Term
| what needs to be given to consumers to understand what a company is doing with their personal information |
|
Definition
|
|
Term
| What is the term used to describe giving consumers options as to how any personal info collected from them may be used? |
|
Definition
|
|
Term
| What term refers to secondary uses beyond those necessary to complete the contemplated transaction |
|
Definition
|
|
Term
| What term describes a customer's ability to view and edit their data? |
|
Definition
|
|
Term
| What term describes technical and managerial controls that protect against loss and unauthorized access? |
|
Definition
|
|
Term
| What term describes what needs to be done in order for a core principle of privacy protection to be effective? |
|
Definition
|
|
Term
| NCASE rules are set out by who? |
|
Definition
| FTC's fair information practice principles (FIPPS) |
|
|
Term
| What is the definition of a single purpose machine? |
|
Definition
|
|
Term
| What elements should be used to classify data? |
|
Definition
| origin, category, sensitivity and purpose |
|
|
Term
| What is the purpose of a security policy? |
|
Definition
| define responsibilities for employees |
|
|
Term
| what type of assessment finds gaps in coverage and determines security requirements to address them |
|
Definition
| privacy impact assessment (PIA) |
|
|
Term
| What are the external requirements of a security policy? |
|
Definition
Corporate; Regulatory - FTC; Industry - BBB |
|
|
Term
| What is privileged access? |
|
Definition
| lockdown admin access to install apps. |
|
|
Term
| What are four ways to create an approved software policy? |
|
Definition
mandate software list; standards board to approve apps; distribute a list of acceptable apps; provide guidance to employees about apps |
|
|
Term
| What are the three application deployment strategies? |
|
Definition
1. IT controlled 2. IT monitored 3. Employee controlled |
|
|
Term
| What are some ways to mitigate network attacks? |
|
Definition
prevent malware; apply smartphone policies; validate network devices; write secure code; validate apps |
|
|
Term
| What are some ways to prevent external threats? |
|
Definition
strong authentication; network monitoring; network encryption |
|
|
Term
| What are two ways to secure external files |
|
Definition
Passwords; Digital rights mgmt - need a policy server |
|
|
Term
| What are three ways to prevent a DBA from having access to data? |
|
Definition
SELinux OS; role based access control; Remote auditing |
|
|
Term
| Who are the Privacy stakeholders for a company? |
|
Definition
Consumers; Regulators; Industry groups; Researchers; Employees |
|
|
Term
| What are some Consumer privacy agencies in US? |
|
Definition
COPPA; Fair Credit Reporting Act; Right to Financial Privacy Act |
|
|
Term
| What is the Consumer privacy agency in the EU? |
|
Definition
| Data protection directive |
|
|
Term
| What is the role of the European Data Protection Supervisor? |
|
Definition
Monitors the institutions Commissions, council and parliament |
|
|
Term
| What is the org where member states establish independent national regulatory bodies? |
|
Definition
European Free Trade Association; monitored by EFTA Surveillance Authority |
|
|
Term
| What is Canada’s privacy commission? |
|
Definition
| Office of the Privacy Commissioner of Canada |
|
|
Term
| What Industry groups protect consumer privacy via self-regulation? |
|
Definition
BBB; Interactive Advertising Bureau; TRUSTe |
|
|
Term
| What are some types of mistakes that occur when managing personal data? |
|
Definition
Insufficient policies; Improper training; Disjointed practices; Complacency; Third-party contracts |
|
|
Term
| What types of technologies can perform analysis of data without accessing it? |
|
Definition
Homomorphic encryption; Multi-party computation; Differential privacy |
|
|
Term
| What language can be used that permits the definition of policies that can be programmatically enforced via security controls? |
|
Definition
| Extensible Access Control Markup Language (XACML) |
|
|
Term
| What system permits the definition of users and group policies that can be programmatically enforced by the database? |
|
Definition
| SQL server policy based mgmt system |
|
|
Term
| Sections in a privacy notice |
|
Definition
What data is collected; How it is used; How it is shared; User control over collected data; Controlling marketing contact; Use of cookies and tracking; Gaining access to data; Resolving privacy issues; Date of privacy notice; Changes in privacy notice |
|
|
Term
| Data that is observed, inferred and declared directly from users and third parties |
|
Definition
|
|
Term
| Key item to control marketing contact |
|
Definition
