INFOASSURANCE_PRELIM-FINALS (copy)

ALL HANDOUT REVIEWER/

Personal Data

Any information, whether recorded in a material form or not, which itentify of an individual

Privacy

Collection and use of data about individuals

Accuracy, Porperty, and Access

This is the 3 primary privacy issues.

Data Security

A set of standards and different safeguards and measures that an organization is taking to prevent any third party.

Data Breach

An unauthorized or unintentional disclosure of confidential information

Cyberattack

Stealing of data or confidential information by electronic means, including ransomware and hacking.

Data Privacy

Is a part of the data protection area that deals with the proper handling of data with the focus on compliance with data protection regulations.

CIA Triad

Is a model designed to guide an organization’s policies on information security.

Confidentiality

Ensures that data is accesses only by authorized individuals.

Integrity

Ensures that information is reliable as well as accurate.

Availability

Ensures that data is both available and accessible to satisfy business needs.

Internet Privacy

All personal data shared over the internet is subject to privacy issues.

Financial Privacy

Financial information is partifcularly sensitive, as it may easily use to commit online and/or offline fraud.

Medica Privacy

All medical records are subject to stringent laws that address user access privileges. By law, security and authentication system.

Data Management

Process of ingesting, storing, organizing, and maintaining the data created and collected by an organization. Also the heart of privacy.

Personally Identifiable information

Information that can be used to distinguish or trace an individuals identity.

Privacy by design

Take privacy requirements into acoount throughout the system development process.

Privacy Requirements

These are system requirements that have privacy relevance. System Privacy Requirements define the protection capabilities provided by the system.

Proactive, not reactive; preventive, not remedial

an approach that anticipates privacy issues and seeks to prevent problems before they arise.

Privacy as the default

This principle requires an organization to ensure that it only processes the data that is necessary to achieve it specific purpose.

Privacy embedded into the design

Privacy protections should be core, organic functions, not added on after a design is complete.

Full functionality: positive-sum, not zero-sum

Designers should seek solutions that avoid requiring a trade-off between privacy and sytem functionality or between privacy and security.

End-to-end security-life cycle protection

This principle encompasses two concepts. The term End-to-end and life cycle refer to protection of PII

Visibility and transparency

PbD seeks to assure users and other stakeholders that privacy-related business practices and technical controls are operating according to state commitments and objectives.

Respect for user privacy

The organization must view privacy as primarily being characterized by personal control and free choice.

Security Controls

Safeguards or countermeasures prescribed for an information system or an organization that are designed to protect the confidentiality, integrity, and availability of its information.

Individual privacy

Cannot be achieved solely through securing personally identifiable information.

Privacy Controls

Technical, physical, and administrative measures employed within an organization to satisfy privacy requirements.

Privacy Engineering

Involves taking account of privacy during the entire life cycle of ICT

Security Risk Assessment

Expectation of loss expressed as the probability that a particular threat will exploit a particular vulnerability with a particular harmful result.

Risk Management

Includes a disciplined, structured, and flexible process for organizational asset valuation;

Privacy Requirements

Is a system requirements that have privacy relevance. System privacy requirements define the protection capabilities provided by the system.

Privacy Impact Assessment

Is an analysis of how information is handled: to ensure handling conforms to applicable legal, regulatory, and policy requirements regarding privacy.

Privacy Engineering and security objectives

It focuses on the types of capabilities the system needs to demonstrate the implementation of an organization privacy policies and system privacy requirements.

Manageability

Providing the capability for granular administration of PII, including alteration deletion, and selective disclosure.

Disassociability

Enabling the processing of PII or events without association to individuals or devices beyond the operational requirements of the system.

Predictability

Enabling reliable assumptions by individuals, owners, and operators about PII and its processing by an information system.

Security Objectives

Goals and constraints that affect the confidentiality, integretiy, and availability of your data and application.

Confidentiality

Also known as data confidentiality, this property means that information is not made available or disclosed to unauthorized individuals, entities, or processes.

Data Integrity

Ensures that data and programs are changed only in a specified and authorized manner.

System integrity

ensures that a system performs its intended function in an unimpaired manner, free from deliberate or inadvertent unauthorized manipulation of the system.

Availabiltity

Ensures that systems work promptly and the service is not denied to authorized users.

Authenticity

The property of being genuine and being able to be verified and trusted;

Accountability

The security goal that generates the requirement for actions of an entity to be traced uniquely to that entity.

Open Systems Interconnection

General security architecture that is useful to managers as a way of organizing the task of providing security.

Security attacks

are any action that compromises the security of information owned by an organization.

Traffic analysis

an attacker monitors communication channels to collect a range of information, including human and machine identities.

