Risk Management & Data Subject Rights Flashcards

Explore risk-based approaches to data protection and the rights afforded to individuals under the GDPR. (106 cards)

1
Q
What does the CIA triad stand for in information security?
A
  • Confidentiality
  • Integrity
  • Availability

2
Q
What is information security?
A
The protection of information’s confidentiality, integrity, and availability.

3
Q
How does information security differ from cybersecurity?
A
  • Information security covers all forms of information
  • Cybersecurity focuses on digital systems and networks

4
Q
What does confidentiality mean in the CIA triad?
A
Data is accessed only by authorized personnel.

5
Q
What does integrity mean in the CIA triad?
A
Data is accurate, complete, and tamper-proof.

6
Q
What does availability mean in the CIA triad?
A
Data is accessible when needed.

7
Q
What does the DAD triad represent?
A
  • Disclosure
  • Alteration
  • Destruction

8
Q
What is a control in information security?
A
A measure implemented to mitigate risk.

9
Q
What are the 3 categories of security controls?
A
  1. Administrative
  2. Technical
  3. Physical

10
Q
What are examples of administrative controls?
A
  • Policies
  • Procedures
  • Training
  • Signage

11
Q
What are examples of technical controls?
A
  • Firewalls
  • Logs
  • Access controls
  • Intrusion detection systems

12
Q
What are examples of physical controls?
A
  • Locks
  • Security cameras
  • Fences
  • Guards

13
Q
What is risk management?
A
The identification, assessment, and mitigation of potential harm.
14
Q
What is a risk in risk management?
A
A potential harm.

15
Q
What is a threat in risk management?
A
A threat is what delivers the harm.

16
Q
What is the typical formula for calculating risk?
A
Risk score = severity of harm × probability of occurrence

17
Q
What was the first EU-US data transfer framework?
A
Safe Harbor Agreement

18
Q
What led to the invalidation of Safe Harbor?
A
Snowden revelations and the Schrems I case
Footnote: Schrems I showed that US surveillance violated EU data rights.

19
Q
What replaced Safe Harbor in 2016?
A
EU-US Privacy Shield

20
Q
What did the Schrems II case result in?
A
Invalidated the EU-US Privacy Shield

21
Q
What replaced Privacy Shield in 2023?
A
EU-US Data Privacy Framework

22
Q
What US executive order addressed Schrems II concerns?
A
Executive Order 14086

23
Q
What are 3 legal mechanisms for EEA data transfers to third countries?
A
  1. Adequacy decision
  2. Appropriate safeguards
  3. Derogation

24
Q
What are examples of appropriate safeguards?
A
  • Standard Contractual Clauses (SCC)
  • Binding Corporate Rules (BCR)
  • Binding public authority agreements
  • Approved codes of conduct
  • Certification mechanisms
25
Q
What are examples of **derogation-based** transfers?
A
  • Explicit consent
  • Contractual necessity
  • Public interest
  • Subject unable to consent
  • Public register data

26
Q
What are IAPP's **3 security domains**?
A
  • Preventative
  • Incident Detection and Response
  • Remedial
Footnote: These will differ across organizations' frameworks. This is what you need to remember for the exam.

27
Q
What is the goal of **preventative** controls?
A
To limit and mitigate risk.
Footnote: Examples: incident response plans, insider threat monitoring, clear roles and responsibilities, employee training, encryption, firewalls, MFA

28
Q
What is the goal of **incident detection and response**?
A
To identify and respond to security incidents.
Footnote: Examples: Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), SIEM, Security Operations Center (SOC)

29
Q
What is the goal of **remedial** controls?
A
To recover, repair, and apply lessons learned.
Footnote: Examples: containment, software patching, post-incident review, updated training

30
Q
What does GDPR require **regarding security**?
A
Implementation of appropriate technical and organizational safeguards.

31
Q
What are '**sufficient guarantees**' under Article 28?
A
**Evidence** that the processor can implement technical and organizational measures to meet GDPR requirements.
Footnote: Examples: contracts, processor certifications, audits, compliance checks, due diligence

32
Q
What is the definition of a '**personal data breach**' under Article 4(12)?
A
The accidental or unlawful **destruction, loss, alteration, unauthorized disclosure of, or access to,** personal data.

33
Q
What **triggers** breach notification **to a regulator**?
A
The controller:
  • Becomes **aware** of the breach, and
  • Determines that it **risks individuals’ rights and freedoms**

34
Q
What is the **deadline** for breach notification to regulators?
A
72 hours

35
Q
Is **phased reporting** allowed in breach notification?
A
**Yes**, an initial notification followed by details as more information becomes available.

36
Q
What are **factors to consider** in breach assessment per WP29?
A
  • Type of breach
  • Nature/sensitivity/volume of data
  • Identifiability
  • Risks to data subjects

37
Q
What **resource** can assist with breach assessment?
A
ENISA’s breach assessment tool
Footnote: ENISA: currently the European Union Agency for Cybersecurity; originally the European Network and Information Security Agency

38
Q
What must a **breach notification** include?
A
  • Nature of breach
  • Number of impacted individuals and records
  • Data categories
  • DPO contact details
  • Likely consequences
  • Mitigation measures

39
Q
Why should breach records be **retained**?
A
To **allow regulators to examine** the response rationale during investigations.