| Should not have to receive marketing emails to get service emails. Should not get emails from other product groups. |
|
|
Term
| What topics should a privacy policy have? |
|
Definition
Types of data classification; Data collection principles; Protection of data; Data retention period; Treatment of sensitive data; Sharing of data across groups, partners and vendors; Creation of dept priv policies; Performance of privacy reviews; Participation in a privacy response center; Responding to privacy inquiries; Responding to data inquiries |
|
|
Term
| What should the data collection principles cover? |
|
Definition
When and how Data should be collected and List obligations for Data collection. Notification, control, protection required, minimization requirements and sharing limits |
|
|
Term
| Ways to protect data during collection |
|
Definition
Dependent on classification and regulatory requirements
Encryption or access control |
|
|
Term
| How to respond to data privacy requests? |
|
Definition
Define conditions for request; Setup process to verify owner; Process to takedown content |
|
|
Term
| What can be done with data after the retention period is over? |
|
Definition
Deleted; De-identified; Aggregated |
|
|
Term
| What is the multilevel security system? MLS |
|
Definition
Strong role based or attribute based access control system, so protecting data is based on policy |
|
|
Term
|
Definition
based on retention period; termination of contract; acquisition by another company; completion of a contract; regulatory requirement; deletion request by the data owner |
|
|
Term
| Proper inventory controls |
|
Definition
having rules governing where data can be placed; minimize the use of offline storage and data placed on thumb drives; centralize contracts; classify data; create data flows and list all data stores in a data inventory |
|
|
Term
| What are some discretionary access control concerns? |
|
Definition
| review group permissions and the permission inheritance is enabled. |
|
|
Term
| what is a concern regarding mandatory access control? |
|
Definition
| possible to clear a resource's ACL and permanently lose access to a resource (SELinux supports MAC) |
|
|
Term
| What attributes are part of attribute-base access control? |
|
Definition
| time, location, nationality, age required to access |
|
|
Term
| what standard supports attribute based access control? |
|
Definition
| XACML - extensible access control markup language |
|
|
Term
| What should an incident response program consist of? |
|
Definition
Incident response center; Web form; Email address; Phone number; Reps from HR, PR, legal, privacy and security |
|
|
Term
| What elements should a privacy response form have? |
|
Definition
Accessible from privacy notice; Privacy categories; Auto response; Incident tracking system |
|
|
Term
| What are the web form Privacy categories? |
|
Definition
data breach; data access request; account takeover |
|
|
Term
| Events that trigger a PIA |
|
Definition
New product or service; New or updated program for processing data; Merger or acquisition; Creation of new data center; Onboarding new data; Movement of data to another country; New regulations |
|
|
Term
What country has PIPEDA? Who is affected? |
|
Definition
Canada; Anyone doing business in Canada; Personal Info Protection and Elec Doc Act |
|
|
Term
|
Definition
All orgs holding personal data; Online or offline data |
|
|
Term
What country uses Personal Data Ordinance? Who is affected? |
|
Definition
Hong Kong; Orgs doing business in HK |
|
|
Term
What country uses the Law on the Protection of Personal Data Held by Private Parties? Who does it affect? |
|
Definition
Mexico; Companies doing business in Mexico |
|
|
Term
Who is affected by COPPA? What services are affected? |
|
Definition
Children under 13; Websites or online services with actual knowledge that they are collecting, using or disclosing personal info for children under 13; Directly or indirectly |
|
|
Term
| 5 phases of info lifecycle |
|
Definition
Collection; Use; Disclosure; Retention; Destruction |
|
|
Term
| The sharing or onward transfer of data to third parties is the definition of what? |
|
Definition
|
|
Term
| How does a user find out how their data is being used? |
|
Definition
|
|
Term
| What are the eight OECD privacy principles? |
|
Definition
Collection limitation principle; Data quality principle; Purpose specification principle; Use limitation principle; Security safeguards principle; Openness principle; Individual participation; Accountability |
|
|
Term
| Code of Fair Information Practices |
|
Definition
No personal data record keeping system; Right to access / correct; Identifying Purpose; Take precautions to prevent misuse |
