Chapter 25
The Fair Information Practice Principles (FIPPs) and their components, as detailed in OMB Circular A-130, are as follows:
1. Access and Amendment 2. Accountability 3. Authority 4. Minimization 5. Quality and Integrity 6. Individual Participation 7. Purpose Specification and Use Limitation 8. Security 9. Transparency
Multiple personnel are associated with the control and administration of data. These data roles include?
1. Data owners 2. Stewards 3. Custodians 4. Users * The leadership of this effort is under the auspices of the privacy officer
PIA includes the following steps:
1. Establish PIA scope 2. Identify key stakeholders 3. Document all contact with PII 4. Review legal and regulatory requirements, including an upstream contracts 5. Document gaps and potential issues between requirements and practices 6. Review findings with key stakeholders to determine accuracy and clarify any issues 7. Create a final report for management
Factors that affect the classification (how important it is) of specific information includes its?
1. Value to the organization 2. Its age 3. Laws or regulations that govern its protection
What is Personally Identifiable Information (PII)?
A set of elements that can lead to the specific identity of a person
____ is considered one of the gold standard methods of data destruction
Burning
____ refers to the opportunity for the end user to consent to the data collection or to opt out
Choice
____ is data that is defined to represent a harm to the enterprise if it is released to unauthorized parties
Confidential data
What are some information classifications the U.S. government uses?
Confidential, Secret, and Top Secret
____ refers to the positive affirmation by a customer that they have read the notice, understand their choices, and agree to release their PII for the purposes explained them them
Consent
____ are small bits of text that are stored on a user's machine and sent to specific web sites when the user visits these sites
Cookies
____ is a business function, where the requirements for security, privacy, retention, and other business functions must be established
Data ownership
____ realigns the magnetic particles, removing the organized structure that represented the data
Degaussing
_____ was designed to provide limited control to students over their education records
Family Education Records and Privacy Act (FERPA) of 1974
The ____ of 1996 is one of the most widely used privacy acts in the United States, so much as so that its acronym has reached common use. It was designed to enable public access to U.S. government records, and "public" includes the press, which purportedly acts on the public's behalf and widely uses its to obtain information. It has 9 specific exemptions: 1. National security and foreign policy information 2. Internal personnel rules and practices of an agency 3. Information specifically exempted by statute 4. Confidential business information 5. Inter- or intra-agency communication that is subject to deliberative process, litigation, and other privileges 6. Information that, if disclosed, would constitute a clearly unwarranted invasion of personal privact 7. Law enforcement records that implicate one of a set of enumerated concerns 8. Agency information from financial institutions 8. Gelogical and geophysical information concerning wells
Freedom of Information Act (FOIA)
____ makes it illegal for someone to gather identity information on another person under false pretenses
Gramm-Leach-Bliley Act (GLBA)
Identity privacy and the establishment of identity theft crimes is governed by the?
Identity Theft and Assumption Deterrence Act (makes it a violation of federal law to knowingly use another's identity)
What does Data Sensitivity Labeling enable?
It enables personnel handling the data to know whether it is sensitive and to understand the levels of protection required
____ is the clearing of previous data off a media device before the device is reused
Media sanitization
____ refers to informing the customer that PII will be collected and used and/or stored
Notice
____ is a standard that provides guidance on what elements of a credit card transaction need protection and the level of expected protection. It is not a law and was a reaction to two phenomena: data disclosures and identity theft
PCI DSS
Canada's regulations stem from the ____, which requires that personal information be collected and used only for appropriate purposes
Personal Information Protection and Electronic Data Act (PIPEDA)
____ can be defined as the power to control what others know about you and what they can do with that information
Privacy
The ____ was an omnibus act designed to affect the entire federal information landscape
Privacy Act of 1974
____ is data that is marked to alert people that it is not to be shared with other parties, typically because they have no need to see it. It is a term that is associated with personal data belonging to a person and less often with corporate entities
Private data
____ is data that is restricted to a company because of potential competitive use
Proprietary
____ is data that can be seen by the public and has no needed protections with respect to confidentiality
Public data
What are some information classifications businesses use?
Publicly Releasable, Proprietary, Company Confidential, and For Internal Use Only
____ is a process by which paper fibers are suspended in a liquid and recombined int new paper
Pulping
____ is a physical process of destruction using excessive physical force to break an item into unusable pieces
Pulverizing
____ is the physical destruction by tearing an item into many small pieces, which can then by mixed, making reassembly difficult if not impossible
Shredding
What is Data Retention?
The determination of what records require storage and for how long
In the United States, the primary path to privacy is via ___, whereas in Europe and other countries, it is via ____
opt-out, opt-in
The U.S. Computer Fraud and Abuse Act's (CFAA) main object is to...
prevent unauthorized parties access to information they should not have access to
A ____ is a structured approach to determining the gap between desired privacy performance and actual privacy performance
privacy impact assessment (PIA)
The ____ is the C-Level executive who is responsible for privacy issues in the firm
privacy officer
Data ____ is a term that is commonly used to describe methods that permanently erase and remove data from a storage space
purging
The U.S. Children's Online Privacy Protection Act (COPPA) addresses...
respect to children accessing and potentially releasing information on the Internet. It requires that sites obtain parental permission, post a privacy policy detailing specifics concerning information collected from children, and describe how the children's information will be used
Failure to maintain the data in a secure state can be a ____
retention issue
Trained personnel can act as a...
security control
Data custodians or ____ are the parties responsible for the day-to-day caretaking of data
stewards
Health Insurance Portability and Accountability Act (HIPPA) security standards mandate...
a uniform level of protections regarding all health information that pertains to an individual and is housed or transmitted electronically. It built on the concepts of PHI and NPP
Other PETs (privacy-enhancing technologies) include small application programs called ____ that are designed to prevent the transfer of cookies between browsers and web servers
cookie cutters
When a company loses data that it has stored on its network, the term used is ____
data breach
The ____ sets the relevant policies, and the steward or custodian ensure these policies are followed
data owner
Then EU has developed a comprehensive concept of privacy, which is administered via a set of statutes known as ____
data protection
Each policy for classification of information should....
describe how it should be protected, who may have access to it, who has authority to release it and how, and how it should be destroyed
The ____ of 1988 provides civil remedies against unauthorized disclosure of personal information concerning video tape rentals, and by extension, DVDs and games as well
Video Privacy Protection Act (VPPA)
____ data is the process of rewriting the storage media with a series of patterns of 1's and 0's
Wiping
