5. Operations: Protecting PI Flashcards

1
Q

What are the PbD fundamentals?

A
  1. Determination of the information privacy security control requirements

AND

  1. Insurance that controls are successfully designed, engineered, deployed, and monitored throughout the lifecycle of the product, service, IT system, and business process
2
Q

What are the PbD foundational principles?

A
  1. Proactive not preventive; preventative, not remedial
  2. Privacy as the default
  3. Privacy embedded into design
  4. Full functionality - positive-sum, not zero-sum
  5. End-to-end security - full lifecycle protection
  6. Visibility and transparency
  7. Respect for user privacy
3
Q

What does the PbD paradigm ensure?

A

Privacy and security controls are:

  1. Aligned with an organization’s tolerance for risk
  2. Compliance with regulations

AND

  1. Commitment to building a sustainable privacy-minded culture
4
Q

What are the qualities of the PbD paradigm?

A
  1. Proactivity
  2. Embedded privacy controls
  3. Respect for users
5
Q

Is PbD a GDPR requirement?

A

Yes. Article 25 from Chapter IV and Recital 78 require that data privacy be built into the design and process and not added on as an afterthought.

6
Q

What are the data protection by design requirements of the GDPR?

A
  1. Lawfulness, fairness, and transparency (data subject)
  2. Purpose limitation
  3. Data minimization
  4. Accuracy
  5. Storage limitation
  6. Integrity and confidentiality
  7. Accountability
7
Q

What are the objectives of information security?

A

Confidentiality, integrity, availability (CIA) throughout the data lifecycle

8
Q

What concepts does information security include?

A

Accountability - entity ownership list traceable

AND

Assurance - CIA objectives are met

9
Q

How does information security define risk?

A

A combination of the probability of an event and its consequences (ISO/IEC 73)

10
Q

What are the information security risk management practices?

A
  1. Identification of risk
  2. Selection and implementation of controls and measures to mitigate risk
  3. Tracking and evaluation of risk to validate the first two parts
11
Q

What are some of the information security risks?

A
  1. Cloud-based threats
  2. Insider threats
  3. Remote worker endpoint security
  4. Phishing attacks
  5. Deepfakes
  6. Internet of Things Devices
  7. Malvertising
  8. Fileless attacks and living off the land
  9. Ransomware attacks
  10. Social media based attacks
12
Q

What are the information security controls?

A

Categories:
1. Preventive
2. Detective
3. Corrective

Nature:
1. Physical
2. Administrative
3. Technical

E.g.:
1. Policies
2. Organization of information security
3. Asset management
4. Access control
5. Cryptography
6. Physical and environmental security
7. Operational security
8. Communications security
9. Systems acquisition, development, maintenance, and disposal
10. Supplier relationships (incident and business continuity management)
11. Compliance

13
Q

What is the difference between data privacy and information security?

A

Data privacy - the rights of an individual to control how and to what extent their personal information is collected and further processed

Information security - assuring CIA information assets

14
Q

What are the overlaps between data privacy and information security?

A
  1. Integrity (security) / accuracy (privacy) - both ensure that data is not altered without authorization
  2. Availability (security) / access (privacy) - availability supports access because if data is not available, it cannot be accessed
  3. Accountability (both) - data owners are responsible for data protection in accordance with the respective protection regimen
  4. Confidentiality (when the data is both PI and nonpublic) - confidentiality supports privacy because nonpublic information must be kept nonpublic
15
Q

What are the disconnects between data privacy and information security?

A
  1. Privacy has a wider set of obligations and responsibilities (collection limitation, openness, relevance, and use limitation) and security focuses on CIA
  2. Disconnect in confidentiality. PI is not always nonpublic (e.g., phonebook), therefore the notion of confidentiality does not apply.
  3. Security techniques can be privacy enhancing technologies but can also be applied in an invasive manner. “You can have security without privacy, but you cannot have privacy without security.”
16
Q

What type of information classification system do data privacy and information security rely on?

A

Orthogonal:

  1. Data privacy classifies PI into personal, sensitive personal, and non-personal information
  2. Information security directly protects information along the lines of confidentiality (public, confidential, highly confidential, restricted)
17
Q

What determines confidentiality?

A

By two parties who determine how to manage access to specific information.

18
Q

On what key elements do data privacy and information security align/support each other?

A
  1. Data breach and incident response plan
  2. Training and awareness initiatives
  3. Vendor due diligence
  4. Privacy impact assessments
  5. Certification frameworks
  6. Data making/inventory
19
Q

What is the mutual goal of data protection and information security?

A

Preventing or mitigating data breaches

20
Q

What approach aligns data protection and information security programs?

A
  1. Increased involvement of privacy personnel on information security teams
  2. Employment of core privacy functions with the IT team motivated to get a better handle on their data and the extent of their corporate risk
  3. Increased investment in privacy technology
  4. Increased use of privacy impact assessments and data inventory/classification
  5. Increased use of data retention policies
21
Q

What are the security principles for role-based access controls (RBAC)?

A
  1. Segregation of duties - ensure an individual cannot exploit or gain access to information inappropriately
  2. Least privilege - grant access at the lowest possible level required to perform the function
  3. Need-to-know access - restrict access to information that is critical
22
Q

What are the user access guidelines?

A
  1. Unique user IDs
  2. Credential for ID
  3. Level of access based on business purpose
  4. Formal logical access process
  5. Password management
  6. Review of user access rights
  7. User responsibility
  8. User requirement to follow good security practices in selecting and protecting passwords
  9. Clean desk policy
23
Q

Data classification should be organized according to which risk factors?

A
  1. Financial
  2. Operational
  3. Strategic (reputation/business)
  4. Risk to individuals
  5. Regulatory/legal
24
Q

What are the information security classification schema categories?

A
  1. Public
  2. Confidential
  3. Highly confidential
  4. Restricted
25
Q

What are the data protection classification categories?

A
  1. Sensitive or not - usually defined by policy and legislation
  2. Identifiability and linkability - useful in calibrating risk especially when it comes to big data analytics
26
Q

What are some data protection classification schemes?

A
  1. Identified - linked
  2. Pseudonymous - linkable with reasonable effort AND not linkable with reasonable effort
  3. Anonymous - Unlinkable
27
Q

In what areas can administrative or policy controls for privacy be found?

A
  1. Laws and regulations
  2. Self-regulatory regime
  3. Industry practices
  4. Corporate ethos/policy
28
Q

What are the main areas of technical controls?

A
  1. Obfuscation - PI is made obscure, unclear or unintelligible
  2. Data minimization - limited collection
  3. Security - prevention of unauthorized access
  4. PETs - systems provide acceptable level of protection
29
Q

What is a key data protection practice?

A

The destruction of information when no longer needed.