Shared Flashcard Set

Details

CIPT
CIPT exam
225
Other
Not Applicable
01/28/2018

Cards

Term
what needs to be given to consumers to understand what a company is doing with their personal information
Definition
Notice
Term
What is the term used to describe giving consumers options as to how any personal info collected from them may be used?
Definition
Choice
Term
What term refers to secondary uses beyond those necessary to complete the contemplated transaction
Definition
Choice
Term
What term describes a customer's ability to view and edit their data?
Definition
Access
Term
What term describes technical and managerial controls that protect against loss and unauthorized access?
Definition
Security
Term
What term describes what needs to be done in order for a core principle of privacy protection to be effective?
Definition
Enforcement
Term
NCASE rules are set out by who?
Definition
FTC's fair information practice principles (FIPPS)
Term
What is the definition of a single purpose machine?
Definition
bastion server
Term
What elements should be used to classify data?
Definition
origin, category, sensitivity and purpose
Term
What is the purpose of a security policy?
Definition
define responsibilities for employees
Term
What type of assessment finds gaps in coverage and determines security requirements to address them?
Definition
privacy impact assessment (PIA)
Term
What are the external requirements of a security policy?
Definition
Corporate
Regulatory - FTC
Industry - BBB
Term
What is privileged access?
Definition
lockdown admin access to install apps.
Term
What are four ways to create an approved software policy?
Definition
mandate software list
standards board to approve apps
distribute a list of acceptable apps
provide guidance to employees about apps
Term
What are the three application deployment strategies?
Definition
1. IT controlled
2. IT monitored
3. Employee controlled
Term
What are some ways to mitigate network attacks?
Definition
prevent malware
apply smartphone policies
validate network devices
write secure code
validate apps
Term
What are some ways to prevent external threats?
Definition
strong authentication
network monitoring
network encryption
Term
What are two ways to secure external files
Definition
Passwords
Digital rights mgmt - need a policy server
Term
What are three ways to prevent a DBA from having access to data?
Definition
SELinux OS
role based access control
Remote auditing
Term
Who are the Privacy stakeholders for a company?
Definition
Consumers
Regulators
Industry groups
Researchers
Employees
Term
What are some Consumer privacy agencies in US?
Definition
COPPA
Fair credit reporting act
Right to financial privacy act
Term
What is the Consumer privacy agency in the EU?
Definition
Data protection directive
Term
What is the role of the European Data Protection Supervisor?
Definition
Monitors the institutions
Commissions, council and parliament
Term
What is the org where member states establish independent national regulatory bodies?
Definition
European Free Trade Association
Monitored by EFTA Surveillance Authority
Term
What is Canada’s privacy commission?
Definition
Office of the Privacy Commissioner of Canada
Term
What Industry groups protect consumer privacy via self-regulation?
Definition
BBB
Interactive Advertising Bureau
TRUSTe
Term
What are some types of mistakes that occur when managing personal data?
Definition
Insufficient policies
Improper training
Disjointed practices
Complacency
Third-party contracts
Term
What types of technologies can perform analysis of data without accessing it?
Definition
Homomorphic encryption
Multipart computation
Differential privacy
Term
What language can be used that permits the definition of policies that can be programmatically enforced via security controls?
Definition
Extendable Access Control Markup Language (XACML)
Term
What system permits the definition of users and group policies that can be programmatically enforced by the database?
Definition
SQL server policy based mgmt system
Term
Sections in a privacy notice
Definition
What data is collected
How it is used
How it is shared
User control over collected data
Controlling marketing contact
Use of cookies and tracking
Gaining access to data
Resolving privacy issues
Date of privacy notice
Changes in privacy notice
Term
Data that is observed, inferred and declared directly from users and third parties
Definition
Collected data
Term
Key item to control marketing contact
Definition
Should not have to receive marketing emails to get service emails. Should not get emails from other product groups.
Term
What topics should a privacy policy have?
Definition
Types of data classification
Data collection principles
Protection of data
Data retention period
Treatment of sensitive data
Sharing of data across groups, partners and vendors
Creation of dept priv policies
Performance of privacy reviews
Participation in a privacy response center
Responding to privacy inquiries
Responding to data inquiries
Term
What should the data collection principles cover?
Definition
When and how Data should be collected and List obligations for Data collection.
