301 Cards in this Set

Strategic Management is the first high level necessary task to implement proactive privacy management through the following 3 subtasks:
(1) Define Privacy Vision and Privacy Mission Statement

(2) Develop Privacy Strategy

(3) Structure Privacy Team

Strategic management of privacy starts by creating or updating the organization vision and mission statement based on privacy best practices that should include:

(1) Develop vision and mission statement objectives

(2) Define privacy program scope

(3) Identify legal and regulatory compliance challenges

(4) Identify organization personal information legal requirements

Define Privacy Program Scope

i) Identify & Understand Legal and Regulatory Compliance Challenges
ii) Identify the Data Impacted

*Understand Global Perspective
*Customize Approach
*Be Aware of Laws, Regulations, Processes, Procedures
*Monitor Legal Compliance Factors
Types of Protection Models (4)
i) Sectoral (US)
ii) Comprehensive (EU, Canada, Russia)
iii) Co-Regulatory (Australia)
iv) Self Regulated (US, Japan, Singapore)
Questions to Ask When Determining Privacy Requirements (Legal)
– Who collects, uses, maintains Personal Information
– What are the types of Personal Information
– What are the legal requirements for the PI
– Where is the PI stored
– How is the PI collected
– Why is the PI collected
Steps to Developing a Privacy Strategy (5)
i) ID Stakeholders and Internal Partnerships
ii) Leverage Key Functions
iii) Create a Process for Interfacing
iv) Develop a Data Governance Strategy
v) *Conduct a Privacy Workshop
Data Governance Models (3)
i) Centralized
ii) Local/Decentralized
iii) Hybrid
What is a Privacy Program Framework?
Implementation roadmap that provides structure or checklists to guide privacy professionals through management and prompts for details to determine privacy relevant decisions.
Popular Frameworks (6)
APEC Privacy – regional data transfers
PIPEDA (Canada) & AIPP (Australian)
OECD
Privacy by Design
US Government
Steps to Develop Privacy Policies, Standards, Guidelines (4)
i) Assessment of Business Case
ii) Gap Analysis
iii) Review & Monitor
iv) Communicate
Business Case
Defines individual program needs and way to meet specific goals.

– Org Privacy Guidance
– Define Privacy
– Laws/Regs
– Technical Controls
– External Privacy Orgs
– Frameworks
– Privacy Enhancing Tech (PETs)
– Education/Awareness
– Program Assurance
What are the 4 Parts of the Privacy Operational Life Cycle
i) Assess
ii) Protect
iii) Sustain
iv) Respond
5 Maturity Levels of the AICPA/CICA Privacy Maturity Model?
i) Ad Hoc – Procedures informal, incomplete, inconsistently applied (not written)
ii) Repeatable – Procedures exist, partially documented, don't cover all areas
iii) Defined – All documented, implemented, cover all relevant aspects
iv) Managed – Reviews conducted assess effectiveness of controls
v) Optimized – Regular reviews and feedback to ensure continuous improvements.
Privacy Assessment Approach (Key Areas)
i) Internal Audit & Risk Management
ii) Information Tech & IT Operations/Development
iii) Information Security
iv) HR/Ethics
v) Legal/Contracts
vi) Process/3rd Party Vendors
vii) Marketing/Sales
viii) Government Relations
ix) Accounting/Finance
11 Principles of the Data Life Cycle Management Model
i) Enterprise Objectives
ii) Minimalism
iii) Simplicity of Procedures & Training
iv) Adequacy of Infrastructure
v) Information Security
vi) Authenticity and Accuracy of Records
vii) Retrievability
viii) Distribution Controls
ix) Auditability
x) Consistency of Policies
xi) Enforcement
What is CIA & AA
Confidentiality
Integrity
Availability

Accountability
Assurance
What is the difference between positive & negative controls?
Positive – Enable privacy and business practices (win/win)

Negative – Enable privacy but constrain business (win/lose)
What are the 3 high level security roles?
i) Executive
ii) Functional
iii) Corollary
What are the 7 foundation principles of Privacy by Design?
i) Proactive not Reactive; Preventative not Remedial
ii) Privacy as Default Setting
iii) Privacy Embedded into Design
iv) Full Funcationality
v) End to End Security (Throughout Lifecyle)
vi) Visibility and Transparency
vii) Respect for User Privacy
3 keys to Sustainment?
i) Monitor
ii) Audit
iii) Communicate
4 keys to Response?
i) Information Requests
ii) Legal Compliance
iii) Incident Response Planning
iv) Incident Handling

Proactive privacy management is accomplished through three tasks

1) Define your organization's privacy vision and privacy mission statements
2) Develop privacy strategy
3) Structure your privacy team

This is needed to structure responsibilities with business goals

Strategic Management

Strategic Management model

Identifies alignment to organizational vision and defines the privacy leaders for an organization, along with the resources necessary to execute the vision.

Privacy professional

Member of the privacy team who may be responsible for privacy program framework development, management and reporting within an organization

Strategic management of privacy starts by

creating or updating the company's vision and mission statement based on privacy best practice

Privacy best practices

1) Identify organization PI legal requirements
2) Develop V&M statement objectives
3) Identify legal & regulatory compliance challenges
4) Define privacy program scope

Vision or mission statement

This key factor lays the groundwork for the rest of the privacy program elements and is typically comprised of a short sentence or two that describe the purpose and ideas in less than 30 seconds.

Strategic management

Is the first high level task necessary to implement proactive privacy management.

Strategic management (3 subtasks)

(1) Define organization's (a) Privacy Vision and (b) Privacy Mission Statement
(2) Develop Privacy Strategy
(3) Structure Privacy Team

How do you create a company's: Privacy Vision?

(1) Acquire knowledge on privacy approaches
(2) Evaluate the intended objective
(3) Gain executive sponsor approval for this Privacy Vision

How do you establish a Privacy Program?

(1) Define program scope and charter
(2) Identify the sources, types, and uses of Personal Information (PI) within the org. and the applicable laws
(3) Develop a Privacy Strategy

Elements of a Privacy Strategy?