|
|
Term
| Issues with privacy control for consumers |
|
Definition
Users can opt out of advertising but can’t control the collection of their data; Users can disable tracking of location data but then mapping is disabled |
|
|
Term
| Implied vs explicit consent |
|
Definition
Implied - user never provides specific consent; Explicit - verifiable acknowledgement |
|
|
Term
| What are some ways to ensure accurate data from third parties? |
|
Definition
1. Validate the company’s data collection and verification process 2. Member of BBB 3. all data fields are completed 4. Verify data with user Track changes of access control |
|
|
Term
| What is the best way to validate a user |
|
Definition
|
|
Term
| What are the factors that determine how data is used? |
|
Definition
According to privacy policies; Regulations; Contractual agreements; Too many data elements; Outdated data elements; Internal sharing |
|
|
Term
| What are some ways to test applications that use PII? |
|
Definition
Anonymization; Random data; Use data generator programs; Limited sets |
|
|
Term
| Onward transfer or ?? also means sharing of info external to the org collecting it. |
|
Definition
|
|
Term
| Internal disclosures use the metadata associated with the data flow diagram which should point to what? |
|
Definition
| privacy policies of the group sharing and receiving the data |
|
|
Term
| External Disclosures are covered by contracts and comply with what? |
|
Definition
|
|
Term
| What are the steps for vendor mgmt due diligence |
|
Definition
Inventory of what will be sent; How to transfer data; Must review vendor’s data access, storage practices |
|
|
Term
| By what methods can a record be disposed of properly? |
|
Definition
Deletion; Destruction; Recycling; Selling; Rights management expiration; Returning it to original owner |
|
|
Term
| What is the only method used to validate users who want access to their user data? |
|
Definition
|
|
Term
| What are methods to protect transient records? |
|
Definition
1. Storing online session data to preserve partial purchases that may have been abandoned 2. Enabling auto-save for docs 3. Enabling journal files for databases |
|
|
Term
| What is the format command to zero the entire disk? |
|
Definition
|
|
Term
| What are good practices for developing an IT architecture? |
|
Definition
Technology standardization; Policy consolidation; Data center distribution (Privacy law issues with other countries) |
|
|
Term
| Issues to consider when acquiring data via a merger |
|
Definition
Service provider processing of data; Vendor data; Customer data; Online data |
|
|
Term
| Governing body to protect processing data online for targeted advertising |
|
Definition
| Interactive advertising Bureau |
|
|
Term
| Governing agency to watch financial data for EU |
|
Definition
|
|
Term
| What is the issue with context of authority? |
|
Definition
| The broader the scope of the context the more difficult it is to manage the privacy resources |
|
|
Term
| What are the guidelines for multi-enterprise/outsourced to user contexts? |
|
Definition
1. Single contract covers where project data is stored 2. Single privacy policy 3. No shared credentials 4. Administration of resources is shared by members of each enterprise |
|
|
Term
| What is the Purpose of open ID federation? |
|
Definition
| Allows users to be authenticated by a relying party |
|
|
Term
| What is the standards org established to define open standards for identity management? |
|
Definition
|
|
Term
| What org builds trust frameworks for verifying online identities? |
|
Definition
|
|
Term
| Why is Kantara more secure than open ID? |
|
Definition
| Uses federated approach and performs an assessment of ID providers |
|
|
Term
| What privacy enhancing identity solution was developed by Microsoft and why was it more private than Liberty and Kantara? |
|
Definition
Identity Metasystem Architecture; Did not permit tracking of users |
|
|
Term
What are the following examples of? OpenID; Liberty Alliance; Identity meta structure; Social networks |
|
Definition
|
|
Term
| What is an encryption blob (binary large object)? |
|
Definition
| Vendor only gets encrypted card number and transaction data is only unique to vendor |
|
|
Term
| What are the main PCI requirements |
|
Definition
credit card data is protected by firewall; no defaults on vendor products; encrypt transmission; update antivirus; develop and maintain secure systems and applications; restrict access to cardholder data; assign unique IDs; restrict physical access; track and monitor access to resources; regularly test security systems and processes; info security policy for employees |
|
|
Term