Notification, control, protection required, minimization requirements and sharing limits
Term
Ways to protect data during collection
Definition
Dependent on classification and regulatory requirements

Encryption or access control
Term
How to respond to data privacy requests?
Definition
Define conditions for request
Setup process to verify owner
Process to takedown content
Term
What can be done with data after the retention period is over?
Definition
Deleted
De-identified
Aggregated
Term
What is the multilevel security system? MLS
Definition
Strong role based or attribute based access control system
So protecting data is based on policy
Term
when to delete data?
Definition
based on retention period
termination of contract
acquisition by another company
completion of a contract
regulatory requirement
deletion request by the data owner
Term
Proper inventory controls
Definition
having rules governing where data can be placed.
minimize the use of offline storage and data placed on thumb drives
centralize contracts
classify data
create data flows and list all data stores in a data inventory
Term
What are some discretionary access control concerns?
Definition
review group permissions and the permission inheritance is enabled.
Term
what is a concern regarding mandatory access control?
Definition
possible to clear a resource's ACL and permanently lose access to a resource (SELinux supports MAC)
Term
What attributes are part of attribute-based access control?
Definition
time, location, nationality, age required to access
Term
what standard supports attribute based access control?
Definition
XACML - extensible access control markup language
Term
What should an incident response program consist of?
Definition
Incident response center
Web form
Email address
Phone number
Reps from hr, pr, legal, privacy and security
Term
What elements should a privacy response form have?
Definition
Accessible from privacy notice
Privacy categories
Auto response
Incident tracking system
Term
What are the web form Privacy categories?
Definition
data breach
data access request
account takeover
Term
Events that trigger a PIA
Definition
New product or service
New or updated program for processing data
Merger or acquisition
Creation of new data center
Onboarding new data
Movement of data to another country
New regulations
Term
What country has PIPEDA?
Who is affected?
Definition
Canada
Anyone doing business in Canada
Personal info protection and elec doc act
Term
Who is affected by GDPR?
Definition
All orgs holding personal data
Online or offline data
Term
What country uses Personal Data Ordinance?
Who is affected?
Definition
Hong Kong
Orgs doing business in HK
Term
What country uses the Law on the Protection of Personal Data Held by Private Parties?
Who does it affect?
Definition
Mexico
Companies doing business in Mexico
Term
Who is affected by COPPA?
What services are affected?
Definition
Children under 13
Websites or online services with actual knowledge that they are collecting, using or disclosing personal info for children under 13
Directly or indirectly
Term
5 phases of info lifecycle
Definition
Collection
Use
disclosure
Retention
Destruction
Term
The sharing or onward transfer of data to third parties is the definition of what?
Definition
Disclosure
Term
How does a user find out how their data is being used?
Definition
Privacy notice
Term
What are the eight OECD privacy principles?
Definition
Collection limitation principle
Data quality principle
Purpose specification principle
Use limitation principle
Security safeguards principle
Openness principle
Individual participation
Accountability
Term
Code of Fair Information Practices
Definition
No personal data record keeping system
Right to access / correct
Identifying Purpose
Take precautions to prevent misuse
Term
Issues with privacy control for consumers
Definition
Users can opt out of advertising but can’t control the collection of their data
Users can disable tracking of location data but then mapping is disabled
Term
Implied vs explicit consent
Definition
Implied- user never provides specific consent
Explicit - verifiable acknowledgement
Term
What are some ways to ensure accurate data from third parties?
Definition
1. Validate the company’s data collection and verification process
2. Member of BBB
3. all data fields are completed
4. Verify data with user
Track changes of access control
Term
What is the best way to validate a user
Definition
Credit card
Term
What are the factors that determine how data is used?
Definition
According to privacy policies
Regulations
Contractual agreements
Too many data elements
Outdated data elements
Internal sharing
Term
What are some ways to test applications that use PII?
Definition
Anonymization
Random data
Use data generator programs
Limited sets
Term
Onward transfer or ?? also means sharing of info external to the org collecting it.
Definition
Disclosure
Term
Internal disclosures use the metadata associated with the data flow diagram which should point to what?
Definition
privacy policies of the group sharing and receiving the data
Term
External Disclosures are covered by contracts and comply with what?
Definition
Policy notices
Term
What are the steps for vendor mgmt due diligence
Definition
Inventory of what will be sent
How to transfer data
Must review vendor’s data access, storage practices
Term
By what methods can a record be disposed of properly?
