Privacy Operational Lifecycle - Section III.C. - Sustain the Privacy Program Flashcards

1
Q

What are two primary motivations for organizations to implement a privacy training or awareness program?

A

(1) It may be required by law; or
(2) It can result in significant cost savings.

2
Q

What is the goal of privacy training and how, if at all, is it different from the goals of privacy awareness?

A

To correct bad practices and reinforce good practices through communication; both privacy training and privacy awareness programs share this same goal.

3
Q

What is environment monitoring?

A

The internal and external monitoring an organization undertakes to detect vulnerabilities and threats in its operating environment and protect against them.

4
Q

True or False: Environment monitoring refers only to monitoring access provided to outsiders.

A

False. Environment monitoring is not solely focused on outsiders; insiders should also be monitored to avoid intellectual property theft or other cybersecurity threats.

5
Q

What is an audit trail?

A

A chain of electronic activity or sequence of paperwork used to monitor, track, record, or validate an activity.

6
Q

What are two important pre-requisites to conducting an effective privacy audit?

A

(1) Organizational policies must be clear; and
(2) Evidence of compliance must be available in accordance with the accountability principle.

7
Q

How many categories of risk-level are set forth in the AI Act?

A

There are four levels of risk:
Minimal risk,
Limited risk,
High risk, and
Unacceptable risk.

8
Q

When is an organization most likely to conduct a first-party audit?

A

When self-certifying as part of a self-regulatory program.

9
Q

What is privacy training and how is it different from privacy awareness?

A

Training communicates the organization’s privacy message, policies and processes, including those for data usage and retention, access control, and incident reporting. Unlike awareness activities, training is a formal undertaking.

10
Q

What are the three primary types of privacy-related monitoring that organizations can undertake?

A

(1) Environment monitoring;
(2) Legal and regulatory monitoring; and
(3) Compliance monitoring.

11
Q

According to NIST SP 800-50, what are the three primary steps in building a training and awareness program?

A

(1) Designing the program;
(2) Developing the awareness and training material; and
(3) Implementing the program.

12
Q

What is the relationship of environment monitoring and legal/regulatory monitoring with compliance monitoring?

A

Environment monitoring and legal/regulatory monitoring can be thought of, at times, as components of a broader compliance monitoring program.

13
Q

What is an audit of a privacy program?

A

The ongoing process of evaluating the effectiveness of controls throughout the organization’s operations, systems, and processes.

14
Q

When is an organization most likely to conduct a third-party audit?

A

When requested by a supervisory authority or when confidence in the outcome is paramount.

15
Q

True or False: A privacy audit is intended only to identify risks associated with the use of personal information, not provide recommendations about how to limit risk.

A

False. An audit will identify risks associated with an organization’s use of personal information, along with recommendations that can limit those risks.

16
Q

In what ways can employee training and awareness act as a cost savings mechanism?

A

(1) It lowers the frequency with which privacy incidents occur; and
(2) It lowers the cost of responding to a privacy incident if one does occur.

17
Q

When is an organization most likely to conduct a second-party audit?

A

When necessary to ensure compliance by a third-party vendor, or as required by contract or applicable law (such as the GDPR).

18
Q

What are the five steps in the audit life cycle?

A

(1) Planning;
(2) Preparation;
(3) Conducting the audit;
(4) Reporting; and
(5) Follow up.

19
Q

What are four common approaches toward compliance monitoring?

A

(1) Self-monitoring;
(2) Audit management;
(3) Security/system management; and
(4) Risk management.

20
Q

What are the top three privacy risks posed by the use of artificial intelligence?

A

(1) Harmful bias;
(2) Bad governance; and
(3) A lack of legal clarity.

21
Q

What is legal and regulatory monitoring?

A

The monitoring of applicable laws and regulations that an organization is subject to in order to track changes that occur.

23
Q

True or False: A privacy audit is always conducted on a privacy program as a whole, not its individual parts.

A

False. Many aspects of a privacy program may be subject to a privacy audit, in addition to the program as a whole.

24
Q

What is a common alternative to a full audit that organizations use in order to self-assess a privacy program?

A

Requiring departments throughout an organization to attest to their compliance with an organization’s privacy program.

25
Q

What separates a privacy audit from a privacy assessment?

A

A privacy audit is evidence-based and looks to metrics and other measurements, while most privacy assessments rely on more anecdotal or subjective information.

26
Q

What is the goal of conducting a privacy audit?

A

To measure an organization’s data protection practices against legal and regulatory obligations, industry best practices, and compliance with an organization’s own privacy policies.