| What are the three steps that are fulfilled by following PCI requirements? |
|
Definition
Assess - vulnerability assessment; Remediate - address issues found in assessment; Report - |
|
|
Term
| What is PA-DSS and its purpose? |
|
Definition
Payment Application Data Security Standard; requirements for software developers that develop payment card software |
|
|
Term
| What are the requirements of PA-DSS? |
|
Definition
Create a payment app; Create an implementation guide; educate customers, resellers; Ensure it passes review; provide copy to users for implementation guide |
|
|
Term
| What are some remote access guidelines? |
|
Definition
use corporate devices; use approved devices; limit data transfers; limit types of access; mandate device controls; limit social access; provide notice and obtain consent |
|
|
Term
| What are some local network access guidelines? |
|
Definition
limit computer access; require manual authentication; use multi-factor auth |
|
|
Term
| What are some guidelines for encryption? |
|
Definition
Encryption size; Performance; Complexity; Utility - apply operations to data before encryption |
|
|
Term
| What are the pros and cons of record encryption? |
|
Definition
Each record has a different key or salt; Performance issues; Backup issues |
|
|
Term
| What is the most common use for digital rights management? |
|
Definition
| Used to prevent docs from being accessed outside the org |
|
|
Term
| What are the methods by which a file can be encrypted? |
|
Definition
|
|
Term
| What are the guidelines for DLP? |
|
Definition
Policies and training - minimization of data processing; physical security - only allow necessary computers access to data; access security - access controls; hardware constraints - USB; network monitoring - encryption, firewalls, routers, monitors; software tools - antivirus, encryption, rights mgmt |
|
|
Term
| Examples of just-in-time privacy notice |
|
Definition
first run of an application; account creation; software installation |
|
|
Term
| What are the rules for aggregation? |
|
Definition
1. Large enough population 2. Categorization should include a broad set of participants, but not all 3. No identifiable data |
|
|
Term
| What is the process of combining data from multiple records into a single record around a common index? |
|
Definition
|
|
Term
Who is responsible for this role? Define standards, policies, guidelines and auditing control |
|
Definition
|
|
Term
Whose role is this? sponsors privacy program and mandate it |
|
Definition
|
|
Term
Whose role is this? Collect info from users via some form of communication |
|
Definition
|
|
Term
Whose role is this? promotes the privacy program and responds to minimize backlash from an incident |
|
Definition
|
|
Term
| What are guidelines for privacy by design? |
|
Definition
1. commit to a PbD program 2. create a privacy standard 3. perform privacy reviews 4. perform a data flow analysis 4. Transparency - how the data is collected and processed should be in privacy notice 5. Control - providing users with granular level - modify and delete and export 6. retention -until accounts are deleted or retention policy 7. security |
|
|
Term
| What should be in the privacy standard? |
|
Definition
1. describe expectations 2. provide guidelines and standards 3. ensure that commitments made in the privacy policy are met |
|
|
Term
| What needs to be performed for a data flow analysis? |
|
Definition
1. inventory and categorization of data with custodians 2. Categories should be matched against how the data is handled at each step along the data flow |
|
|
Term
| What are the guidelines for privacy with social media |
|
Definition
1. Determine your audience 2. Determine your message 3. Assign owners - to be consistent 4. Create content guidelines - to prevent leakage of sensitive information, improper statements 5. Use Corporate IDs to control the messaging 6. Limit what can be shared 6. |
|
|
Term
| What is the purpose of the e-Privacy Directive? |
|
Definition
| covers the processing of personal data and protection of online privacy. |
|
|
Term
| What are some of the aspects that the e-Privacy Directive covers? |
|
Definition
Websites that use cookies for tracking purposes need to provide enhanced notice; User should be able to view/edit/delete data |
|
|
Term
|
Definition
1. Must permit children under 18 to delete data 2. Must inform visitors of the type of Do NOT TRACK mechanisms they support 3. Easy to find privacy statements |
|
|
Term
| self-regulatory principles of programs |
|
Definition
Digital Advertising Alliance; Interactive Advertising Bureau |
|
|
Term
| What is some advice for companies that cater to teens and children |
|
Definition