(1) Business Alignment
(2) Develop a data governance strategy for personal information (collection, authorized use, access, and destruction)
(3) Plan inquiry/complaint handling procedures (customers, regulators, etc.)

Structuring the Privacy Team involves:

(1) Identifying and Establishing the appropriate Governance Model for your organization (usually based on size)
(2) Responsibilities and reporting structure for Governance Model and Organization
(3) Designate a point of contact for Privacy Issues
(4) Establish/endorse the measurement of professional competency

Types of Governance Models?

(1) Centralized
(2) Distributed
(3) Hybrid

How do you develop the Privacy Program Framework?

(1) Develop organizational privacy policies, standards, and/or guidelines
(2) Define Privacy Program activities

Privacy Program activities usually consist of:

(1) Education and awareness
(2) Monitoring and responding to the regulatory environment
(3) Internal policy compliance
(4) Data inventories, data flows, and classification
(5) Risk assessment (Privacy Impact Assessments, etc.)
(6) Incident response and process, including jurisdictional regulations
(7) Remediation
(8) Program assurance, including audits

Implementing the Privacy Policy Framework consists of:

(1) Communicating the Framework to internal and external stakeholders
(2) Ensuring continuous alignment to applicable laws and regulations to support the development of an organizational Privacy Program Framework

Ensuring continuous alignment to applicable laws and regulations to support the development of an organizational Privacy Program Framework consists of:

(1) Understanding applicable national laws and regulations
(2) Understanding applicable local laws and regulations
(3) Understanding the penalties for noncompliance
(4) Understanding scope and authority of oversight agencies
(5) Understand the privacy implications of doing business in or with countries with inadequate or without privacy laws
(6) Maintain the ability to manage a global privacy function
(7) Maintain the ability to track multiple jurisdictions for changes in privacy law
(8) Understand international data sharing arrangements and agreements

Privacy Program Framework is:

An implementation road-map that provides the structure or checklists (document privacy procedures and processes) to guide the privacy professional through privacy management and prompts them for the details to determine all privacy-relevant decisions for the organization.

Privacy Framework benefits include:

Reduce risk; avoid incident of data loss; sustain organization market value and reputation and provide measurement in compliance to laws, regulations, and standards.

Developing organizational privacy policies, standards, and/or guidelines involves:

(1) Assessment of Business Case
(2) Gap Analysis
(3) Review and monitor privacy program
(4) Communicate the framework

Ten foundational elements for privacy Business Case Development are:

(1) Organizational privacy office guidance
(2) Define privacy
(3) Laws and Regulations
(4) Technical Controls
(5) External Privacy Organizations
(6) Industry Frameworks
(7) Privacy Enhancing Technologies (PETs)
(8) Information technology cutting-edge or innovation solutions
(9) Education and Awareness
(10) Program assurance or the governance structure

Organizational privacy office guidance:

If developed, offers the best starting point. This should be the first step, regardless of the program maturity.

Define Privacy:

As related to your program or organization. Use all available resources to determine the correct and appropriate definition of privacy for your org.

Laws and regulations

Provide the MANDATORY GOVERNMENT POLICY and guidance based on the organization's location and industry.

Technical Controls:

Provide the assurances necessary to achieve the goals of physical and data security.

External Privacy Organizations:

Serve as guardians or protectors against misuse, loss, or illegal practices.

Industry frameworks:

Provide taxonomies or privacy categorization guidelines that are not law or regulation based (e.g., ISO, GAAP).

Privacy Enhancing Technologies:

Define privacy technology standards developed solely to be used for the transmission, storage and use of privacy data.

Information technology cutting-edge or innovation solutions:

Involve the use of newer or unregulated technology, such as social networking and the new Internet web cookie policy for eGov 2.0

Education and Awareness:

Provide methods to inform the employee of the important aspects of privacy and the basic protections a non-privacy professional should know.

Program assurance or the governance structure:

Mandate operational safeguards that include auditing.

Performing a gap analysis will...

determine the capability of current privacy management to support each of the business and technical requirements

Performance Measurement

The process of formulating or selecting metrics to evaluate implementation, efficiency or effectiveness; gathering data and producing quantifiable output that describes performance.

Metrics

Tools that facilitate decision making and accountability through collection, analysis, and reporting of data. They must be measurable, meaningful, clearly defined (with boundaries), indicate progress, and answer a specific question to be valuable and practical.

Five-Step Metric Life Cycle:

(1) Identify (metric audience)
(2) Define (the metric owner)
(3) Select (the specific privacy metric)
(4) Collect (the data for the metric - who, what, how, when, etc.)
(5) Analyze (statistical analysis, e.g., trend)

Metric - Identification

Identification of the intended audience: WHO will use the data?

Metric - Definition

Definition of data sources: WHO is the data owner and HOW is that data accessed?

Metric - Selection

Selection of privacy metrics: WHAT metrics to use based on the audience, reporting resources, and final selection of the best metric?

Metric - Collection

Collection and refinement of systems/application collection points: WHERE will the data come from to finalize the metric collection report? WHEN will the data be collected? WHY is that data important?

Metric - Analyze

Analyze the data/metric to provide value to the organization and provide a feedback quality mechanism

Metric - Audience

Primary, secondary, and tertiary stakeholders who obtain value from a metric

Metric - Primary Audience

Includes:
Legal and privacy officers
Senior leadership; chief information officer
Chief security officer
Program managers
Information system owner
Information security officer

Metric - Secondary audience

Chief Financial officer
Training organizations
Human resources
Inspectors general
HIPAA security officials

Metric - Tertiary audience

External watch dog groups
Sponsors
Stockholders

Metric - Owner

Process owner, champion, advocate and evangelist responsible for management of the metric throughout the metric life cycle

Metric - Six Sigma

Metric owner must:

(1) Know what is critical about the metric. Why the output is important and understand how this metric fits into the business objectives.
(2) Monitor process performance with the metric. Predictors of performance and monitoring data compiled by other metric owners, processes, or dependencies (operation, strategic, or tactical).
(3) Make sure the process documentation is up to date.
(4) Perform regular reviews. Determine if the metric is still required, capable to meet goals, and provides value to the organization.
(5) Make sure that any improvements are incorporated and maintained in the process.
(6) Advocate the metric to customers, partners, and others.
(7) Maintain training, documentation, and materials.

