Chapter 12: Confidentiality and Privacy Controls


21 Terms

1

Privacy:

relates to personal information collected from customers, employees, and business partners.

2

Strictest and most far-reaching privacy regulation

European Union’s General Data Privacy Regulation (GDPR):

Personal information: “Any info relating to an identified or identifiable natural person” (Article 4)

Affects any entity that collects/stores/processes information about EU residents (natural persons), and thus applies to many organizations in Canada.

Imposes huge fines (up to the higher of €20 million and 4% of global annual revenues) on serious infringements.

Grants individuals a number of rights (e.g., accessing, correcting and deleting info that organizations collect about them).

For a personal data breach, must notify the supervisory authority (e.g., Info or Privacy Commissioner’s Office) within 72 hours.

If the breach is likely to result in a high risk, inform affected individuals without undue delay.

3

Fragmented Privacy Regime in Canada

The Personal Information Protection and Electronic Documents Act (PIPEDA): regulates how private-sector (for-profit) organizations collect, use, and disclose personal information.

The Privacy Act: regulates federal government institutions.

Not-for-profit and non-federal government organizations (e.g., municipalities and universities) are regulated by provincial laws.

4

GDPR vs. PIPEDA (Partial) Data breach notifications

72 hours vs. as soon as feasible

5

GDPR vs. PIPEDA (Partial) Highest fines

The higher of 20 million euros and 4% of global annual revenue vs 100K CAD

6

GDPR vs. PIPEDA (Partial) Scope

Applies to all “data controllers and processors”, including natural persons and government agencies vs. only applies to the private sector

7

GDPR vs. PIPEDA (Partial) Data Protection Impact Assessment

Required if the process is “likely to result in a high risk” vs. recommended but not required

8

GDPR vs. PIPEDA (Partial) Consent

Must be explicit consent (opt-in) vs Either explicit (opt-in) or implicit (opt-out) consent

9

Basic Actions to Protect Confidentiality and Privacy

Identify and classify information

Encryption

Training

Access Controls

10

“Defense-in-Depth” approach

using multiple layers of controls to avoid having a single point of failure.

11

Data loss prevention (DLP) software

like antivirus programs in reverse (preventive control);

12

Digital watermarking is what type of access control?

detective control

13

Data masking or tokenization

to prevent programmers from accessing sensitive information (preventive control).

14

Encryption

Takes plaintext and, with an encryption key and algorithm, converts it to unreadable ciphertext.

To read the ciphertext, use the decryption key to reverse the process and make the information readable.

15

Symmetric encryption

one key for both encryption and decryption; fast but less secure because:

  • Both sender and receiver need to know the key;

  • Separate key has to be created for different receivers;

  • Used for large amounts of data.

16

Asymmetric encryption

one key for encryption and the other key for decryption:

  • Either key could be made public,

  • Can be used to exchange symmetric keys.

17

Virtual Private Network (VPN)

Securely transmits encrypted data between the client device and the VPN server:

  • Data are transmitted through the encrypted “tunnel”, which only parties possessing the appropriate keys can access.

  • Ensures that our internet traffic is protected from interception and eavesdropping.

18

Hashing

is the process of converting data of any size—such as text, numbers, files, or other types—into a fixed-length string of characters, typically using a mathematical algorithm called a hash function

19

Hashing vs encryption

hashing is about verifying data integrity through a one-way transformation, and encryption is about securing data confidentiality through reversible scrambling. Both are essential but serve different roles in cybersecurity and data protection

20

Blockchain

Blocks of data are “chained” together by their hashes.

Any changes to the data recorded in a block will change its hash and will be rejected by the network. Thus, “immutability” is a key feature of BC.

21

Digital Signature

guarantee that the document (e.g., a contract) is authentic. They are legally binding in most countries.

We know that an individual entered into a transaction and signed the contract (authentication) and that the contract was not modified by others (integrity).

Use both hashing and encryption.