Privacy Operational Lifecycle - Section III.B. - Protect Your Organization Flashcards
Data life cycle management elements
- Enterprise Objectives
- Minimalism
- Simplicity
- Adequacy of infrastructure
- Information Security
- Authenticity
- Retrievability
- Distribution controls
- Auditability
- Consistency
- Enforcement
Data life cycle management is a policy-based approach to managing the flow of information through a life cycle from creation to final disposition. DLM provides a holistic approach to the processes, roles, controls and measures necessary to organize and maintain data. Many of the elements are similar to Fair Information Practices. Notice and consent are both common examples of principles contained in iterations of FIPs, but they relate more closely to data subject rights than to data governance.
Solove’s Privacy Risks identify which four activities can lead to risks to privacy?
(1) Information collection;
(2) Information processing;
(3) Information dissemination (data sharing); and
(4) Invasions.
What is a security control?
A process, policy, device, practice, or other action that attempts to modify risk.
What does STRIDE stand for?
STRIDE is a threat-modeling framework; the acronym stands for:
Spoofing,
Tampering,
Repudiation,
Information disclosure,
Denial of service, and
Elevation of privilege.
What are the three primary principles set forth in ISO Standard 31700-1:2023 for implementing privacy by design into consumer goods and services?
(1) Empowerment and Transparency;
(2) Institutionalization and Responsibility; and
(3) Ecosystem and Lifecycle.
What are the two primary types of software design processes?
Plan-driven development and agile development.
The Software Development Life Cycle (SDLC) is a framework that defines the steps involved in the software development process. Software process models build on the SDLC. They are intended to separate development into distinct stages and define under what conditions development may proceed to the next stage. Some models also define other aspects of software development, such as potential artifacts (i.e., by-products produced during development) at each stage and individual roles. There are two primary types of software design processes: plan-driven development and agile development. Plan-driven development is a model that attempts to plan and develop all of the features a user might want in the final product and determines how all those features are to be developed. Examples of plan-driven development methods include the spiral and waterfall models. Agile development is a type of model that anticipates the need to remain flexible and is a lighter-weight, more pragmatic approach to development that “incorporates new system requirements during the actual creation of the system.” Agile development focuses on specific portions of a project to develop one at a time. Examples of agile development models include the Scrum and Extreme Programming models.
What is the primary concern of the “integrity” prong of the CIA Triad?
Information should be kept in a form that is authentic, accurate, and complete.
True or False: Both information security and information privacy rely heavily upon the principle of accountability.
True
What is linkability?
The amount of effort required to link data to a specific individual.
What is a technical security control?
A type of security control that consists of procedures and mechanisms designed to limit and monitor access to information.
True or False: Implementation of data destruction practices is one of the most powerful ways to protect personal data.
True.
What is collision resistance?
The principle in hashing that it should be computationally infeasible to find any two distinct inputs that map to the same output.
What is a privacy engineer?
A specialist in systems engineering who focuses on creating systems that adequately protect the processing of personal data.
A privacy engineer is effectively a domain expert on one aspect of software development.
What is the principle of least privilege?
The notion that any user should only have the bare minimum privileges necessary to perform his or her function.
What is a common best practice for implementing administrative security controls?
Limiting information access to roles within an organization based upon need-to-know status.
What two components make up an access control system?
Authorization and authentication.
True or False: Identity can be abstracted away and validated by third parties.
True