Table of Contents
Collection.................................................................................................................................................................. 3
Policy and Awareness.............................................................................................................................................. 3
Usage....................................................................................................................................................................... 5
Sharing and Distribution........................................................................................................................................... 5
Retention and Storage.............................................................................................................................................. 7
Disposal.................................................................................................................................................................... 8
Subject Access Approval.......................................................................................................................................... 8
1
1 Source: www.knowledgeleader.com
� Risk Question Test
Collection
Sensitive data is • What sensitive data is collected or • Ask about the type(s) of sensitive
collected in an accessed? data collected or accessed.
unsecured manner.
• How is data collected? Are these • Ask how sensitive data is collected.
methods secure? When are
collections performed and by whom?
Sensitive information is • Is the collection of personal • Verify that the data collected is
collected that is not information limited to what is required for processing and specified
required for processing necessary for the purposes identified in the notice.
or is not specified in the in the privacy notice?
privacy notice.
Policy and Awareness
Privacy policies and • Does the entity clearly define and • Review applicable policies related to
procedures have not document its privacy policies with the privacy of sensitive data.
been defined, respect to the following areas?
• Confirm that privacy policies are
documented or − Notice documented and made available to
communicated.
− Choice and Consent internal personnel, customers and
third parties who need them.
− Collection
− Disclosure
− Security
− Monitoring and Enforcement
Sensitive data is not • How is data classified? Is their data • Discuss and review the process to
classified and therefore classification policy defined and classify data.
inadequately protected. documented?
Employees are not • Are privacy policies communicated at • Ask about the process to train users
aware of privacy policies least annually to the entity’s internal on the entity’s privacy policies and
and procedures. personnel responsible for collecting, procedures.
using, retaining and disclosing
• Verify that individuals with access to
personal information?
sensitive data are trained at least
− Does this include the annually.
consequences of noncompliance?
− How is the communication
facilitated?
− How do employees confirm their
understanding and agreement
with the policies?
− Are changes in privacy policies
communicated to personnel
shortly after the changes are
approved?
− How are new employees trained
on the policies?
− How are third parties or
contractors trained on the
2
2 Source: www.knowledgeleader.com
� Risk Question Test
policies?
Ownership has not been • Has a person or group been formally • Determine if a person or group has
established for privacy assigned the responsibility of been formally assigned the
policies and procedures, documenting, implementing, responsibility of maintaining the
resulting in outdated or enforcing, monitoring and updating entity’s privacy policies.
incomplete policies. the entity’s privacy policies?
• Confirm that privacy policies and
− Are their responsibilities clearly procedures are reviewed and
defined? approved by management.
− Is the designated person • Ask about the process for verifying
responsible for user, management that policies and procedures are in
and third-party acceptance? accordance with laws and
Are privacy policies and procedures regulations.
reviewed and approved by management
or an established committee?
Are policies and procedures reviewed
and compared to the requirements of
applicable laws and regulations?
• Is this reviewed at least annually?
• What is the process for this review?
Operational practices do • Is compliance with privacy policies • Ask about the process for ensuring
not follow documented and procedures, commitments and compliance with privacy policies and
policies and procedures. applicable laws, regulations, service- procedures, commitments and
level agreements, and other applicable laws, regulations, service-
contracts reviewed and documented, level agreements, and other
and are the results of such reviews contracts.
reported to management?
Operational practices do • Are instances of noncompliance with • Ask about the process for reporting
not follow documented privacy policies and procedures instances of noncompliance with
policies and procedures. documented and reported? privacy policies.
− If needed, corrective measures
are taken timely.
Company A client team • What is the procedure for ensuring • Ask about the process for ensuring
practices are not aligned Company A is acting in accordance that Company A is acting in
with local or national with local and national privacy accordance with local and national
privacy laws or internal standards and regulations? privacy standards and regulations.
Company A policies.
Client-specified security • Do client contracts specify security • Review client-specific policies and
controls are not clearly controls around how data is procedures.
documented or followed. collected, accessed or stored (e.g.,
• If applicable, verify compliance with
encryption)? How is compliance with
the client-specific policies and
these controls enforced/monitored?
procedures.
Usage
Individuals are not • Are individuals informed that • Ask about the process for informing
informed as to how their personal information is used only for individuals of how data will be used.
data will be used. the purposes identified in the notice?
