30 Cards in this Set

  • Front
  • Back
What are the four components of the Privacy Operational Life Cycle?
1. Assessing your organization
2. Protecting your data
3. Sustaining your program
4. Responding to issues
What are the five aspects you use to "Assess" your organization?
1. Document current privacy baseline
2. Processors and third-party vendor assessment
3. Physical assessments
4. Mergers, acquisitions and divestiture
5. Conduct analysis and assessments, as needed or appropriate
... what are the 9 things and their sub-components you need to document in the current baseline of your privacy?
i. Education and awareness
ii. Monitoring and responding to the regulatory environment
iii. Internal policy compliance
iv. Data, systems and process assessment
1. Map data inventories, flows and classification
2. Create “record of authority” of systems processing personal information within organization
3. Map and document data flow in systems and applications.
4. Analyze and classify types and uses of data
v. Risk assessment (PIAs, etc.)
vi. Incident response
vii. Remediation
viii. Determine desired state and perform gap analysis against an accepted standard or law
ix. Program assurance, including audits
When you perform a processors and third-party vendor assessment, what are the 5 things you have to do?
i. Evaluate processors and third-party vendors in-sourcing and outsourcing privacy risks
ii. Understand and leverage the different types of relationships
iii. Risk assessment
iv. Contractual requirements
v. Ongoing monitoring and auditing
Let's break out how you evaluate processors and third-party vendors... in-sourcing and outsourcing privacy risks... how do you do that? What 4 things do you look at?
With...
1. Privacy and information security policies.
2. Access controls.
3. Understanding where personal information is being held...
and...
4. Who has access to personal information.
To meet Privacy goals, who do you work on better understanding and leveraging different types of relationships with? What four groups?
1. Internal audit.
2. Information security.
3. Physical security.
4. Data protection authority.
What seven things are involved in a risk assessment?
1. Type of data being outsourced
2. Location of data
3. Implications of cloud computing strategies
4. Legal compliance
5. Records retention
6. Contractual requirements (incident response, etc.)
7. Establish minimum standards for safeguarding information
What are the seven areas of operational risk?
1. Data centers
2. Physical access controls
3. Document destruction
4. Media sanitization (e.g., hard drives, USB/thumb drives, etc.)
5. Device forensics
6. Fax machine security
7. Imaging/copier hard drive security controls
What are the two things you need to do relating to mergers, acquisitions and divestiture?
i. Due diligence.
ii. Risk assessment.
What are a couple of things that will help you with your analysis and assessments?
i. Privacy Threshold Analysis (PTAs) on systems, applications and processes
ii. Privacy Impact Assessments (PIAs)
What two things do you need to do as you define a process for conducting Privacy Impact Assessment?
a. Understand the life cycle of a PIA.
b. Incorporate PIA into system, process, product life cycles.
Ok then, so how do you "Protect" your organization in relation to privacy infractions? Name three elements please...
By using:
a. Data life cycle (creation to deletion).
b. Information security practices.
c. Privacy by Design.
What three choke-points can you implement in your Information security practices?
i. Access controls for physical and virtual systems
ii. Technical security controls.
iii. Implement appropriate administrative safeguards.
Tell me more about the three access controls for physical and virtual systems...
1. Access control should be based on "need to know".
2. Account management (e.g. provision process).
3. Privilege management.
What are the two elements of "Privacy by Design"?
It's when you...
i. Integrate privacy throughout the system development life cycle (SDLC)
ii. Establish privacy gates/PIAs-Data Protection Impact Assessments (DPIAs) as part of the standard process, system development framework.
The "Sustain" portion of the Privacy Operational Life Cycle sounds huge. The acronym is MAACM. What's involved?
a. Measure
b. Align
c. Audit
d. Communicate
e. Monitor
The "Measure" portion under "Sustain": what four tasks does that consist of?
i. Quantify the costs of technical controls
ii. Manage data retention with respect to the organization’s policies
iii. Define the methods for physical and electronic data destruction
iv. Define roles and responsibilities for managing the sharing and disclosure of data for internal and external use
The "Align" efforts under "Sustain": what 13+ groups do you need to align with?
