CIPT Glossary Flashcards
What is Abstracting data?
Abstraction limits the level of detail at which personal information is processed. Reducing the precision of data, while retaining the accuracy and suitability for its purpose, may yield the same desired results for an organization collecting personal information.
- Grouping aggregates data into correlated sets rather than processing it individually.
- Summarizing puts detailed information into categories based on more abstract attributes.
- Perturbing adds approximation or “noise” to data to reduce its specificity.
What is an Access Control Entry (ACE)?
An element in an access control list (ACL) that controls, monitors, or records access to an object by a specified user.
What is an Access Control List (ACL)?
A list of access control entries (ACE) that apply to an object, controlling or monitoring access by specified users.
What does Accountability mean?
The implementation of appropriate technical and organisational measures to ensure and be able to demonstrate that the handling of personal data is performed in accordance with relevant law, an idea codified in the EU General Data Protection Regulation and other frameworks, including APEC’s Cross Border Privacy Rules.
Traditionally, accountability has been a fair information practices principle, that due diligence and reasonable steps will be undertaken to ensure that personal information will be protected and handled consistently with relevant law and other fair use principles.
What is Active Data Collection?
The data subject is aware that collection is taking place and takes an action to enable the collection, e.g., filling out and submitting an online form.
What is an Adequate Level of Protection?
A transfer of personal data from the EU to a third country may occur if the European Commission has determined that the country ensures adequate protection.
(a) the rule of law, respect for human rights and fundamental freedoms, both general and sectoral legislation, data protection rules, professional rules and security measures, effective and enforceable data subject rights and effective administrative and judicial redress for the data subjects whose personal data is being transferred;
(b) the existence and effective functioning of independent supervisory authorities with responsibility for ensuring and enforcing compliance with the data protection rules;
(c) the international commitments the third country or international organisation concerned has entered into in relation to the protection of personal data.
What is the Advanced Encryption Standard?
An encryption algorithm for security-sensitive non-classified material, selected by the U.S. Government in 2001.
What is defined as Adverse Action under the Fair Credit Reporting Act?
Any business, credit, or employment actions affecting consumers that have a negative impact, such as denying credit or employment.
No adverse action occurs in a credit transaction where the creditor makes a counteroffer that is accepted by the consumer. Such an action requires that the decision maker furnish the recipient of the adverse action with a copy of the credit report leading to the adverse action.
What is the Agile Development Model?
A software design process that incorporates new system requirements during creation, focusing on specific portions of a project.
What is an Algorithm?
A computational procedure or set of instructions designed to perform a specific task or solve a particular problem.
What is Anonymization?
The process of altering identifiable data so it can no longer be related back to an individual.
Among many techniques, there are three primary ways that data is anonymized.
- Suppression is the most basic version of anonymization and it simply removes some identifying values from data to reduce its identifiability.
- Generalization takes specific identifying values and makes them broader, such as changing a specific age (18) to an age range (18-24).
- Noise addition takes identifying values from a given data set and switches them with identifying values from another individual in that data set.
Note that these processes do not guarantee that data is no longer identifiable, and they have to be performed in a way that does not harm the usability of the data.
What is Anonymous Information?
Data that is not related to an identified or identifiable natural person and cannot be re-identified.
What does Anthropomorphism mean?
Attributing human characteristics or behaviors to non-human objects.
What are Anti-discrimination Laws?
Laws indicating special classes of personal data that are subject to more stringent data protection regulations.
What is Application or field encryption?
The ability to encrypt specific fields of data, particularly sensitive information like credit card numbers.
What are Application-Layer Attacks?
Attacks that exploit flaws in network applications installed on servers, such as web browsers and email servers. Regularly applying patches and updates to applications may help prevent such attacks.
What is Appropriation in data privacy?
Using someone’s identity for another person’s purposes.
What is Asymmetric Encryption?
A form of data encryption that uses two separate but related keys to encrypt data. The system uses a public key, made available to other parties, and a private key, which is kept by the first party. Decryption of data encrypted by the public key requires the use of the private key; decryption of the data encrypted by the private key requires the public key.
What is Attribute-Based Access Control?
An authorization model that provides dynamic access control by assigning attributes to the users, the data, and the context in which the user requests access (also referred to as environmental factors) and analyzes these attributes together to determine access.
For example, a bank employee might only be able to approve large transactions if they are a manager, are accessing the system from a secure location, and are working during business hours.
What is an Audit Trail?
A chain of electronic activity or paperwork used to monitor, track, or validate an activity.
What is Authentication?