Security Mechanisms

Are technical tools and techniques that are used to implement security services.

Security service

A processing or communication service that enchances the security of the data processing system.

Passive attacks

are like eavesdropping or monitoring transmissions. Very difficult to detect because they do not involve any alteration of the data.

Release of message contents

this type an attacker will monitor an unprotected communication medium like accounts.

Denial-of-service attack

prevents or inhibits the normal use or management of communication facilities. Such an attack may have specific target;

Active attacks

Involve some modification of stored or transmitted data or the creation of false data.

Masquerade

Takes place when one entity pretends to be a different entity.

Replay

Involves the passive capture of a data unit and its subsequent retransmission to produce an unauthorized effect.

Data modification

simply means that some portion of a legitimate message is altered or that messages are delayed or reordered to produce an unauthorized effect.

Access Control

The ability to limit and control access to host systems and application via communication links

Data Confidentiality

Protection of transmitted data from passive attacks. Concerning the content of data transmission.

Data integrity

Ensures that messages are received as sent, with no duplication, insertion, modification, reordering or replays.

Availability Service

Means that a system or a system resource is accessible and usable upon demand by an authorized system entity.

Authentication

Service is concerned with ensuring that communication is authentic.

Online Privacy

Refers to privacy concerns related to user interaction with internet services through web servers and mobile apps.

Data collectors

collect information directly from their customers, audience, or other types of users of their services.

Data brokers

Compile large amounts of personal data from several data collectors and other data brokers without having direct online contact.

Data users

Category encompasses a broad range. One type of data user is a business.

WWW

Fundamentally a client/server application running over the internet.

Web server security and privacy

Concerned with the vulnerabilities and threats associated with the platform that hosts a website.

Web application security and privacy

Concerned with web software, including any application accessible via Web

Web browser security and privacy

Concerned with the browser used from a client system to access a web server.

Mobile Ecosystem

The execution of mobile application on a mobile device may involve communication across several networks.

Cellular and Wi-Fi infrastructure

Modern mobile devices are typically equipped with the capability to use cellular and WI-FI networks to access the internet.

Public application store

Public app stores include native app stores; these are digital distribution of services operated and developed by mobile OS Vendors.

Device and OS vendor infrastructure

Mobile device and OS vendors host server to provide updates and patches to the OS and apps.

Enterprise mobility management systems

is a general term that refers to everything involed in managing mobile devices and related components.

Administrator

A member of the organization who is responsible for deploying, maintaining, and securing the organization mobile deivces.

App testing facility

administrator submits the app to an app testing facility in the organization that employs automated or human analyzer.

Auditor

Is to inspect reports and risk assessments from one or more analyzers. Then makes a recommendation to someone in the organization.

Web application privacy

Open web application security project top 10 privacy risks project

Web application vulnerabilities

failing to suitable design and implement an application, detect a problem, or promptly apply a fix.

User-side data leakage

Failing to prevent the leakage of any information containing or related to user data, or the data itself.

Insufficient data breach response

Not informing the affected persons about a possible breach or data leak.

Insufficient deletion of personal data

Failing to delete personal data effectively or a timely fashion

Non-transparent policies, terms, and conditions

Not providing sufficient information describing how data are processes

Collection of data not required for the primary purpose

Collecting descriptive, demographic, or any other user-related data

Sharing of data with third party

providing user data to a third party without obtaining the user’s consent.

Outdated personal data

Using outdated, incorrect, or bogus user data and failing to update or correct the data.

Missing or insufficient session expiration

Failing to effectively enforce session termination.

Insecure data transfer

Failing to provide data transfers over encrypted and secured channels.

Insecure network communcations

Network traffic needs to be securely encrypted to prevent an adversary from eavesdropping.

Web Browser vulnerabilities

Adversaries can exploit vulnerabilities in mobile device web browser

Vulnerabilities in third-party libraries

Third-party software libraries are reusable components that may be distributed freely or offered for a fee.

Risk Assessment

To enable organization executives to determine an appropriate budget for security. Also to estimate of the potential cost.

Threat

Circumstance or event with the potential to adversely impact organizational operations.

Threat Severity

The magnitude of the potential of a threat event to impose a cost on a organization.

Threat Strength

Referred to as threat capability, the probable level of force that a threat agent can apply against an asset.

Threat event frequency

The probable frequency, within a given time frame, that a threat agent will act against an asset.

Vulnerability

Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggerd by a threat soruce.

Impact

The magnitude of harm that can be expected to result from the consequences of unauthorized disclosure of information.

Likelihood

Called loss event frequency, the probable frequency.

Risk

Extent to which an entity is threatened by a potential circumstance or event.