CH 8.1 Privacy by design

Question 1

What is privacy by design?

Answer 1

The concept that privacy is part of the design of products, systems, software, etc. and is built in my default.

Question 2

Data minimization

Answer 2

collect only what you need

Question 3

Data Destruction

Answer 3

One important way to protect personal information and privacy is to destroy personal information when it is no longer needed

Question 4

How to best align information security and privacy teams

Answer 4

Team; don’t reinvent; stay aware; rank and prioritize problems/risks

Question 5

process oriented privacy design strategy

Answer 5

Commitment to processing personal information in a privacy-friendly way and ensuring that these commitments are honored.

Question 6

Data oriented privacy design strategy

Answer 6

Focus on technical ways that data can be processed with the maximization of privacy in mind.

Question 7

Privacy by Design

Answer 7

1) Integrates privacy protections into physical stems, technology products and business processes.
2) Ensures can be assured that privacy controls are in place from the outset of a project

Question 8

Privacy by Design Foundational Principles

Answer 8

1) Proactive not Reactive
2) Preventative not Remedial
3) Privacy as the Default Setting
4) Privacy Embedded into Design
5) Full Functionality- Positive-Sum, not Zero-Sum
6) End-to-End Security - Full Lifecycle Protection
7) Visibility and Transparency - Keep it Open
8) Respect for User Privacy - Keep it User-Centric

Question 9

Instituting Privacy by Design

Answer 9

1) Commit to the Program
2) Create a Privacy Standard
3) Perform Privacy Reviews of Products and Services
4) Perform a data flow analysis
5) Inform consumers of your privacy practices
6) Provide privacy controls for users
7) Provide users with access to data
8) Apply data retention and destruction policies
9) Secure sensitive data

Question 10

goal setting

Answer 10

including privacy

Question 11

document requiremments

Answer 11

documenting what you will do and what you won’t do – useful for testing after building

Question 12

quality attributes

Answer 12

1) identifiability
2) confidentiality
3) availability

Question 13

information needs

Answer 13

what is the least amount of data needed to accomplish this goal

Question 14

high level design

Answer 14

comprises of:

1) quality attributes (identify, confident, available)
2) architectures: (usable front-end, compliant back-end)
3) design representation (design includes all nodes throughout system)

Question 15

low level design/implementation

Answer 15

• reuses libraries, frameworks, APIs when possible from other parts of system for consistency’s sake

Question 16

impose controls

Answer 16

1) architecture (decentralize operations)
2) secure (using abstraction/hiding)
3) supervise (enforcement of privacy policies)
4) balance (ensuring that solutions don’t incur further risks)

Question 17

testing and validation

Answer 17

validating the requirements. comprised of:

1) unit testing
2) system testing
3) integration testing
4) manual testing

Question 18

ongoing vigilance practices against privacy and security risks

Answer 18

1) code reviews (peer to peer)
2) code audits (3rd party to organization)
3) runtime behavior monitoring (noting spikes and dips)
4) keeping software up to date with modern standards

Question 19

What are the three primary ways that data is anonymized?

Answer 19

1) Suppression
2) generalization, and
3) noise addition