Term
What needs to be given to consumers to understand what a company is doing with their personal information? |
|
Definition
|
|
Term
What is the term used to describe giving consumers options as to how any personal info collected from them may be used? |
|
Definition
|
|
Term
What term refers to secondary uses beyond those necessary to complete the contemplated transaction? |
|
Definition
|
|
Term
What term describes a customer's ability to view and edit their data? |
|
Definition
|
|
Term
What term describes technical and managerial controls that protect against loss and unauthorized access? |
|
Definition
|
|
Term
What term describes what needs to be done in order for a core principle of privacy protection to be effective? |
|
Definition
|
|
Term
NCASE rules are set out by who? |
|
Definition
FTC's fair information practice principles (FIPPS) |
|
|
Term
What is the definition of a single purpose machine? |
|
Definition
|
|
Term
What elements should be used to classify data? |
|
Definition
origin, category, sensitivity and purpose |
|
|
Term
What is the purpose of a security policy? |
|
Definition
define responsibilities for employees |
|
|
Term
What type of assessment finds gaps in coverage and determines security requirements to address them? |
|
Definition
privacy impact assessment (PIA) |
|
|
Term
What are the external requirements of a security policy? |
|
Definition
Corporate; Regulatory - FTC; Industry - BBB |
|
|
Term
What is privileged access? |
|
Definition
Lock down admin access to install apps. |
|
|
Term
What are four ways to create an approved software policy? |
|
Definition
mandate software list; standards board to approve apps; distribute a list of acceptable apps; provide guidance to employees about apps |
|
|
Term
What are the three application deployment strategies? |
|
Definition
1. IT controlled 2. IT monitored 3. Employee controlled |
|
|
Term
What are some ways to mitigate network attacks? |
|
Definition
prevent malware; apply smartphone policies; validate network devices; write secure code; validate apps |
|
|
Term
What are some ways to prevent external threats? |
|
Definition
strong authentication; network monitoring; network encryption |
|
|
Term
What are two ways to secure external files? |
|
Definition
Passwords; Digital rights mgmt - need a policy server |
|
|
Term
What are three ways to prevent a DBA from having access to data? |
|
Definition
SELinux OS; role based access control; Remote auditing |
|
|
Term
Who are the Privacy stakeholders for a company? |
|
Definition
Consumers; Regulators; Industry groups; Researchers; Employees |
|
|
Term
What are some Consumer privacy agencies in US? |
|
Definition
COPPA; Fair Credit Reporting Act; Right to Financial Privacy Act |
|
|
Term
What is the Consumer privacy agency in the EU? |
|
Definition
Data protection directive |
|
|
Term
What is the role of the European Data Protection Supervisor? |
|
Definition
Monitors the institutions: Commissions, council and parliament |
|
|
Term
What is the org where member states establish independent national regulatory bodies? |
|
Definition
European Free Trade Association; monitored by EFTA Surveillance Authority |
|
|
Term
What is Canada’s privacy commission? |
|
Definition
Office of the Privacy Commissioner of Canada |
|
|
Term
What Industry groups protect consumer privacy via self-regulation? |
|
Definition
BBB; Interactive Advertising Bureau; TRUSTe |
|
|
Term
What are some types of mistakes that occur when managing personal data? |
|
Definition
Insufficient policies; Improper training; Disjointed practices; Complacency; Third-party contracts |
|
|
Term
What types of technologies can perform analysis of data without accessing it? |
|
Definition
Homomorphic encryption; Multiparty computation; Differential privacy |
|
|
Term
What language can be used that permits the definition of policies that can be programmatically enforced via security controls? |
|
Definition
Extensible Access Control Markup Language (XACML) |
|
|
Term
What system permits the definition of users and group policies that can be programmatically enforced by the database? |
|
Definition
SQL Server policy-based management system |
|
|
Term
Sections in a privacy notice |
|
Definition
What data is collected; How it is used; How it is shared; User control over collected data; Controlling marketing contact; Use of cookies and tracking; Gaining access to data; Resolving privacy issues; Date of privacy notice; Changes in privacy notice |
|
|
Term
Data that is observed, inferred and declared directly from users and third parties |
|
Definition
|
|
Term
Key item to control marketing contact |
|
Definition
