Romney C12: Confidentiality & Privacy

Question 1

Basic objective information security

Answer 1

preserving the confidentiality of the organization’s intellectual property & similar information share with it by its business partners

Question 2

Objectives of confidentiality and privacy

Answer 2

protect sensitive information from unauthorized access and disclosure

Question 3

4 basic actions to protect C&P

Answer 3

1. Identify & classify the information to be protected
2. Encrypt the information
3. Control access to the information
4. Train employees to properly handle the information

Question 4

4 basic Actions:

1. Identify & classify information to be protected

Answer 4

• identify where such information resides & who has access to it
• classify the information in terms of its value to the organization

Question 5

4 basic actions:

Protecting sensitive information with encryption

Answer 5

to protect information in transit over the internet

additional layer of protection

Question 5

4 basic actions:

Protecting sensitive information with encryption

Answer 5

to protect information in transit over the internet

additional layer of protection

Question 5

4 basic actions:

Protecting sensitive information with encryption

Answer 5

to protect information in transit over the internet
additional layer of protection
only protect when it is stored or being transmitted not during processing

Question 6

4 basic actions:

3. Controlling access to sensitive information

Answer 6

additional digital physical access controls through:

• Information rights management (IRM)
• data loss prevention (DLP)
• digital watermark
• data masking
• tokenization

Question 7

Information Rights Management (IRM)

Answer 7

Offers the capability not only to limit access to specific files or documents but also to specify the actions (read, copy, print etc) that individuals granted access to that resource can perform

Some IRM has the capability to limit access privileges to a specific period of time and to remotely erase protected files

Question 8

Data Loss Protection

Answer 8

Software that works like antivirus program in reverse, blocking outgoing messages (email, IM, etc) that contain key words or phrases associated with intellectual property or other sensitive data the organization wants to protect

Question 9

Digital watermark

Answer 9

code embedded in documents that enables an organization to identify confidential information that has been disclosed

Question 10

Data masking

Answer 10

protecting privacy by replacing sensitive personal information with fake data. Also called tokenization

Question 11

Tokenization

Answer 11

another word for data masking`

Question 12

Training

Answer 12

• employees need to know what info they can share with outsiders
• employees need to be taught how to protect sensitive data

Question 13

Privacy Regulations: The EU’s GDPR & U.S Laws

Answer 13

• Europeans Union’s General Data Privacy Regulation is the strictest & most far-reaching privacy regulations
• imposes huge fines (up to 4% of global revenues) for issues such as not properly obtaining consent to collect and use personal information or not being able to document that the organization has taken proactive approach to protecting privacy.

Question 14

Other laws and regulations

Answer 14

– California Consumer Privacy Act (C CP A) of 2018
– Health Insurance Portability and Accountability Act
(H I P A A)
– Health Information Technology for Economic and
Clinical Health Act (H I T E C H)
– Financial Services Modernization Act

Question 15

Generally Accepted Privacy Principles (AICPA and CICA)

Answer 15

1. Management
2. Notice
3. Choice and consent
4. Collection
5. Use, retention, disposal
6. Access
7. Disclosure to 3rd parties
8. Security
9. Quality
10. Monitoring & enforcement

Question 16

GAPP: 1. management

Answer 16

Organizations need to establish a set of procedures and policies for protecting the privacy of personal info they collect from customers/obtain from 3rd parties

Assign responsibility and accountability for implementing those policies to a specific person

Question 17

GAPP: 2. Notice

Answer 17

provide notice about its privacy policies and practices at or before the time it collects personal info from customers,

notice should clearly explain what info is being collected, the reasons for its collections and how it will be used.

Question 18

GAPP: 3. Choice and Consent

Answer 18

explain choices available to people and obtain their consent prior the collection and use of their personal info.

opt out: implicit consent because companies can assume it’s okay to collect and use customers’ personal information unless they explicitly object

opt in: explicit consent because organizations cannot collect and use customers’ personal info unless they explicitly agree to allow such actions

Question 19

GAPP: 4. Collection:

Answer 19

Collect need info only to fulfill the purpose stated in its privacy policies
-concern: use of cookies on websites

cookies: a text file created by a website and stored on a visitors hard disk. Store info what the user has done on the site.

