I. System Activities that Impact End User Privacy


I. System Activities that Impact End User Privacy
    A. The Information Life Cycle
        a. Manual processes
            i. Interaction
            ii. Data entry
        b. Systems
            i. Operating and file
            ii. Database
            iii. Applications
            iv. Network and data transport
            v. Web services
            vi. Client services
        c. Data types
            i. Personally identifiable information (PII)
            ii. Regulated information (SOX, HIPAA)
            iii. Credit card information
            iv. Trade secrets (organization)
            v. Contractual information (partners, customers)
    B. The IT Development Life Cycle
        a. Privacy intersections in the development process
            i. Release planning
            ii. Definition
            iii. Development
            iv. Validation
            v. Deployment

    C. Data Collection and Transfer
        a. Responsibilities of the IT professional
        b. Determining data accountability
            i. Ownership of data
            ii. Data inventory
            iii. Degree of data sensitivity
        c. Purpose and uses of PII
            i. PCI regulated data
        d. Employee data uses
        e. Onward transfers of data
            i. External parties
            ii. Storage/transfer media
            iii. Routine and non-routine transfers
        f. Employee data challenges
            i. Locations and modes
            ii. Business use of mobile services
    D. Data Security
        a. Top 20 security risks (SANS)
            i. Client-side
            ii. Server-side
            iii. Security policy and personnel
            iv. Application
                1. SQL injection
            v. Network
        b. Credit card information
            i. Cardholder data types
            ii. Application of Payment Card Industry Data Security Standards (PCI DSS)
    E. Data Storage
        a. Types of storage
            i. Persistent
            ii. Transient
        b. Location of storage
            i. Systems
            ii. Location
    F. Data Processing
        a. Internal processing
            i. Primary and secondary uses
        b. Relationships with third parties
            i. Global resourcing and outsourcing
            ii. Vendor management
    G. Data Retention and Destruction
        a. Period of retention
        b. Duplication of records
        c. Consistency of policy and practice

    H. Data Access and Redress
        a. Legal requirements
        b. Business rationale
        c. Access mechanisms
        d. Handling requests
    I. Privacy and System Design
        a. Applying Fair Information Practice principles
            i. Collection limitation
            ii. Data quality
            iii. Purpose specification
            iv. Use limitation
            v. Security safeguards
            vi. Openness
            vii. Individual participation
            viii. Accountability
II. Data Subject Privacy Expectations and Behaviors
    A. Privacy Expectations
        a. The consumer perspective
        b. Organizational practices
    B. Privacy Responsibility Framework
        a. User sphere
        b. Joint sphere
        c. Recipient sphere
        d. Engineering issues and responsibilities
    C. E-commerce Personalization
        a. End user benefits
        b. End user privacy concerns
            i. Unsolicited marketing
            ii. Inaccurate inferences
            iii. Price discrimination
            iv. Unauthorized account access or data sharing
    D. System Monitoring
        a. Phone-home software

III. Privacy Protection Mechanisms
    A. Privacy by Architecture
        a. Addressing data protection gaps
        b. Separating profile and transaction data
        c. Granularity levels for data collection
        d. Limiting common attributes and identifiers
        e. Regular or forced deletion of profile data
        f. Decentralized privacy architecture
    B. Privacy by Policy
        a. Notice and choice
        b. Security safeguards
        c. Access
        d. Accountability
            i. Audits
    C. Identifiability
        a. Labels that point to individuals
        b. Strong and weak identifiers
        c. Pseudonymous and anonymous data
        d. Degrees of identifiability
            i. Definition under the EU Directive
            ii. Privacy stages and system characteristics
                1. Identifiable versus identified
                2. Linkable versus linked
    D. Privacy-enhancing Techniques
        a. Web security protocols
            i. Transport Security Layer (TLS)
            ii. Secure Sockets Layer (SSL)
            iii. Hypertext Transfer Protocol-Secure (HTTPS)
        b. Automated data retrieval
        c. Automated system audits
        d. Data masking and data obfuscation
        e. Data encryption
            i. Cryptography
                1. Crypto design and implementation considerations
                2. Application or field encryption
                3. File encryption
                4. Disk encryption

    E. Privacy-enhancing Tools
        a. Limiting or preventing automated data capture
        b. Combating threats and exploits
        c. Anonymity tools
            i. Anonymizers
            ii. Privacy-preserving data mining
            iii. Applications of anonymity tools
                1. Communication and publishing
                2. Payment processing
                3. Voting and surveying
                4. Credentialing
                5. Anonymity by web proxy
                    a. The Tor Anonymity System
IV. Providing Notice and Choice
    A. Types of Notice and Choice
        a. Policy components
        b. Means of distribution
        c. Explicit and implicit consent
    B. Software-based Notice and Consent
        a. Guidelines
        b. End user license agreement (EULA)
        c. Mechanisms
            i. Out-of-box
            ii. Installation time
            iii. First-run
            iv. Just-in-time
            v. Collections and/or transfers of data
            vi. Online services
                1. Redirecting Internet searches and queries
                2. Modifying web browser settings
                3. Activating a feature function with system impact
                4. Online advertising
                5. Software updates
                6. Software removal
                7. Location-based services
            vii. Machine-readable privacy policy languages
                1. Platform for Privacy Preferences Project (P3P)
                    a. User agents
                    b. Policy assertions
                    c. Deployment
                2. Application Preference Exchange Language (APPEL)
                3. Enterprise Privacy Authorization Language (EPAL)

V. Auditing and Enforcing IT Privacy Compliance
    A. Data Governance
        a. Management, control and evaluation frameworks
            i. ISO/IEC 38500:2008
            ii. Control Objectives for Information and Related Technology (COBIT)
        b. IT service management frameworks
            i. Information Technology Infrastructure Library (ITIL)
            ii. IBM Tivoli Unified Process (ITUP)
        c. Industry consortia security frameworks
            i. Payment Card Industry Data Security Standards (PCI DSS)
            ii. Health Information Trust Alliance (HITRUST)
        d. Security risk and compliance review (SRCR)
    B. Audits in the Context of Privacy
        a. Defining the audit
        b. Understanding the range of options
            i. Gap assessments (risk)
            ii. Legal reviews (compliance)
            iii. Attestation (third party)
        c. Generally Accepted Privacy Principles (GAPP) framework
        d. Role of the IT auditor
            i. Privacy impact assessments (PIA)
            ii. Control objectives
            iii. Evidence and documentation
            iv. Testing and verification
        e. IT internal audit
            i. Working with legal and compliance partners
VI. Implementing Technologies with Privacy Impacts
    A. Software as a Service (SaaS)
        a. Cloud Computing Platforms
            i. Location considerations
            ii. Impacts on privacy obligations and protections
            iii. Legal uncertainty
    B. Wireless IDs
        a. Radio Frequency Identification (RFID)
        b. Bluetooth devices
    C. Location-based services
        a. Global Positioning Systems (GPS)
        b. Geographic Information Systems (GIS)

    D. Identity and Access Management (IAM)
        a. Role-based access control (RBAC)
        b. User-based access controls
        c. Context of authority
            i. User to site
            ii. User to enterprise
                1. Multiple enterprises
        d. Cross-enterprise authentication and authorization models
            i. Liberty Alliance Project
            ii. Open ID Federation
            iii. Identity Metasystem Architecture
    E. Business Intelligence and Analytics
        a. Applications
        b. Demand among businesses and governments
        c. Risks