Should not have to receive marketing emails to get service emails. Should not get emails from other product groups. |
|
|
Term
What topics should a privacy policy have? |
|
Definition
Types of data classification; Data collection principles; Protection of data; Data retention period; Treatment of sensitive data; Sharing of data across groups, partners and vendors; Creation of dept priv policies; Performance of privacy reviews; Participation in a privacy response center; Responding to privacy inquiries; Responding to data inquiries |
|
|
Term
What should the data collection principles cover? |
|
Definition
When and how data should be collected, and list obligations for data collection: notification, control, protection required, minimization requirements and sharing limits |
|
|
Term
Ways to protect data during collection |
|
Definition
Dependent on classification and regulatory requirements
Encryption or access control |
|
|
Term
How to respond to data privacy requests? |
|
Definition
Define conditions for request; Set up process to verify owner; Process to take down content |
|
|
Term
What can be done with data after the retention period is over? |
|
Definition
Deleted; De-identified; Aggregated |
|
|
Term
What is the multilevel security (MLS) system? |
|
Definition
Strong role based or attribute based access control system, so protecting data is based on policy |
|
|
Term
|
Definition
based on retention period; termination of contract; acquisition by another company; completion of a contract; regulatory requirement; deletion request by the data owner |
|
|
Term
Proper inventory controls |
|
Definition
having rules governing where data can be placed; minimize the use of offline storage and data placed on thumb drives; centralize contracts; classify data; create data flows and list all data stores in a data inventory |
|
|
Term
What are some discretionary access control concerns? |
|
Definition
review group permissions and the permission inheritance is enabled. |
|
|
Term
What is a concern regarding mandatory access control? |
|
Definition
possible to clear a resource's ACL and permanently lose access to a resource (SELinux supports MAC) |
|
|
Term
What attributes are part of attribute-based access control? |
|
Definition
time, location, nationality, age required to access |
|
|
Term
What standard supports attribute-based access control? |
|
Definition
XACML - extensible access control markup language |
|
|
Term
What should an incident response program consist of? |
|
Definition
Incident response center; Web form; Email address; Phone number; Reps from HR, PR, legal, privacy and security |
|
|
Term
What elements should a privacy response form have? |
|
Definition
Accessible from privacy notice; Privacy categories; Auto response; Incident tracking system |
|
|
Term
What are the web form Privacy categories? |
|
Definition
data breach; data access request; account takeover |
|
|
Term
Events that trigger a PIA |
|
Definition
New product or service; New or updated program for processing data; Merger or acquisition; Creation of new data center; Onboarding new data; Movement of data to another country; New regulations |
|
|
Term
What country has PIPEDA? Who is affected? |
|
Definition
Canada; Anyone doing business in Canada; Personal info protection and elec doc act |
|
|
Term
|
Definition
All orgs holding personal data; Online or offline data |
|
|
Term
What country uses Personal Data Ordinance? Who is affected? |
|
Definition
Hong Kong; Orgs doing business in HK |
|
|
Term
What country uses the Law on the Protection of Personal Data Held by Private Parties? Who does it affect? |
|
Definition
Mexico; Companies doing business in Mexico |
|
|
Term
Who is affected by COPPA? What services are affected? |
|
Definition
Children under 13; Websites or online services with actual knowledge that they are collecting, using or disclosing personal info for children under 13; Directly or indirectly |
|
|
Term
5 phases of info lifecycle |
|
Definition
Collection; Use; Disclosure; Retention; Destruction |
|
|
Term
The sharing or onward transfer of data to third parties is the definition of what? |
|
Definition
|
|
Term
How does a user find out how their data is being used? |
|
Definition
|
|
Term
What are the eight OECD privacy principles? |
|
Definition
Collection limitation principle; Data quality principle; Purpose specification principle; Use limitation principle; Security safeguards principle; Openness principle; Individual participation; Accountability |
|
|
Term
Code of Fair Information Practices |
|
Definition
No personal data record keeping system; Right to access / correct; Identifying Purpose; Take precautions to prevent misuse |
