How many Privacy Management Frameworks are there?
Nine
“The entity provides data subjects with access to their PI when requested, or when asked to update and correct data errors or make changes.”
Access
Includes all information that can be tied back to a specific individual.
Personally identifiable information (PII)
External forces that jeopardize the security of your information and systems. BLANK might be naturally occurring, such as hurricanes and wildfires, or human-made, such as hacking and terrorism. These are normally outside our control.
Threats
The risk of an attacker targeting your organization with a ransomware attack is an example of what type of risk?
External
The entity makes formal agreements, notifies and communicates with and offers choices when seeking data subject consents, including reasons why and purposes for which the entity seeks to obtain and use a data subject’s PI.
Agreement, notice, and communication
“The entity defines, formally documents, communicates, and assigns accountability for its PI (personal information) privacy policies and procedures.”
Management
Includes health care records that are regulated under the Health Insurance Portability and Accountability Act (HIPAA).
Protected health information (PHI)
Weaknesses in your security controls that a threat might exploit to undermine the confidentiality, integrity, or availability of your information or systems. These might include missing patches, promiscuous firewall rules, or other security misconfigurations. These are normally controllable.
Vulnerabilities
The way that you process checks creates an opportunity for employees in the accounting department to commit fraud. This is an example of what type of risk?
Internal
“The entity discloses PI to third parties only for the purposes identified in data subject privacy agreements and its privacy notice, and with the explicit consent of the data subject.”
Disclosure to third parties
“The entity limits the use of PI to the purposes identified in the formal agreements/notices, and for which a data subject has provided explicit (or implicit) consent. The entity retains PI for the time necessary to fulfill the stated purposes identified in the formal agreements/notices or as required by laws or regulations. Once those purposes have been met, the entity securely disposes of the information.”
Use, retention, and disposal
Have an obligation to protect the privacy of personal information, particularly when the individuals involved have a reasonable expectation of privacy.
IT Professionals
Occur when your environment contains both a vulnerability and a corresponding threat that might exploit that vulnerability.
Risks
Systems that have been around for a long time and remain in use despite their age and possible lack of maintenance pose what type of risk?
Legacy
What is it called when the entity collects and creates PI only for the purposes identified in its agreements with data subjects, and in ongoing communications with and notices provided to data subjects?
Collection and creation
The entity protects PI against unauthorized access, removal, alteration, destruction, and disclosure (both physical and logical).
Security for privacy
Risks are prioritized based on their BLANK & BLANK
Likelihood and Impact
Businesses often go to great lengths to protect their intellectual property investment in software, including performing audits of organizations and assessing significant fines to those who violate (BLANK).
Software License Compliance
If a software-as-a-service (SaaS) provider is compromised, posing a risk to all of its customers, what type of risk is this?
Multiparty
“The entity maintains accurate, complete and relevant PI for the purposes identified in the notice and protects the representational integrity of the PI in its ongoing interactions with data subjects.”
Data integrity and quality
“The entity monitors compliance with its privacy policies and procedures and has procedures to address privacy-related complaints and disputes.”
Monitoring and enforcement
An organization’s risk profile begins with its BLANK. Security professionals then apply controls to reduce that BLANK, leaving the remaining residual risk. Controls may introduce new control risks.
Inherent Risk
What are the four risk treatment options?
Avoiding a risk, transferring a risk, mitigating a risk, and accepting a risk
In the information age, the value delivered by many businesses resides in their (BLANK BLANK). If attackers were able to alter, destroy, or steal this information, it would cause significant damage to the business. Therefore, (BLANK BLANK) theft poses a risk to information-based organizations.
Intellectual Property