Attributes of an effective Metric

Clear and concise metric that defines and measures progress toward a business objective or goal without overburdening the reader

Metric taxonomies provide the following categories:

(1) Objective / Subjective
(2) Quantitative / Qualitative
(3) Information Technology Metrics / Quantitative Measurement
(4) Static / Dynamic
(5) Absolute / Relative
(6) Direct / Indirect

Metrics - Improper

(1) Faulty Assumptions
(2) Selective Use
(3) The Well-chosen Average
(4) Semi-attachment
(5) Biased Sample
(6) Intentional Deceit
(7) Massaging the Numbers
(8) Over-generalization

# of Metrics a Privacy Professional should select?

3 - 5

Examples of Compliance Metrics

(1) Collection (notice)
(2) Responses to data subject inquiries
(3) Use
(4) Retention
(5) Disclosure to third parties
(6) Incidents (breaches, complaints, inquiries)
(7) Employees trained
(8) PIA metrics
(9) Privacy risk indicators
(10) % of company functions represented by governance mechanisms

Business Resiliency Metrics

ability to rapidly adapt and respond to business disruptions

Privacy Operational Life Cycle (POLC): Assess

(1) Document current baseline of your privacy
(2) Processors and third party vendor assessment
(3) Physical Assessments
(4) Mergers, acquisitions, and divestitures
(5) Conduct analysis and assessments, as needed or as appropriate

POLC Assess: 1. Document current baseline of your privacy

(a) Education and awareness
(b) Monitoring and responding to regulatory environment
(c) Internal policy compliance
(d) Data, systems and process assessment
(e) Risk assessment
(f) Incident response
(g) Remediation
(h) Determine desired state and perform gap analysis against an accepted standard or law
(i) Program assurance, including audits

POLC/Assess/1.d. Data, systems, and process assessment involves:

(1) Map data inventories, flows, and classification
(2) Create "record of authority" of systems processing personal information within organization
(3) Map and document data flow in systems and applications
(4) Analyze and classify types and uses of data

POLC/Assess/Processors and 3rd party vendor assessment includes:

(1) Evaluate processors and third party vendors, in-sourcing and outsourcing privacy risks
    (a) Privacy and information security policies
    (b) Access controls
    (c) Where personal information is being held
    (d) Who has access to personal information
(2) Understand and leverage the different types of relationships.
    (a) Internal audit
    (b) Information security
    (c) Physical security
    (d) Data protection authority
(3) Risk Assessment
(4) Contractual Requirements
(5) Ongoing monitoring and auditing

POLC / Assess / Risk assessment:

(1) Type of data being outsourced
(2) Location of data
(3) Implication of cloud computing strategy
(4) Legal compliance
(5) Records retention
(6) Contractual requirements (incident response, etc.)
(7) Establish minimum standards for safeguarding information

POLC / Protect

(1) Data life cycle (creation to deletion)
(2) Information Security Practices
(3) Privacy by Design

POLC / Sustain

(1) Measure
(2) Align
(3) Audit
(4) Communicate
(5) Monitor

POLC / Sustain / Measure

(1) Quantify the costs of technical controls
(2) Manage data retention with respect to the organization's policies
(3) Define the methods for physical and electronic data destruction
(4) Define the roles and responsibilities for managing the sharing and disclosure of data for internal and external use

POLC / Sustain / Align

(1) Integrate privacy requirements and representations into functional areas across the organization

POLC / Sustain / Audit

(1) Align privacy operations to an internal and external compliance audit program
(2) Audit compliance with privacy policies and standards
(3) Audit data integrity and quality
(4) Communicate audit findings with stakeholders

POLC / Sustain / Communicate

(1) Awareness
(2) Targeted employee, management, and contractor training

POLC / Sustain / Communicate / Awareness

(1) Create awareness of the organization's privacy program
(2) Ensure policy flexibility in order to incorporate legislative/regulatory/market requirements
(3) Develop internal and external communication plans to ingrain organizational accountability
(4) Identify, catalog and maintain documents requiring updates as privacy requirements change

POLC / Sustain / Communicate / Targeted employee, management, and contractor training...

(1) Privacy policies
(2) Operational privacy practices (e.g., standard operating instructions), such as
    (a) Data creation/usage/retention/disposal
    (b) Access control
    (c) Reporting incidents
    (d) Key contacts

POLC / Sustain / Monitor

(1) Environment (e.g., systems, applications) monitoring
(2) Monitor compliance with established privacy policies
(3) Monitor regulatory and legislative changes
(4) Compliance monitoring (e.g., collection, use, and retention) - can be done by: Internal Audits, Self-Regulation, Retention Strategy, or Exit Strategy

POLC / Respond

(1) Information Requests
(2) Privacy Incidents

POLC / Respond / Information Requests

(1) Access
(2) Redress
(3) Correction
(4) Managing data integrity

POLC / Respond / Privacy Incidents

(1) Legal Compliance
(2) Incident Response Planning
(3) Incident Detection
(4) Incident Handling
(5) Follow incident response process to ensure meeting jurisdictional, global and business requirements
(6) Identify incident reduction techniques
(7) Incident metrics - quantify the costs of a privacy incident

POLC / Respond / Privacy Incidents / Legal Compliance

(1) Preventing Harm
(2) Collection Limitations
(3) Accountability
(4) Monitoring and enforcement

POLC / Respond / Privacy Incidents / Incident Response Planning

(1) Understand key roles and responsibilities (ID key business stakeholders and establish incident response teams).
(2) Develop a privacy incident response plan
(3) Identify elements of the privacy incident response plan
(4) Integrate privacy incident response into business continuity planning

POLC / Respond / Privacy Incidents / Incident Detection

(1) Define what constitutes a privacy incident
(2) Identify reporting process
(3) Coordinate detection capabilities (w/ IT, Security, HR, Investigation team, Vendors)

POLC / Respond / Privacy Incidents / Incident Handling

(1) Understanding key roles and responsibilities
(2) Develop a communications plan to notify executive management

POLC / Respond / Privacy Incidents / Follow incident response process to ensure meeting jurisdictional, global, and business requirements by...

