Monitoring and Audits Flashcards
What are the three tiers of audience for business metrics?
Primary audience: Legal and privacy officers, senior leadership, chief information officer (CIO), program managers (PM), information system owners, chief information security officer (CISO) and chief privacy officers (CPO).
Secondary audience: Chief financial officer (CFO), training organizations, human resources (HR), inspectors general (IG), HIPAA security officials
Tertiary audience: External watchdog groups, sponsors, stockholders
These are differentiated by the level of interest, influence, ownership and responsibility of privacy within the business objectives
What is trend analysis? What are the types?
Trend analysis ensures data is interpreted correctly and apparent relationships are meaningful and significant
- Time series: Shows trends in an upward or downward tendency
- Cyclical component: Shows weekly, monthly or yearly data describing any regular fluctuations
- Irregular component: Also known as “noise”—this is what is left over when the other components of the series (time and cyclical) have been accounted for and is the most difficult to detect.
What is ROI?
Return on investment is an indicator used to measure the financial gain or loss (value) of a project in relation to its cost. ROI = (Benefits – Costs)/Costs. Privacy ROI helps provide justification to pay for a good privacy program by defining metrics to measure the effectiveness of investments and the cost to protect personal data.
What are the five maturity levels of the AICPA/CICA Privacy Maturity Model?
o Level 1 (Ad hoc): Informal, incomplete, undocumented and undefined
o Level 2 (Repeatable): There is structure and consistent focus on improvement
o Level 3 (Defined): Defined and documented with consistency
o Level 4 (Managed): Requirements and controls are in place with metrics
o Level 5 (Optimized): Deliberate and continuous process improvement
What are the responsibilities of a metric owner?
A metric owner is responsible for managing the metric throughout its life cycle. Responsibilities include knowing what is critical about the metric and how it fits into business objectives; monitoring performance with the metric; updating process documentation (including the metric’s definition); performing regular reviews; and incorporating improvements into the process
Name four ways to analyze privacy program metrics?
trend analysis, return on investment (or ROI), business resiliency and program maturity.
Define “Audit”
Audits are an ongoing process of evaluating the effectiveness of controls throughout the organization’s operations, systems, and processes … The purpose of a privacy audit is to determine the degree to which technology, processes, and people comply with privacy policies and practices.
What are the five phases of an audit?
The high-level, five phase audit approach includes:
1. Audit planning: Risk assessment, schedule, selecting auditor, pre-audit questionnaire, preparatory meeting/visit and checklist
- Audit preparation: schedule; confirm and prepare checklists, sampling criteria and audit plan
- The audit itself
- Reporting: Noncompliance records and categories (major/minor), audit report, closing meeting and distribution
- Follow-up: Confirm scope, schedule, methodology and closure
What are the differences between first-party, second-party, and, third-party audits?
A first-party audit is performed by internal employees. Functions to review are determined by manpower and compliance factors.
Second-party audits are often known as “supplier audits,” because they typically involve the organization auditing existing suppliers or subcontractors.
Third-party audits are required under consent decree or by a regulator.
They are conducted by independent outside sources
What are the two questions an audit should answer?
Audits should answer two questions:
1) Do the privacy operations do what they were designed to do?
2) Are data privacy controls correctly managed?