Definition
Deletion
Destruction
Recycling
Selling
Rights management expiration
Returning it to original owner
Term
What is the only method used to validate users who want access to their user data?
Definition
Credentials
Term
What are methods to protect transient records?
Definition
1. Storing online session data to preserve partial purchases that may have been abandoned
2. Enabling auto-save for docs
3. Enabling journal files for databases
Term
What is the format command to zero the entire disk?
Definition
Format drive letter /P:1
Term
What are good practices for developing an IT architecture?
Definition
Technology standardization
Policy consolidation
Data center distribution
(Privacy law issues with other countries)
Term
Issues to consider when acquiring data via a merger
Definition
Service provider processing of data
Vendor data
Customer data
Online data
Term
Governing body to protect processing data online for targeted advertising
Definition
Interactive advertising Bureau
Term
Governing agency to watch financial data for EU
Definition
Basel III
Term
What is the issue with context of authority?
Definition
The broader the scope of the context the more difficult it is to manage the privacy resources
Term
What are the guidelines for multi-enterprise/outsourced to user contexts?
Definition
1. Single contract covers where project data is stored
2. Single privacy policy
3. No shared credentials
4. Administration of resources is shared by members of each enterprise
Term
What is the Purpose of open ID federation?
Definition
Allows users to be authenticated by a relaying party
Term
What is the standards org established to define open standards for identity management?
Definition
Liberty Alliance
Term
What org builds trust frameworks for verifying online identities?
Definition
Kantara Initiative
Term
Why is Kantara more secure than open ID?
Definition
Uses federated approach and performs an assessment of ID providers
Term
What privacy enhancing identity solution was developed by Microsoft and why was it more private than Liberty and Kantara?
Definition
Identity Metasystem Architecture
Did not permit tracking of users
Term
What are the following examples of?
Open ID
Liberty alliance
Identity meta structure
Social networks
Definition
SSO
Term
What is an encryption blob (binary large object)?
Definition
Vendor only gets encrypted card number and transaction data is only unique to vendor
Term
What are the main PCI requirements
Definition
credit card data is protected by firewall
no defaults on vendor products
encrypt transmission
update antivirus
develop and maintain secure systems and applications
restrict access to cardholder data
assign unique IDs
restrict physical access
track and monitor access to resources
regularly test security systems and processes
info security policy for employees
Term
What are the three steps that are fulfilled by following PCI requirements?
Definition
Access - vulnerability assessment
Remediate - address issues found in assessment
Report -
Term
What is PA-DSS and its purpose?
Definition
Payment Application Data Security Standard
requirements for software developers that develop payment card software
Term
What are the requirements of PA-DSS?
Definition
Create a payment app
Create an implementation guide
educate customers, resellers
Ensure it passes review
provide copy to users for implementation guide
Term
What are some remote access guidelines?
Definition
use corporate devices
use approved devices
limit data transfers
limit types of access
mandate device controls
limit social access
provide notice and obtain consent
Term
What are some local network access guidelines?
Definition
limit computer access
require manual authentication
use multi-factor auth
Term
What are some guidelines for encryption?
Definition
Encryption size
Performance
Complexity
Utility - apply operations to data before encryption
Term
What are the pros and cons of record encryption?
Definition
Each record has a different key or salt
Performance issues
Backup issues
Term
What is the most common use for digital rights management?
Definition
Used to prevent docs from being accessed outside the org
Term
What are the methods by which a file can be encrypted?
Definition
Password
DRM
Third party
Term
What are the guidelines for DLP?
Definition
Policies and training - minimization of data processing
physical security - only allow necessary computers access to data
access security - access controls
hardware constraints - USB
network monitoring - encryption, firewalls, routers, monitors
software tools - antivirus, encryption, rights mgmt
Term
Examples of just-in-time privacy notice
Definition
first run of an application
account creation
software installation
Term
What are the rules for aggregation?
Definition
1. Large enough population
2. Categorization should include a broad set of participants, but not all
3. No identifiable data
Term
What is the process of combining data from multiple records into a single record around a common index?
Definition
Aggregation
Term
Who is responsible for this role?
Define standards, policies, guidelines and auditing control
Definition
privacy professionals
Term
Whose role is this?
sponsors privacy program and mandate it
Definition
Company Executives
Term
Whose role is this?
