Exam (elaborations)

CIPT - Certified Information Privacy Technologist exam 2022

Pages: 8
Grade: A+
Uploaded on: 20-08-2022
Written in: 2022/2023

Development Lifecycle - Release Planning
Definition
Development
Validation
Deployment

There are four basic types of countermeasures -
1. Preventative - These work by keeping something from happening in the first place. Examples of this include: security awareness training, firewall, anti-virus, security guard and IPS.
2. Reactive - Reactive countermeasures come into effect only after an event has already occurred.
3. Detective - Examples of detective countermeasures include: system monitoring, IDS, anti-virus, motion detectors and IPS.
4. Administrative - These controls are the process of developing and ensuring compliance with policy and procedures. These use policy to protect an asset.

PCI DSS has three main stages of compliance -
Collecting and Storing - This involves the secure collection and tamper-proof storage of log data so that it is available for analysis.
Reporting - This is the ability to prove compliance should an audit arise. The organization should also show evidence that data protection controls are in place.
Monitoring and Alerting - This involves implementing systems to enable administrators to monitor access and usage of data. There should also be evidence that log data is being collected and stored.

Re-Identification - Re-identification refers to using data from a single entity holding the data.

Symmetric Encryption - Symmetric key cryptography refers to using the same key for encrypting as well as decrypting. It is also referred to as shared secret, secret-key or private key. This key is not distributed; rather, it is kept secret by the sending and receiving parties.

Asymmetric Encryption - Asymmetric cryptography is also referred to as public-key cryptography. Public key depends on a key pair for the processes of encryption and decryption. Unlike private keys, public keys are distributed freely and publicly. Data that has been encrypted with a public key can only be decrypted with a private key.

Choice/Consent -
Opt-in = requires affirmative consent of individual
Opt-out = requires implicit consent of individual
Mandatory data collection - necessary to complete the immediate transaction (vs. optional data collection, which will not prevent the transaction from being completed)
Choice and consent are regulated by CAN-SPAM Act of 2003, European Data Directive (Articles 7 and 8)

De-Identification - Process in which sensitive data is treated in such a way that the individual cannot be identified.

EULA - End-user license agreement (AKA software license agreement)
EULA = contract between licensor and purchaser; establishes purchaser's right to use the software



Document information

Contains: Questions & answers