(1) Engage privacy team
(2) Review the facts
(3) Conduct analysis
(4) Determine actions (contain, communicate, etc.)
(5) Execute
(6) Monitor

Need for Data Life Cycle Management (DLM)

DLM allows for identification and timely address of possible issues stemming from conflict of laws and differences in compliance with local legislation. It also helps to decrease the amount of information retained.

11 element DLM model

(1) Enterprise Objectives
(2) Minimalism
(3) Simplicity of Procedure and Effective Training
(4) Adequacy of Infrastructure
(5) Information Security
(6) Authenticity and Accuracy of One's Own Records
(7) Retrievability
(8) Distribution Controls
(9) Auditability
(10) Consistency of Policies
(11) Enforcement

CIA Triad

Confidentiality. Prevention of unauthorized disclosure of information.
Integrity. Ensures information is protected from unauthorized or unintentional alteration, modification or deletion.
Availability. Information is readily accessible to authorized users.
+2 = Accountability, Assurance

There are only 2 forms of privacy control:

(1) Negative Controls - Enable privacy but constrain business (win/lose)
(2) Positive Controls - Enable privacy and enable business objectives (win/win)

This explains what you do as an organization, not who you are; what the organization stands for and why what you do as an organization to protect personal information is done
Mission Statement
What are the steps in the five step metric cycle
Identify, Define, Select, Collect, Analyze
The first step in the selecting the correct metrics starts by what?
Identifying the intended metric *audience*
The primary audience for metrics may include
Legal and privacy officers, senior leadership; CIO, CSO, PM, Information Systems Owner (ISO), Information Security Officer (ISO), Others considered users and managers
The secondary audience includes those who may not have privacy as a primary task include
CFO, Training organizations, HR, IG, HIPAA security officials
The tertiary audiences may be considered, based on the organization's specific or unique requirements such as who?
External watch dog groups, Sponsors, Stockholders
The difference between metrics audiences is based on what?
Level of interest, influence and responsibility to privacy within the business objectives, laws and regulations, or ownership
Specific to Healthcare metrics, audiences may include whom?
HIPAA privacy officers, medical interdisciplinary readiness teams (MIRTs), senior executive staff, covered entity workforce, self assessment tool and risk analysis/management
What is the second step in the metric life cycle?
Define Reporting Procedures
A metric owner must be able to do what?
Evangelize the purpose and intent of that metric to the organization
This person is the process owner, champion, advocate and evangelist responsible for management of the metric throughout the metric life cycle
Metric Owner
As Six Sigma teaches, an effective metric owner must do what?
1) Know what is critical about the metric,
2) Monitor process performance with the metric,
3) Make sure the process documentation is up to date,
4) Perform regular reviews,
5) Make sure that any improvements are incorporated and maintained in the process,
6) Advocate the metric to customers, partners and others, and
7) Maintain training, documentation, and materials.

As a general practice, who should not perform the data collection tasks or perform the measurements of the metric?
Metric Owner
What is the third step in the metric life cycle
Select Privacy Metrics
Selecting the correct privacy metric requires what?
Full understanding of the business objectives and goals, along with a clear understanding of the primary business functions.
Prior to selecting metrics, the reader should first understand what?
Attributes of an effective metric with metric taxonomy and how to limit improper metrics.
An effective metric is a clear and concise metric that defines and measures what?
Progress toward a business objective or goal without overburdening the reader
Good metrics should not do what?
Overburden the reader
A metric should be clear in the meaning of what is being measured and what else?
1) Rigorously defined,
2) Credible and relevant,
3) Objective and quantifiable, and
4) Associated with the baseline measurement per the organization standard metric taxonomy.

