Privacy Program Framework - Section II.A. - Developing a Privacy Program Framework Flashcards

1
Q

Privacy Vision

A

Who are we as an organization in terms of our beliefs about privacy?

A concise, clear statement that serves as an org’s guiding principle regarding its approach to privacy issues.

2
Q

Privacy Strategy

A

Why is privacy important to us as an organization?

An org’s approach to communicating and obtaining internal support for the privacy program.

3
Q

Privacy Framework

A

What structure, policies, and procedures should we implement to achieve our privacy goals and aspirations?

An org’s roadmap to guide the privacy professional through privacy management and privacy-relevant decision making.

A privacy framework is intended to organize a company’s approach to its compliance obligations and other privacy goals.

4
Q

Advantages of a Privacy Program Framework (instead of addressing privacy issues on an ad hoc basis)?

A
  • Reduce risk
  • Help to avoid and appropriately respond to privacy incidents
  • Provide a means of measuring the “success” of the privacy program (i.e. determine whether the privacy program is meeting its intended goals)
5
Q

Privacy Program Framework Categories

A

1) Principles & Standards
2) Laws, Regulations, and Self-Regulatory Programs
3) Privacy Program Management solutions

Re 2): FIPs are widely used to develop laws and regulations.

6
Q

8 OECD Principles

Most widely followed set of FIPs (Fair Information Principles)

A
  1. Collection Limitation
  2. Data Quality
  3. Purpose Specification
  4. Use Limitation
  5. Openness
  6. Security Safeguards
  7. Individual Participation
  8. Accountability
7
Q

NIST Privacy Framework identifies:

A

1) “Core” activities that orgs can utilize as part of a privacy program
2) “Profiles” of each core activity
3) “Tiers” that orgs can aim to achieve based on the unique facts of an org

NIST has released a document entitled “CIPM Crosswalk” that maps the various components of the NIST Privacy Framework to the IAPP’s CIPM Body of Knowledge.

8
Q

What question does a privacy program attempt to answer?

A

What structure, policies, and procedures should we implement to achieve our privacy goals and aspirations?

9
Q

What is the primary difference between privacy program management tools and enterprise privacy management tools?

A

Privacy program management tools are designed specifically for use by the privacy team, while enterprise privacy management tools are designed to be used throughout an organization.

10
Q

True or False: One common element of a privacy policy is the identification of what functional aspects of the organization and what assets of the organization are impacted by the privacy policy.

A

True. One common element of most privacy policies is identification of the policy’s scope.

11
Q

True or False: A privacy policy contains specific, detailed guidelines and procedures that must be followed throughout an organization.

A

False. A privacy policy should be thought of as a high-level document that serves as the basis for developing more specific guidelines, standards, and procedures, which focus on implementing privacy at the functional level.

12
Q

What is a privacy policy?

A

An internal document that dictates how an organization governs its privacy function and handles personal information.

13
Q

What are some examples of privacy program management solutions that can be used in creating an organization’s privacy framework?

A

NIST publications,
ENISA guidance,
ISACA’s COBIT 5 framework, and
Privacy by Design principles.

14
Q

What is the NIST’s Privacy Framework?

A

A voluntary tool intended to help organizations identify and manage privacy risk to build innovative products and services while protecting individual privacy.

15
Q

What are some benefits of implementing a privacy framework rather than taking an ad hoc approach to privacy issues?

A

A privacy program framework will reduce risk; help an organization avoid and appropriately respond to privacy incidents; and provide a means of measuring the “success” of the privacy program.

16
Q

What are some types of privacy program management tools?

A

(1) Assessment management;
(2) Consent management;
(3) Data mapping;
(4) Incident response management;
(5) Privacy information management; and
(6) Website scanning.

17
Q

True or False: When defining the purpose of a privacy policy, an organization should identify any laws, regulations, or frameworks that required the creation of the privacy policy.

A

True

18
Q

What are some types of enterprise privacy management tools?

A

(1) Activity monitoring;
(2) Data discovery;
(3) De-identification; and
(4) Enterprise communication.

19
Q

True or False: A privacy policy should identify what roles within an organization have specific responsibility for compliance with applicable privacy laws.

A

True

20
Q

True or False: A privacy policy should identify the individual consequences employees may face for failing to comply with the privacy policy.

A

False. A privacy policy is a high-level document that should focus on consequences for non-compliance that the organization might face; individual consequences are better left for procedures and handbooks.