|
|
Term
Issues with privacy control for consumers |
|
Definition
Users can opt out of advertising but can’t control the collection of their data. Users can disable tracking of location data but then mapping is disabled. |
|
|
Term
Implied vs explicit consent |
|
Definition
Implied - user never provides specific consent; Explicit - verifiable acknowledgement |
|
|
Term
What are some ways to ensure accurate data from third parties? |
|
Definition
1. Validate the company’s data collection and verification process 2. Member of BBB 3. all data fields are completed 4. Verify data with user Track changes of access control |
|
|
Term
What is the best way to validate a user? |
|
Definition
|
|
Term
What are the factors that determine how data is used? |
|
Definition
According to privacy policies; Regulations; Contractual agreements; Too many data elements; Outdated data elements; Internal sharing |
|
|
Term
What are some ways to test applications that use PII? |
|
Definition
Anonymization; Random data; Use data generator programs; Limited sets |
|
|
Term
Onward transfer or ?? also means sharing of info external to the org collecting it. |
|
Definition
|
|
Term
Internal disclosures use the metadata associated with the data flow diagram which should point to what? |
|
Definition
privacy policies of the group sharing and receiving the data |
|
|
Term
External Disclosures are covered by contracts and comply with what? |
|
Definition
|
|
Term
What are the steps for vendor mgmt due diligence? |
|
Definition
Inventory of what will be sent; How to transfer data; Must review vendor’s data access, storage practices |
|
|
Term
By what methods can a record be disposed of properly? |
|
Definition
Deletion; Destruction; Recycling; Selling; Rights management expiration; Returning it to original owner |
|
|
Term
What is the only method used to validate users who want access to their user data? |
|
Definition
|
|
Term
What are methods to protect transient records? |
|
Definition
1. Storing online session data to preserve partial purchases that may have been abandoned 2. Enabling auto-save for docs 3. Enabling journal files for databases |
|
|
Term
What is the format command to zero the entire disk? |
|
Definition
|
|
Term
What are good practices for developing an IT architecture? |
|
Definition
Technology standardization; Policy consolidation; Data center distribution (Privacy law issues with other countries) |
|
|
Term
Issues to consider when acquiring data via a merger |
|
Definition
Service provider processing of data; Vendor data; Customer data; Online data |
|
|
Term
Governing body to protect processing data online for targeted advertising |
|
Definition
Interactive Advertising Bureau |
|
|
Term
Governing agency to watch financial data for EU |
|
Definition
|
|
Term
What is the issue with context of authority? |
|
Definition
The broader the scope of the context the more difficult it is to manage the privacy resources |
|
|
Term
What are the guidelines for multi-enterprise/outsourced to user contexts? |
|
Definition
1. Single contract covers where project data is stored 2. Single privacy policy 3. No shared credentials 4. Administration of resources is shared by members of each enterprise |
|
|
Term
What is the purpose of OpenID federation? |
|
Definition
Allows users to be authenticated by a relaying party |
|
|
Term
What is the standards org established to define open standards for identity management? |
|
Definition
|
|
Term
What org builds trust frameworks for verifying online identities? |
|
Definition
|
|
Term
Why is Kantara more secure than OpenID? |
|
Definition
Uses federated approach and performs an assessment of ID providers |
|
|
Term
What privacy enhancing identity solution was developed by Microsoft and why was it more private than Liberty and Kantara? |
|
Definition
Identity Metasystem Architecture; Did not permit tracking of users |
|
|
Term
What are the following examples of? OpenID; Liberty Alliance; Identity meta structure; Social networks |
|
Definition
|
|
Term
What is an encryption blob (binary large object)? |
|
Definition
Vendor only gets encrypted card number and transaction data is only unique to vendor |
|
|
Term
What are the main PCI requirements? |
|
Definition
credit card data is protected by firewall; no defaults on vendor products; encrypt transmission; update antivirus; develop and maintain secure systems and applications; restrict access to cardholder data; assign unique IDs; restrict physical access; track and monitor access to resources; regularly test security systems and processes; info security policy for employees |
|
|
Term