40
Q
What are the **reporting duties of a processor** during a data breach?
A
Must report to the controller

41
Q
**Who** performs the **risk to rights and freedoms assessment** after a breach?
A
**The controller**, not the processor

42
Q
What are **examples of breaches** that **require notification** to data subjects?
A
  • Unencrypted sensitive data leak
  • Unauthorized access to financial data
  • Ransomware with data exfiltration

43
Q
What are **examples of breaches** that **do not require notification** to data subjects?
A
  • Encrypted laptop theft
  • Internal misdirected email
  • System outage without data exposure

44
Q
What are the **3 exceptions** to notifying data subjects of a breach?
A
  • Encryption safe harbor
  • Steps taken to mitigate high risk
  • Disproportionate effort

45
Q
What is considered '**high-risk**' under GDPR?
A
A breach likely to result in **significant adverse effects** on rights and freedoms.
Footnote: Examples: discrimination, identity theft, financial loss, reputational damage, loss of sensitive data

46
Q
What are the **6 stages** of the NIST Cybersecurity Framework (CSF) 2.0?
A
  1. Identify
  2. Protect
  3. Detect
  4. Respond
  5. Recover
  6. Govern
Footnote: Govern applies throughout, not at the end.

47
Q
What are the **4 stages** of the IAPP **Privacy Program Operational Life Cycle**?
A
  1. Assess
  2. Protect
  3. Sustain
  4. Respond

48
Q
What is the **first step** in beginning a **risk assessment**?
A
Identify and understand the data life cycle

49
Q
What **tasks** are involved in **understanding the data life cycle**?
A
  • Conduct data mapping
  • Create a data inventory
  • Document data flows and access
  • Legal justification for processing

50
Q
What must happen during **employee separation**?
A
  • Return assets
  • Purge data
  • Terminate access

51
Q
What is the difference between policy, process, and procedure?
A
  • **Policy**: high-level rules and goals
  • **Process**: high-level outcome steps
  • **Procedure**: detailed instructions
52
Q
Why are policies important **to regulators**?
A
They are often the first item reviewed and **signal organizational compliance**.

53
Q
What are **common challenges** controllers face in **vendor risk management**?
A
  • Verifying and validating processor commitments
  • Conducting audits
  • Integrating requirements into contracts
  • Continuous monitoring

54
Q
What are **key contract considerations** in vendor risk management?
A
  • Security requirements
  • System testing
  • Risk assessments
  • Processing location rules
  • Data disposition
  • Indemnification clauses
  • Incident response responsibilities

55
Q
What is **incident response**?
A
A **planned approach** to addressing and managing an incident.

56
Q
What activities help **prepare stakeholders** for incident response?
A
  • Training and awareness campaigns
  • Semi-regular tabletop exercises

57
Q
What supports **post-mortem analysis** in incident response?
A
**Metrics** to track and evaluate response effectiveness.

58
Q
What are the **core rights** under the GDPR?
A
  • Informed
  • Access
  • Rectification
  • Erasure
  • Restriction
  • Data Portability
  • Objection
  • Right not to be subject to automated decision-making (ADM) or profiling

59
Q
What is the **mnemonic** for remembering GDPR rights?
A
I always remember every right data owners acquire

60
Q
What must a controller do when a data subject **makes a request**?
A
**Verify the identity** of the requester.

61
Q
How can a controller **confirm identity**?
A
  • Request login
  • Send code or link
  • Ask security questions

62
Q
What is a **Data Subject Request** (DSR)?
A
A request to exercise **any** GDPR data subject **right**.

63
Q
What is a **Data Subject Access Request** (DSAR)?
A
A specific **request for access** under Article 15.

64
Q
What is the **default response timeframe** for a data subject request (DSR) under GDPR?
A
Within 1 month of receipt.

65
Q
When can the DSR response timeframe **be extended**?
A
In **special or complex** circumstances.
Footnote: For up to an additional 2 months

66
Q
What must the controller do upon **receiving a DSR**?
A
  • Verify receipt
  • Respond within the specified timeframe

67
Q
What should the controller do if it **cannot fulfill a DSR**?
A
**Notify** the data subject that the request will not be fulfilled.

68
Q
What is the GDPR's **preferred method** for receiving and responding to DSRs?
A
Electronically

69
Q
Can a data subject request a different response medium?
A
**Yes**, controllers must accommodate reasonable requests such as a hard copy.