The process by which an entity determines whether another entity is who it claims to be.
What is Authorization in information security?
The process of determining if an end user is permitted access to a desired resource.
Authorization criteria may be based upon a variety of factors such as organizational role, level of security clearance, applicable law or a combination of factors. When effective, authentication validates that the entity requesting access is who or what it claims to be.
What is Automated decision-making?
The process of making a decision by technological means without human involvement.
What is Basel III?
A set of reform measures to strengthen the regulation and risk management of the banking sector.
What is Behavioral Advertising?
Advertising targeted at individuals based on observed behavior over time.
Behavioral advertising is most often done via automated processing of personal data, or profiling. The General Data Protection Regulation requires that data subjects be able to opt out of any automated processing, to be informed of the logic involved in any automatic personal data processing and, at least when based on profiling, be informed of the consequences of such processing. If cookies are used to store or access information for the purposes of behavioral advertising, the ePrivacy Directive requires that data subjects provide consent for the placement of such cookies, after having been provided with clear and comprehensive information.
What is Big Data?
Large data sets characterized by volume, velocity, and variety.
What are Biometrics?
Data concerning intrinsic physical or behavioral characteristics of an individual.
Examples include DNA, fingerprints, retina and iris patterns, voice, face, handwriting, keystroke technique and gait. The General Data Protection Regulation, in Article 9, lists biometric data for the purpose of uniquely identifying a natural person as a special category of data for which processing is not allowed other than in specific circumstances.
What is Blackmail?
The threat to disclose an individual’s information against their will.
What is Breach Disclosure?
The requirement for organizations to notify regulators and victims of incidents affecting personal data security.
The requirements in this arena vary wildly by jurisdiction. It is a transparency mechanism that highlights operational failures, which helps mitigate damage and aids in the understanding of causes of failure.
What is a Breach of confidentiality?
Revealing an individual’s personal information despite a promise not to do so.
What does Bring Your Own Device mean?
The use of employees’ personal computing devices for work purposes.
What is Browser Fingerprinting?
A technology that differentiates users based on the unique instance of their browser.
Each browser keeps some information about the elements it encounters on a given webpage. For instance, a browser will keep information on a text font so that the next time that font is encountered on a webpage, the information can be reproduced more easily. Because each of these saved elements has been accessed at different times and in different orders, each instance of a browser is to some extent unique. Tracking users using this kind of technology continues to become more prevalent.
What is Caching?
The saving of local copies of downloaded content to reduce the need for repeated downloads. To protect privacy, pages that display personal information should be set to prohibit caching.
What is the California Online Privacy Protection Act?
A law requiring websites catering to California citizens to provide a privacy statement and allow children to delete collected data.
Websites also must inform visitors of the type of Do Not Track mechanisms they support or if they do not support any at all.
What does CCTV stand for?
Closed Circuit Television, referring to video surveillance systems.
What are Chat bots?
Computerized intelligence that simulates human interactions for basic customer requests.
What is the Children’s Online Privacy Protection Act (COPPA)?
A U.S. federal law that protects the personal information of children under 13 online.
COPPA requires these website operators to: post a privacy notice on the homepage of the website; provide notice about collection practices to parents; obtain verifiable parental consent before collecting personal information from children; give parents a choice as to whether their child’s personal information will be disclosed to third parties; provide parents access and the opportunity to delete the child’s personal information and opt out of future collection or use of the information; and maintain the confidentiality, security and integrity of personal information collected from children.
What does Choice refer to in the context of consent?
The idea that consent must be freely given and that data subjects must have a genuine choice as to whether to provide personal data or not. If there is no true choice it is unlikely the consent will be deemed valid under the General Data Protection Regulation.
What is Ciphertext?
Encrypted (enciphered) data.
What is Cloud Computing?
The provision of IT services over the Internet, including software and infrastructure.
What are Code audits?
Analyses of source code to detect defects, security breaches, or violations.
What are Code reviews?
Meetings organized by developers to review code, often involving a reader, moderator, and privacy specialist.
What is Collection Limitation?
A principle stating limits should exist on the collection of personal data, obtained lawfully and fairly.
What is Communications Privacy?
Protection of the means of correspondence, including postal mail and electronic communications.
One of the four classes of privacy, along with information privacy, bodily privacy and territorial privacy.
What are Completeness Arguments?
Means of assuring compliance with privacy rules in the design of new software systems.
What is Computer Forensics?
The discipline of assessing an information system for clues after it has been compromised.
What is a Concept of Operations?
A detailed outline of how a software product will work once operational, used in Plan-driven Development Models.