What are the three steps that are fulfilled by following PCI requirements? |
|
Definition
Access - vulnerability assessment; Remediate - address issues found in assessment; Report - |
|
|
Term
What is PA-DSS and its purpose? |
|
Definition
Payment Application Data Security Standard; requirements for software developers that develop payment card software |
|
|
Term
What are the requirements of PA-DSS? |
|
Definition
Create a payment app; Create an implementation guide; educate customers, resellers; Ensure it passes review; provide copy to users for implementation guide |
|
|
Term
What are some remote access guidelines? |
|
Definition
use corporate devices; use approved devices; limit data transfers; limit types of access; mandate device controls; limit social access; provide notice and obtain consent |
|
|
Term
What are some local network access guidelines? |
|
Definition
limit computer access; require manual authentication; use multi-factor auth |
|
|
Term
What are some guidelines for encryption? |
|
Definition
Encryption size; Performance; Complexity; Utility - apply operations to data before encryption |
|
|
Term
What are the pros and cons of record encryption? |
|
Definition
Each record has a different key or salt; Performance issues; Backup issues |
|
|
Term
What is the most common use for digital rights management? |
|
Definition
Used to prevent docs from being accessed outside the org |
|
|
Term
What are the methods by which a file can be encrypted? |
|
Definition
|
|
Term
What are the guidelines for DLP? |
|
Definition
Policies and training - minimization of data processing; physical security - only allow necessary computers access to data; access security - access controls; hardware constraints - USB; network monitoring - encryption, firewalls, routers, monitors; software tools - antivirus, encryption, rights mgmt |
|
|
Term
Examples of just-in-time privacy notice |
|
Definition
first run of an application; account creation; software installation |
|
|
Term
What are the rules for aggregation? |
|
Definition
1. Large enough population 2. Categorization should include a broad set of participants, but not all 3. No identifiable data |
|
|
Term
What is the process of combining data from multiple records into a single record around a common index? |
|
Definition
|
|
Term
Who is responsible for this role? Define standards, policies, guidelines and auditing control |
|
Definition
|
|
Term
Whose role is this? Sponsors the privacy program and mandates it |
|
Definition
|
|
Term
Whose role is this? Collect info from users via some form of communication |
|
Definition
|
|
Term
Whose role is this? Promotes the privacy program and responds to minimize backlash from an incident |
|
Definition
|
|
Term
What are guidelines for privacy by design? |
|
Definition
1. commit to a PbD program 2. create a privacy standard 3. perform privacy reviews 4. perform a data flow analysis 5. Transparency - how the data is collected and processed should be in privacy notice 6. Control - providing users with granular level - modify and delete and export 7. retention - until accounts are deleted or retention policy 8. security |
|
|
Term
What should be in the privacy standard? |
|
Definition
1. describe expectations 2. provide guidelines and standards 3. ensure that commitments made in the privacy policy are met |
|
|
Term
What needs to be performed for a data flow analysis? |
|
Definition
1. inventory and categorization of data with custodians 2. Categories should be matched against how the data is handled at each step along the data flow |
|
|
Term
What are the guidelines for privacy with social media? |
|
Definition
1. Determine your audience 2. Determine your message 3. Assign owners - to be consistent 4. Create content guidelines - to prevent leakage of sensitive information, improper statements 5. Use Corporate IDs to control the messaging 6. Limit what can be shared 6. |
|
|
Term
What is the purpose of the e-Privacy Directive? |
|
Definition
covers the processing of personal data and protection of online privacy. |
|
|
Term
What are some of the aspects that the e-Privacy Directive covers? |
|
Definition
Websites that use cookies for tracking purposes need to provide enhanced notice. User should be able to view/edit/delete data |
|
|
Term
|
Definition
1. Must permit children under 18 to delete data 2. Must inform visitors of the type of Do Not Track mechanisms they support 3. Easy to find privacy statements |
|
|
Term
self-regulatory principles of programs |
|
Definition
Digital Advertising Alliance; Interactive Advertising Bureau |
|
|
Term
What is some advice for companies that cater to teens and children? |
|
Definition