Provide rules of conduct and enforce them; monitor open forum; provide features to allow blocking of users; provide the ability to report bad behavior; validate that your site's services are being used for criminal activity; Involve authorities when needed; Study international laws |
|
|
Term
| What are the different ad types and their relative value? |
|
Definition
Remnant - run when not using a campaign; Premium - on homepage of a website; contextual - like search engine ads match what you are searching for; demographic - age, weight, zip codes; psychographic - hobbies or interests; behavioral online advertising - based on aggregated data |
|
|
Term
| What are the common online ad models? |
|
Definition
Search ads; display ads (banner ads); publisher ads - using a publisher for ads; third party ads |
|
|
Term
| What are some precautions when placing third-party ads? |
|
Definition
Have a contract in place; Limit the ability for ad networks to place cookies; provide an opt-out; members of the DAA |
|
|
Term
| What are resources on a webpage called that are hidden? |
|
Definition
| Web beacon, pixel tags, clear GIFs |
|
|
Term
| what are local shared objects (LSOs)? |
|
Definition
| memory within the browser that can store data, similar to a cookie. (e.g. Adobe Flash and Silverlight) |
|
|
Term
| what trait do both cookies and local shared objects have? |
|
Definition
| only the website that stored the data can access the data. |
|
|
Term
| What is the term browser fingerprinting? |
|
Definition
| using the IP address sent during a browser session to a website and the browser's user agent string to uniquely identify the browser. |
|
|
Term
|
Definition
| a mechanism for ensuring the value of a cookie persists even after it is deleted. Performed with browser fingerprinting and LSO storage |
|
|
Term
| What are the goals of privacy policy language? |
|
Definition
Does it solve the problem it was trying to address? What is its adoption rate? How well does it interoperate with identity, database and content management systems? What is the deployment criteria? What is the training requirement? What is the maintenance involved? |
|
|
Term
| What is the purpose of the Platform for Privacy Preferences Project (P3P) |
|
Definition
| provides websites with a standardized way to express privacy practices. Puts privacy notices in XML format |
|
|
Term
|
Definition
platform neutral loose coupling of directories (no need to sync between directories or user info to be maintained) improved online experience - SSO Identity federation reduce admin costs risk transference |
|
|
Term
| What is the purpose of XACML |
|
Definition
| applies a set of tokens to a resource that describe the type of access permitted by a set of predefined roles. |
|
|
Term
| What are the benefits of XACML |
|
Definition
it uses a standard language; it's generic, distributed and powerful |
|
|
Term
| What are some cookie tracking protection features? |
|
Definition
| Cookie blocking / deleting (once browser session ends) |
|
|
Term
| What are some ways to prevent automated data capture? |
|
Definition
facial features - hat and sunglasses; magnetic strip - only use at certain places; RFID tags - place in foil; USB - password / encryption |
|
|
Term
| What are some anonymity tools? |
|
Definition
site blockers; Tor; The Free Network - can provide point to point communication; E-mail anonymity - MaskMe and Lockify; differential privacy - analyze user data in a database without access to it; Homomorphic encryption - |
|
|
Term
|
Definition
| when a person types a legitimate URL into a browser but is rerouted to a fake website. |
|
|
Term
| How is Application Preference Exchange Language (APPEL) different than P3P? |
|
Definition
Express privacy settings in a browser. Not adopted. Express user's privacy preferences in XML |
|
|
Term
| What is Enterprise Privacy Authorization Language (EPAL)? |
|
Definition
| Privacy language that has access controls to a resource for specific purposes. IBM's privacy rights markup language. |
|
|
Term
| Privacy areas that should be covered by CSP |
|
Definition
Assurance that employees follow org policies; Backups; Disposal of data; restrict visibility by other hosted companies; limitation on who can access the services |
|
|
Term
| What items should be covered in a CSP contract? |
|
Definition
effective period; CSP access to systems and app configurations; restrictions on sharing and usage of data; compliance obligations; backups; disposal - after contract is up as well |
|
|
Term
| What are the ways a data breach can occur? |
|
Definition
Malicious insider; Poor access controls; Lack of encryption; Traffic hijacking; Insecure interfaces; Denial of service; Services misuse |
|
|
Term