What does Confidentiality mean in data protection?
Data is considered confidential if it is protected against unauthorized or unlawful processing.
The General Data Protection Regulation requires that an organization be able to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services as part of its requirements for appropriate security. In addition, the GDPR requires that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
What is consent in the context of data privacy?
This privacy requirement is one of the fair information practices. Individuals must be able to prevent the collection of their personal data, unless the disclosure is required by law. If an individual has choice about the use or disclosure of his or her information, consent is the individual’s way of giving permission for the use or disclosure. Consent may be affirmative, i.e., opt-in, or implied, i.e., the individual didn’t opt out.
(1) Affirmative/Explicit Consent: A requirement that an individual “signifies” his or her agreement with a data controller by some active communication between the parties.
(2) Implicit Consent: Implied consent arises where consent may reasonably be inferred from the action or inaction of the individual.
What is a Content Delivery Network?
Servers that contain most or all of the visible elements of a web page and are contacted to provide those elements.
In the realm of advertising, a general ad server is contacted after a webpage is requested; that ad server looks up any known information on the user requesting to access the webpage.
What is context aware computing?
When a technological device adapts itself to the environment, including characteristics like location, video, audio, and brightness.
What is the context of authority?
Control over access to resources on a network is based on the context in which the employee is connected.
What is contextual advertising?
A form of targeted advertising where the content of the ad relies on the content of the webpage or the user’s query.
What is contextual integrity?
A concept developed by Helen Nissenbaum, contextual integrity is a way to think about and quantify potential privacy risks in software systems and products. Contextual Integrity focuses on what consumer expectations are in a given situation and how the product or system differs from that expectation. The more a product or system deviates from those expectations, the more likely a consumer will perceive a privacy harm.
What is a cookie?
A small text file stored on a client machine that tracks the end user’s browser activities and connects web requests into a session.
Cookies can also be used to prevent users from having to be authorized for every password-protected page they access during a session by recording that they have successfully supplied their username and password already. Cookies may be referred to as “first-party” (if they are placed by the website that is visited) or “third-party” (if they are placed by a party other than the visited website). Additionally, they may be referred to as “session cookies” if they are deleted when a session ends, or “persistent cookies” if they remain longer. Notably, the General Data Protection Regulation lists this latter category, so-called “cookie identifiers,” as an example of personal information. The use of cookies is regulated both by the GDPR and the ePrivacy Directive.
What is coupling in technology?
The interdependence between objects within a technology ecosystem, controlling the flow of information within a design.
Tightening the coupling allows objects to depend on the inner workings of other objects. Loosening the coupling reduces an object’s dependency on other objects. Loosening isolates information processing to a select group of approved classes and reduces the chance of unintentionally re-purposing data.
What is cross-site scripting?
Code injected by malicious web users into web pages viewed by other users.
What is cryptography?
The science or practice of hiding information, usually through its transformation, including functions like encryption and digital signatures.
What is a cryptosystem?
The materials necessary to encrypt and decrypt a message, typically consisting of the encryption algorithm and the security key.
What is customer access?
A customer’s ability to access, review, correct, or delete their personal information.
What is customer data integration?
The consolidation and management of customer information from all sources, vital for customer relationship management.
What is customer information?
Data relating to clients of private-sector organizations, patients in healthcare, and the general public in public-sector agencies.
What is cyberbullying?
Exposing a person’s private details or re-characterizing them beyond their control via technology.
What are dark patterns?
Recurring solutions used to manipulate individuals into giving up personal information.
What is data aggregation?
Combining individual data sets to analyze trends while protecting individual privacy by using groups rather than isolating individuals.
To effectively aggregate data so that it cannot be re-identified (or at least make it difficult to do so), the data set should: (1) have a large population of individuals; (2) be categorized to create broad sets of individuals; and (3) not include data that would be unique to a single individual in a data set.
What is a data breach?
The unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by a data collector. Breaches do not include good faith acquisitions of personal information by an employee or agent of the data collector for a legitimate purpose of the data collector—provided the personal information is not used for a purpose unrelated to the data collector’s business or subject to further unauthorized disclosure.
What are data centers?
Facilities that store, manage, and disseminate data, housing critical systems for data management.
What is a data controller?
The person or entity that determines the purposes and means of processing personal data.
What are data elements?
Units of data that cannot be broken down further or have a distinct meaning, which may become personal data when combined.
What are data flow diagrams?
Graphical representations of the flow of data in an information system, used for design and modeling.
What is data loss prevention?
