Privacy Flashcards

1
Q

Organization for Economic Cooperation and Development (OECD)

A

Issued guidelines on the Protection of Privacy and Trans-border Flows of Personal Data, which have been classified as privacy principles

2
Q

OECD Privacy Guidelines/Principles

A

Notice - data subjects should be given notice when their data is being collected

Purpose - data should only be used for purpose stated and for no other purpose

Consent - data should not be disclosed without the data subject's consent

Security - collected data should be kept secure from any potential abuses

Disclosure - data subjects should be informed as to who is collecting their data

Access - data subjects should be allowed to access their data and make corrections to any inaccurate data

Accountability - data subjects should have a method available to them to hold data collectors accountable for not following the other principles

No Purple Car Sold, Do Act Alarmed

3
Q

General Data Protection Regulation (GDPR)?

Who must enact?

Who is penalized for violations and what penalties do they face?

A

Privacy regulation enacted by the EU to protect citizens from data breaches resulting in loss of privacy of PII

Includes 9 EU Privacy Principles - supersedes and strengthens the EU Data Protection Directives

All EU member states were required to enact it

Consequences for companies that control or process PII of EU citizens, including heavy fines for violations

4
Q

EU Privacy Principles

A
  1. Collection Limitation Principle
  2. Data Quality Principle
  3. Purpose Specification
  4. Use Limitation Principle
  5. Security Safeguard Principle
  6. Open Principle
  7. Individual Participation Principle
  8. Accountable Principle
  9. Right to be Forgotten or Erased

U COPS RAID

5
Q

EU Data Protection Directive 95/46/EC

A

EU directive enacted in 1995 concerning the protection of individuals with regard to the processing of personal data and the free movement of such data

In 2012 the Right to be Forgotten was added

6
Q

Penalties for GDPR

A

Can be fined at a rate of 2% of annual global profit or 10M Euro for an initial breach

A subsequent breach costs up to 4% of annual global profit or 20M Euro

Self-reporting is mandatory; violators usually incur the heaviest fines. Data breaches must be reported to the DPA (Data Protection Authority) within 72 hours of discovery

7
Q

Additional EU Privacy Subjects

A
  1. E-Privacy Directive - deals with regulation of information confidentiality, treatment of traffic data, spam, and use of cookies
  2. Safe Harbor Program - a program that required US companies processing EU citizens' PII to meet various standards developed by the US Dept of Commerce
  3. Model Contracts - EU-approved contracts which create a bond between multinational companies that process EU citizens' PII
  4. Privacy Shield - provides companies with a mechanism to comply with EU data protection requirements when transferring data from the EU to the US
  5. EU Data Retention Directive - a currently discontinued directive that required ISPs and phone providers to track connection information
8
Q

National Laws Compliant with EU GDPR

A
  1. All EU countries
  2. Argentina
  3. Canada - Personal Information Protection and Electronic Documents Act (PIPEDA)
  4. Israel
  5. Singapore
  6. Andorra
  7. Australia - Privacy Act 1988, Australian Privacy Principles 2014
  8. European Free Trade Association - Iceland, Liechtenstein, Norway, Switzerland
  9. Japan
  10. Uruguay
9
Q

Other Countries/Regions Data Privacy Regulations

A
  1. African Personal Data Protection Regulations
  2. Asia - Pacific Economic Cooperation (APEC)
  3. Australia and New Zealand Privacy Principles
10
Q

African Personal Data Protection Regulations

A

About two-thirds of African nations have adopted these regulations

Data protections include:

  1. Notice
  2. Choice and consent
  3. Data Security
  4. Data access and correction
  5. Data quality
  6. Data retention and destruction
  7. Registration with a Data Protection Authority (DPA)
  8. Cross border transfer
  9. Personal data breach notification
  10. Appointment of a Data Protection Officer (DPO)
11
Q

Asia - Pacific Economic Cooperation (APEC)

A

Ensures the free flow of information and the open conduct of business within the region, while protecting privacy

Not as stringent as the GDPR

Includes 9 privacy principles

12
Q

Australia and New Zealand Privacy Principles

A

Makes it difficult to move sensitive information to a CSP that stores the data outside Australia and New Zealand

Australian National Privacy provides guidelines on how to collect, store, secure, process, and disclose PII and PHI

Replaced by the Australian Privacy Principles, which focus on handling personal information with 13 principles

13
Q

Health Information Portability and Accountability Act - HIPAA

A

A national standard for electronic health care transactions and national identifiers for providers, health plans, and employers

Defines rules around handling and treatment of PHI

PHI can be stored in the cloud as long as it is stored in a manner compliant with HIPAA

14
Q

Gramm-Leach-Bliley Act (GLBA)

A

A law to control the ways financial organizations deal with individuals' private information

Requires financial organizations to give their customers written privacy notices that explain their information-sharing practices

3 sections:

  1. Financial Privacy Rule - regulates collection and disclosure of private information
  2. Safeguards Rule - requires financial institutions to implement security programs to protect individuals' private information
  3. Pretexting Provisions - prohibit accessing private information using false pretenses
15
Q

Family Education Rights and Privacy (FERPA)

A

Protects student data, including adult students

Once a person turns 18, parents can't get student data without the student's consent

16
Q

Sarbanes - Oxley Act (SOX)

A

Protects investors from fraudulent corporate accounting activities. Publicly traded companies can’t lie to their investors.