3
3 Source: www.knowledgeleader.com
� Risk Question Test
Client data is used for • Is there a process in place to monitor • Ask about the process to monitor the
purposes outside of the use of personal data to ensure use of personal data.
those detailed in the that it is used for only its intended
client noticed or business purpose?
contract.
Sensitive data is used • Is application development • Understand and review a sample of
for testing purposes. performed? How is test data created test data to identify where it exists
for testing purposes? and where it originated.
Sharing and Distribution
Sensitive data is • Has a security program has been • Ask about the security program in
accessible to developed? place to protect sensitive data.
unauthorized personnel. − Has it been documented, • Verify that the following controls are
approved and implemented? in place to protect sensitive data:
− Does it include administrative and − Access limited based on business
technical aspects? need
− Are physical safeguards in place − Access logging/monitoring
to protect personal information
− Periodic reviews
from loss, misuse, unauthorized
access, disclosure, alteration and − Periodic network scans
destruction?
• What logical access controls are in • Refer to test steps above.
place to restrict access to sensitive
data?
Sensitive data is sent via • Is sensitive data sent via corporate • Ask about the extent of sensitive data
corporate email in an email? Can sensitive data be sent being sent via email.
unsecured format. over external email or IM or is it
• Discuss if sensitive data was sent
blocked? Is there an encryption
over external email or IM.
method in place to protect sensitive
data? • Discuss and assess any email
encryption solutions in place.
Sensitive data is • How is data being transferred? Is • Ask about the process for transferring
transferred via unencrypted sensitive data leaving sensitive data.
unsecured methods. the Company A corporate network?
Sensitive information • What criteria does the data have to • Ask about the process to encrypt
leaves the Company A meet to be encrypted? Can sensitive data.
network in the form of data be saved on unsecured media?
• Ask about the backup process and
unencrypted removable
• Where are backup tapes stored, and determine how backup data is moved
media and storage.
how often are they moved? Are off-site.
backup tapes encrypted?
Sensitive information is • What types of sensitive data are used • Ask about the use of web
uploaded or inputted into by web applications? Who manages applications in relation to sensitive
a website that does not the web applications? How is the data.
protect the data. traffic secured? Is the application
• Assess controls in place to protect
internal or external?
the transfer and subsequent storage
of sensitive information.
4
4 Source: www.knowledgeleader.com
� Risk Question Test
Sensitive information • Is sensitive data transferred via FTP • Ask about bulk transfers related to
exits the Company A or bulk transfer method? Are there sensitive data.
network via bulk transfer controls in place to secure the
• Assess the controls in place to
to third parties in an transfer?
protect transfers.
insecure format.
Use of client data by • If applicable, what type of information • Discuss the process for sharing data
third parties or is included in the contract/notice with third parties or consultants.
consultants is not when sensitive data is used by third
• Ask how individuals are notified when
adequately managed. parties or consultants?
data is processed by third parties.
• Are third-party contracts reviewed for • Discuss the process for reviewing
consistency with privacy policies and third-party contracts.
procedures?
• Is sensitive information solely • Discuss the process for sharing data
disclosed to third parties for the with third parties.
purposes described in the notice?
• Are privacy policies communicated to • Refer to test step above.
third parties to whom personal
information is disclosed?
• Is personal information disclosed only • Refer to test step above.
to third parties who have agreements
with the entity to protect personal
information in a manner consistent
with the relevant aspects of the
entity’s privacy policies?
• If applicable, is there a service-level • Determine if third-party processing
agreement in place providing takes place. If so, obtain and review
sufficient guarantees of technical and the third-party service-level
organizational measures governing agreement for appropriate
the processing to be completed? guarantees of sufficient measures.
Sensitive data is given • Is data ever requested by the • Ask about the types of external
to governmental government (e.g., through sensitive data requests that are made
authorities without subpoena)? If so, what is the process and the process that these are
following the correct for distributing the data? fulfilled.
process.
Sensitive data is lost • How is sensitive data protected from • Ask about the controls around the
through an external an external attack? network.
malicious act.
Sensitive data is printed • Are there policies and procedures • Ask about the policies regarding
and not adequately regarding the printing of sensitive printing sensitive data.
secured. data?
