CIPT - Privacy in Technology (2023/2024) Rated A

CIPT - Privacy in Technology (2023/2024) Rated A GDPR General Data Protection Regulations NCASE Rules Notice Choice Access Security Enforcement Areas of IT Risks Client-Side (employee computers) Server Side Applications Network Bastion-Server Server with one purpose and only software for that purpose, such as a Proxy Server or Printer Server IT Involvement in Applications comes in 3 flavors IT controlled IT Monitored Employee Controlled Mistakes Organizations Make Insufficient Policies Improper Training Disjointed Practices Complacency (not enough audits) Third-Party Contracts IT Governance v. Data Governance IT Governance are the systems, applications, and support personnel that handle data. Data governance is the proper management of that data Privacy Notices Inform the outside world Organization Privacy Policies Instruct the organizational members Discretionary Access Control User has complete control over they resource that they own Mandatory Access Control Only the administrator has control over the ACL of a resource Role-Based Access Control Resource access based on organizational roles Attribute-Based Access Control Attributes such as location, age, nationality, etc. determine access Information LifeCycle Stages Collection Use Disclosure Retention Destruction Common Privacy Principles Collection Limitation Data Quality Purpose Specification Use Limitation Security Safeguards Openness Individual Participation Accountability Choice v. Control Choice is a user being able to give input to their privacy practices. Control is something such as being able to opt out of ads, but you can't control data collection. Technology Standardization Makes everything easier when everything is the same, such as Hardware, OSes, client applications, server software, etc. Policy Consolidation Making a global privacy policy for all departments to follow for their data Data Center Distribution Different localities have different laws and regulations for data management, perform a privacy rule to make sure all are known and understood Data Controller Determines purposes and means of the processing of personal data Data Processor Processes data on behalf of the controller. Separate legal entity from the controller Data Subject Person to which a set of personal data applies Limitations of Access Management as a privacy tool Access Management ensures the right people access the right data, but doesn't make sure they handle it properly Principle of Least Privilege It's a must, but if you don't do it right, productivity will be hindered because people will be constantly trying to request permissions Open ID Federation Organzation that allows you to use a third-party site for authentication Cross-Site Authentication Single Sign On BLOB Binary Large Object; in relation to credit cards, a blob can be encrypted and stores transaction data unique to the vendor (so the vendor can safely store it) PCI DSS Requirements (Sections) Build and Maintain a Secure Network Protect Cardholder Data Maintain a Vulnerability management Program Implement Strong access control measures Regularly monitor and test networks Maintain an info sec policy PCI DSS Requirements (Steps) 1. Firewalls 2. Don't use vendor-supplied defaults 3. Protect stored credit card data 4. Encrypt transmission of credit car data across open network 5. Use/Update antivirus software/programs 6. Develop and maintain secure systems/applications 7. Restrict access to "Need to Know" 8. Assign a unique ID to everyone with access 9. Restrict physical access to credit card data 10. Track/monitor all access to network resources and credit card data 11. regularly test security 12. Maintain a policy that addresses information security for everyone Maintain PCI DSS Through 3 Steps Assess Remediate Report Virtual Private Network Good so employees can use public networks Demilitarized Zone (DMZ) Networks network for customers/vendors that has access to the internet, but not access to the org's network Architecture Controls VPN DMZ Networks Multifactor Authentication Data Encryption Implementation Considerations Encryption Size Encryption Performance Utility Complexity Automated Data Retrieval Use a form to have someone get info from a database, rather than granting access to a database Automated System Audits WOrkorders, one file at a time, etc. Data Masking / Data Obfuscation Think dots when entering a password Privacy by Design principles Commit to a PBD program create a privacy standard perform privacy reviews perform a data flow analysis Be transparent to data subjects Give users CONTROL and ACCESS Retention policies must be applied to ALL data Pharming Similar to phishing, but uses technical exploits to trick the computer SQL Injection Strucutred Query Language. Entering info in a filed that the SQL script will pick up as a command, rather than a query. This can be used to modify parts of the database Cross-Site Scripting (XSS) Embeds a client-side script intro a page that gets executed when a user visits a site Remnant Ads Cheapest WHen you have no info on the viewer Premium Ads most expensive Ads are part of an ad campaign Contextual Ads Most common type of ads, related to site's context or the search terms used Demographic Ads Ads targetting a specific demographic profile Psychological Ads Ads based on interests Behavioral Ads Ads based on user's browsing habits. Commonly created from aggregated data Cookies Text files that store information about a website Web Beacons Resource on a page invisible to the naked eye Used to track the user Local Shared Objects Memory within a browser components that functions like a cookie eXtensible Access Control Markup Language (XACML) Security language used for privacy Types of CLouds Personal Cloud Private Cloud Public Cloud Community Cloud Personal Cloud Cloud for individuals Typically a backup Private Cloud A Data center that is a cloud, but only for the org that made it Public Cloud Think AWS Community Cloud Cloud shared by organizations that need shared resources Wireless Encryption Protocols Wired Equivalent Policy (WEP) - shit Wi-Fi Protected Access (WPA) WPA2 - the best Geographic Information Systems (GIS) Combines GPS data with other data to get more information Levels of Encryption Disk Files Records Fields Cost of Data Breach $200 per customer record leaked When should PIA's be completed Every time there is a change in a data flow or data inventory