. Collection Limitation Principle
2. Data Quality Principle
3. Purpose Specification
4. Use Limitation Principle
5. Security Safeguard Principle
6. Open Principle
7. Individual Participation Principle
8. Accountable Principle
9. Right to be Forgotten or Erased

U COPS RAID

Question 5

EU Data Protection Directive 95/46/EC

Answer 5

in 1995 EU directive enacted concerning protection for individuals WRT processing personal data and the free movement of such data

2012 The Right to be Forgotten was added

Question 6

Penalties for GDPR

Answer 6

Can be fined a rate of 2% annual global profit or 10M Euro for initial breach

Subsequent breach cost up to 4% annual global profit or 20M Euro

Self reporting is mandatory, violators usually incur heaviest fines - data breaches must be reported to the DPA (Data Protection Authority) within 72 hours of discovery

Question 7

Additional EU Privacy Subjects

Answer 7

1. E-Privacy Directive - deals with regulation of information confidentiality, treatment of traffic data, spam, and use of cookies
2. Safe Harbor Program - a program that required US companies processing EU citizens PII to meet various standards developed by US Dept of Commerce
3. Model Contracts - EU approved contracts which create a bond between multinational companies that process EU citizen PII
4. Privacy Shield - provides companies with a mechanism to comply with EU data protection requirements when transferring data from the EU to the US
5. EU Data Retention Directive - a currently discontinued directive that required ISPs and phone providers to track connection information.

Question 8

National Laws Compliant with EU GDPR

Answer 8

1. All EU countries
2. Argentina
3. Canada - Personal Information Protection and Electronic Documents Act (PIPEDA)
4. Israel
5. Singapore
6. Andorra
7. Australia - Privacy Act 1988, Australian Privacy Principles 2014
8. European Free Trade Association - Iceland, Lichtenstein, Norway, Switzerland
9. Japan
10. Uruguay

Question 9

Other Countries/Regions Data Privacy Regulations

Answer 9

1. African Personal Data Protection Regulations
2. Asia - Pacific Economic Cooperation (APEC)
3. Australia and New Zealand Privacy Principles

Question 10

African Personal Data Protection Regulations

Answer 10

About 2/3rds of African Nations have adopted these regulations

Data protections include:

1. Notice
2. Choice and consent
3. Data Security
4. Data access and correction
5. Data quality
6. Data retention and destruction
7. Registration with a Data Protection Authority (DPA)
8. Cross border transfer
9. Personal data breach notification
10. Appointment of a Data Protection Officer (DPO)

Question 11

Asia - Pacific Economic Cooperation (APEC)

Answer 11

ensure the free flow of information and open conduct of business within the region, while protecting privacy

not as stringent as the GDPR

includes 9 privacy principles

Question 12

Australia and New Zealand Privacy Principles

Answer 12

Makes it difficult to move sensitive information to a CSP that stores the data outside Australia and New Zealand

Australian National Privacy provides guidelines on how to collect, store, secure, process and disclose PII and PHI

Replaced by Australian Privacy Principles focuses on handling personal information with 13 principles

Question 13

Health Information Portability and Accountability Act - HIPAA

Answer 13

A national standard for electronic Heath care transactions and national identifiers for providers, health plans, and employers

Defines rules around handling and treatment of PHI

PHI can be stored in the cloud as long as it is stored in a manner compliant with HIPAA

Question 14

Gramm-Leach Bliley Act (GLBA)

Answer 14

a law to control the ways financial organizations deal with individual private information

requires financial organizations to give their customers written privacy notices that explain their information sharing practices

3 sections

1. Financial Privacy Rules - regulates collection and disclosure of private information
2. Safeguards Rule - requires financial institutions to implement security programs to protect individuals private information
3. Pretexting Provisions - prohibits accessing private information using false pretenses

Question 15

Family Education Rights and Privacy (FERPA)

Answer 15

Protects student data, including adult students

Once a person turns 18 parents can’t get student data without consent from the student

Question 16

Sarbanes - Oxley Act (SOX)

Answer 16

Protects investors from fraudulent corporate accounting activities. Publicly traded companies can’t lie to their investors.

Question 17

Children Online Privacy Protection Act (COPPA)

Answer 17

imposed certain requirements on web operators or online services directed to children under 13 years old or that have actual knowledge that they are collecting personal information from a child under 13 years old

Question 18

Clarifying Overseas Use of Data (CLOUD) Act

Answer 18

gives broad powers to US law enforcement officials to force US based organizations to release data regardless of where the company stores data

codifies the US right to access individuals data which conflicts with the GDPR

Question 19

Generally Accepted Privacy Principles (GAPP)

Answer 19

AICPA have documented 74 privacy principles, detailed in the GAPP report

There are 10 main privacy principles groups:

1. Management
2 Notice
3. Choice and consent
4. Collection
5. Use, Retention and Disposal
6. Access
7. Disclosure
8. Security for Privacy
9. Quality
10. Monitor and Enforcement

Question 20

What are the CMM maturity levels and CMM level key phrases they align to?