| What are some tools that can be used to provide secure connections to cloud services? |
|
Definition
GSS-API (generic security services); IP address filtering; MAC address filtering; Network port disabling; OWASP ESAPI (enterprise security); Protocol disabling; Virtual private network |
|
|
Term
| What is the CSA Cloud Computing Matrix? |
|
Definition
Framework for implementing good cloud data security concepts and principles; 13 domains |
|
|
Term
| What defines a functional interface that applications can use data throughout its lifecycle in the cloud? |
|
Definition
| Cloud Data Management Interface standard |
|
|
Term
| What is the main purpose of the cloud data management interface standard? |
|
Definition
| Permits apps to manage containers and the data that is placed in them and apply metadata to the containers and data elements |
|
|
Term
| RFID framework was created by what orgs? |
|
Definition
Privacy Rights Clearinghouse; ACLU; EFF; Electronic Privacy Info Center |
|
|
Term
IAPP mobile app privacy tool is meant to provide best practices for applications for what developers/providers? |
|
Definition
Application developers; Platform developers; Advertising vendors; Operating system providers; Mobile service providers |
|
|
Term
| What requirement categories are in the mobile app privacy toolkit? |
|
Definition
Data collection; Retention; Notice and Transparency; Choice and consent; Accountability and oversight; Privacy controls and security; Children |
|
|
Term
| How do geographic info systems differ from GPS? |
|
Definition
| Application that combines geographic data along with descriptive info associated with the data -metadata |
|
|
Term
| How do USERS minimize hacking risks of IOT ? |
|
Definition
Auditing - monitor logs; Disconnect when not in use; Limit who can connect to them; Block camera lens; Encrypt; Password protect wifi; Change default passwords |
|
|
Term
| How do VENDORS minimize IOT risks? |
|
Definition
Audit; Protect privacy and security; Permit users to use their own encryption key; Force password policies; Provide support; Auto update of patches |
|
|
Term
| What organization uses "the guidelines on the protection of privacy and transborder flows of personal data" |
|
Definition
| OECD (Organisation for Economic Co-operation and Development) |
|
|
Term
| What organization published "the privacy framework" |
|
Definition
| APEC (Asia-Pacific Economic Cooperation) |
|
|
Term
|
Definition
|
|
Term
| What org published Fair Information Practice Principles |
|
Definition
|
|
Term
| What org published the privacy control catalog - appendix J |
|
Definition
|
|
Term
|
Definition
Collection limitation; Data quality; purpose specific; use limitation; security safeguards; openness; individual participation; accountability |
|
|
Term
What do these terms refer to? First-party; Surveillance; Third-party; Repurpose |
|
Definition
Collection types; Active and passive |
|
|
Term
|
Definition
Man in the middle attack; Replays the hash of the password |
|
|
Term
|
Definition
Suppression; Generalization - replacing birthdate with year, removing street from address; Noise addition - changing data values that won’t affect statistical data |
|
|
Term
| Methods of anonymizing microdata? |
|
Definition
1. Bottom coded - >80 2. Controlled rounding - Nearest integer 3. Data imputation - Replace with plausible data 4. Value swapping |
|
|
Term
| What are the five Fair Information Practice Principles? |
|
Definition
|
|
Term
| A security policy should include what security measures? |
|
Definition
Encryption; Software Protection (antivirus, web filtering); Access Controls; Physical protection; Social Engineering; Auditing |
|
|
Term
| How to avoid privacy-invasive applications? |
|
Definition
Privileged Access; Software Policy - requirements and guidelines; Privacy links - all apps should have one; Application research; Employee training; IT involvement |
|
|
Term
|
Definition
| Similar, but it goes further by providing a request/response language that permits the development of an access request |
|
|
Term
| What is differential privacy? |
|
Definition
iPhone keystrokes
maximize the accuracy of queries from statistical databases while minimizing the chances of identifying its records. |
|
|
Term
|
Definition
| Small blocks of code on a webpage that allow websites to do things like read and place cookies. The resulting connection can include information such as the person's IP address, the time the person viewed the pixel and the type of browser being used |
|
|
Term
|
Definition
| Allow checking that a user has accessed some content. Common uses are email tracking and page tagging for web analytics |
|
|
Term
| Multi-party computation (MPC) |
|
