Domain 4: Protecting Personal Data Flashcards

Master how to apply controls, privacy-by-design, and security practices to protect data. (73 cards)

1
Q

List the 7 principles of Privacy by Design.

A
  1. Respect for users
  2. Proactive/preventative
  3. Default setting
  4. Embedded into design
  5. Positive sum
  6. End-to-end security
  7. Transparent
2
Q

List the 7 GDPR principles.

A
  • Lawfulness, fairness, and transparency
  • Purpose limitation
  • Data minimization
  • Accuracy
  • Storage limitation
  • Integrity and confidentiality
  • Accountability
3
Q

What is a Data Flow Diagram?

(DFD)

A

A visual representation of how data flows through a system or process.

4
Q

What elements should be included in a DFD?

A
  • Actors
  • Location
  • Data flow
  • Risks
  • Threats
  • Vulnerabilities
  • Controls
5
Q

Give examples of modern risks to information security.

A
  • Cloud-based threats
  • Insider threat
  • Telework
  • Phishing
  • AI deepfakes
  • IoT
  • Ransomware
  • Living off the Land (LotL) attacks
6
Q

What are the types of controls based on purpose?

A
  • Preventative
  • Detective
  • Corrective
7
Q

What is an ISMS?

A
  • Information Security Management System
  • Framework to protect sensitive data using policies, procedures, and controls
8
Q

How do InfoSec and privacy overlap?

A

They share goals such as:

  • Accuracy
  • Integrity
  • Authorized access
  • Accountability
9
Q

How do InfoSec and privacy diverge?

A

InfoSec:

  • Lacks FIPs
  • Doesn’t always apply confidentiality to PII
  • Can misuse PETs
10
Q

What is data classification?

A

Organizing data by content, sensitivity, and importance to assess risk and apply mitigations.

11
Q

What are common InfoSec data classifications?

A
  • Public
  • Confidential
  • Highly Confidential
  • Restricted
12
Q

What are privacy data types?

A
  • Personal
  • Sensitive
  • Nonpersonal
13
Q

Describe the identifiability spectrum.

A
  • Personal (identifiable)
  • De-identified (pseudonymous)
  • Anonymized (unlinkable)
14
Q

Why is context important in data classification?

A

Same data may be public in one context and restricted in another.

15
Q

What are key partnership areas between InfoSec and privacy?

A
  • Breach response
  • Standards
  • Data mapping
  • Due diligence
  • Education
  • PIAs
16
Q

What are principles for InfoSec-privacy alignment?

A
  • Partner
  • Leverage existing docs
  • Raise awareness
  • Prioritize issues
17
Q

What is the purpose of access control?

A

To restrict resource availability and regulate who can access system resources.

18
Q

What are the main components of access control?

A
  • Authentication
  • Authorization
  • Audit
19
Q

What does authentication verify?

A

It verifies the user’s identity.

20
Q

What happens after authentication?

A

Authorization is granted to access specific resources.

21
Q

What is audit in access control?

A

Monitoring and recording user activities.

22
Q

What does RBAC stand for?

A

Role-Based Access Control

23
Q

What is the principle of segregation of duties?

A

Ensures no single person controls all aspects of a process to prevent fraud and error.

24
Q

What is the least privilege principle?

A

Users get only the access necessary to perform their job.

25
Q

What is the need-to-know principle?

A

Access is restricted to only those who need it for official duties.

26
Q

What is Identity Access Management (IAM)?

A

A framework to manage digital identities and regulate user access.

27
Q

List IAM guidelines.

A
  • Clean-desk policy
  • Logical access
  • Unique IDs
  • Password management
  • Access audits
  • User training
28
Q

What are the 4 types of administrative policy controls?

A
  • Laws and regulations
  • Self-regulation
  • Industry practice
  • Corporate
29
Q

What is an example of a law and regulation control?

A
  • GDPR requires deletion upon request
  • Control via metadata tagging and deletion mechanisms
30
Q

What is self-regulation in administrative controls?

A

Organizations follow industry standards like PCI-DSS to protect data.

Example: PCI-DSS requires cardholder data encryption; control is AES 256

31
Q

What is an industry practice control?

A
  • Following GAPP
  • Requiring consent through privacy notices and opt-in mechanisms
32
Q

Give an example of a corporate control.

A

Apple's App Tracking Transparency feature based on privacy as a human right.

33
Q

What is the purpose of obfuscation in technical controls?

A

To render data unintelligible and protect it from unauthorized access.

Examples: pseudonymizing data; showing only last 4 digits of SSN/account number.

34
Q

What are security measures in technical controls?

A

Encryption and access controls to prevent unauthorized access.

35
Q

What are Privacy-Enhancing Technologies?

(PETs)

A

Tools/techniques to protect PII by minimizing its use and exposure.

36
Q

What is the difference between a privacy policy and a privacy notice?

A
  • Policy is internal (corporate accountability)
  • Notice is external (public education)
37
Q

What is a privacy policy?