If a standard metric taxonomy does not exist, privacy professionals can generate their own using the best practices from where?
NIST, NISTIR 7564, "Directions in Security Metrics Research"
A mission statement should include what five items?
Value the organization places on privacy, Desired organizational objectives, Strategies to drive the tactics used to achieve the intended outcomes, Clarification of roles and responsibilities
Strategic Management assigns roles, sets expectations grants powers and what?
Verifies performance
This model identifies alignment to organization vision and defines the privacy leaders for an organization, along with the resources (people, policy, processes, and procedures) necessary to execute vision
Strategic Management Model
This is a key factor that lays the groundwork for the rest of the privacy program elements and is comprised of a short sentence or two that describes purpose and ideas in less than 30 seconds
Mission Statement
What are the four steps in defining your organization's privacy vision and privacy mission statements
1. Develop Vision and Mission Statement Objectives
2. Define Privacy Program Scope
3. Identify Legal and Regulatory Compliance Challenges
4. Identify Organizational Personal Information Legal Requirements
What are the steps of Strategic Management?
Define Privacy and Mission, Develop Privacy Strategy, Structure Privacy Team
This is someone who understands the importance of privacy and will act as an advocate for you and for the program. Typically, they will have experience with the organization, the respect of their colleagues and access to or ownership of budget.
Program Sponsor
This is an executive who acts as an advocate and sponsor to further foster privacy as a core organization concept
Program Champion
Individual executives who lead and "own" the responsibility of the relevant activities are called what?
Stakeholders
As a rule, privacy policies and procedures are created and enforced at a what level?
Functional
Policies imposing general obligations on employees may reside with whom?
Ethics, legal and compliance
Policies and procedures that dictate certain privacy and security requirements on employees as they relate to the technical infrastructure typically sit with whom?
IT
Policies that govern requirements that need to be imposed on provider of third-party services that implicate personal data typically sit with whom?
Procurement
Policies that govern the use and disclosure of health information about employees of the organization typically reside with whom?
HR
This approach collects the various data-protection requirements and rationalizes them where possible
Pragmatic Approach
When defining your privacy program scope, you must first do what?
Understand and identify the legal and regulatory compliance challenges of the organization and identify the data impacted
If your organization plans to do business within a jurisdiction that has inadequate or no data protection regulations, you should do what?
Institute your organization's requirements, policies and procedures instead of reducing them to the level of the country
When developing your global privacy strategy, it must be relevant to what?
Markets, cultures, and geographical locations
According to Baker and McKenzie in their looking-ahead analysis of 2012, the goal of "achieving compliance" is steadily being replaced with what?
A corporate need to "achieve and maintain compliance"
What are examples of certain types of organizations and entities known as "covered entities"
Healthcare providers (hospitals, clinics, pharmacies) and health plans (medical plans, organization benefit plans) subject to HIPAA.
Merchants that handle cardholder information for debit, credit, prepaid, e-purse, ATM and POS cards must be in compliance with what?
Payment Card Industry Data Security Standard (PCI DSS), which is a global standard, not a law.
If you process personal information of any resident of a state that has adopted a breach notification law, understand that to the extent that non-encrypted data has been compromised, your compliance obligations may include notification to whom?
The residents of the states, as well as government bodies or state attorney general offices.
What is the first step when identifying Organizational Personal Information Legal Requirements
"roughing out" the scope of a privacy program by flagging areas in an organization where personal information is likely to be collected, access or used (HR, finance, marketing, customer relationship management systems, IT)
In the U.K., this regulation contains privacy rules for any form of electronic marketing, in addition to a vast array of statutes, regulations and voluntary codes of practice that govern direct marketing activity.
Privacy and Electronic Communications Regulations
Based on these three things, the privacy professional will need to determine the best methods, style and practices to working within the organization.
Individual culture, politics and protocols of the organization
This function is more closely aligned to the privacy group than any other function.
Information Security (IS)
This functional group adds processes and controls that support privacy principles. By creating processes to develop and test software and applications in a manner that does not require the use of production data, it decreases the chances that the data will be compromised and that individuals who have no business need will access the data.
Information Technology (IT)
This functional group traditionally functions independently to assess whether controls are in place to protect personal information and whether people are abiding by these controls
Internal audit group
Many organizations create this, comprised of the same stakeholders that were identified at the start of the privacy program implementation process. Instrumental in making strategic decisions and driving such strategies and decisions through their own organizations.
Privacy committee or council
Organizations with a global footprint often create a governance structure that is comprised of whom?
Representatives from each geographic region and business function (ie., HR) in which the organization has a presence to ensure that proposed privacy policies, processes, and solutions align with local laws.
Your first step when developing a Data-governance Strategy for Personal Information (Collection, Authorized Use, Access, Security, Destruction)
Take an inventory of relevant regulations that apply to your business. Once you determine which laws apply, you must design a manageable approach to handling and protecting personal information
This means implementing a solution that materially addresses the various requirements of the majority of laws or regulations with which you must comply.
Rationalization
Data-protection regulations typically include what items
• Notice
• Choice
• Consent
• Purpose limitations
• Limits on retaining data
• Individual rights to access
• Correction and deletion of data
• Obligation to safeguard data
Privacy professionals should always involve whom to review, define or establish technical security controls, including common security controls such as firewalls, malware anti-virus, and complex password requirements
Security Engineer
This strategy seeks solutions that do not violate any data privacy laws, exceed budgetary restrictions or contradict organization goals and objectives
Strictest Standard
When positioning the privacy team, you should also consider the authority it will receive based on the what?
Governance model it follows
Executive leadership support for your governance model will have a direct impact on the level of success when implementing your privacy strategies. What are the important steps to integrate into any model?
o Involve senior leadership
o Involve stakeholders
o Develop internal partnerships
o Provide flexibility
o Leverage communications
o Leverage collaboration
This type of governance fits well in organizations accustomed to single-channel functions (where direction flows from a single source), with planning and decision making completed by one group
Centralized Governance
This type of governance delegates decision-making authority down to the lower levels in an organization; relatively away from and lower than a central authority
Local or Decentralized
This is an implementation road map that provides the structure or checklists (document privacy procedures and processes) to guide the privacy professional through privacy management and prompts them for the details to determine all privacy-relevant decisions for the organization
Privacy Program Framework
Privacy governance framework provides the methods to what?
Assess, protect, sustain and respond to the positive and negative effects of all influencing factors
This process provides the means to evaluate business rhythms, technical systems and associated costs against the strategic business objectives and performance of the organization.
Performance Measurement with Metrics Selection
This provides quantifiable output that is measurable, meaningful, answers specific questions and is clearly defined
Metrics performance
Major drivers impacting the increased need for privacy metrics include what?
o Means of providing meaningful information on your privacy regime to key stakeholders
o Generational change in the use of technology
o Rapid advancements in technology
o Catastrophes, such as data loss events, that drive tighter regulations, laws and standards
o Current security and privacy solutions that are not designed to deal with the fast pace of emerging technologies or requirements
o Privacy regulations becoming more stringent while privacy exceptions rise
o Professionals embracing security and privacy as part of their job
Privacy Objectives are typically broad-based. What is an example of a privacy objective?
Privacy Notice
Privacy goals are specific and measurable. What is an example of a Privacy Goal?
Provide privacy notices to 100 percent of the customer base; number of privacy notices.
These provide a common language between business, operational and technical managers to discuss the relevant information (e.g., good, bad, or indifferent) related to assessing progress.
Metrics
Generic privacy metrics should be developed to enable analyses of which processes?
o Collection (notice)
o Responses to data subject inquiries
o Use
o Retention
o Disclosure to third parties
o Incidents (breaches, complaints, inquiries)
o Employee training
o Privacy Impact Assessment
o Privacy risk indicators
o Percent of organization functions represented by governance mechanisms
What are the steps of the Metric Life Cycle
o Identify the intended audience - who will use the data
o Define the data sources - who is the data owner and how is that data accessed
o Select privacy metrics - which metrics to use based on the audience, reporting resources and final selection of the best metric
o Collect and refine the systems/applications collection points - where will the data come from to finalize the metric collection report? When will the data be collected? Why is that data important?
o Analyze the data/metrics to provide value to the organization and provide a feedback quality mechanism
This lists the metric characteristics that delineate boundaries between metric categories
Metric taxonomy
Metric taxonomies provide what categories?
Objective/Subjective, Quantitative/Qualitative, IT Metrics/Quantitative Measurement, Static/Dynamic, Absolute/Relative, Direct/Indirect
Objective metrics are more desirable than what type?
Subjective
These measurements typically map to best practices
Qualitative measurements
These types of measurements use data recorded in a numerical-mathematical fashion
Quantitative measurements
Per recent industry surveys, Chief Information Security Officers seem to prefer which type of measurements?
Qualitative measurements
This type of metric evolves with time
Dynamic measurements
The distinction between direct and indirect metrics is based on what?
The way a metric is measured
Size is an example of what type of metric
Direct
Quality or complexity can only be measured how?
Indirectly by extrapolation from other measured factors
The privacy professional must guard against improper conclusions such as these
Faulty Assumptions, Selective Use, Well-chosen Average, Semi-attachment, Biased Sample, Intentional Deceit, Massaging the Numbers, Overgeneralization
This conclusion is based on the occurrence of concurrent events without substantive evidence correlating the events
Faulty Assumptions
This occurs when a specific subset of information is extrapolated from the larger data set, which leads to invalid or incorrect conclusions.
Selective Use