Collect info from users via some form of communication
Definition
Marketers
Term
Whose role is this?
promotes the privacy program and responds to minimize backlash from an incident
Definition
Public relations
Term
What are guidelines for privacy by design?
Definition
1. commit to a PbD program
2. create a privacy standard
3. perform privacy reviews
4. perform a data flow analysis
4. Transparency - how the data is collected and processed should be in privacy notice
5. Control - providing users with granular level - modify and delete and export
6. retention -until accounts are deleted or retention policy
7. security
Term
What should be in the privacy standard?
Definition
1. describe expectations
2. provide guidelines and standards
3. ensure that commitments made in the privacy policy are met
Term
What needs to be performed for a data flow analysis?
Definition
1. inventory and categorization of data with custodians
2. Categories should be matched against how the data is handled at each step along the data flow
Term
What are the guidelines for privacy with social media
Definition
1. Determine your audience
2. Determine your message
3. Assign owners - to be consistent
4. Create content guidelines - to prevent leakage of sensitive information, improper statements
5. Use Corporate IDs to control the messaging
6. Limit what can be shared
Term
What is the purpose of the e-Privacy Directive?
Definition
covers the processing of personal data and protection of online privacy.
Term
What are some of the aspects that the e-Privacy Directive covers?
Definition
Websites that use cookies for tracking purposes need to provide enhanced notice.
User should be able to view/edit/delete data
Term
CalOPPA
Definition
1. Must permit children under 18 to delete data
2. Must inform visitors of the type of Do Not Track mechanisms they support
3. Easy to find privacy statements
Term
self-regulatory principles of programs
Definition
Digital Advertising Alliance
Interactive Advertising Bureau
Term
What is some advice for companies that cater to teens and children
Definition
Provide rules of conduct and enforce them
monitor open forum
provide features to allow blocking of users
provide the ability to report bad behavior
validate that your site's services are being used for criminal activity
Involve authorities when needed
Study international laws
Term
What are the different ad types and their relative value?
Definition
Remnant - run when not using a campaign
Premium - on homepage of a website
contextual - like search engine ads match what you are searching for
demographic - age, weight, zip codes
psychographic - hobbies or interests
behavioral online advertising- based on aggregated data
Term
What are the common online ad models?
Definition
Search ads
display ads (banner ads)
publisher ads - using a publisher for ads
third party ads
Term
What are some precautions when placing third-party ads?
Definition
Have a contract in place
Limit the ability for ad networks to place cookies
provide an opt-out
members of the DAA
Term
What are resources on a webpage called that are hidden?
Definition
Web beacon, pixel tags, clear GIFs
Term
what are local shared objects (LSOs)?
Definition
memory within the browser that can store data, similar to a cookie. (e.g. Adobe Flash and Silverlight)
Term
what trait do both cookies and local shared objects have?
Definition
only the website that stored the data can access the data.
Term
What is the term browser fingerprinting?
Definition
using the IP address sent during a browser session to a website and the browser's user agent string to uniquely identify the browser.
Term
What is a super cookie?
Definition
a mechanism for ensuring the value of a cookie persists even after it is deleted. Performed with browser fingerprinting and LSO storage
Term
What are the goals of privacy policy language?
Definition
does it solve the problem it was trying to address?
What is its adoption rate?
How well does it interoperate with identity, database and content management systems?
what is the deployment criteria
what is the training requirement
what is the maintenance involved?
Term
What is the purpose of the Platform for Privacy Preferences Project (P3P)
Definition
for websites with standardized way to express privacy practices. Put privacy notices in XML format
Term
Benefits of SAML
Definition
platform neutral
loose coupling of directories (no need to sync between directories or user info to be maintained)
improved online experience - SSO
Identity federation
reduce admin costs
risk transference
Term
What is the purpose of XACML
Definition
applies a set of tokens to a resource that describe the type of access permitted by a set of predefined roles.
Term
What are the benefits of XACML
Definition
it uses a standard language
it's generic, distributed and powerful
Term
What are some cookie tracking protection features?
Definition
Cookie blocking / deleting (once browser session ends)
Term
What are some ways to prevent automated data capture?
Definition
facial features - hat and sunglasses
magnetic strip - only use at certain places
RFID tags - place in foil
USB - password / encryption
Term
What are some anonymity tools?
