Term

Definition
Sensitive org info (marketing plans, trade secrets) is protected from unauthorized disclosure
Focus: Protect ORG data
*Merger & Acquisition Plans

Term

Definition
Personal info about customers is collected, used, disclosed and protected from unauthorized disclosure
Focus: CUST personal info

Term
Intellectual Property (IP) - 5 items that must be secured & preserved

Definition
1. Strategic Plans
2. Trade Secrets
3. Cost Info
4. Legal docs
5. Process Improvements

Term
4 Steps to Secure IP/Preserve Confidentiality

Definition
1. Identify and classify the info to be protected
2. Encrypt sensitive info
3. Control access to sensitive info
4. Training
** These 4 steps are the same for Confidentiality & Privacy

Term

Definition
Used to protect the privacy of a customer's personal info while giving programmers a realistic data set with which to test a new app

Term
Training - Most **
This teaches employees to:

Definition
- Protect confidential data
- Encrypt SW
- Always log out of apps
- Code reports
- Leave reports on desk
- Do not "reply all"
- Not disclose info at conferences

Term

Definition
1. SPAM: Unsolicited email that contains advertising or offensive content
2. Identity Theft: Unauthorized use of someone's personal info for the perpetrator's benefit

Term
Privacy Regulatory Act - HIPAA

Definition
Health Insurance Portability & Accountability Act

Term
Privacy Regulatory Act - HITECH

Definition
Health Info Tech for Economic & Clinical Health Act

Term
Privacy Regulatory Act - FSMA

Definition
Financial Services Modernization Act
aka Gramm-Leach-Bliley Act

Term
3 Privacy Regulatory Acts

Definition
HIPAA, HITECH, FSMA
All 3 impose specific requirements on orgs to protect the privacy of customer personal info

Term
10 Internationally Recognized Best Practices for protecting the PRIVACY of customers' personal info:
GAAP

Definition
GAAP: Generally Accepted Privacy Principles
1. Management
2. Notice
3. Choice & Consent
4. Collection
5. Use & Retention
6. Access
7. Disclosure to 3rd Parties
8. Security
9. Quality
10. Monitor and Enforce

Term

Definition
Procedures & policies
Assignment of responsibility
Idea that security is a MANAGEMENT issue, not a technical issue

Term

Definition
Give notice to customer of policies, and when info is collected

Term
GAAP 10 - Choice & Consent

Definition
Allow customers consent over info provided, stored
Opt-Out (US) vs. Opt-In

Term

Definition
Collect only what is necessary and stated in policy

Term
GAAP 10 - Use & Retention

Definition
Based on policy and only for as long as needed for the business
Create retention policies and ensure compliance with those policies

Term

Definition
Customers should be capable of reviewing, editing, deleting info stored about them

Term
GAAP 10 - Disclosure to 3rd Parties

Definition
Based on policy & only if 3rd party has some privacy policy standard

Term

Definition
Protection of personal info
Preventive, Detective and Corrective (P, D, C) controls

Term

Definition
Allow customer review
Info needs to be reasonably accurate

Term
GAAP 10 - Monitor & Enforce

Definition
Ensure compliance with policy

Term
Encryption is a ____ Control

Definition

Term
Encryption: ___ -> ____
Decryption: ___ -> ____

Definition
Encryption: plaintext --> ciphertext
Decryption: ciphertext --> plaintext

Term
Encryption uses 2 things:
1. 2.

Definition
1. Key: string of binary digits of a fixed length
2. Algorithm: formula that combines the key & text

Term

Definition
2 identical keys
+ Cheap, fast
- Scalability (have 500+ keys)
One key is used to both encrypt & decrypt.
Because the key is shared by both parties, there is no way to prove who created and encrypted a doc.

Term

Definition
One private key & one public key
A different key is used to encrypt than to decrypt
Public: widely distributed and available to everyone
Private: kept secret and known only to the owner of that key pair
+ Secure, only 2 keys
- Expensive, very slow

Term

Definition
Make copies of all encryption keys used by employees and store them securely

Term
Hashing
1. Def 2. One-way or reverse function? 3. Output size

Definition
1. Takes plaintext of any length and transforms it into a short code called a hash
2. One-way function - CANNOT REVERSE or 'unhash'
3. Any size input --> fixed same output (Always a fixed - SHORT length)

Term
Diff b/t Hashing & Encryption

Definition
Hashing - one-way function (can NOT reverse)
Encryption - reversible (CAN decrypt back to plaintext)
Hashing - any size input --> same fixed short length output
Encryption - output size is approx same as input size

Term
Digital Sig
-Def -Created using -Provides proof

Definition
- Hash of a doc/file
- Created using signer's PRIVATE key
- Provides proof that the doc has NOT been altered & of the CREATOR of the doc

Term

Definition
Electronic doc that contains an entity's public key
Certifies the identity of the owner of that particular public key
Issued by Certificate Authority (proves digital certificate is genuine)

Term
A Digital Certificate is like a ____. Why?

Definition
Passport or Driver's License
Because it is issued by a trusted independent party (gov't)
Employs holograms and watermarks to prove they are genuine

Term

Definition
Virtual Private Network
Encrypts info while it traverses the Internet
Prob: firewalls cannot examine packets that are encrypted