CIPM CH 5 Sustain Flashcards
Business process monitoring
Consists of collecting statistics produced by business processes, examining these statistics, transforming them into key risk and key performance indicators, and reporting these indicators to management
Event monitoring
The practice of examining the events occurring in an information system. Types of events of interest to privacy and security managers include the following:
- successful and unsuccessful logins
- unexpected system or device reboots
- changes made to security configurations
- changes made to operating system files
- queries to databases
- changes made to access permissions of sensitive files
- anomalous movement of sensitive files
Orchestration
- Refers to a scripted response that is automatically or manually triggered when a specific event occurs
- Can be a standalone system or may exist as part of the SIEM
- Runbooks contain short procedures for personnel who manage SIEMs, or actions to perform when a specific type of event occurs
- An orchestration system can be configured to run some scripts immediately, while other scripts can be set to run only when an analyst approves them
Data loss prevention - DLP
Tools and techniques are available for passive (detective) or active (preventive) DLP
- Document scanning: tools can be used to scan stores of unstructured data to determine the extent of the presence of sensitive and personal information
- Document tagging: DLP tools tag files if they contain data matching specific patterns, such as Social Security numbers
- Document marking: once tagged, documents can be marked with a watermark, which introduces human-readable content into files to remind people that these files contain sensitive information
- Email restrictions: DLP tools can be integrated into an organization's email system to monitor and block the practice of emailing files containing sensitive information
- Storage restrictions: DLP tools can be integrated into end-user devices to monitor their handling of sensitive files
Threat hunting
The practice of conducting searches, typically in SIEM logs and configuration management databases, to determine whether traces of intrusions are present in an organization's systems
User behavioral analytics (UBA) - end-user behavioral analytics (EUBA)
Represents a detective capability wherein each user's actions are recorded and a profile of normal behavior is established
Input controls
Come in the form of DLP capabilities that watch for incoming personal information, alerting personnel to incoming data that is unexpected
Input authorization
Represents a policy stating that a new source of information is permitted only upon management approval
Control self-assessment (CSA)
A methodology used by organizations to review key business objectives, risks related to achieving these objectives, and the key controls designed to manage those risks
- The organization takes the initiative to self-regulate rather than engage outsiders, who may be experts in auditing but not in the organization's mission, goals, and culture
- The primary objective is to transfer some of the responsibility for oversight of control performance and monitoring to the control owners
- Another objective is the long-term reduction in exceptions
CSA advantages
- Root causes can be detected earlier
- Control owners can improve their internal controls promptly
- Leads to greater ownership of controls through involvement in the assessment and improvement
- Leads to improved employee awareness
- Instant visibility into control effectiveness
- May help improve relationships between departments and auditors
CSA disadvantages
- May be mistaken as a substitute for an internal audit
- May be considered extra work and dismissed as unnecessary
- Control owners may attempt to cover up shoddy work and misdeeds
- May be considered an attempt by an auditor to shrug off their responsibilities
- Lack of employee involvement could translate into little or no process improvement
CSA life cycle
- Identify and assess risks
- Identify and assess controls
- Develop a questionnaire or conduct a workshop
- Analyze the completed questionnaire or assess the workshop results
- Undergo control remediation
- Conduct awareness training
Auditing privacy programs
- An audit confirms, using objective means, the effectiveness of controls and processes
- The scope of a privacy program audit would likely be the controls, processes, and systems used to protect personal information, or the controls, processes, and systems used to collect, process, and use personal information
Types of privacy audits
- Operational audit: examination of the existence and effectiveness of privacy controls
- Information systems audit: examination of an IT department's operations related to the storage and processing of personal information. Looks at IT governance to determine whether the IT department is aligned with overall organizational goals
- Integrated audit: combines an operational audit and an information systems audit to help the auditor fully understand the entire environment; involves an examination of the operational effectiveness of privacy-related business processes
- Compliance audit: performed to determine the level and degree of compliance with one or more applicable privacy regulations and/or legal requirements or internal policies and standards
- Forensic audit: performed in support of an anticipated or active legal proceeding; typically part of an investigation of a privacy breach
- Service provider audit: a third-party service organization undergoes one or more external audits to increase customers' confidence in the integrity of the third-party services
Privacy audit planning
- Information needed includes:
- Location or locations that will be visited
- A list of business processes and supporting applications to be examined
- Personnel to be interviewed
- Technology supporting each application; privacy policies, standards, and data flow diagrams that describe the environment and the personal data stored and processed there
- All of this information will enable the auditor to determine the resources and skills required to examine and evaluate privacy-related business processes and information systems