Definition
site blockers
Tor
The Free Network - can provide point to point communication
E-mail anonymity - maskme and lockify
differential privacy - analyze user data in a database without access to it.
Homomorphic encryption -
Term
What is Pharming?
Definition
when a person types a legitimate URL into a browser but is rerouted to a fake website.
Term
How is Application Preference Exchange Language (APPEL) different than P3P?
Definition
Express privacy settings in a browser
Not adopted. Express user's privacy preferences in XML
Term
What is Enterprise Privacy Authorization Language (EPAL)?
Definition
Privacy language that has access controls to a resource for specific purposes. IBM's privacy rights markup language.
Term
Privacy areas that should be covered by CSP
Definition
Assurance that employees follow org policies
Backups
Disposal of data
restrict visibility by other hosted companies
limitation on who can access the services
Term
What items should be covered in a CSP contract?
Definition
effective period
CSP access to systems and app configurations
restrictions on sharing and usage of data
compliance obligations
backups
disposal - after contract is up as well
Term
What are the ways a data breach can occur?
Definition
Malicious insider
Poor access controls
Lack of encryption
Traffic hijacking
Insecure interfaces
Denial of service
Services misuse
Term
What are some tools that can be used to provide secure connections to cloud services?
Definition
GSS-API (generic security services)
Ip address filtering
Mac address filtering
Network port disabling
OWASP ESAPI (enterprise security)
Protocol disabling
Virtual private network
Term
What is the CSA Cloud Computing Matrix?
Definition
Framework for implementing good cloud data security concepts and principles
13 domains
Term
What defines a functional interface that applications can use data throughout its lifecycle in the cloud?
Definition
Cloud Data Management Interface standard
Term
What is the main purpose of the cloud data management interface standard?
Definition
Permits apps to manage containers and the data that is placed in them and apply metadata to the containers and data elements
Term
RFID framework was created by what orgs?
Definition
Privacy rights clearinghouse
ACLU
EFF
electronic privacy info center
Term
IAPP mobile app privacy tool
is meant to provide best practices for applications for what developers/providers?
Definition
Application developers
Platform developers
Advertising vendors
Operating system providers
Mobile service providers
Term
What requirement categories are in the mobile app privacy toolkit?
Definition
Data collection
Retention
Notice and Transparency
Choice and consent
Accountability and oversight
Privacy controls and security
Children
Term
How does a geographic info system differ from GPS?
Definition
Application that combines geographic data along with descriptive info associated with the data -metadata
Term
How do USERS minimize hacking risks of IOT ?
Definition
Auditing- monitor logs
Disconnect when not in use
Limit who can connect to them
Block camera lens
Encrypt
Password protect wifi
Change default passwords
Term
How do VENDORS minimize IOT risks?
Definition
Audit
Protect privacy and security
Permit users to use their own encryption key
Force password policies
Provide support
Auto update of patches
Term
What organization uses "the guidelines on the protection of privacy and transborder flows of personal data"
Definition
OECD (Organization for Economic Cooperation and Development)
Term
What organization published "the privacy framework"
Definition
APEC (Asia-Pacific Economic Cooperation)
Term
What org published GAPP?
Definition
AICPA
Term
What org published Fair Information Practice Principles
Definition
FTC
Term
What org published the privacy control catalog - appendix J
Definition
NIST
Term
OECD guidelines
Definition
Collection limitation
Data quality
purpose specific
use limitation
security safeguards
openness
individual participation
accountability
Term
What do these terms refer to?
First-party
Surveillance
Third-party
Repurpose
Definition
Collection types
Active and passive
Term
Replay attack
Definition
Man in the middle attack
Replays the hash of the password
Term
Ways to anonymize data
Definition
Suppression
Generalization - replacing birthdate with year. Removing street from address
Noise addition - changing data values that won’t affect statistical data
Term
Methods of anonymizing microdata?
Definition
1. Bottom coded -
>80
2. Controlled rounding -
Nearest integer
3. Data imputation -
Replace with plausible data
4. Value swapping
Term
What are the five Fair Information Practice Principles?
Definition
N
C
A
S
E
Term
A security policy should include what security measures?
Definition
Encryption
Software Protection (antivirus, web filtering)
Access Controls
Physical protection
Social Engineering
Auditing
Term
How to avoid privacy-invasive applications?