A
  • A high-level document explaining how an organization handles PII
  • Supports standards and procedures
38
Q

What are the goals of a privacy policy?

A
  • Outline strategy
  • Direct stakeholders
  • Guide resource allocation
39
Q

What are characteristics of an effective privacy policy?

A
  • Plain language
  • Comprehensive
  • Action-oriented
  • Measurable
40
Q

What is the purpose section of a privacy policy?

A

Explains the reason for existence, program goals, and alignment with business objectives.

41
Q

What does the scope section of a privacy policy define?

A

Specifies the data the policy applies to.

42
Q

What does the applicability section of a privacy policy define?

A

Identifies who the policy applies to.

43
Q

What is covered in the roles and responsibilities section?

A

Defines duties for each role and determines accountability.

e.g., CPO, vendors

44
Q

What does the compliance section outline?

A

Lists legal, regulatory, and policy requirements, monitoring, and enforcement authority.

45
Q

What is the purpose of the penalties for non-compliance section?

A

Explains penalties and monitors them across the industry.

46
Q

Why is it important to communicate the privacy policy?

A

To ensure:

  • Awareness
  • Local communication by function reps
  • Privacy education
47
Q

What are the key elements of an internal communication plan?

A
  • Purpose
  • Audience
  • Existing channels
  • Medium
  • Office hours
  • Buy-in
  • Compliance motivation
48
Q

What are common mediums for internal communication?

A
  • In-person
  • Virtual
  • Hybrid
  • Pre-recorded sessions
49
Q

What are some budget considerations for privacy policy implementation?

A
  • New tech/services
  • Process changes
  • Administrative tasks (e.g., drafting, publishing, auditing)
50
Q

What causes administrative burden in policy drafting?

A
  • Drafting
  • Reviewing
  • Publishing
  • Communicating policy
  • Audit participation
51
Q

What is the purpose of privacy-supporting policies?

A

To integrate and align organizational policies with privacy principles.

52
Q

What is an Acceptable Use Policy?

(AUP)

A

A policy that outlines rules and expectations for system and resource access and use.

53
Q

What are key AUP considerations?

A
  • User privacy
  • Legal protections
  • Resource limitations
  • Compliance with CIA and policies
54
Q

What are the objectives of InfoSec policies?

A
  • Protect CIA
  • Ensure compliance
  • Support data governance
55
Q

What are typical InfoSec policy considerations?

A
  • Password management
  • Bring Your Own Device (BYOD)
  • Software usage
  • Internet access
  • Control configurations
  • Logging
56
Q

What is acquisition?

A
  • Process of obtaining goods, services, or assets
  • Includes life cycle from planning to disposal
57
Q

What is procurement?

A
  • Subset of acquisition
  • Sourcing and purchasing from external suppliers
58
Q

What are vendor policy considerations?

A
  • Equal standards as employees
  • Identify obligations
  • Assess risk
  • Include in contract
  • Audit
59
Q

What should a vendor policy include?

A
  • Procurement/employment lifecycle
  • Data mapping
  • Risk mitigation
  • Certifications
60
Q

What are vendor contract basics?

A
  • Must meet legal, regulatory, policy needs
  • Involve legal and SME input
61
Q

What are specifics to include in vendor contracts?

A
  • Data backups
  • Metrics
  • Permissions
  • Controls
  • Audit rights
  • Data disposal
  • Breach plan
62
Q

What is vendor risk management?

A
  • Also known as third-party risk management
  • Ensures compliance and mitigates risks
63
Q

What are the key compliance areas in vendor risk management?

A
  • Contracts
  • Legal
  • Regulatory
  • Policy requirements
  • Financial obligations
64
Q

What are the main objectives of a Vendor Management Program?

(VMP)

A
  • Ensure accountability
  • Consistency
  • Service delivery
  • Privacy/security
  • Prevent data misuse
65
Q

How should organizations manage cloud-based vendors?

A
  • Use the same risk management approach
  • Apply to public, private, and hybrid clouds
66
Q

What is the role of Human Resources (HR)?

A

Manages workforce issues.

E.g., hiring, training, benefits, compliance, and conflict resolution.

67
Q

What is Human Resources Management?

(HRM)

A

A strategic approach to managing workforce, including planning and decision-making.

68
Q

What is the goal of HR policies in privacy?

A

To ensure protection of PII through data access, handling, and monitoring controls.

69
Q

Why is a data disposition policy important?

A
  • Supports data minimization
  • Reduces expense, liability, and need for protection and storage
70
Q

What are key factors in policy development for data retention?

A

Identify:

  • What data
  • Where it is
  • How it's stored
  • Why it's retained
71
Q

What should guide data retention decisions?

A
  • Legal, regulatory, industry requirements
  • Business impact
72
Q

Why collaborate with IT in policy development?

A
  • Ensure technical feasibility
  • Address cybersecurity retention needs
73
Q

What are best practices for implementing a retention policy?

A
  • Communicate via training
  • Integrate into workflows
  • Align with policies
  • Consider jurisdictional needs