Definition
| Creates methods for parties to jointly compute a function over their inputs while keeping those inputs private. Unlike traditional cryptographic tasks, where the adversary is outside the system of participants |
|
|
Term
| Choice and Consent are regulated by what Act? |
|
Definition
| CAN-SPAM Act of 2003, European Data Directive (Articles 7 and 8) |
|
|
Term
| What privacy issues are related to location based services (LBS)? |
|
Definition
| data collection, consent and data sharing |
|
|
Term
|
Definition
| World Wide Web Consortium (W3C) |
|
|
Term
|
Definition
| Prior to developing or obtaining an IT system or process which collects, stores or discloses PII. |
|
|
Term
| Lockify and MaskMe are tools to do what? |
|
Definition
|
|
Term
|
Definition
1. Openness: No hidden personal info. 2. Access: Give users access to data 3. Specific Purpose 4. Right to Edit 5. Integrity |
|
|
Term
| Biometric false negatives occur when they are more or less sensitive? |
|
Definition
|
|
Term
| Biometric false positives occur when they are more or less sensitive? |
|
Definition
|
|
Term
| Actions to preserve privacy |
|
Definition
data classification plan; Inventory data; data flow diagrams |
|
|
Term
| What are the four encryption levels |
|
Definition
| disk, file, record, field |
|
|
Term
|
Definition
| you can link several pieces of information related to the same person, but not come back to that person's identity |
|
|
Term
|
Definition
| security, quality, collection limitation, appropriate use, retention, limited disclosure, monitoring, and enforcement |
|
|
Term
|
Definition
| permits the creation of a dynamic e-mail address that can be used in filling out forms and signing up for accounts |
|
|
Term
|
Definition
| permits the sending of encrypted e-mails to specific recipients such that only the sender and receiver can view the e-mails |
|
|
Term
|
Definition
| Can see what data is being transmitted from their mobile devices. |
|
|
Term
| Who created video surveillance guidelines in the EU? |
|
Definition
| The European Data Protection Supervisor |
|
|
Term
| If surveillance needs to be performed, an individual should have the following rights |
|
Definition
| Be made aware of it and have control over the collected data. |
|
|
Term
| What is the purpose of the Cloud Security Alliance? |
|
Definition
| consists of member organizations, including most large cloud providers, that work together to define best practices in security. |
|
|
Term
|
Definition
Via an org’s website; Third party site; Media shipped to org |
|
|
Term
| What privacy principles should be used when collecting data from users? |
|
Definition
Notice; Choice; Control; Consent; Limit data set |
|
|
Term
| What does choice provide to a user? |
|
Definition
Provides users with a say on how their data is managed by an org; Who can see my data? |
|
|
Term
| IBM Informix supports encryption of data transmissions between databases |
|
Definition
|
|
Term
| What actions need to be taken to ensure collected data is valid? |
|
Definition
Part of BBB; validate process; Ensure all fields are completed; Audit process; Confirm periodically with users |
|
|
Term
| Why should auditing be enabled throughout the record lifecycle? |
|
Definition
| Ensure that record management policies are in place |
|
|
Term
| What are the phases of the record lifecycle? |
|
Definition
Receipt or creation; Storage; Usage; Maintenance; Disposition |
|
|
Term
| What is the biggest security risk with portable media? |
|
Definition
|
|
Term
| What is the best way to remove data from hard drives? |
|
Definition
|
|
Term
| Global sanitization standards |
|
Definition
Canada - CSEC; Australia - ISM; New Zealand - NZISM; Germany - VSITR; US - DoD |
|
|
Term
| Regulations for data destruction |
|
Definition
Australia - Privacy Act 1988; EU - DPD; India - the Information Technology Rules of 2011; South Korea - 2012 Act on the Protection of Personal Data; US - Fair Credit Reporting Act |
|
|
Term
|
Definition
DAC - users can add permissions; MAC - users can be locked out of files; RBAC - forget to remove users from groups |
|
|
Term
| Guidelines for multi-enterprise access |
|
Definition
Single contract; Single privacy policy; No shared credentials; Administration is a shared responsibility |
|
|
Term
| What is the identity metadata architecture? |
|
Definition
Privacy and security enhancing identity solution from Microsoft (Cardspace); SSO |
|
|
Term
Record encryption; Most secure / worst performance; Backups should be done by application |
|
Definition
|
|
Term
| Benefits of symmetric keys vs asymmetric keys |
|
Definition
Sharing large blocks of data to multiple people; Faster and requires a smaller key; AES and DES |