Definition
Privileged Access
Software Policy - requirements and guidelines
Privacy links - all apps should have one
Application research
Employee training
IT involvement
Term
SAML vs XACML
Definition
Similar, but it goes further by providing a request/response language that permits the development of an access request
Term
What is differential privacy?
Definition
iPhone keystrokes

maximize the accuracy of queries from statistical databases while minimizing the chances of identifying its records.
Term
What are pixel tags?
Definition
Small blocks of code on a webpage that allow websites to do things like read and place cookies. The resulting connection can include information such as the person's IP address, the time the person viewed the pixel and the type of browser being used
Term
Web beacon
Definition
Allow checking that a user has accessed some content. Common uses are email tracking and page tagging for web analytics
Term
Multi-party computation (MPC)
Definition
Creates methods for parties to jointly compute a function over their inputs while keeping those inputs private. Unlike traditional cryptographic tasks, where the adversary is outside the system of participants
Term
Choice and Consent are regulated by what Act?
Definition
CAN-SPAM Act of 2003, European Data Directive (Articles 7 and 8)
Term
What privacy issues are related to location based services (LBS)?
Definition
data collection, consent and data sharing
Term
Who designed the P3P?
Definition
World Wide Web Consortium (W3C)
Term
When is a PIA performed?
Definition
Prior to developing or obtaining an IT system OR process which collects, stores or discloses PII.
Term
Lockify and Maskme are tools to do what?
Definition
Provide Email anonymity
Term
5 codes of FIPs
Definition
1. Openness: No hidden personal info.
2. Access: Give users access to data
3. Specific Purpose
4. Right to Edit
5. Integrity
Term
Biometric false negatives occur when they are more or less sensitive?
Definition
More sensitive
Term
Biometric false positives occur when they are more or less sensitive?
Definition
less sensitive
Term
Actions to preserve privacy
Definition
data classification plan
Inventory data
data flow diagrams
Term
What are the four encryption levels
Definition
disk, file, record, field
Term
Pseudonymous
Definition
You can link several pieces of information related to the same person, but cannot trace them back to that person's identity
Term
FIPs controls
Definition
security, quality, collection limitation, appropriate use, retention, limited disclosure, monitoring, and enforcement
Term
How does Maskme work?
Definition
permits the creation of a dynamic e-mail address that can be used in filling out forms and signing up for accounts
Term
How does lockify work?
Definition
permits the sending of encrypted e-mails to specific recipients such that only the sender and receiver can view the e-mails
Term
What is Mobilescope
Definition
Can see what data is being transmitted from their mobile devices.
Term
Who created video surveillance guidelines in the EU?
Definition
The European Data Protection Supervisor
Term
If surveillance needs to be performed, an individual should have the following rights
Definition
Be made aware of it and have control over the collected data.
Term
What is the purpose of the Cloud Security Alliance?
Definition
consists of member organizations, including most large cloud providers, that work together to define best practices in security.
Term
How is data collected?
Definition
Via an org’s website
Third party site
Media shipped to org
Term
What privacy principles should be used when collecting data from users?
Definition
Notice
Choice
Control
Consent
Limit data set
Term
What does choice provide to a user?
Definition
Provides users with a say on how their data is managed by an org
Who can see my data?
Term
IBM Informix supports encryption of data transmissions between databases
Definition
Term
What actions need to be taken to ensure collected data is valid?
Definition
Part of BBB
validate process
Ensure all fields are completed
Audit process
Confirm periodically with users
Term
Why should auditing be enabled throughout the record lifecycle?
Definition
Ensure that record management policies are in place
Term
What are the phases of the record lifecycle?
Definition
Receipt or creation
Storage
Usage
Maintenance
Disposition
Term
What is the biggest security risk with portable media?
Definition
No accountability
Term
What is the best way to remove data from hard drives?
Definition
Degaussing
Term
Global sanitization standards
Definition
Canada - CSEC
Australia - ISM
New Zealand - NZISM
Germany - VSITR
US - DoD
Term
Regulations for data destruction
Definition
Australia - Privacy Act 1988
EU - DPD
India - the Information Technology Rules of 2011
South Korea - 2012 Act on the Protection of Personal Data
US - Fair Credit Reporting Act
Term
Downsides of
DAC
MAC
RBAC
Definition
DAC - users can add permissions
MAC - users can be locked out of files
RBAC - forget to remove users from groups
Term
Guidelines for multi-enterprise access
Definition
Single contract
Single privacy policy
No shared credentials
Administration is a shared responsibility
Term
What is the identity metadata architecture?