Question 20

GAPP: 5. use, retention and disposal

Answer 20

use customers’ personal info only in the manner described in their stated privacy policies and retain that info only as long as it is needed to fulfill a legitimate business purpose.

when info is no longer useful, must be disposed in a secure manner.

Question 21

GAPP: 6. Access

Answer 21

should provide individuals with the ability to access, review, and correct the personal information stored about them

Question 22

GAPP: 7. Disclosure to 3rd parties

Answer 22

should disclose their customers’ personal info to third parties only in the situations and manners described in the organization privacy policies and only to third parties who provide the same level of privacy protection

Question 23

GAPP: 8. Security

Answer 23

Take reasonable steps to protect its customers’ personal info from loss/unauthorized disclosure. Must used various preventive, detective and corrective controls

Question 24

GAPP: 9. Quality

Answer 24

Organizations should maintain the integrity of their customers’ personal information and employ procedures to ensure it’s reasonable accurate.

Question 25

GAPP: 10. Monitoring and enforcement

Answer 25

Organizations must periodically verity that their employees procedures to ensure it’s reasonably accurate

Question 26

Identity theft

Answer 26

unauthorized use of someone’s personal information for the perpetrator’s benefit

Question 27

Encryption

Answer 27

• the process of transforming normal content, called plaintext, into unreadable gibberish (ciphertext)

plaintext: normal test that has been encrypted
ciphertext: plaintext transformed into unreadable using gibberish encryption

Question 28

Decryption

Answer 28

reverse process - transforming ciphertext back into plaintext

Question 29

Factors that influence encryption strength

Answer 29

1. Key length
2. Encryption algorithm
3. Policies for managing cryptographic keys

Question 30

Key length

Answer 30

longer keys provide stronger encryption by reducing the number of repeating blocks in the ciphertext

makes it harder to spot patterns in the ciphertext that reflect patterns in the original plaintext.

Question 31

Encryption Algorithm

Answer 31

• formula for using the key to transform the plaintext into ciphertext.

A strong algorithm is difficult to break by using brute-force guessing techniques.

Question 32

Policies for managing cryptographic keys:

Answer 32

most vulnerable aspects of encryption system.

- must be stored securely and protected with strong access controls

Question 33

Types of Encryption Systems

Answer 33

1. Symmetric encryption system

2. Asymmetric encryption system

Question 34

symmetric encryption system:

Answer 34

use the same key both to encrypt and to decrypt

commonly included in most operating system

Question 35

Asymmetric encryption system:

Answer 35

use two keys that are created as a matched pair.
keys called: public key and private key
either the public or the private key can be used to encrypt but only the other matching key can decrypt.
used in combination with a process called hashing to create legally binding digital signatures.

Question 36

public key:

Answer 36

widely distributed and made available to everyone

Question 37

private key

Answer 37

kept secret and known only to the owner of the pair of keys.

Question 38

key escrow

Answer 38

the process of storing a copy of an encryption key in a secure location

Question 39

Two major problems of symmetric:

Answer 39

1. both parties (sender & receiver) need to know the shared secret key
2. a separate key needs to be created for use by each party with whom the use of encryption is desired.

Question 40

Problems of Asymmetric Encryption System

Answer 40

is speed.
much (thousand of times) slower than symmetric encryption, making it impractical to exchange large amounts of data over the internet

Question 41

Virtual Private Networks (VPNs)

Answer 41

using encryption and authentication to securely transfer information over the internet, thereby creating a “virtual” private network (sender and receiver have the appropriate encryption and decryption keys)

• include controls to authenticate the parties exchanging information & to create an audit trail of the exchange

Question 42

Hashing

Answer 42

Transforming plaintext of any length into a short code called a hash

this property of hashing algorithms provides a means to test the integrity of a document, to verify whether two copies of a document, each stored in different devices, are identical

ability to verify integrity plays an important role in creating legally binding digital signatures and is an essential component underlying blockchains

Question 43

Digital signatures

Answer 43

Used to create a legally binding agreements. (2 steps to create)

1. document creator uses a hashing algorithm to generate a hash of the original document
2. document creator uses private key to encrypt step 1 above

Question 44

Blockchain

Answer 44

a distributed ledger of hashed documents with copies stored in multiple computers (it cannot be unilaterally altered by one entity)

• to serve as an audit trail for business process