Aligning your efforts with:
1. Information security
2. IT operations and development
3. Business continuity and disaster recovery planning
4. Mergers, acquisitions and divestitures
5. Human resources
6. Compliance and ethics
7. Audit
8. Marketing/business development
9. Public relations
10. Procurement/sourcing
11. Legal and contracts
12. Security/emergency services
13. Finance
14. Others
What are the 5 considerations in the "Audit" step under "Sustain"?
i. Align privacy operations to an internal and external compliance audit program
1. Knowledge of audit processes
2. Align to industry standards
ii. Audit compliance with privacy policies and standards
iii. Audit data integrity and quality
iv. Audit information access, modification and disclosure accounting
v. Communicate audit findings to stakeholders
The "Communicate" portion under "Sustain": what does that consist of? The two sections are Awareness and Training. Please break out the 4 activities under Awareness and the 2 (plus sub-activities) under Training.
i. Awareness
1. Create awareness of the organization’s privacy program internally and externally
2. Ensure policy flexibility in order to incorporate legislative/regulatory/market requirements
3. Develop internal and external communication plans to ingrain organizational accountability
4. Identify, catalog and maintain documents requiring updates as privacy requirements change
ii. Targeted employee, management and contractor training
1. Privacy policies
2. Operational privacy practices (e.g., standard operating instructions), such as:
a. Data creation/usage/retention/disposal
b. Access control
c. Reporting incidents
d. Key contacts
The 4 "Monitor"-ing elements under "Sustain": what are they?
i. Environment (e.g., systems, applications) monitoring.
ii. Monitor compliance with established privacy policies.
iii. Monitor regulatory and legislative changes.
iv. Compliance monitoring (e.g. collection, use and retention).
Let's investigate "compliance monitoring" from the "Monitor" section and go into more detail. What are the 4 areas of effort here?
1. Internal audit
2. Self-regulation
3. Retention strategy
4. Exit strategy
Related to the "Privacy Operational Life Cycle": which two things do you "Respond" to, for your organization?
a. Information requests
b. Privacy incidents
Related to the "Privacy Operational Life Cycle", and what you "Respond" with to information requests for your organization... What are these 4 request types typically related to?
i. Access
ii. Redress
iii. Correction
iv. Managing data integrity
Name the 6 "privacy incidents" you would be responding to under the "Privacy Operational Life Cycle".
i. Legal compliance.
ii. Incident response planning.
iii. Incident detection.
iv. Incident handling.
v. Follow incident response process to ensure meeting jurisdictional, global and business requirements.
vi. Identify incident reduction techniques.
vii. Incident metrics—quantify the cost of a privacy incident.
What are the four considerations related to privacy incidents in terms of "legal compliance"?
1. Preventing harm.
2. Collection limitations.
3. Accountability.
4. Monitoring and enforcement.
What are the four considerations (and 8 sub components) related to privacy incidents in terms of "Incident Response handling"?
1. Understand key roles and responsibilities.
a. Identify key business stakeholders.
i. Information security
ii. Legal
iii. Audit
iv. Human resources
v. Marketing
vi. Business development
vii. Communications and public relations
viii. Other
b. Establish incident oversight teams.
2. Develop a privacy incident response plan.
3. Identify elements of the privacy incident response plan.
4. Integrate privacy incident response into business continuity planning.
What are the 3 considerations related to privacy incidents in terms of "Incident Detection"?
1. Define what constitutes a privacy incident
2. Identify reporting process
3. Coordinate detection capabilities
a. Organization IT
b. Physical security
c. Human resources
d. Investigation teams
e. Vendors
What are two considerations related to privacy incidents in terms of "Incident handling"?
1. Understand key roles and responsibilities.
2. Develop a communications plan to notify executive management.
What are the seven things related to privacy incidents in terms of "Follow incident response process to ensure meeting jurisdictional, global and business requirements"?
1. Engage privacy team
2. Review the facts
3. Conduct analysis
4. Determine actions (contain, communicate, etc.)
5. Execute
6. Monitor
7. Review and apply lessons learned