Many times the mean is used for a metric, but it is sometimes more appropriate to use the median or mode rather than the true mean/average
Well-chosen Average
When an individual is unable to prove their point, this may result in the exclusion of elements of a measurement when conveying results
Semi-attachment
This measurement completely excludes certain elements from the data population, thus providing only a partial set of data and leading to false assumptions
Biased Sample
An ethical issue, this occurs when data is knowingly and purposely omitted that may have a detrimental effect on the metric or metric owner
Intentional Deceit
This is slightly adjusting measurements to provide the appearance of success or other-than-actual results, leading the reviewer to believe the metric is more successful than it actually may be
Massaging the Numbers
This occurs when inferences are made concerning a general data population that leads to poor conclusions
Over-generalizations
As a basic business practice in the selection of metrics, the privacy professional should select how many key privacy metrics that focus on the key organizational objectives
Three to five
This is a data pattern that shows trends with an upward or downward tendency, e.g., privacy breaches over time
Time series
This is an indicator used to measure the financial gain/loss (or value) of a project in relation to its cost
Return on Investment (ROI)
Return on Investment (ROI) is measured how
(Benefits - Costs) / Costs
Privacy ROI defines metrics to measure the effectiveness of investments made to protect what?
Physical assets, Personnel assets, IT assets, Operational assets
This term relates to the protection of hardware, software, and data against physical threats, to reduce or prevent disruptions to operations and services and loss of assets
Physical assets
These are measures to reduce the likelihood and severity of accidental and intentional alteration, destruction, misappropriation, misuse, misconfiguration, unauthorized distribution and unavailability of an organization's logical and physical assets, as the result of action or inaction by insiders and known outsiders, like business partners
Personnel assets
Inherent technical features that collectively protect the organizational infrastructure, achieving and sustaining confidentiality, integrity, availability, and accountability.
IT assets
As it relates to ROI metrics, the first step is to identify and characterize the ROI metric to address what?
The specific risk that control or feature is supposed to mitigate
As it relates to ROI metrics, the second step is to define what
the value of the asset
This is the ability to rapidly adapt and respond to business disruptions and to maintain continuous business operations
Business Resiliency
The privacy professional or organization should include in the privacy budget the costs to generate what?
metrics
The most time consuming task of a privacy professional was of a strategic nature, which was what?
advising the organization on privacy issues
What are the phases of the privacy operational life cycle
o Assess (measure)
o Protect (improve)
o Sustain (evaluate)
o Respond (support)
What are the PMM maturity levels?
Ad hoc, Repeatable, Defined, Managed, Optimized
This PMM maturity level indicates procedures or processes are generally informal, incomplete, and inconsistently applied
Ad hoc
This PMM maturity level indicates procedures or processes exist; however, they are not fully documented and do not cover all relevant aspects
Repeatable
This PMM maturity level indicates procedures or processes are fully documented and implemented and cover all relevant aspects
Defined
This PMM maturity level indicates that reviews are conducted to assess the effectiveness of the controls in place
Managed
This PMM maturity level indicates that regular review and feedback is used to ensure continuous improvement towards optimization of the given process
Optimized
What are the seven foundational principles of PbD?
Proactive not Reactive-Preventative not Remedial; Privacy as the Default Setting; Privacy Embedded into Design; Full Functionality-Positive Sum not Zero-sum; End-to-End Security-Full Life Cycle Protection; Visibility and Transparency; Respect for User Privacy
This ensures that privacy and security controls are aligned with an organization's tolerance for risk and its compliance with regulations and commitment to building a sustainable privacy-minded culture
PbD paradigm
One tool used to determine whether a PIA should be conducted is called what?
Privacy Threshold Analysis (PTA)
These types of assessments further assist the privacy professional in the Protect phase
PIA, risk assessments, security assessments
This is a policy-based approach to manage the flow of information through a life cycle from creation to final disposition
DLM/ILM
Main drivers of DLM/ILM
1. Enterprise data growth
2. Growth in unstructured data
3. Limitations in relational database management system performance
4. Information access and security concerns
5. Lack of effective methods for classifying data
6. Difficulty in assessing productivity of systems, applications and databases
Main benefits of DLM and ILM are what?
Increased control over data, regulatory compliance (thereby minimizing business risk) and reduced costs (by eliminating redundancies in data storage)
In the EU, who retains legal liability for any harm associated with the collected data?
Data Controller
OMB Memorandum M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information, what are five factors that should be considered in a data breach?
Nature of the data elements breached, number of individuals affected, likelihood that the information is accessible and usable, likelihood the breach may lead to harm, the organization's ability to mitigate the risk of harm
What does the Federal government guidance state when a breach poses little or no risk of harm?
Notification could create unnecessary concern and confusion
To establish tort liability, a third-party plaintiff must show what?
That the organization owed him or her a duty of care
A breach will typically involve
Third party hacker who intentionally exploits vulnerabilities of the customer system, Customer failure to properly operate, use or secure its systems, Lost or stolen computer equipment, Misconduct of customer employees
As part of the incident-response planning process, this group will provide guidance regarding the detection, isolation, removal, and preservation of affected systems.
Information Systems (IS)
One of this group's primary roles after a breach is to advise corporate privacy and executive teams on response notification requirements, in particular, who should be notified, how and when
Legal
In the aftermath of a data breach, this group may serve as the organization's informational conduit, working closely with PR or corporate communications to inform and update employees about the incident
HR
This group's role during a data breach can be to work with management and PR teams to establish and maintain a positive, consistent message, during both the crisis and the post-breach notifications
Marketing
Because of their unique association with customers and the bond of trust built carefully over time, this group is often asked to notify key accounts when their data has been breached
BD
When a data breach occurs, these stakeholders quickly assume their position on the front lines, preparing for the response to potential media inquiries and coordinating internal and external status updates
Communications and PR
After a breach occurs, the primary role for this stakeholder is to provide members with timely updates and instructions.
Union Leadership
One of the first and arguably most critical steps taken by the top executive is to what?
Promptly allocate funds and manpower needed to resolve the breach.
This plan is typically drafted and maintained by key stakeholders, spelling out departmental responsibilities and actions teams must take before, during, and after a data breach
Business Continuity Plan (BCP)
In a 2011 survey of 400 IT executives, one-fifth indicated these events had made business continuity planning a much higher priority in recent years?
Natural disasters, security and terrorist threats
This is a structured readiness testing activity that simulates an emergency situation in an informal, stress-free setting
Table top exercise
Generally speaking, this may be described as any potential or actual compromise of personal information in a form that facilitates intentional or unintentional access by unauthorized third parties
Privacy incident
A 2012 study revealed what groups were most often the cause for privacy incidents?
Insiders and third parties
This is the internal process of employees alerting supervisors about a security-related incident, who in turn report the details to a predefined list of experts
Escalation
This is the process of informing affected individuals that their personal data has been breached
Notification
Assuming privacy incident notification is required, organizations generally have how long to notify the affected individuals
60 days
This is one method of enforcing security and accountability in how personal data is handled by third parties
Binding contractual obligations and reporting requirements
This activity triggers the pre-notification process
Once breach investigators conclude that an actual compromise of sensitive information has occurred
Generally, most well-conceived incident response plans account for and/or include which elements?
Key stakeholders, Execution timeline, Progress reporting and Response evaluation and modifications
Common reporting intervals in incident response plans include what?
Hourly, daily, weekly, monthly
Reporting resources can be found with the technical and business characteristics of an organization that include
People, Processes, Technology
These are two complementary processes that prepare an organization for crises and for managing the business afterwards, thereby reducing risk.
Business Continuity and Disaster Recovery Planning (BCDR)
Privacy is concerned with an individual's ability to control the use of personal information while information security focuses on what?
Mechanisms for protection of information and information systems
The CIA triad, in addition to further advanced information security concepts, consists of what?
Confidentiality, Integrity, Availability, Accountability, Assurance
Separation of legal, compliance, internal audit and security functions: collaboration is more challenging, but what?
functional independence is assured
Combining of legal, compliance, internal audit and security functions: collaboration is assured, but what?
functional independence is more challenging
What are the steps of the Audit Life Cycle?
Planning, Preparation, Audit, Report, Follow-up
What are the three types of audit categories?
First party/internal audit, Second-party audits, Third-party/external audits
These audits are a form of "self-evaluation"
First-party/internal audits
These types of audits are typically Supplier Audits because they are used where an organization has to assure itself of the ability of a potential or existing supplier or subcontractor to meet the requirements.
Second-party audits
This is a form of internal audit that does not exempt an organization from fulfilling obligations under applicable laws or regulations
Self-Certification
A well known self certification framework is what?
US-EU Safe Harbor
The Sustain phase of the privacy operational life cycle provides privacy management through what?
Monitoring, auditing, and communication
The Respond phase of the privacy operational life cycle includes which principles?
Information requests, legal compliance, incident response planning and incident handling
The form of Redress that is offered to the complainant should be clearly defined in what?
Your complaint response process and documented for resolution
Data integrity issues are often the results of what?
Human failure or systemic error.
The fundamental principle that should govern a privacy incident is to what?
Allow an affected person the opportunity to protect themselves from identity theft or other harm
The primary focus when managing any privacy incident is always what?
Harm prevention and/or minimization
It is best practice to have the notice of a breach issued to the affected individuals by whom?
The organization that these individuals are likely to recognize from a prior or current relationship
The privacy statement should indicate:
(1) The value the organization places on privacy
(2) Desired organizational objectives
(3) Strategies to drive the tactics used to achieve the intended outcomes
(4) Clarification of roles and responsibilities

