Governance and Management of IT - IT Governance

The correct answer is 'Privacy Notice'.

Under the Gramm-Leach-Bliley Act (GLBA), financial institutions are required to provide customers with a 'Privacy Notice' that explains their information-sharing practices. This notice must inform customers about what personal information the institution collects, how it is used, and whether and how it is shared with third parties. The Privacy Notice requirement is a cornerstone of GLBA's consumer protection provisions.

The other options are incorrect:

'Financial Data Transparency Statement' is a made-up term that does not exist in GLBA regulations.

'Safeguards Rule Information Document' refers to a different aspect of GLBA. The Safeguards Rule requires financial institutions to protect customer information, but it does not specifically relate to explaining information-sharing practices to customers.

'Consumer Disclosure Protection Form' is also a fictitious term that is not part of GLBA's regulatory framework.

ISO/IEC 27001 is the international standard specifically designed to provide a framework for establishing, implementing, maintaining, and continually improving an Information Security Management System (ISMS).

This standard outlines requirements for organizations to systematically manage information security risks and implement appropriate controls to preserve confidentiality, integrity, and availability of information.

The other options are valid frameworks but serve different purposes:

COBIT 2019 is primarily focused on enterprise IT governance and management rather than specifically on information security management systems.

NIST SP 800-37 provides guidelines for applying the Risk Management Framework to federal information systems, but is not the international standard for ISMS implementation.

ITIL 4 is focused on IT service management practices rather than information security management systems specifically.

The correct answer is 'Notice'.

One of the fundamental privacy principles requires organizations to notify individuals about how their personal data will be processed, and this notification must occur either before or at the time of data collection. This principle is known as 'Notice' - it ensures transparency by requiring organizations to inform data subjects about what data is being collected, why it's being collected, how it will be used, who it might be shared with, and other key information about processing activities.

'Transparency in subsequent communications' is incorrect because the principle requires notification before or at the time of collection, not after collection has already occurred.

'Data quality assurance prior to usage' refers to ensuring data accuracy and integrity, which is a different privacy principle altogether (data quality/accuracy).

'Subject access reporting with complete documentation' relates to data subject access requests, which is a mechanism for individuals to access their personal data after it has been collected, not the initial notification about data processing activities.