Provide rules of conduct and enforce them; monitor open forum; provide features to allow blocking of users; provide the ability to report bad behavior; validate that your site's services are being used for criminal activity; Involve authorities when needed; Study international laws |
|
|
Term
What are the different ad types and their relative value? |
|
Definition
Remnant - run when not using a campaign; Premium - on homepage of a website; contextual - like search engine ads match what you are searching for; demographic - age, weight, zip codes; psychographic - hobbies or interests; behavioral online advertising - based on aggregated data |
|
|
Term
What are the common online ad models? |
|
Definition
Search ads; display ads (banner ads); publisher ads - using a publisher for ads; third party ads |
|
|
Term
What are some precautions when placing third-party ads? |
|
Definition
Have a contract in place; Limit the ability for ad networks to place cookies; provide an opt-out; members of the DAA |
|
|
Term
What are resources on a webpage called that are hidden? |
|
Definition
Web beacon, pixel tags, clear GIFs |
|
|
Term
What are local shared objects (LSOs)? |
|
Definition
memory within the browser that can store data, similar to a cookie. (e.g. Adobe Flash and Silverlight) |
|
|
Term
What trait do both cookies and local shared objects have? |
|
Definition
only the website that stored the data can access the data. |
|
|
Term
What is the term browser fingerprinting? |
|
Definition
using the IP address sent during a browser session to a website and the browser's user agent string to uniquely identify the browser. |
|
|
Term
|
Definition
a mechanism for ensuring the value of a cookie persists even after it is deleted. Performed with browser fingerprinting and LSO storage |
|
|
Term
What are the goals of privacy policy language? |
|
Definition
Does it solve the problem it was trying to address? What is its adoption rate? How well does it interoperate with identity, database and content management systems? What is the deployment criteria? What is the training requirement? What is the maintenance involved? |
|
|
Term
What is the purpose of the Platform for Privacy Preferences Project (P3P) |
|
Definition
Provides websites with a standardized way to express privacy practices. Puts privacy notices in XML format |
|
|
Term
|
Definition
platform neutral; loose coupling of directories (no need to sync between directories or user info to be maintained); improved online experience - SSO Identity federation; reduce admin costs; risk transference |
|
|
Term
What is the purpose of XACML? |
|
Definition
applies a set of tokens to a resource that describe the type of access permitted by a set of predefined roles. |
|
|
Term
What are the benefits of XACML? |
|
Definition
it uses a standard language; it's generic, distributed and powerful |
|
|
Term
What are some cookie tracking protection features? |
|
Definition
Cookie blocking / deleting (once browser session ends) |
|
|
Term
What are some ways to prevent automated data capture? |
|
Definition
facial features - hat and sunglasses; magnetic strip - only use at certain places; RFID tags - place in foil; USB - password / encryption |
|
|
Term
What are some anonymity tools? |
|
Definition
site blockers; Tor; The Free Network - can provide point to point communication; E-mail anonymity - MaskMe and Lockify; differential privacy - analyze user data in a database without access to it; Homomorphic encryption - |
|
|
Term
|
Definition
when a person types a legitimate URL into a browser but is rerouted to a fake website. |
|
|
Term
How is Application Preference Exchange Language (APPEL) different than P3P? |
|
Definition
Express privacy settings in a browser. Not adopted. Express user's privacy preferences in XML |
|
|
Term
What is Enterprise Privacy Authorization Language (EPAL)? |
|
Definition
Privacy language that has access controls to a resource for specific purposes. IBM's privacy rights markup language. |
|
|
Term
Privacy areas that should be covered by CSP |
|
Definition
Assurance that employees follow org policies; Backups; Disposal of data; restrict visibility by other hosted companies; limitation on who can access the services |
|
|
Term
What items should be covered in a CSP contract? |
|
Definition
effective period; CSP access to systems and app configurations; restrictions on sharing and usage of data; compliance obligations; backups; disposal - after contract is up as well |
|
|
Term
What are the ways a data breach can occur? |
|
Definition
Malicious insider; Poor access controls; Lack of encryption; Traffic hijacking; Insecure interfaces; Denial of service; Services misuse |
