Technologist
Development Lifecycle - Release Planning, Definition, Development, Validation, Deployment
There are four basic types of countermeasures -
1. Preventative - These work by keeping something from happening in the first place. Examples of this include: security awareness training, firewall, anti-virus, security guard and IPS.
2. Reactive - Reactive countermeasures come into effect only after an event has already occurred.
3. Detective - Examples of detective countermeasures include: system monitoring, IDS, anti-virus, motion detectors and IPS.
4. Administrative - These controls are the process of developing and ensuring compliance with policy and procedures. These use policy to protect an asset.
PCI DSS has three main stages of compliance -
Collecting and Storing - This involves the secure collection and tamper-proof storage of log data so that it is available for analysis.
Reporting - This is the ability to prove compliance should an audit arise. The organization should also show evidence that data protection controls are in place.
Monitoring and Alerting - This involves implementing systems to enable administrators to monitor access and usage of data. There should also be evidence that log data is being collected and stored.
Re-Identification - Re-identification refers to using data from a single entity holding the data.
Symmetric Encryption - Symmetric key cryptography refers to using the same key for encrypting as well as decrypting. It is also referred to as shared secret, secret-key or private key. This key is not distributed, rather it is kept secret by the sending and receiving parties.
Asymmetric Encryption - Asymmetric cryptography is also referred to as public-key cryptography. Public key cryptography depends on a key pair for the processes of encryption and decryption. Unlike private keys, public keys are distributed freely and publicly. Data that has been encrypted with a public key can only be decrypted with the corresponding private key.
Choice/Consent - Opt-in = requires affirmative consent of the individual
Opt-out = requires implicit consent of the individual
Mandatory data collection - necessary to complete the immediate transaction (vs. optional data collection, which will not prevent the transaction from being completed)
Choice and consent are regulated by the CAN-SPAM Act of 2003 and the European Data Directive (Articles 7 and 8)
De-Identification - Process in which sensitive data is treated in such a way that the individual cannot be identified.
EULA - End-user license agreement (AKA software license agreement)
EULA = contract between licensor and purchaser; establishes the purchaser's right to use the software
Cookies - Simple text file that contains name-value pairs. Types of cookies include persistent cookies and session cookies. Cookies can be used for:
o Personalization
o Session
OBA/OBM - Online behavioral advertising/online behavioral marketing
Uses third-party tracking (e.g. web cookies) to collect and compile user information
LBS - Location-based services
Computer program-level services that include controls for location and time data
E.g. social networking, entertainment, many via mobile devices
Issues: data collection, consent, data sharing
P3P Privacy Policies - P3P = Platform for Privacy Preferences Project, designed by the World Wide Web Consortium (aka W3C)
P3P - a protocol that turns a website's text-based privacy policies into a machine-readable format
When must a PIA be conducted - Prior to developing or obtaining an IT system or process which collects, stores or discloses personally identifiable information
Do Not Track - Do Not Track protection is a feature that is being worked on by the World Wide Web Consortium Tracking Protection Working Group.