Retention and Storage
Sensitive client data is • What is the process to verify that • Verify that retention policies and
retained for a period of personal information is retained no procedures are documented.
time longer than longer than necessary to fulfill the
5
5 Source: www.knowledgeleader.com
� Risk Question Test
necessary to provide intended business purposes? • Ask about the process to ensure that
services to the client, sensitive data is only kept for the
per the contract. stated retention time.
Sensitive client data is • When sensitive data is no longer • Ask about the process of scrubbing
retained for a period of needed for processing, is the data sensitive data when it is no longer
time longer than scrubbed, making the subjects needed.
necessary to provide nonidentifiable?
services to the client,
per the contract.
Employees have access • How is sensitive data (hard copy and • Discuss the process to restrict
to sensitive hard copy electronic) restricted to users who access to data to users that need the
and/or electronic data need the information to perform their information to perform their job
sources without a job functions? functions.
legitimate business
need. • If applicable, are background • Identify all key servers that store
investigations performed on and/or transmit sensitive information.
personnel who are authorized to
• Identify all personnel that have
access the information or data?
physical and electronic access to
these servers.
• Ask management about the hiring
criteria.
Servers or file cabinets • Are physical access controls in place • Ask about the types of physical
housing sensitive data to restrict access to personal security controls in place for both
are not secure. information in any form (including the paper and servers.
principles of the entity's system[s]
• Determine if a clean desk policy is in
that contain or protect sensitive
place.
information)? Is there a clean desk
policy?
Disposal
Sensitive data is not • Are shredding/disposal bins locked? • Identify all physical locations of
securely disposed of Who can access these sources? sensitive data marked for shredding.
prior to leaving the
• Confirm that shredding bins are
Company A perimeter.
present throughout the entity and that
no one has access to the sensitive
data unless their job description
requires it.
• How is sensitive data destroyed? Do • Assess security policies pertaining to
these procedures mirror those the disposal of sensitive data.
present in Company A policy?
• Verify that practices follow the policy
requirements.
6
6 Source: www.knowledgeleader.com
� Risk Question Test
Sensitive data no longer • What is the process for permanently • Ask about applications and
in use is not destroyed, destroying data on storage media? processes used to destroy electronic
and a malicious user data that is no longer needed.
could recover it from
• Verify that data bits are permanently
hard disks and
overwritten.
removable storage
devices.
Subject Access Approval
The subject of the • How is the subject notified of what • Ask about the process for notifying
sensitive data does not type of processing will be done on the subjects on the collection and
approve of the type and their sensitive data? Is notice processing of sensitive data.
extent of processing. provided to the individual about the
entity’s privacy policies and
procedures?
• Is implicit or explicit consent obtained • Ask about the process of collecting
from the individual at or before the client consent.
time personal information is collected
• Verify that client consent is properly
or as soon as practical thereafter?
carried out.
• Determine if the following applies • Ask about the process to notify
when collected information is used individuals when information must be
for purposes not previously identified used for purposes not previously
in the privacy notice: identified.
− Is a new purpose documented?
− Is the individual notified?
− Is implicit or explicit consent
obtained prior to such new use or
purpose?
• Are individuals informed about how to • Ask about the process for individuals
contact the entity with complaints to contact the entity with complaints.
(e.g., via a privacy notice)?
• Is a process in place to facilitate • Ask about the process for data
requests from data subjects objecting subjects objecting to the processing
to the processing of data? Is a of data.
process in place to investigate,
address complaints, and document
and communicate resolution to the
individual?
Data is not accurate or • Does the subject have access to the • Ask about the process for data
complete. data that will allow them to update subjects to view or update their
and/or verify the accuracy and personal data.
completeness of the data? Is the
identity of the individual authenticated
prior to granting them access to the
data?
Is there an established procedure for
handling data subject requests for
access to view and update their
7
7 Source: www.knowledgeleader.com
� Risk Question Test
data?
Sensitive data is shared • Are individuals informed that • Ask about the process of informing
without proper personal information is disclosed to individuals about sensitive
authorization from the third parties only for the purposes information that is shared with third
subject. identified in the notice? parties.
• Is that only for instances where the
individual has provided implicit or
explicit consent unless a law or
regulation specifically allows or
requires otherwise?
8
8 Source: www.knowledgeleader.com