Privacy Workshop

Conduct a privacy workshop for your stakeholders to level the privacy playing field by defining privacy for the organization, explaining the market expectations, answering questions, and reducing confusion.

What enables you to create a data-governance strategy for your organization?

Taking an inventory of relevant regulations that apply to your business.

Rationalizing requirements (as part of creating a data governance strategy) means...

Taking a more pragmatic approach: collect the various data protection requirements and "rationalize" them where you can. Rationalizing means implementing a solution that materially addresses the various requirements of the majority of laws and regulations with which you must comply. High-risk exceptions must also be addressed as part of this process.

Strictest Standard (another data governance strategy for personal information)

Look to the strictest standard when seeking a solution, provided it does not (1) violate any data privacy laws, (2) exceed budgetary restrictions or (3) contradict organization goals and objectives.

First step of developing a Privacy Policy Framework?

Assessment of the Business Case for the current (or forthcoming) privacy program or privacy requirements for privacy policies, standards, and/or guidelines.

Second step of developing a Privacy Policy Framework?

A gap analysis of the information collected for the Business Case, ensuring there are no gaps or holes in the current or developing privacy program.

Third and final step of developing a Privacy Policy Framework?

Review and Monitor the program and Communicate the Privacy Policy Framework.

No matter the size of an organization, if the core business of the organization revolves around the processing of personal data...

...having in place as thorough a Privacy Policy Framework as possible becomes all the more important and should be prioritized within the organization.

