Privacy Operational Lifecycle - Section III.C. - Sustain the Privacy Program Flashcards
What are two primary motivations for organizations to implement a privacy training or awareness program?
(1) It may be required by law; or
(2) It can result in significant cost savings.
What is the goal of privacy training and how, if at all, is it different from the goals of privacy awareness?
To correct bad practices and reinforce good practices through communication; both privacy training and privacy awareness programs share this same goal.
What is environment monitoring?
The internal and external monitoring an organization undertakes to protect against vulnerabilities.
True or False: Environment monitoring refers only to monitoring access provided to outsiders.
False. Environment monitoring is not solely focused on outsiders; insiders should also be monitored to avoid intellectual property theft or other cybersecurity threats.
What is an audit trail?
A chain of electronic activity or sequence of paperwork used to monitor, track, record, or validate an activity.
What are two important prerequisites to conducting an effective privacy audit?
(1) Organizational policies must be clear; and
(2) Evidence of compliance must be available in accordance with the accountability principle.
How many risk-level categories are set forth in the AI Act?
There are four levels of risk:
(1) Minimal risk;
(2) Limited risk;
(3) High risk; and
(4) Unacceptable risk.
When is an organization most likely to conduct a first-party audit?
When self-certifying as part of a self-regulatory program.
What is privacy training and how is it different from privacy awareness?
Training communicates the organization’s privacy message, policies and processes, including those for data usage and retention, access control, and incident reporting. It is a formal undertaking.
What are the three primary types of privacy-related monitoring that organizations can undertake?
(1) Environment monitoring;
(2) Legal and regulatory monitoring; and
(3) Compliance monitoring.
According to NIST SP 800-50, what are the three primary steps in building a training and awareness program?
(1) Designing the program;
(2) Developing the awareness and training material; and
(3) Implementing the program.
What is the relationship between environment monitoring, legal/regulatory monitoring, and compliance monitoring?
Environment monitoring and regulatory monitoring can be thought of, at times, as part of a more comprehensive compliance monitoring program.
What is an audit of a privacy program?
The ongoing process of evaluating the effectiveness of controls throughout the organization’s operations, systems, and processes.
When is an organization most likely to conduct a third-party audit?
When requested by a supervisory authority or when confidence in the outcome is paramount.
True or False: A privacy audit is intended only to identify risks associated with the use of personal information, not provide recommendations about how to limit risk.
False. An audit will identify risks associated with an organization’s use of personal information, along with recommendations that can limit those risks.