17
Q

Children's Online Privacy Protection Act (COPPA)

A

Imposes certain requirements on website operators or online services directed to children under 13 years old, or that have actual knowledge that they are collecting personal information from a child under 13 years old

18
Q

Clarifying Overseas Use of Data (CLOUD) Act

A

Gives US law enforcement officials broad powers to force US-based organizations to release data regardless of where the company stores it

Codifies the US right to access individuals' data, which conflicts with the GDPR

19
Q

Generally Accepted Privacy Principles (GAPP)

A

The AICPA has documented 74 privacy principles, detailed in the GAPP report

There are 10 main privacy principle groups:

1. Management
2. Notice
3. Choice and Consent
4. Collection
5. Use, Retention and Disposal
6. Access
7. Disclosure
8. Security for Privacy
9. Quality
10. Monitoring and Enforcement

20
Q

What are the CMM maturity levels and CMM level key phrases they align to?

A
  1. Initial - process unpredictable, poorly controlled, and poorly defined
  2. Managed - process characterized for projects and is often reactive
  3. Defined - process characterized for the organization and is proactive
  4. Quantitatively Managed - process is measured and controlled
  5. Optimized - focus on continuous process improvement

(IMDQO)

21
Q

Privacy Level Agreement

A

The Cloud Security Alliance (CSA) defines baselines for compliance with data protection legislation and leading practices in a standard format called PLA

By using a PLA, the CSP declares the level of personal data protection and security that it sustains for the relevant data processing

22
Q

Internal Audit

A

An organization's internal audit, performed by an internal team, acts as the 3rd line of defense after the business/IT functions and Risk Management by:

Independently verifying the cloud program's effectiveness
Providing assurance to the board and risk management team on the organization's cloud risk exposure

23
Q

External Audit

A

Performed by an external audit organization and may take the form of a SOC report or ISO 27001 certification

24
Q

Audit Planning Steps In Order

A
  1. Define audit objective
  2. Define audit scope
  3. Refine audit process from lessons learned
  4. Fieldwork
  5. Analysis
  6. Reporting

(2DR-FAR)

25
Q

Gap analysis

A

A tool designed to help you understand where you are and what you need to do to get to where you want to be

A function to begin benchmarking and identifying areas where requirements are not yet met against a framework or standard

26
Q

Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM)

A

Maps Frameworks to security/privacy controls

The Cloud Controls Matrix provides a mapping to the main industry-accepted security standards as well as regulatory and control frameworks, e.g. ISO 27001, COBIT 5, PCI DSS, PIPEDA, NERC/CIP, etc.

A registry of cloud security controls arranged in separate security domains

27
Q

Cloud Security Alliance (CSA) Security, Trust, Assurance Registry (STAR)

A

A publicly accessible registry that documents security and privacy controls provided by cloud computing offerings

Provides a way to evaluate CSPs

Maps Controls to Providers

28
Q

CSA STAR Level 1

A

A self-assessment done by the CSP

The CSP submits one of the following:

  1. Consensus Assessment Initiative Questionnaire (CAIQ) - documents the CSP's security controls
  2. Cloud Controls Matrix

If the CSP must conform with the GDPR, it must submit the following two documents:

  1. Code of Conduct (CoC) Statement of Adherence
  2. Self-assessment results from the PLA Code of Practice (CoP) Template

29
Q

CSA STAR Level 2

A

3rd-party-assessment-based certification (ISO) or attestation (SOC)

To get this level, organizations must submit one of the following:

  1. STAR Attestation - SOC 2 engagement
  2. STAR Certification - ISO 27001 certification
  3. C-STAR - GB/T (China's equivalent of ISO) - applicable only to China
  4. GDPR Code of Conduct Certification

30
Q

CSA STAR Level 3

A

Continuous Monitoring - cloud providers employ an automated process of reporting on monitoring on a monthly basis, covering everything from self-assessments to 3rd-party attestations and certifications

The highest, most comprehensive level of assurance a CSP can give to consumers

31
Q

NIST 800-34r4

A

A privacy framework for security and privacy controls for Federal Information Systems and Organizations

NIST 800: 69/2 = 34 remainder 4 all, let's call that 34r4

32
Q

North American Electronic Reliability Corporation/Critical Infrastructure Protection (NERC/CIP)

A

A regulatory authority whose mission is to ensure the reliability of the North American bulk power system; includes Canadian and American power grids

If you are a bulk power system owner, operator, or user, you must comply with NERC CIP standards, e.g., you are required to register with NERC

CSPs and CSBs are not subject to NERC/CIP, but the power companies they contract with are

33
Q

What are the Privacy Maturity Model (PMM) maturity levels and PMM level key phrases they align to?

A
  1. Ad Hoc - Poorly defined
  2. Repeatable - Reactive
  3. Defined - Proactive
  4. Managed - Measured and Controlled
  5. Optimized - Continuous Improvement

(ARDMO)

34
Q

US Privacy Laws

A
  1. Health Information Portability and Accountability Act - HIPAA
  2. Gramm-Leach-Bliley Act (GLBA)
  3. Family Education Rights and Privacy (FERPA)
  4. Sarbanes - Oxley Act (SOX)
  5. Children's Online Privacy Protection Act (COPPA)
  6. Clarifying Overseas Use of Data (CLOUD) Act