Information Assurance and Security (Data Privacy) Prelim Reviewer

36 Terms

1

Personal Data

Refers to any information, whether recorded in a material form or not, from which the identity of an individual is apparent or can be directly ascertained by the entity holding the information

2

Privacy

Concerns the collection and use of data about individuals

3

Accuracy

Refers to the responsibility of those who collect data to ensure that the data is correct

4

Property

Relates to who owns the data

5

Access

Relates to the responsibility of those who have data to control who can use that data

6

Data Privacy

Is a part of the data protection area that deals with the proper handling of data, with the focus on compliance with data protection regulations.

7

Data Security

Includes a set of standards and different safeguards and measures that an organization is taking to prevent any third party from unauthorized access to digital data or any intentional or unintentional alteration, deletion, or data disclosure

8

Data Breach

An unauthorized or unintentional disclosure of confidential information

9

Cyberattack

The stealing of data or confidential information by electronic means, including ransomware and hacking

10

CIA Triad

Is a model designed to guide an organization’s policies on information security

11

Confidentiality

Ensures that data is accessed only by authorized individuals

12

Integrity

Ensures that information is reliable as well as accurate

13

Availability

Ensures that data is both available and accessible to satisfy business needs

14

Elements of Data Privacy

  • Right of an individual to be left alone and have control over their data

  • Procedures for proper handling, processing, collecting and sharing of personal data

  • Compliance with data protection laws

15

Data Management

The process of ingesting, storing, organizing, and maintaining the data created and collected by an organization

16

Information Privacy

  • Is considered an important aspect of information sharing

  • May be applied in numerous ways, including encryption, authentication, and data masking, each attempting to ensure that information is available only to those with authorized access

  • Includes regulations required for companies to protect data.

  • Geared toward preventing data mining and the unauthorized use of personal information, which are illegal in many parts of the world

17

Internet Privacy

All personal data shared over the internet is subject to privacy issues. Most websites publish a privacy policy that details the website's intended use of collected online and/or offline data

18

Financial Privacy

Financial information is particularly sensitive, as it may easily be used to commit online and/or offline fraud

19

Medical Privacy

All medical records are subject to stringent laws that address user access privileges. By law, security and authentication systems are often required for individuals that process and store medical records.

20

Personally Identifiable Information

Is information that can be used to distinguish or trace an individual’s identity

21

Privacy Requirements

These are requirements that have privacy relevance. They are derived from various sources, including laws, regulations, standards, and stakeholder expectations

22

System Privacy

Defines the protection capabilities provided by the system, the performance and behavioral characteristics exhibited by the system, and the evidence used to determine that the system privacy requirements have been satisfied.

23

Proactive, not reactive; preventive, not remedial

Is an approach that anticipates the privacy issues and seeks to prevent problems before they arise. Designers must assess the potential vulnerabilities in a system and the types of threats that may occur and then select technical and managerial controls to protect the system

24

Privacy as the default

This principle requires an organization to ensure that it only processes the data that is necessary to achieve its specific purpose and that PII is protected during collection, storage, use, and transmission

25

Privacy embedded into the design

Privacy protections should be the core, organic functions, not added on after a design is complete. Privacy should be integral both to the design and architecture of IT systems and to business practices.

26

Full functionality: positive-sum, not zero-sum

Designers should seek solutions that avoid requiring a trade-off between privacy and system functionality or between privacy and security

27

End-to-end security-life cycle protection

This principle encompasses two concepts. It refers to the protection of PII from the time of collection through retention and destruction. During this life cycle, there should be no gaps in the protection of the data or accountability for the data. The term security highlights that security processes and controls are used to provide not just security but privacy

28

Visibility and transparency

Seeks to assure users and other stakeholders that privacy-related business practices and technical controls are operating according to stated commitments and objectives

29

Respect for user privacy

The organization must view privacy as primarily being characterized by personal control and free choice

30

Privacy Risk Assessment

Is to enable organization executives to determine an appropriate budget for privacy and, within that budget, implement the privacy controls that optimize the level of protection

31

Security Controls

Are safeguards or countermeasures prescribed for an information system or an organization that are designed to protect the confidentiality, integrity, and availability of its information and to meet a set of defined security requirements

32

Privacy Controls

Are the technical, physical, and administrative measures employed within an organization to satisfy privacy requirements.

33

Privacy Engineering

  • Involves taking account of privacy during the entire life cycle of ICT

  • Focuses on implementing techniques that decrease privacy risks and enable organizations to make purposeful decisions about resource allocation and effective implementation of controls in information systems

34

Security Risk Assessment

Is an expectation of loss expressed as the probability that a particular threat will exploit a particular vulnerability with a particular harmful result

35

Risk Management

Includes a disciplined asset valuation; security and privacy control selection, implementation, and assessment; and system and control authorizations

36

Privacy engineering and security objectives

Focuses on the type of capabilities the system needs to demonstrate the implementation of an organization’s privacy policies and system privacy requirements