|
|
Term
What are some tools that can be used to provide secure connections to cloud services? |
|
Definition
GSS-API (generic security services); IP address filtering; MAC address filtering; Network port disabling; OWASP ESAPI (enterprise security); Protocol disabling; Virtual private network |
|
|
Term
What is the CSA Cloud Computing Matrix? |
|
Definition
Framework for implementing good cloud data security concepts and principles; 13 domains |
|
|
Term
What defines a functional interface that applications can use data throughout its lifecycle in the cloud? |
|
Definition
Cloud Data Management Interface standard |
|
|
Term
What is the main purpose of the cloud data management interface standard? |
|
Definition
Permits apps to manage containers and the data that is placed in them and apply metadata to the containers and data elements |
|
|
Term
RFID framework was created by what orgs? |
|
Definition
Privacy Rights Clearinghouse; ACLU; EFF; Electronic Privacy Info Center |
|
|
Term
IAPP mobile app privacy tool is meant to provide best practices for applications for what developers/providers? |
|
Definition
Application developers; Platform developers; Advertising vendors; Operating system providers; Mobile service providers |
|
|
Term
What requirement categories are in the mobile app privacy toolkit? |
|
Definition
Data collection; Retention; Notice and Transparency; Choice and consent; Accountability and oversight; Privacy controls and security; Children |
|
|
Term
How does a geographic info system differ from GPS? |
|
Definition
Application that combines geographic data along with descriptive info associated with the data -metadata |
|
|
Term
How do USERS minimize hacking risks of IoT? |
|
Definition
Auditing - monitor logs; Disconnect when not in use; Limit who can connect to them; Block camera lens; Encrypt; Password protect wifi; Change default passwords |
|
|
Term
How do VENDORS minimize IoT risks? |
|
Definition
Audit; Protect privacy and security; Permit users to use their own encryption key; Force password policies; Provide support; Auto update of patches |
|
|
Term
What organization uses "the guidelines on the protection of privacy and transborder flows of personal data"? |
|
Definition
OECD (Organisation for Economic Co-operation and Development) |
|
|
Term
What organization published "the privacy framework"? |
|
Definition
APEC (Asia-Pacific Economic Cooperation) |
|
|
Term
What org published Fair Information Practice Principles? |
|
Definition
|
|
Term
What org published the privacy control catalog - appendix J? |
|
Definition
|
|
Term
|
Definition
Collection limitation; Data quality; purpose specific; use limitation; security safeguards; openness; individual participation; accountability |
|
|
Term
What do these terms refer to? First-party; Surveillance; Third-party; Repurpose |
|
Definition
Collection types; Active and passive |
|
|
Term
|
Definition
Man in the middle attack; Replays the hash of the password |
|
|
Term
|
Definition
Suppression; Generalization - replacing birthdate with year. Removing street from address; Noise addition - changing data values that won’t affect statistical data |
|
|
Term
Methods of anonymizing microdata? |
|
Definition
1. Bottom coded - >80 2. Controlled rounding - Nearest integer 3. Data imputation - Replace with plausible data 4. Value swapping |
|
|
Term
What are the five Fair Information Practice Principles? |
|
Definition
|
|
Term
A security policy should include what security measures? |
|
Definition
Encryption; Software Protection (antivirus, web filtering); Access Controls; Physical protection; Social Engineering; Auditing |
|
|
Term
How to avoid privacy-invasive applications? |
|
Definition
Privileged Access; Software Policy - requirements and guidelines; Privacy links - all apps should have one; Application research; Employee training; IT involvement |
|
|
Term
|
Definition
Similar, but it goes further by providing a request/response language that permits the development of an access request |
|
|
Term
What is differential privacy? |
|
Definition
iPhone keystrokes
maximize the accuracy of queries from statistical databases while minimizing the chances of identifying its records. |
|
|
Term
|
Definition
Small blocks of code on a webpage that allow websites to do things like read and place cookies. The resulting connection can include information such as the person's IP address, the time the person viewed the pixel and the type of browser being used |
|
|
Term
|
Definition
Allow checking that a user has accessed some content. Common uses are email tracking and page tagging for web analytics |
|
|
Term