Business Case (as a step in developing the Privacy Policy Framework)

Allows for the understanding of the role of privacy in the context of business requirements and identification of business benefits and risks.

Privacy Domain (third step in developing the Privacy Policy Framework)

Privacy Domain - determines the privacy elements, such as industry, privacy organizations and other data, that will provide the necessary laws, standards, guidelines and other factors that should be evaluated.

One method that can be used as a baseline for assessing your privacy program...

Consider how valuable, sensitive, or confidential the personal information is and what damage or distress could be caused to individuals if there was a security breach.

Establishing the CURRENT BASELINE of your privacy program (PP) is the process of collecting "as-is" data privacy requirements in order to document the current environment and any protections or policies in place...usually includes collecting info on:

(1) Collection Limitation
(2) Data Quality
(3) Purpose Specification
(4) Use Limitation
(5) Security Safeguards
(6) Openness
(7) Individual Participation
(8) Accountability

Est. Current Baseline of PP, Collection Limitation:

There should be limits to the collection of personal data and any such data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject.

Est. Current Baseline of PP, Data Quality:

Personal data should be relevant to the purpose for which they are to be used, and, to the extent necessary for those purposes should be accurate, complete, and kept up-to-date.

Est. Current Baseline of PP, Purpose Specification:

The purposes for which personal data are collected should be specified not later than at the time of data collection and the subsequent use limited to the fulfillment of those purposes or such others as are not incompatible with those purposes and as are specified on each occasion of change of purpose.

Est. Current Baseline of PP, Use Limitation:

Personal data should not be disclosed, made available or otherwise used for purposes other than those specified, except with the consent of the data subject or by the authority of law.

Est. Current Baseline of PP, Security Safeguards:

Personal data should be protected by reasonable security safeguards against such risks as loss or unauthorized access, destruction, use, modification or disclosure of data.

Est. Current Baseline of PP, Openness:

There should be a general policy of openness about developments, practices, and policies with respect to personal data. Means should be readily available to establish the existence and nature of personal data, and the main purpose of their use, as well as the identity and usual residence of the data controller.

Est. Current Baseline of PP, Individual Participation:

An individual should have the right: (a) to obtain from a data controller, or otherwise, confirmation of whether or not the data controller has data relating to him; (b) to have communicated to him, data relating to him within a reasonable time; at a charge, if any, that is not excessive; in a reasonable manner; and in a form that is readily intelligible to him; (c) to be given reasons if a request made under sub-paragraphs (a) and (b) is denied, and to be able to challenge such denial; and (d) challenge data relating to him and, if the challenge is successful, to have the data erased, rectified, completed, or amended.

Est. Current Baseline of PP, Accountability:

A data controller should be accountable for complying with measures which give effect to the principles stated above (Collection Limitation, Data Quality, Purpose Specification, Use Limitation, Security Safeguards, Openness, and Individual Participation).

Key aspects of Internal Policy include:

(1) a formal written policy and
(2) designated points of contact

Internal Policy, Written Policy:

Should document the principles, policies, and practices that influence privacy for the organization. Provide direction on org. privacy practices, privacy roles and responsibilities, breach or incident documents, privacy ownership, assign stakeholders. They should also provide formal procedures for receiving and resolving privacy-related inquiries and complaints from both internal and external sources.

Internal Policy, Designated Point of Contact:

E.g., Privacy Office or Privacy Officer. This contact can also serve as the liaison to information security, legal and human resources.

Privacy Function:

Is not a standalone function. It is imperative that the privacy professional work closely with the IT, security, HR and legal functions in order to take a coordinated approach to solutions.

ISOs ( Information Security Owner or Information Security Officer)

While stakeholders at all levels should be involved in the selection and management of any metric to ensure buy-in and a sense of ownership, ISOs are seen as a primary audience for metrics data because they have a higher level of interest, influence, and responsibility for privacy in relation to business objectives, laws and regulations, or ownership.

Performance Measurement

The process of formulating or selecting metrics to evaluate implementation, efficiency or effectiveness.

Tracking and bench-marking data protection indicators through Performance Measurement is important because...

it ensures proper data protections are in place within businesses and between employees, consumers, and customers.

Effective Metrics:

(1) define and measure progress toward business goals and objectives
(2) should be concise - large amounts of useless info is counterproductive
(3) should be clear in the meaning of what is being measured
(4) rigorously defined
(5) credible and relevant
(6) objective and quantifiable
(7) associated with the baseline measurement per the organization standard metric taxonomy

Data Inventory

Conducting a data inventory reveals where personal data resides, which will identify the data as it moves across various systems and thus how data is shared and organized and its locations. That data is then categorized by subject area, which identifies inconsistent data versions, enabling identification and mitigation of data disparities. The data inventory offers a good starting point for the privacy team to prioritize resources, efforts, risk assessments and current policy in response to incidents.

Privacy Governance Framework

Provides the methods to assess, protect, sustain, and respond to the positive and negative effects of all influencing factors. This master plan, or framework, thereby provides reusable procedures and checklists that outline the operational life cycle courses of action, research, and subject matter expertise, constituting a "best practice" approach to an idea, thought or subject. Like maps, frameworks provide inquiry topics and direction (e.g., problem definition, purpose, literature review, methodology, data collection and analysis) to ensure quality through repeatable steps throughout program management, thereby reducing errors or gaps in knowledge or experience.

Training Programs

Dealing with privacy policies should be based on clear policies and standards and have ongoing mechanisms and processes to educate and guide employees in implementation. Everyone who handles personal information needs to be trained in privacy policies and how to deploy them within their area to ensure compliance with all policy requirements. This applies to employees, management, contractors and other entities with which your organization might share personal information.

Technical Controls

such as implementing systems that support role-based access, also support the larger purposes of the privacy program by specifically identifying and limiting who can access the personal information in a particular database.

Breaches

Not all breaches require notification. There are various types of notification requirements to regulators and affected individuals. Once it is concluded that an actual compromise of sensitive information has occurred, the pre-notification process is triggered. Steps taken may vary depending on several factors, but the purpose is to confirm that the event does indeed constitute a "reportable" breach.