Strategies and software to ensure sensitive information is not disseminated to unauthorized sources.
What is data masking?
The process of de-identifying, anonymizing, or otherwise obscuring data so that the structure remains the same but the content is no longer sensitive in order to generate a data set that is useful for training or software testing purposes.
What is data matching?
An activity that involves comparing personal data obtained from a variety of sources, including personal information banks, for the purpose of making decisions about the individuals to whom the data pertains.
What is the data minimization principle?
The principle that only necessary personal data should be collected and retained.
What is data processing?
Any operation performed on personal data, including collection, storage, use, and destruction.
What is a data processor?
A person or entity that processes personal data on behalf of the data controller.
What is a data protection authority?
Independent authorities that supervise data protection laws in the EU and handle complaints about GDPR violations.
What is data quality?
The principle that personal data should be relevant, accurate, complete, and up-to-date for its intended use.
What is a data recipient?
A person or entity to which personal data is disclosed, excluding public authorities acting under specific inquiries.
What is a data schema?
A framework that formulates constraints on data, defining its entities and relationships.
What is a data subject?
An identified or identifiable natural person.
What is declared data?
Personal information directly provided to a social network or website by a user.
What is deep learning?
A subfield of AI and machine learning that uses artificial neural networks for processing raw data.
What is demographic advertising?
Web advertising based on individual information such as age, location, or gender.
What are design patterns?
Shared solutions to recurring problems that improve program code maintenance.
What is the design thinking process?
A five-phase process used in value-sensitive design: empathize, define, ideate, prototype, and test.
What is differential identifiability?
Setting parameters that limit confidence in the contribution of any individual to an aggregated value.
What is the Digital Advertising Alliance?
A non-profit organization that sets standards for consumer privacy in online advertising.
What is digital fingerprinting?
Using log files to identify a website visitor, often for security and system maintenance.
What is digital rights management?
Management of access to and use of digital content and devices after sale, often using access control technologies.
What is a digital signature?
A means for ensuring the authenticity of an electronic document, invalidated if the document is altered.
What is the Directive on Privacy and Electronic Communications Act?
A policy directive for EU Member States regarding user consent for cookies and tracking.
What is disassociability?
Minimization of connections between data and individuals compatible with system operational requirements.
What is discretionary access control?
An access control type that allows an object owner to grant or deny access within a computer-based information system.
What is distortion in data privacy?
Spreading false and inaccurate information about an individual.
What is a DMZ (Demilitarized Zone) Network?
A firewall configuration that secures local area networks by acting as a broker for traffic between the LAN and outside networks.
What is Do Not Track?
A proposed policy allowing consumers to opt out of web-usage tracking.
What are e-commerce websites?
Websites with online ordering capabilities that have special privacy advantages and risks.
What is electronic communications data?
Includes content of communication, traffic data, and location data as defined by the ePrivacy Directive.
What is an electronic communications network?
Transmission systems and resources that permit the conveyance of signals by various means, including satellite and cable systems.
What are the three main categories of personal data defined in the EU under the ePrivacy Directive?
The content of a communication, traffic data, and location data.
What is an Electronic Communications Network?
Transmission systems and equipment that permit the conveyance of signals by various means, including satellite networks and fixed/mobile terrestrial networks.
What is an Electronic Communications Service?
Any service that provides users the ability to send or receive wire or electronic communications.
What is Electronic Surveillance?
Monitoring through electronic means, such as video surveillance and intercepting communications.
What is Encryption?
The process of obscuring information to make it unreadable without special knowledge.
What is an Encryption Key?
A cryptographic algorithm applied to unencrypted text to disguise its value or decrypt encrypted text.
What is an End-User License Agreement?
A contract between the software owner and the user, outlining payment and usage restrictions.
What is Enterprise Architecture?
A conceptual outline that defines the structure and operation of an organization.
What was the EU Data Protection Directive?
The Directive (95/46/EC) was replaced by the General Data Protection Regulation in 2018 and was the first EU-wide legislation protecting individuals’ privacy.
What does Exclusion mean in data privacy?
Denies an individual knowledge of and/or participation in what is being done with their information.
What is Exposure in the context of privacy?
The revelation of information that is normally concealed from most others.
What is Extensible Markup Language (XML)?
A markup language that facilitates the transport, creation, retrieval, and storage of documents.
What is an Extranet?
A network system formed through the connection of two or more corporate intranets, creating inherent security risks.
What is the Factors Analysis in Information Risk (FAIR) model?
A framework that breaks risk into the frequency of action and magnitude of the violations.