Multi-party computation (MPC) |
|
Definition
Creates methods for parties to jointly compute a function over their inputs while keeping those inputs private. Unlike traditional cryptographic tasks, where the adversary is outside the system of participants |
|
|
Term
Choice and Consent are regulated by what Act? |
|
Definition
CAN-SPAM Act of 2003, European Data Directive (Articles 7 and 8) |
|
|
Term
What privacy issues are related to location based services (LBS)? |
|
Definition
data collection, consent and data sharing |
|
|
Term
|
Definition
World Wide Web Consortium (W3C) |
|
|
Term
|
Definition
Prior to developing or obtaining an IT system OR process which collects, stores or discloses PII. |
|
|
Term
Lockify and Maskme are tools to do what? |
|
Definition
|
|
Term
|
Definition
1. Openness: No hidden personal info. 2. Access: Give users access to data 3. Specific Purpose 4. Right to Edit 5. Integrity |
|
|
Term
Biometric false negatives occur when they are more or less sensitive? |
|
Definition
|
|
Term
Biometric false positives occur when they are more or less sensitive? |
|
Definition
|
|
Term
Actions to preserve privacy |
|
Definition
data classification plan; Inventory data; data flow diagrams |
|
|
Term
What are the four encryption levels? |
|
Definition
disk, file, record, field |
|
|
Term
|
Definition
you can link several pieces of information related to the same person, but not come back to that person's identity |
|
|
Term
|
Definition
security, quality, collection limitation, appropriate use, retention, limited disclosure, monitoring, and enforcement |
|
|
Term
|
Definition
permits the creation of a dynamic e-mail address that can be used in filling out forms and signing up for accounts |
|
|
Term
|
Definition
permits the sending of encrypted e-mails to specific recipients such that only the sender and receiver can view the e-mails |
|
|
Term
|
Definition
Can see what data is being transmitted from their mobile devices. |
|
|
Term
Who created video surveillance guidelines in the EU? |
|
Definition
The European Data Protection Supervisor |
|
|
Term
If surveillance needs to be performed, an individual should have the following rights |
|
Definition
Be made aware of it and have control over the collected data. |
|
|
Term
What is the purpose of the Cloud Security Alliance? |
|
Definition
consists of member organizations, including most large cloud providers, that work together to define best practices in security. |
|
|
Term
|
Definition
Via an org’s website; Third party site; Media shipped to org |
|
|
Term
What privacy principles should be used when collecting data from users? |
|
Definition
Notice; Choice; Control; Consent; Limit data set |
|
|
Term
What does choice provide to a user? |
|
Definition
Provides users with a say on how their data is managed by an org. Who can see my data? |
|
|
Term
IBM Informix supports encryption of data transmissions between databases |
|
Definition
|
|
Term
What actions need to be taken to ensure collected data is valid? |
|
Definition
Part of BBB; validate process; Ensure all fields are completed; Audit process; Confirm periodically with users |
|
|
Term
Why should auditing be enabled throughout the record lifecycle? |
|
Definition
Ensure that record management policies are in place |
|
|
Term
What are the phases of the record lifecycle? |
|
Definition
Receipt or creation; Storage; Usage; Maintenance; Disposition |
|
|
Term
What is the biggest security risk with portable media? |
|
Definition
|
|
Term
What is the best way to remove data from hard drives? |
|
Definition
|
|
Term
Global sanitization standards |
|
Definition
Canada - CSEC; Australia - ISM; New Zealand - NZISM; Germany - VSITR; US - DoD |
|
|
Term
Regulations for data destruction |
|
Definition
Australia - Privacy Act 1988; EU - DPD; India - the Information Technology Rules of 2011; South Korea - 2012 Act on the Protection of Personal Data; US - Fair Credit Reporting Act |
|
|
Term
|
Definition
DAC - users can add permissions; MAC - users can be locked out of files; RBAC - forget to remove users from groups |
|
|
Term
Guidelines for multi-enterprise access |
|
Definition
Single contract; Single privacy policy; No shared credentials; Administration is a shared responsibility |
|
|
Term
What is the identity metadata architecture? |
|
Definition
Privacy and security enhancing identity solution from Microsoft (CardSpace); SSO |
|
|
Term
Record encryption: most secure / worst performance; backups should be done by application |
|
Definition
|
|
Term
Benefits of symmetric keys vs asymmetric keys |
|
Definition
Sharing large blocks of data to multiple people; Faster and requires a smaller key; AES and DES |