Answer 20

1. Initial - Process Unpredictable, Poorly controlled, and Poorly defined
2. Managed - Process characterized for projects and is often Reactive
3. Defined - Process characterized for the organization and is proactive
4. Quantitatively Managed - Process is Measured and Controlled
5. Optimized - Focus on Continuous Process Improvement

(IMDQO)

Question 21

Privacy Level Agreement

Answer 21

The Cloud Security Alliance (CSA) defines baselines for compliance with data protection legislation and leading practices in a standard format called PLA

By use of PLA, the CSP declares the level of personal data protection and security that it sustains for relevant data processing

Question 22

Internal Audit

Answer 22

An orgs internal audit, performed by an internal team acts as a 3rd line of defense after the business/IT functions and Risk Management by:

Independently verifies the cloud programs effectiveness
Providing assurance to the board and risk management team on the organizations cloud risk exposure

Question 23

External Audit

Answer 23

Performed by an external audit organization and may take the form of SOC report or ISO 27001 certification

Question 24

Audit Planning Steps In Order

Answer 24

1. Define audit objective
2. Define audit scope
3. Refine audit process from lessons learned
4. Fieldwork
5. Analysis
6. Reporting

(2DR-FAR)

Question 25

Gap analysis

Answer 25

is a tool designed to help you understand where you are and what you need to do to get to where you want to be

A function to begin benchmarking and identifying areas where requirements are not yet met against framework or standard.

Question 26

Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM)

Answer 26

Maps Frameworks to security/privacy controls

The cloud controls matrix provides a mapping with the main industry accepted security standards as well as regulatory, and control frameworks e.g. ISO 27001, COBIT5, PCI DSS, PIPEDA, NERC/CIP, etc.

A registry of cloud security controls arranged in separate security domains

Question 27

Cloud Security Alliance (CSA) Security, Trust, Assurance Registry (STAR)

Answer 27

A publicly accessible registry that documents security and privacy controls provided by cloud computing offerings

Provides a way to evaluate CSPs

Maps Controls to Providers

Question 28

CSA STAR Level 1

Answer 28

A self assessment done by CSP

The CSP submits one of the following:

1. Consensus Assessment Initiative Questionnaire (CAIQ) - documents the CSP security controls
2. Cloud Control Matrix

If the CSP must conform with GDPR they must submit the following two documents

1. Code of Conduct (CoC) Statement of Adherence
2. Self assessment results from PLA Code of Practice (CoP) Template

Question 29

CSA STAR Level 2

Answer 29

3rd Party Assessment based certification (ISO) or attestation (SOC)

To get this level organizations must submit one of the following:

1. STAR Attestation - SOC 2 engagement
2. STAR Certification - ISO 27001 certification
3. C-STAR - GB/T (China’s equivalent of ISO)- Applicable only to China
4. GDPR Code of Conduct Certification

Question 30

CSA STAR Level 3

Answer 30

Continuous Monitoring - cloud providers employ automated process of reporting on monitoring on a monthly basis, from self assessments to 3rd party attestations and certifications

highest comprehensive level of assurance a CSP can give to consumers

Question 31

NIST 800-34r4

Answer 31

A privacy framework for security and privacy controls for Federal Information Systems and Organizations

NIST 800 69/2=34 remainder 4 all, lets call that 34r4

Question 32

North American Electronic Reliability Corporation/Critical Infrastructure Protection (NERC/CIP)

Answer 32

A regulatory authority whose mission is to ensure the reliability of the North American bulk power system; includes Canadian and American power grids

If you are a bulk power system owner, operator, or user you must comply with NERC CIP standards: e.g. Required to register with NERC

CSPs and CSBs are not subject to NERC/CIP but power companies they contract with are

Question 33

What are the Privacy Maturity Model (PMM) maturity levels and PMM level key phrases they align to?

Answer 33

1. Ad Hoc - Poorly defined
2. Repeatable - Reactive
3. Defined - Proactive
4. Managed - Measured and Controlled
5. Optimized - Continuous Improvement

(ARDMO)

Question 34

US Privacy Laws

Answer 34

1. Health Information Portability and Accountability Act - HIPAA
2. Gramm-Leach Bliley Act (GLBA)
3. Family Education Rights and Privacy (FERPA)
4. Sarbanes - Oxley Act (SOX)
5. Children Online Privacy Protection Act (COPPA)
6. Clarifying Overseas Use of Data (CLOUD) Act