ias(prelim)

Last updated 10:25 AM on 12/1/25

37 Terms

1

Personal data

refers to any information, whether recorded in a material form or not, from which the identity of an individual is apparent or can be directly ascertained by the entity holding the information.

2

Privacy

concerns the collection and use of data about individuals.

3

Accuracy

relates to the responsibility of those who collect data to ensure that the data is correct.

4

Property

relates to who owns the data.

5

Access

relates to the responsibility of those who have data to control who can use that data.

6

Data privacy

is a part of the data protection area that deals with the proper handling of data, with the focus on compliance with data protection regulations

7

Data security

includes a set of standards and different safeguards and measures that an organization is taking to prevent any third party from unauthorized access to digital data or any intentional or unintentional alteration, deletion, or data disclosure.

8

Data breach

an unauthorized or unintentional disclosure of confidential information.

9

Cyberattack

the stealing of data or confidential information by electronic means, including ransomware and hacking.

10

CIA Triad

is a model designed to guide an organization’s policies on information security.

11

Confidentiality

ensures that data is accessed only by authorized individuals.

12

Integrity

ensures that information is reliable as well as accurate.

13

Availability

ensures that data is both available and accessible to satisfy business needs.

14

Data management

the process of ingesting, storing, organizing, and maintaining the data created and collected by an organization.

15

Internet privacy

All personal data shared over the Internet is subject to privacy issues. Most websites publish a privacy policy that details the website's intended use of data collected online and/or offline.

16

Financial privacy

Financial information is particularly sensitive, as it may easily be used to commit online and/or offline fraud.

17

Medical privacy

All medical records are subject to stringent laws that address user access privileges. By law, security and authentication systems are often required for individuals that process and store medical records.

18

Information privacy

generally pertains to what is known as personally identifiable information (PII).

19

Personally Identifiable Information (PII)

is information that can be used to distinguish or trace an individual’s identity

20

Privacy by Design

to take privacy requirements into account throughout the system development process, from the conception of a new IT system through detailed system design, implementation, and operation.

21

Privacy requirements

These are system requirements that have privacy relevance.

22

Proactive, not reactive; preventive, not remedial:

PbD is an approach that anticipates privacy issues and seeks to prevent problems before they arise. In this approach, designers must assess the potential vulnerabilities in a system and the types of threats that may occur and then select technical and managerial controls to protect the system.

23

Privacy as the default

This principle requires an organization to ensure that it only processes the data that is necessary to achieve its specific purpose and that PII is protected during collection, storage, use, and transmission.

24

Privacy embedded into the design

Privacy protections should be core, organic functions, not added on after a design is complete. Privacy should be integral both to the design and architecture of IT systems and to business practices.

25

Full functionality: positive-sum, not zero-sum

Designers should seek solutions that avoid requiring a trade-off between privacy and system functionality or between privacy and security.

26

End-to-end security—life cycle protection

refers to the protection of PII from the time of collection through retention and destruction. During this life cycle, there should be no gaps in the protection of the data or accountability for the data. The term security highlights that security processes and controls are used to provide not just security but privacy.

27

Visibility and transparency

PbD seeks to assure users and other stakeholders that privacy-related business practices and technical controls are operating according to stated commitments and objectives.

28

Respect for user privacy

The organization must view privacy as primarily being characterized by personal control and free choice.

29

Privacy Risk Assessment

to enable organization executives to determine an appropriate budget for privacy and, within that budget, implement the privacy controls that optimize the level of protection.

30

Security controls

are safeguards or countermeasures prescribed for an information system or an organization that are designed to protect the confidentiality, integrity, and availability of its information and to meet a set of defined security requirements

31

Privacy controls

are the technical, physical, and administrative (or management) measures employed within an organization to satisfy privacy requirements.

32

Privacy engineering

focuses on implementing techniques that decrease privacy risks and enables organizations to make purposeful decisions about resource allocation and effective implementation of controls in information systems

33

Security risk assessment

is an expectation of loss expressed as the probability that a particular threat will exploit a particular vulnerability with a particular harmful result.

34

Risk management

includes a disciplined, structured, and flexible process for organizational asset valuation; security and privacy control selection, implementation, and assessment; system and control authorizations; and continuous monitoring.

35

Privacy requirements

are system requirements that have privacy relevance. They are derived from various sources, including laws, regulations, standards, and stakeholder expectations.

36

Privacy impact assessment (PIA)

is an analysis of how information is handled.

37

Privacy engineering and security objectives

focus on the types of capabilities the system needs to demonstrate the implementation of an organization’s privacy policies and system privacy requirements.