|
|
Term
Purpose of just-in-time notice |
|
Definition
A link to privacy statement / controls as account is created or program installed |
|
|
Term
What is a weakness of using biometrics? |
|
Definition
Revocation capabilities; Privacy risk; Need to encrypt biometrics |
|
|
Term
What do RSA SecurID, LUKS and TAILS do? |
|
Definition
Security via portable devices |
|
|
Term
LUKS: Linux hard disk encryption |
|
Definition
|
|
Term
What is a persistent identifier? |
|
Definition
This is an identifier that can provide a single view of an individual across numerous devices — across desktop, mobile web, and in-app, without duplication |
|
|
Term
Hashing unique IDs tied to a specific computer or user does not make the data anonymous |
|
Definition
|
|
Term
Making data imprecise: age, location, URL, IP address, search keyword |
|
Definition
Age - 65; Location - zipcode, city; URL - no subdomain; IP address - remove last octet; Search keyword - convert to non-sensitive category or delete |
|
|
Term
|
Definition
A person’s demographic info, interests and associations |
|
|
Term
What is the purpose of declared data? |
|
Definition
To develop an online profile |
|
|
Term
Best practices for secure code for designers |
|
Definition
Sign up for Bugtraq; View competitors' vulnerabilities; New users have low rights and strong passwords; Sample code reviewed; Privacy implications understood |
|
|
Term
Best practices for secure code for developers |
|
Definition
Check all untrusted input; Check buffer management; Check latest update; Check all DACLs and remove defaults; Limit error messages |
|
|
Term
Best practices for secure code for web and database |
|
Definition
Output must be filtered; No concatenation of SQL commands; No connecting to database as admin; No use of eval functions; No reliance on REFERER header |
|
|
Term
Best practices for secure code for testers |
|
Definition
List of attack points; Comprehensive data mutation, test SQL and XSS; Past vulnerabilities; Fails safely; Attack surface is small |
|
|
Term
What should the privacy standard consist of? |
|
Definition
should describe expectations around the privacy by design program, provide guidelines and practices and ensure that the commitments are met. |
|
|
Term
Where would you find info about the company's transparency regarding privacy? |
|
Definition
privacy notice on website, installation of application or when data is collected. |
|
|
Term
What does a data flow analysis consist of? |
|
Definition
An evaluation of where all data is collected, stored, processed and transmitted. |
|
|
Term
What should data inventory consist of? |
|
Definition
Data owners, categorization, how the data is handled at each step |
|
|
Term
GAPP Maturity Model Levels |
|
Definition
Ad-hoc - informal; Repeatable - not complete; Defined; Managed - monitored; Optimized - enforced |
|
|
Term
What is a blended mobile statement? |
|
Definition
Combo of nutrition and icons in privacy notice |
|
|
Term
What is a combination privacy statement? |
|
Definition
|
|
Term
What are the data collection principles? |
|
Definition
notification, control, protection required, minimization requirements, sharing limits |
|
|
Term
When performing a PIA what factors need to be considered? |
|
Definition
Regulations; Standards; Contractual obligations; Commitments from privacy notice; Gaps, controls and types of new data collected |
|
|
Term
What is Canada's PIPEDA minimum requirement? |
|
Definition
At a minimum, organizations must obtain opt-out consent from data subjects in order to collect, use or disclose personal information. |
|
|
Term
Main concern of Hong Kong’s Personal Data Ordinance |
|
Definition
Data subjects must be provided the right to access, correct or delete their personal information. |
|
|
Term
What are the common privacy principles? |
|
Definition
Collection limitation; Use limitation; Data quality; Specific purpose; Security; Openness; Individual participation; Accountability |
|
|
Term
What needs to be performed first for internal disclosures of data? |
|
Definition
|
|
Term
What needs to be performed for external disclosures? |
|
Definition
Limits of processing data; Retention; Destruction; Follow privacy notices; Know type of data and group that will have access to it |
|
|
Term
What is the importance of metadata for retrieving backups? |
|
Definition
Metadata can be used to determine the type of data being stored on backup media without exposing the contents of the data. For example, the metadata could provide categorization information, sensitivity level or even the index to the encryption keys used to encrypt the contents of the backup. |
|
|