Definition
Privacy and security enhancing identity solution from Microsoft
(Cardspace)
SSO
Term
Record encryption
Most secure / worst performance
Backups should be done by application
Definition
Term
Benefits of symmetric keys vs asymmetric keys
Definition
Sharing large blocks of data to multiple people
Faster and requires a smaller key
AES and DES
Term
Purpose of just-in-time notice
Definition
A link to privacy statement / controls as account is created or program installed
Term
What is a weakness of using biometrics?
Definition
Revocation capabilities
Privacy risk
Need to encrypt biometrics
Term
What do RSA secure id, LUKS and TAILS do?
Definition
Security via portable devices
Term
LUKS
LINUX Hard DISK ENCRYPTION
Definition
Term
What is a persistent identifier?
Definition
This is an identifier that can provide a single view of an individual across numerous devices — across desktop, mobile web, and in-app, without duplication
Term
Hashing unique IDs that have a specific computer or user, it does not make the data anonymous
Definition
Term
Making Data imprecise
Age
Location
URL
IP ADDRESS
SEARCH KEYWORD
Definition
Age. 65
Location zipcode, city
URL no subdomain
IP ADDRESS remove last octet
SEARCH KEYWORD convert to non sensitive category or delete
Term
What is declared data?
Definition
A person’s demographic info, interests and associations
Term
What is the purpose of declared data?
Definition
To develop an online profile
Term
Best practices for secure code for designers
Definition
Signup for bugtraq
View competitors vulnerabilities
New users have low rights and strong passwords
Sample code reviewed
Privacy implications understood
Term
Best practices for secure code for developers
Definition
Check all untrusted input
Check buffer management
Check latest update
Check all DACLS and remove defaults
Limit error messages
Term
Best practices for secure code for web and database
Definition
Output must be filtered
No concatenation of sql commands
No connecting to database as admin
No use of eval functions
No reliance on REFERER header
Term
Best practices for secure code for testers
Definition
List of attack points
Comprehensive data mutation, test SQL and XSS
Past vulnerabilities
Fails safely
Attack surface is small
Term
What should the privacy standard consist of?
Definition
should describe expectations around the privacy by design program, provide guidelines and practices and ensure that the commitments are met.
Term
Where would you find info about the company's transparency regarding privacy?
Definition
privacy notice on website, installation of application or when data is collected.
Term
What does a data flow analysis consist of?
Definition
An evaluation of where all data is collected, stored, processed and transmitted.
Term
What should data inventory consist of?
Definition
Data owners, categorization, how the data is handled at each step
Term
GAPP Maturity Model Levels
Definition
Ad-hoc - informal
Repeatable - not complete
Defined
Managed - monitored
Optimized - enforced
Term
What is a blended mobile statement?
Definition
Combo of nutrition and icons in privacy notice
Term
What is a combination privacy statement?
Definition
Icons and definitions
Term
What are the data collection principles?
Definition
notification,
control,
protection required,
minimization requirements
sharing limits
Term
When performing a PIA what factors need to be considered?
Definition
Regulations
Standards
Contractual obligations
Commitments from privacy notice
Gaps, controls and types of new data collected
Term
What is Canada PIPEDA minimum requirement?
Definition
At a minimum, organizations must obtain opt-out consent from data subjects in order to collect, use or disclose personal information.
Term
Main concern Hong Kong’s Personal Data ordinance
Definition
Data subjects must be provided the right to access, correct or delete their personal information.
Term
What are the common privacy principles?
Definition
Collection limitation
Use limitation
Data quality
Specific purpose
Security
Openness
Individual participation
Accountability
Term
What needs to be performed first for internal disclosures of data?
Definition
Data flow diagram
Term
What needs to be performed for external disclosures?
Definition
Limits of processing data
Retention
Destruction
Follow privacy notices
Know type of data and group that will have access to it
Term
What is the importance of metadata for retrieving backups?
Definition
Metadata can be used to determine the type of data being stored on backup media without exposing the contents of the data. For example, the metadata could provide categorization information, sensitivity level or even the index to the encryption keys used to encrypt the contents of the backup.