|
|
Term
| Purpose of just-in-time notice |
|
Definition
| A link to privacy statement / controls as account is created or program installed |
|
|
Term
| What is a weakness of using biometrics? |
|
Definition
Revocation capabilities; Privacy risk; Need to encrypt biometrics |
|
|
Term
| What do RSA SecurID, LUKS and Tails do? |
|
Definition
| Security via portable devices |
|
|
Term
LUKS - Linux hard disk encryption |
|
Definition
|
|
Term
| What is a persistent identifier? |
|
Definition
| This is an identifier that can provide a single view of an individual across numerous devices — across desktop, mobile web, and in-app, without duplication |
|
|
Term
| Hashing unique IDs tied to a specific computer or user does not make the data anonymous |
|
Definition
|
|
Term
Making data imprecise: Age; Location; URL; IP address; Search keyword |
|
Definition
Age: 65; Location: zipcode, city; URL: no subdomain; IP address: remove last octet; Search keyword: convert to non-sensitive category or delete |
|
|
Term
|
Definition
| A person’s demographic info, interests and associations |
|
|
Term
| What is the purpose of declared data? |
|
Definition
| To develop an online profile |
|
|
Term
| Best practices for secure code for designers |
|
Definition
Sign up for Bugtraq; View competitors' vulnerabilities; New users have low rights and strong passwords; Sample code reviewed; Privacy implications understood |
|
|
Term
| Best practices for secure code for developers |
|
Definition
Check all untrusted input; Check buffer management; Check latest update; Check all DACLs and remove defaults; Limit error messages |
|
|
Term
| Best practices for secure code for web and database |
|
Definition
Output must be filtered; No concatenation of SQL commands; No connecting to database as admin; No use of eval functions; No reliance on REFERER header |
|
|
Term
| Best practices for secure code for testers |
|
Definition
List of attack points; Comprehensive data mutation, test SQL and XSS; Past vulnerabilities; Fails safely; Attack surface is small |
|
|
Term
| What should the privacy standard consist of? |
|
Definition
| should describe expectations around the privacy by design program, provide guidelines and practices and ensure that the commitments are met. |
|
|
Term
| Where would you find info about the company's transparency regarding privacy? |
|
Definition
| privacy notice on website, installation of application or when data is collected. |
|
|
Term
| What does a data flow analysis consist of? |
|
Definition
| An evaluation of where all data is collected, stored, processed and transmitted. |
|
|
Term
| What should data inventory consist of? |
|
Definition
| Data owners, categorization, how the data is handled at each step |
|
|
Term
| GAPP Maturity Model Levels |
|
Definition
Ad-hoc - informal; Repeatable - not complete; Defined; Managed - monitored; Optimized - enforced |
|
|
Term
| What is a blended mobile statement? |
|
Definition
| Combo of nutrition and icons in privacy notice |
|
|
Term
| What is a combination privacy statement? |
|
Definition
|
|
Term
| What are the data collection principles? |
|
Definition
notification, control, protection required, minimization requirements, sharing limits |
|
|
Term
| When performing a PIA what factors need to be considered? |
|
Definition
Regulations; Standards; Contractual obligations; Commitments from privacy notice; Gaps, controls and types of new data collected |
|
|
Term
| What is Canada's PIPEDA minimum requirement? |
|
Definition
| At a minimum, organizations must obtain opt-out consent from data subjects in order to collect, use or disclose personal information. |
|
|
Term
| Main concern of Hong Kong’s Personal Data Ordinance |
|
Definition
| Data subjects must be provided the right to access, correct or delete their personal information. |
|
|
Term
| What are the common privacy principles? |
|
Definition
Collection limitation; Use limitation; Data quality; Specific purpose; Security; Openness; Individual participation; Accountability |
|
|
Term
| What needs to be performed first for internal disclosures of data? |
|
Definition
|
|
Term
| What needs to be performed for external disclosures? |
|
Definition
Limits of processing data; Retention; Destruction; Follow privacy notices; Know type of data and group that will have access to it |
|
|
Term
| What is the importance of metadata for retrieving backups? |
|
Definition
| Metadata can be used to determine the type of data being stored on backup media without exposing the contents of the data. For example, the metadata could provide categorization information, sensitivity level or even the index to the encryption keys used to encrypt the contents of the backup. |
|
|