5.5: Explain privacy and sensitive data concepts in relation to security. Flashcards

1
Q

Organizational Consequences of Privacy Breaches

A

Fines
IP Theft
Identity Theft
Reputation Damage

2
Q

EXAM TIP

A

Be aware that organizational consequences of data privacy breaches can include reputational damage, identity theft, fines, or IP theft.

3
Q

Notifications of Breaches

A

Escalation

Public Notifications and Disclosures

4
Q

Data Types

A

Classifications

Effective data classification programs include measures to ensure data sensitivity labeling and handling so that personnel know whether data is sensitive and understand the levels of protection required. When the data is inside an information-processing system, the protections should be designed into the system.

Public; Private; Confidential; Critical; Proprietary

5
Q

EXAM TIP

A

Learn the differences between the data sensitivity labels so you can compare and contrast the terms confidential, private, public, and proprietary. The differences are subtle but will be important to determine the correct answer.

6
Q

Personally Identifiable Information (PII)

A

When information is about a person, failure to protect it can have specific consequences. Business secrets are protected through trade secret laws, government information is protected through laws concerning national security, and privacy laws protect information associated with people. A set of elements that can lead to the specific identity of a person is referred to as personally identifiable information (PII). By definition, PII can be used to identify a specific individual, even if an entire set is not disclosed.

7
Q

EXAM TIP

A

PII refers to information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other personal or identifying information that is linked or linkable to a specific individual.

8
Q

Health Information

A

The Health Insurance Portability and Accountability Act (HIPAA) regulations define protected health information (PHI) as “any information, whether oral or recorded in any form or medium” that

9
Q

Privacy-Enhancing Technologies

A

One principal connection between information security and privacy is that without information security, you cannot have privacy. If privacy is defined as the ability to control information about oneself, then the aspects of confidentiality, integrity, and availability from information security become critical elements of privacy. Just as technology has enabled many privacy-impacting issues, technology also offers the means in many cases to protect privacy. An application or tool that assists in such protection is called a privacy-enhancing technology (PET).

10
Q

Data Minimization

A

Data minimization is one of the most powerful privacy-enhancing technologies. In a nutshell, it involves not keeping what you don’t need. Limiting the collection of personal information to that which is directly relevant and necessary to accomplish a specified purpose still allows the transactions to be accomplished, but it also reduces risk from future breaches and disclosures by not keeping “excess” data.

11
Q

Data Masking

A

Data masking involves the hiding of data by substituting altered values. A mirror version of a database is created, and data modification techniques such as character shuffling, encryption, and word or character substitution are applied to change the data.

12
Q

Tokenization

A

Tokenization is the use of a random value to take the place of a data element that has traceable meaning. A good example is a credit card approval: you do not need to keep a record of the card number, the cardholder’s name, or any of the sensitive data concerning the card verification code (CVC), because the transaction agent returns an approval code, which is a token unique to that transaction.

13
Q

Anonymization

A

Data anonymization is the process of protecting private or sensitive information by removing identifiers that connect the stored data to an individual. Separating the PII elements such as names, Social Security numbers, and addresses from the remaining data through a data anonymization process retains the usefulness of the data but keeps the connection to the source anonymous.

14
Q

Pseudo-Anonymization

A

Pseudo-anonymization is a de-identification method that replaces private identifiers with fake identifiers or pseudonyms (for example, replacing the value of the name identifier “Mark Sands” with “John Doe”). Not all uniquely identifying fields are changed because some, such as date of birth, may need to be preserved to maintain statistical accuracy.

15
Q

Roles and Responsibilities

A

Data Owners

Data Controller

16
Q

Data Owners

A

All data elements in an organization should have defined requirements for security, privacy, retention, and other business functions. It is the responsibility of the designated data owner to define these requirements.

17
Q

Data Controller

A

The data controller is the person responsible for managing how and why data is going to be used by the organization. In the era of GDPR and other privacy laws and regulations, this is a critical position because, under GDPR and other privacy laws, the data controller is the position responsible for protecting the privacy and rights of the data’s subject, such as the user of a website.

18
Q

Data Processor

A

The data processor is the entity that processes data given to it by the data controller. Data processors do not own the data, nor do they control it. Their role is the manipulation of the data as part of business processes. Data processors can be personnel or systems; an example of a system is the use of Google Analytics to manipulate certain elements of data, making them useful for business analysts.

19
Q

Data Custodian/Steward

A

A data custodian or data steward is the role responsible for the day-to-day caretaking of data. The data owner sets the relevant policies, and the steward or custodian ensures they are followed.

20
Q

Data Privacy Officer (DPO)

A

The data privacy officer (DPO) is the C-level executive who is responsible for establishing and enforcing data privacy policy and addressing legal and compliance issues. Data minimization initiatives are also the responsibility of the data privacy officer. Storing data that does not have any real business value only increases the odds of disclosure.

21
Q

Information Lifecycle

A

Information has a lifecycle—a beginning, a middle, and, at some point, an end. Understanding the lifecycle of information assets—from the point of collection, use, and storage as well as how the assets are shared, protected, and ultimately destroyed—is important if one is to properly handle the information.

22
Q

Impact Assessment

A

A privacy impact assessment (PIA) is a structured approach to determining the gap between desired privacy performance and actual privacy performance. A PIA is an analysis of how PII is handled through business processes and an assessment of risks to the PII during storage, use, and communication.