70
Q
What does the **right of access** allow data subjects to do?
A
  • **Obtain confirmation** from the controller that their personal data is being processed
  • **Access** that data

71
Q
What **categories of information** must be provided in response to an access request?
A
  • Processing purpose
  • Categories of data
  • Recipients
  • Retention period
  • Rights
  • Data source(s)
  • Use of ADM/profiling

72
Q
What are **examples of data categories** provided during access?
A
  • Identity
  • Contact
  • Financial
  • Location
  • Health
  • Inferred
  • Observed
  • Account

73
Q
What are the **3 organizational tiers** involved in DSR operations?
A
  • Strategic (vision)
  • Tactical (departmental goals)
  • Operational (day-to-day execution)

74
Q
How should **third-party DSR requests** be handled?
A
Vet and document proxy requests.
Footnote: For example, requests from attorneys

75
Q
When can a request be **rejected** as **manifestly unfounded or excessive**?
A
When clearly **unreasonable or repeated**.
Footnote: The threshold must be defined and documented.

76
Q
What must **data subjects** be able **to identify** in targeted advertising?
A
The targeting organization
Footnote: i.e., the controller

77
Q
What must controllers **provide access to** in targeted advertising?
A
Data regarding **the targeting process**
Footnote: Including data used to target the data subject.

78
Q
What specific information must controllers provide **about profiling**?
A
The specific **data elements used to create the profile** and the categorization methodology.
79
Q
What has the EDPB asked social media controllers to implement?
A
A **mechanism** allowing data subjects **to view and confirm their profile**, including data elements and sources.

80
Q
What is the **right to rectification** under the GDPR?
A
The right of a data subject to **request amendment of inaccurate data**.

81
Q
How does the UK Data Protection Act **define accuracy**?
A
Data **should not be incorrect** or misleading.

82
Q
What **mediums** can a rectification request be made through?
A
  • Written
  • Oral
  • Electronic

83
Q
What must controllers do **while verifying** the accuracy of data subject data?
A
Processing must be **restricted**.

84
Q
What must a controller do if they **reject a rectification request**?
A
Inform the data subject of:
  • The reason
  • The right to complain to the DPA
  • The ability to seek judicial remedy

85
Q
What is the **right to erasure** under the GDPR?
A
The right of the data subject to **request personal data be erased**.
Footnote: Also known as the right to be forgotten (RTBF).

86
Q
**Under what conditions** can a data subject **request erasure**?
A
  • Data no longer needed
  • Consent withdrawn with no other legal basis
  • Objection with no overriding grounds
  • Unlawful processing
  • Legal compliance

87
Q
What must controllers do when personal data has been **made public** and that data **requires erasure**?
A
Take reasonable steps to **notify third-party controllers** of the erasure request.

88
Q
What are the **exemptions to erasure** obligations?
A
  • Freedom of expression
  • Legal obligation
  • Public interest
  • Public health
  • Archiving
  • Research
  • Legal claims

89
Q
How is the GDPR **relevant to backup systems**?
A
Backup copies must be:
  • Searched
  • Amended
  • Erased if they contain personal data

90
Q
What is **search engine delisting**?
A
Removing results that contain a data subject's personal data from the search index.
Footnote: The controller needn't remove the data from the original website.

91
Q
What are **grounds** for requesting delisting?
A
  • Inaccurate or outdated data
  • Objection without overriding interest
  • Unlawful processing
  • Child data collection

92
Q
When can a provider **refuse delisting**?
A
  • To protect freedom of information
  • For legal or public interest
  • For archiving/research/statistical purposes

93
Q
What does the **right to restrict processing** allow?
A
It allows the data subject to require the controller to **limit how data is used**.

94
Q
At **what stage** of the data life cycle **can restriction be applied**?
A
At any stage

95
Q
What is the objective of **data portability**?
A
To enable the **transfer** of personal data **from one IT environment to another**.

96
Q
What **format** must be used for **data portability** requests?
A
A structured, commonly used, **machine-readable format**.
Footnote: E.g., PDF, CSV, XLS, XML, JSON, or RTF

97
Q
What is the **right to object** under the GDPR?
A
The right of a data subject to **oppose the controller's processing** of their personal data.

98
Q
**How** can a data subject **object** to processing?
A
  • Verbally or in writing
  • To any part of the organization
  • Without using a specific word or phrase

99
Q
What must the **data controller's staff** do when receiving an objection?
A
  • Identify
  • Document
  • Appropriately triage the objection

100
Q
What is the right concerning **automated decision-making** (ADM)?
A
The right **not to be subject** to solely automated decisions that have legal or similarly significant effects.

101
Q
When does ADM **apply**?
A
When a decision is **based solely on automated processing** and has legal or similarly **significant effects**.

102
Q
When is ADM **permissible** under GDPR?
A
  • Authorized by law
  • Necessary for a contract
  • The data subject gives explicit consent with safeguards

103
Q
What **safeguards** must be in place for **ADM to be permissible**?
A
  • Right to human intervention
  • Explanation of the decision reached
  • Data subject's ability to express their viewpoint
  • Data subject's ability to challenge the decision

104
Q
What is the objective of **EDPB Opinion 22/2024**?
A
To clarify:
  • Controller duties
  • Contract wording
  • Obligations in third-country transfers involving processors and sub-processors

105
Q
Who is ultimately responsible for **sub-processor compliance**?
A
The controller

106
Q
Who is responsible for **third-country transfers between sub-processors**?
A
The controller